Locked Phones Accessible Via Various Android and iOS Flaws – Investigation
Researchers from Johns Hopkins University have released a report highlighting all the vulnerabilities in Android and iOS phone encryption, and how law enforcement agencies can exploit them to access even locked smartphones. This research comes at a time when governments in several countries are pushing to create encryption back doors to access data on smartphones when national security is at stake. However, this new research claims that the methods are already available for law enforcement agencies to access locked smartphones or have the right knowledge and tools, thanks to current security loopholes in the Android and iOS ecosystems.
This new research was reported by Wired and has been directed by Maximilian Zinkus, Tushar Jois, and Matthew Green of Johns Hopkins University. In your analysis, you find that Apple has a powerful and compelling set of security and privacy controls, backed by strong encryption. However, the critical lack of coverage due to the underuse of these tools allows law enforcement and other hackers to gain access to phones if they choose. “We found that a surprising amount of sensitive data maintained by embedded applications is protected by a weak protection class” available after first unlock “(AFU), which does not evict decryption keys from memory when the phone is locked. The impact is that the vast majority of sensitive user data in Apple’s built-in applications can be accessed from a phone that is logically captured and exploited while on (but locked). ”
The researchers also spoke about the weakness in backup and cloud services, as they found “several counterintuitive features of iCloud that increase the vulnerability of this system.” They also highlight the fuzzy nature of Apple’s documentation when it comes to “end-to-end encrypted” cloud services in conjunction with the iCloud backup service.
The researchers said that while Android It also has strong protections, especially on the latest flagship phones, the fragmented and inconsistent nature of security and privacy controls across devices makes it more vulnerable. The report also blames the deeply lagged rate of Android updates reaching devices and various software architecture considerations as the main reasons for the high non-compliance rate. “Android doesn’t offer the equivalent of Apple’s Complete Protection (CP) encryption class, which ejects decryption keys from memory shortly after the phone is locked. As a consequence, Android’s decryption keys remain in memory at all times after the ‘first unlock’ and user data is potentially vulnerable to forensic capture, ”the researchers detail in their post.
In addition, prioritization and limited use of end-to-end encryption fail. The researchers also pointed to deep integration with Google services, such as Drive, Gmail and Photos. These applications offer valuable user data that can be infiltrated by expert criminals or law enforcement agencies.
Johns Hopkins cryptographer Matthew Green told Wired: “It really surprised me, because I went into this project thinking that these phones really do protect user data well. Now I left the project thinking that almost nothing is as protected as it should be. So why do we need a back door for law enforcement when the protections these phones offer are so bad? ”