Every time someone says something good or bad about Android/iOS security, all hell breaks loose. This is surely one of the most controversial topics in the smartphone industry, one that will probably continue to engage fans in heated discussions over which mobile platform is better protected against hacking.
Matthew Green is a cryptographer and professor at Johns Hopkins University, so you can imagine that he’s very passionate when it comes to security, data and privacy protection.
According to him, Android has adopted the same encryption solution as PCs, even though smartphones are not PCs. The main difference between smartphones and PCs is that smartphone users are not encouraged to shut down their devices, so the cryptographic keys remain in RAM almost all the time.
“Since phone batteries live for a day or more (a long time compared to laptops) encryption doesn’t really offer much to protect you against an attacker who gets their hands on your phone during this time,” explains Green.
On the other hand, Apple has taken a different approach which is supposed to offer much better protection. Starting with iOS 4, Apple included a “data protection” feature that encrypts all data stored on the device.
So, unlike Android, which uses full-disk encryption, Apple uses a file-based encryption system that individually encrypts each file on the device. This was possible once Apple provided an API that developers can use to specify which class key to use when encrypting any given file.
Here are the main protection classes that Apple’s iOS offers: complete protection, protected until first user authentication, and no protection. There’s also a fourth protection class for apps that need to create new encrypted files when the class key has been evicted from RAM.
The new class created by Apple uses public key encryption to write new files, which is why it’s safe to take pictures even when the device is locked.
Google is trying to introduce a similar security system with the launch of Android 7.0 Nougat, but it’s not quite there yet. The new Android OS comes with two protection classes: credential encrypted storage and device encrypted storage.
These two protection classes are part of a new system called Direct Boot, which allows phones to access some data even before the user enters the passcode.
Unfortunately, Android is missing the two “complete protection” security categories, which could cause major problems for users.
Matthew Green says that the problem is not in the cryptography but in the fact that “Google is not giving developers proper guidance, the company may be locking Android into years of insecurity.”