Check - It's a well-known fact: Android offers less security than iOS
By now almost everybody knows: full-disk encryption on mobile devices is nowhere near as secure as commonly believed, and Android offers less security than iOS does, according to security researchers from the NCC Group.
To be sure, Daniel Mayer and Drew Suarez clarified some commonly held but inaccurate beliefs about smartphone encryption technology and presented a comparison of the iOS and Android operating systems in a talk at last week's Black Hat Europe conference in Amsterdam.
The accompanying paper is entitled 'Faux Disk Encryption: Realities of Secure Storage on Mobile Devices'. It spelled out a few realities known to those in computer forensics, if not to those in the wider IT community, much less the general public.
In particular, the whitepaper highlighted some of the risks that arise from lost or stolen devices.
For one thing, crypto keys are kept in memory while a smartphone is running, which means that potential attackers with physical access to a powered-on smartphone or tablet can recover its data.
Although passcode-protected iPhones have robust permissions tied into hardware components, it might still make sense to protect data until it is read.
That way, potential hackers would have to enter a specific code to get access to that information, even if they got their hands on a running device.
Suarez explained that the fragmentation of Android creates additional mobile device encryption security risks over and above those found on iOS devices.
A targeted device may not be fully patched. Additionally, not all of the boot processes in Android are signed, which makes it possible to backdoor Android firmware and plant it on a device, given physical access.
The same risk does not exist on iPhones and iPads because the boot code is signed.
The latest version of Android (Marshmallow, 6.0) mitigates several of those risks, so arguably the bigger risk is that many mobile app developers fail to take advantage of the security protections built into Android.
On average, about 51.2 percent of app developers make mistakes in that category, according to Suarez.
This is important because in traditional browser-server applications, data tends to be stored on the server side, where much tighter controls can be enforced.
In contrast, many mobile applications cache data locally on the device, exposing it to a number of new attack vectors.
Worse, locally stored data often includes authentication tokens, which are typically longer-lived than those used by regular browser applications.
The loss or theft of a mobile device, which grants an attacker physical access, might therefore be used to bypass security controls in order to gain access to application data.
The research is far from theoretical: Mayer and Suarez say that security issues with lost smartphones are already causing problems for NCC Group's clients.
The whitepaper aimed to help mobile app developers better understand the risks and thereby take steps to secure app data, as well as to debunk some common misconceptions about full-disk encryption, which the researchers warned is not sufficient for most attack scenarios.
More secure storage methods are available on both platforms and ought to be considered, even though they may incur usability trade-offs that mean they aren't suitable in every case.
Source: The NCC Group.