A security researcher from Johns Hopkins University is shocked by the number of vulnerabilities he has been able to find in iOS and Android. This was revealed as part of a report by Wired, which reveals that the security and encryption in iOS and Android is not strong enough and allows government and law enforcement agencies to break into smartphones.
The report shows that security researchers at John Hopkins University used official documentation from Apple and Google to analyze the strength of encryption in iOS and Android. The researchers also used past documentation of various methods that have been using by law enforcement agencies and malicious actors, to bypass security on smartphones using hacking tools.
Johns Hopkins cryptographer Matthew Green, who oversaw the research, revealed to Wired that he was shocked at how poor the security was on both major mobile operating systems.
“It just really shocked me, because I came into this project thinking that these phones are really protecting user data well. Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?”
Maximilian Zinkus, a PhD student at Johns Hopkins who led the analysis of iOS security, pointed out that the structure for encryption is in place on iOS, but a lot of it is left unused. This is likely to balance between user friendliness, features and security.
“On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good. But I was definitely surprised to see then how much of it is unused.”
The report also pointed out the gap in encryption when it comes to cloud backups. For example, iCloud backups are encrypted during transit and on server, but they are not end-to-end encrypted like other Apple services. The data is also available on other linked Apple devices, which is actually a feature, but could also pose as a threat if physical access is gained to one of them.
“It’s the same type of thing where there’s great crypto available, but it’s not necessarily in use all the time. And when you back up, you also expand what data is available on other devices. So if your Mac is also seized in a search, that potentially increases law enforcement access to cloud data.”
The report also points out how Android lags behind in terms of security because patches are not often available on time, or at all, on many smartphones because of differences in OEMs, carriers, and so on.
An Apple spokesperson gave a statement to Wired regarding the vulnerabilities and pointed out that physical access is required to the target device for these hacks to work, and that these hacks stop working once a patch is released by the company.
“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users’ data,”
To improve its security, Apple has a bug bounty program in place, and recently introduced a new Security Research Device Program.
Check out the complete article here, it’s worth a read.