Ever wondered how any smartphone you use today is susceptible to some cyber security flaw or the other, irrespective of how many security updates that are pushed to it? While a large part of it has to do with the extensive amount of resources that cyber criminals and law enforcement bodies put into finding these exploits, a new research by cryptographers at Johns Hopkins University has shed light on exactly why these exploits prevail, and how these vulnerabilities include both Android and iOS devices. The research also sheds light on how many law enforcement agencies use highly sophisticated tactics to bypass such flaws, in turn breaking the encryption of a particular device.
The research was based on finding out how Android and iOS encrypts smartphones in order to protect the data on the phones. The key focus, as it so happens, was on finding out exactly how security vulnerabilities are exploited by anyone to break into a locked smartphone and extract data out of it. To understand this, they have broken down encryption on both Android and iOS smartphones into two parts – Complete Protection, and After First Unlock (AFU). It’s important to note that both Android and iOS phones offer both the steps, but varying degrees.
As they reveal, Complete Protection essentially refers to the state of your phone right after you reboot it, or start it up after some time. At this stage, prior to you unlocking your phone for the very first time, all the data on your phone is in a stage of full encryption. This is why you may often see that if you receive a phone call from a saved contact prior to the initial unlock, you will only see their number pop up on the screen and not the name – because your phone’s RAM (or instant memory) will not have the access to your contacts at this stage. For both Android and iOS phones, this step remains the same.
The difference kicks in after this. On Android phones, right after the first unlock, even when you lock your phone using your face, fingerprint, a PIN or a pattern, the device will forever be in the AFU phase. In AFU, a large chunk of your data is pulled from the encrypted memory of your phone and stored in the non-encrypted instant memory, so that it is easy for you to access some of the data right from your lock screen without needing to unlock your phone repeatedly. This memory can be exploited by privilege escalation cyber attacks, by using flaws that are either super deep in the system, or not known yet (therefore being zero-day vulnerabilities). It is this that most law enforcement agencies use, in order to tap into data even in a locked smartphone.
In iOS, the situation is slightly better. As the researchers state, iOS devices employ something called hierarchical encryption, which stores some data in AFU but still protects some of the most sensitive information in encrypted storage, even after the first unlock. In an interview with Wired, an Apple spokesperson stated that this is a choice that the company has made by design, to find the optimal balance between the convenience of finding all info readily on lock screen, and the security of protecting everything behind safe encryption. However, the researchers note that Apple’s iOS still has room for improvement in terms of what all can they keep behind complete encryption, in turn reducing the chances of law enforcements using the AFU operational process as a backdoor of sorts.
The researchers also state that while both Apple and Google patch numerous such privilege escalation security flaws every month, iOS has a better shot at being more secure thanks to the single umbrella of Apple that it is controlled under. For Android, there are far too many OEMs, each of which have their own telecom approval and testing phase before rolling out an update – while matching it to their own customisation kernel. In other words, Android’s fragmented ecosystem of devices, despite improving majorly in the recent past in terms of frequency of updates, still has a long way to go in order to catch up with Apple.
Apple has also reasoned that one of the reasons why they afford the convenience of storing information in cached memory rather than encrypted storage is because the hacking tools that the Johns Hopkins researchers have spoken about require highly sophisticated surveillance and tracking tools, which in turn require a significant amount of resources to develop. In comparison, unless there is any specific motive at hand that would prove to be proportionately beneficial, no attacker would find creating such tools to be a financially beneficial process.
Google, however, did not offer a response yet to how they approach the data encryption on devices.