For the better part of four decades, Apple has bragged that not only are their devices more secure than PCs, hackers don’t bother building threats specifically for their operating systems because their security is so superior. For this reason, Apple has routinely refused advances from law enforcement to share workarounds so that police can get into phones. Apple’s rationale for this constant refusal is that it would undermine their ability to keep the most secure personal computing devices, secure. Federal law enforcement officials went ahead and developed their own workaround and the findings may surprise many Apple aficionados. Let’s take a look:
The Discovery
After years of trying to go through Apple to gain access, they finally worked it out in 2020. In 2021, cryptographers published Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed Solutions, which is a position paper that looked to answer three questions:
- What security measures are currently in place to help deter unauthorized access to user data?
- How do modern devices allow unauthorized access?
- How can mobile security be improved to prevent unauthorized access?
Researchers analyzed both the newest Android and iOS platforms and found that neither of them had security preparations that functioned any better than the other. Any person with the right equipment, and the inclination, can in fact, access the OS on either device. This may come as a shock to those people who have been lauding Apple’s devices to be impenetrable.
Before you trash your iPhone, the researchers did “find a powerful and compelling set of security and privacy controls, backed and empowered by strong encryption” in iOS, but the tools presented were not used frequently enough to ensure security is maintained.
Android’s issues were exacerbated, in comparison to Apple’s, due to the vast amount of manufacturers that make Android-run products. They found that many devices lacked communications between Google, resulting in slowly implemented updates and inconsistencies in some devices’ security and privacy controls.
These are just the hardware and software vulnerabilities. In the rest of the report, the researchers detailed the specific vulnerabilities for each platform.
Apple-Specific Weaknesses
One of iPhone’s best features is that it allows users to securely store data to iCloud. According to the researchers of this report, that isn’t all the data Apple takes possession of. When initiated, iCloud takes control of a lot of other data that is sent to Apple, where it is accessible by all different types of entities, hackers and law enforcement included.
This problem is exacerbated as the defenses put forth by Apple are less effective than initially thought. Analysis of this relationship led researchers to suppose that a tool that has been around since 2018 allows attackers to bypass integrated protections to guess user passcodes.
Android-Specific Weaknesses
On the other hand, researchers found Android had some serious issues with its local data protection. An example of this can be found in Android’s lack of an equivalent to Apple’s Complete Protection encryption, which leaves Android more open to breach. This is why the FBI can effectively access data from either platform without help from developers.
So What’s the End Result?
Ultimately, both mobile OSs are much more open to data breaches than either manufacturer is willing to admit. It’s never a good practice to assume your data is safe; especially with the default data protection developers have in place. It just goes to show that there is no such thing as impenetrable security, and it is on the users (or the organization) to actively accept these results and do what they need to do to secure their data more effectively.
To do this, you will need to manage these devices with a mobile device management platform and have your employees sign onto a Bring Your Own Device policy. This way your organization is covered in ways that individual devices and mobile platforms simply can’t.
If you would like more information about Bring Your Own Device, mobile device management, or any other platform that helps keep your organization’s data secure, give the IT experts at Lantek a call at (610) 683-6883.