Faux Disk Encryption: Mobile phone crypto not a magic bullet

And sorry fandroids, iOS provides 'more granular control'


Black Hat Europe Full-disk encryption on mobile devices is nowhere near as secure as commonly believed and Android offers less granular control than iOS, according to security researchers from NCC Group.

Daniel Mayer and Drew Suarez debunked some commonly held but inaccurate beliefs about smartphone crypto as well as presenting a comparison between iOS and Android during a presentation at last week’s Black Hat Europe conference in Amsterdam, The Netherlands.

The talk, Faux Disk Encryption: Realities of Secure Storage on Mobile Devices, laid out a few realities well known in computer forensics, if not in the wider IT community, much less among the general public. In particular, it highlighted some of the risks that arise from lost or stolen devices.

For one thing, full-disk encryption only protects data while a device is powered off: once a smartphone has booted, the disk encryption key is held in memory, so an attacker with physical access to a running phone or tablet can recover its secrets. Although passcode-protected iPhones have robust protections tied into hardware components, it still makes sense to keep sensitive data encrypted until the moment it is actually read. That way an attacker would have to enter the passcode to get at that information, even with a running device in hand.

Suarez explained that the fragmentation of Android creates additional encryption risks over and above those found on iOS devices. A targeted device may not be fully patched. In addition, not all stages of the Android boot process are signed, which makes it possible to backdoor Android firmware and plant it on a device, given physical access. The same risk does not exist on iPhones and iPads, where the boot chain is signed.

The latest version of Android (Marshmallow 6.0) mitigates several of these risks, so arguably the bigger risk is that many mobile application developers fail to take advantage of the security protections built into Android. More than 50 per cent make mistakes in this category, according to Suarez.

This is important because in traditional browser-server applications, data tends to be stored on the server side, where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device, exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens, which are typically longer-lived than those issued to browser applications.

The loss or theft of a device therefore gives an attacker the physical access needed to bypass security controls and reach application data. The research is far from theoretical: Mayer and Suarez told El Reg that lost smartphones are already causing problems for NCC Group's clients.

The talk aimed to help mobile app developers better understand the risks and take steps to secure app data, as well as to debunk common misconceptions about full-disk encryption, which the researchers warned is not sufficient for most attack scenarios. More secure storage methods are available on both platforms and ought to be considered, even though they may incur usability tradeoffs that make them unsuitable in every case.
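As an added example (not NCC Group's code, and not from the talk) of the kind of platform protection the researchers say developers leave unused, the following Android class stores a cached session token, the sort of long-lived credential described above, under an AES-GCM key held in the Android Keystore rather than in a plain file covered only by full-disk encryption. The key is generated on API 23 (Marshmallow, the version the article names) with the user-authentication requirement switched on, so the OS refuses to use it unless the device has been unlocked within the last 30 seconds; that window is the usability tradeoff the article mentions. The key alias, file name and window length are assumptions chosen for the example; the iOS counterpart would be writing the file with the NSFileProtectionComplete data-protection attribute.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example, not NCC Group's code. Keeps an app secret (e.g. a cached
 * session token) under an AES-GCM key that lives in the Android Keystore
 * (API 23+) and that the OS will only use shortly after the user unlocks
 * the device. A file protected only by full-disk encryption is readable on
 * any booted device; here the key never leaves the Keystore and becomes
 * unusable once the authentication window has expired.
 */
public final class TokenVault {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "session_token_key";   // assumed alias
    private static final String FILE = "session_token.bin";    // assumed file name
    private static final int GCM_TAG_BITS = 128;
    private static final int AUTH_WINDOW_SECONDS = 30;         // the usability tradeoff knob

    private TokenVault() {}

    /** Creates the key once; later calls return the existing Keystore entry. */
    private static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // The weak configuration omits the next two lines: the key would then be
                // usable by anything running as this app on any booted device, locked or not.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(AUTH_WINDOW_SECONDS)
                .build());
        return kg.generateKey();
    }

    /** Encrypts and stores the token; the Keystore-chosen random IV is prepended. */
    public static void store(Context ctx, byte[] token) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());   // throws UserNotAuthenticatedException if locked too long
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(token);
        try (FileOutputStream out = ctx.openFileOutput(FILE, Context.MODE_PRIVATE)) {
            out.write(iv.length);
            out.write(iv);
            out.write(ct);
        }
    }

    /**
     * Returns the token. If the device has not been unlocked within
     * AUTH_WINDOW_SECONDS, Cipher.init throws UserNotAuthenticatedException;
     * the caller should then prompt with
     * KeyguardManager.createConfirmDeviceCredentialIntent(...) and retry.
     */
    public static byte[] load(Context ctx) throws GeneralSecurityException, IOException {
        byte[] blob;
        try (FileInputStream in = ctx.openFileInput(FILE)) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
            blob = buf.toByteArray();
        }
        int ivLen = blob[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(blob, 1, 1 + ivLen);
        byte[] ct = Arrays.copyOfRange(blob, 1 + ivLen, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct);   // GCM tag check fails on any tampering with the stored blob
    }
}
```

The point of the example is where the boundary sits: with full-disk encryption alone, the file and the key to read it are both available to anyone holding a booted device, which is exactly the lost-or-stolen scenario the researchers describe. With the Keystore key bound to user authentication, the same attacker also has to supply the passcode within the window, and on devices with hardware-backed key storage the raw key material is never exposed to app memory at all. The cost is that every read outside the window turns into a re-authentication prompt, which is why the article notes that these methods are not suitable in every case.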

A white paper on the research can be found here (pdf). The researchers' 70-page presentation, which digs much deeper into the problem, is here (pdf). A video of an earlier version of the talk, as delivered at Black Hat US, can be found here. ®
