Researchers at Johns Hopkins University have come out with a report that highlights all the vulnerabilities that Android and iOS phone encryption have, and how law enforcement agencies can exploit these to access even locked smartphones. This research comes at a time when governments in various countries are pressuring for backdoors in encryption for accessing data on smartphones when the national security is at stake. However, this new research claims that methods are already available for law enforcement to access locked smartphones of they have the right knowledge and tools, thanks to current security loopholes in the Android and iOS ecosystems.
This new research was reported by Wired, and it has been conducted by Maximilian Zinkus, Tushar Jois, and Matthew Green, of Johns Hopkins University. In their analysis, it is found that Apple does have a powerful and compelling set of security and privacy controls, backed by strong encryption. However, critical lack in coverage due to under-utilisation of these tools allows for law enforcement and other hackers to access the phones if they desire. “We observed that a surprising amount of sensitive data maintained by built-in apps is protected using a weak “available after first unlock” (AFU) protection class, which does not evict decryption keys from memory when the phone is locked. The impact is that the vast majority of sensitive user data from Apple’s built-in apps can be accessed from a phone that is captured and logically exploited while it is in a powered-on (but locked) state.”
The researchers also spoke about weakness in cloud backup and services as they found ‘several counter-intuitive features of iCloud that increase the vulnerability of this system.’ They also highlight the blurred nature of Apple documentation when it comes to “end-to-end encrypted” cloud services in tandem with iCloud backup service.
The researchers said that while Android also has strong protections, especially on the latest flagship phones, the fragmented and inconsistent nature of security and privacy controls across devices, makes it more vulnerable. The report also blames the deeply lagging rate of Android updates reaching devices, and various software architectural considerations as big reasons for high breach rate. “Android provides no equivalent of Apple’s Complete Protection (CP) encryption class, which evicts decryption keys from memory shortly after the phone is locked. As a consequence, Android decryption keys remain in memory at all times after “first unlock,” and user data is potentially vulnerable to forensic capture,” the researchers detail in their post.
Further, it faults de-prioritisation and limited use of end-to-end encryption. Researchers also pointed to the deep integration with Google services, such as Drive, Gmail, and Photos. These apps offer rich user data that can be infiltrated either by knowledgeable criminals or by law enforcement.
Johns Hopkins cryptographer Matthew Green told Wired, “It just really shocked me, because I came into this project thinking that these phones are really protecting user data well. Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?”