Culture

Research: your smartphone encryption isn't so hard to work around

Forget backdoor entry. With the right kind of method, law enforcement authorities and other agencies can access your data without your permission.

Privacy as personal data protection with security safety tiny persons concept. Abstract eyes peek in private files on mobile phone vector illustration. Web cyberspace information protection scene.
Shutterstock

The manufacturers of smartphones, be it Apple or Android, insist that their encryption schemes are airtight and cannot be easily compromised by any entity, government or otherwise. But cryptographers at John Hopkins University debunked that claim by going through heaps of publicly available documentation from both companies.

It turns out that you don't need a complicated deal of knowledge to bypass these phones' security infrastructure. In fact, tussles over backdoor entries into smartphones mentioned in investigations are moot at this point. The right kind of hacking and forensic tools will let you in through the front door.

What researchers found — Normally, smartphone security schemes are multi-layered and hierarchal, meaning that you need to cross multiple layers and levels of security to access and decrypt a user's personal data like passcodes. However, the researchers found that iOS and Android systems' encryption protections don't go as deep and far as they should.

For example, for iPhones, the "available after first unlock" AFU protection method is open to exploitation once you've rebooted your phone. Once AFU is activated, your data is stored in quick access memory for the purpose of convenience. If government agencies, law enforcement authorities, or other hackers wanted to, they could exploit iOS vulnerabilities, access security keys, and decode your data. On top of that, researchers worry that Apple's reliance on iCloud transfers piles of user data to servers that can be hacked remotely.

It's not pretty for Android either. Researchers found that Android's AFU protocol is open for exploitation as well, arguing that its mechanism is even weaker than iOS' infrastructure.

What researchers recommend — Putting iOS and Android on blast is not what these cryptographers want to do. In fact, they have offered their study to both companies for the purpose of deriving meaningful lessons for their protocols. Smartphone creators often respond to research like this by explaining that encryption schemes have to balance both convenience and security, so it's tough to find the perfect formula.

The researchers, however, think it is possible to create a useful smartphone that doesn't open itself easily to bad actors. "It is our hope," they write, "that this work stimulates mobile device development and research towards increased security and privacy, promotes understanding as a unique reference of information, and acts as an evidence-based argument for the importance of reliable encryption to privacy, which we believe is both a human right and integral to a functioning democracy."