Many iOS Encryption Measures 'Unused,' Say Cryptographers

iOS does not utilize built-in encryption measures as much as it could do, allowing for potentially unnecessary security vulnerabilities, according to cryptographers at Johns Hopkins University (via Wired).

iPhone 12 Security Feature

Using publicly available documentation from Apple and Google, law enforcement reports about bypassing mobile security features, and their own analysis, the cryptographers assessed the robustness of iOS and Android encryption. The research found that while encryption infrastructure on iOS "sounds really good," it is largely left unused:

"On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good," said Maximilian Zinkus, lead iOS researcher. "But I was definitely surprised to see then how much of it is unused."

When an iPhone boots up, all stored data is in a state of "Complete Protection," and the user must unlock the device before anything can be decrypted. While this is extremely secure, the researchers highlighted that once the device has been unlocked for the first time after a reboot, a large amount of data moves into a state Apple calls "Protected Until First User Authentication."

Since devices are rarely restarted, most data is in a state of "Protected Until First User Authentication" rather than "Complete Protection" most of the time. The advantage of this less secure state is that decryption keys are stored in quick access memory, where they can be swiftly accessed by applications.

In theory, an attacker could find and exploit certain types of security vulnerabilities in iOS to obtain encryption keys in the quick access memory, enabling them to decrypt large amounts of data from the device. It is believed that this is how many smartphone access tools work, such as those from the forensic access company Grayshift.

While it is true that attackers require a specific operating system vulnerability to access the keys, and both Apple and Google patch many of these flaws as they are noticed, it may be avoidable by hiding encryption keys more deeply.

"It just really shocked me, because I came into this project thinking that these phones are really protecting user data well," says Johns Hopkins cryptographer Matthew Green. "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

The researchers also shared their findings and a number of technical recommendations with Apple directly. A spokesperson for Apple offered a public statement in response:

"Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users' data. As customers continue to increase the amount of sensitive information they store on their devices, we will continue to develop additional protections in both hardware and software to protect their data."

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. They also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. Apple also emphasized that its objective with iOS is to balance security and convenience.

Related Roundups: iOS 14, iPadOS 14

Top Rated Comments

Joseph C Avatar
12 weeks ago
The biggest problem for me is that Apple planned to make iCloud backups end to end encrypted but this was thwarted.

Thus really even on Apple devices we have little privacy if we use iCloud.
Score: 28 Votes (Like | Disagree)
aid Avatar
12 weeks ago

I wouldn't mind sacrificing some speed when logging in/opening applications to have my phone in a state of "complete protection" when ever I lock it. I do however have no idea what impact this will have for calls, text and other notifications. But we are at a place where the iPhone is fast enough that added security shouldn't be noticed to much on new models
The problem is that enforcing the "complete protection" at all times would result in you having to enter your password every time you use your phone. Nor would the phone be able to perform background operations whilst it was locked - such as check email, accept incoming notifications etc. The impact is not about a couple millisecond delay as users start using the phone - but real changes to the user experience.

All of security it a balance between privacy and convenience; I think Apple's balance in iOS is pretty good - and appropriate for something like 99.5% of the users out there.
Score: 17 Votes (Like | Disagree)
velocityg4 Avatar
12 weeks ago
It would be nice if they had a USB off option. I know there is USB Restricted Mode. But that still gives an hour where the USB port may be attacked (plus loopholes to reset the timer). When we should have the option to disable all data connections to the USB port entirely. Whether or not the phone is unlocked. Only allowing charging. Heck with wireless charging now. Users should have the option to totally disable the port.


So, TL;DR, it seems that I should restart my phone every day.
Doesn't really help. As soon as you use it the vulnerability returns. You'd have to turn it off whenever you aren't using it.
Score: 12 Votes (Like | Disagree)
AngerDanger Avatar
12 weeks ago

Then what was the slogan all about “what’s on iPhone stays on iPhone” ? Or something like that lol
My guess is that the original was more accurate but less eloquent.



Attachment Image
Score: 11 Votes (Like | Disagree)
dvanwinkle Avatar
12 weeks ago

So, TL;DR, it seems that I should restart my phone every day.
You don't have to restart your phone. Hitting the power button 5 times in a row forces the phone into the Complete Protection mode as well.
Score: 7 Votes (Like | Disagree)
lkrupp Avatar
12 weeks ago
The last paragraph is the most important.

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. T[I]hey also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. [/I]Apple also emphasized that its objective with iOS is to balance security and convenience.

So all you worrywarts out there thinking Apple security is crap need to take chill pill and relax. If you had 100% security you wouldn’t be able to use your device.
Score: 7 Votes (Like | Disagree)

Top Stories

samsung experience 1

Samsung's 'iTest' Lets You Try a Galaxy Device on Your iPhone

Thursday April 8, 2021 12:42 pm PDT by
Samsung has launched "iTest," an interactive website experience that's designed to allow iPhone users to test out Android on a Galaxy device, or "sample the other side," as Samsung puts it. Subscribe to the MacRumors YouTube channel for more videos. The iTest website is being advertised in New Zealand, according to a MacRumors reader who came across the feature. Visiting the iTest website on...
sonny 2021 ipad mini pro dummies

Leaked Dummy Units Show iPad Mini 6 With Thick Bezels and Home Button, New iPad Pro Models

Thursday April 8, 2021 2:11 am PDT by
Rumors suggest Apple will release refreshed versions of the iPad mini and iPad Pro models in the first half of this year, potentially as soon as this month, and a new leak today has provided us with a possible preview of what to expect in terms of the devices' overall design and camera prospects. Tech leaker and Apple blogger Sonny Dickson this morning shared images on Twitter showing dummy ...
iMessage Android featured

Apple's Rationale for Not Bringing iMessage to Android Revealed in Legal Documents

Friday April 9, 2021 2:22 am PDT by
It's no secret that Apple sees iMessage as a big enough selling point to keep the service exclusive to Apple devices, however new court filings submitted by Epic Games in its ongoing lawsuit with the company reveal just how Apple executives have rationalized their decision not to develop a version of iMessage for Android. Apple clearly recognizes the power that iMessage has to keep users...
fake airpods 3

Counterfeit 'AirPods 3' Hit the Market Prior to Official Announcement

Friday April 9, 2021 2:45 am PDT by
Apple is expected to launch the third iteration of AirPods in the third quarter of this year. Rumors and reports suggest the new AirPods will feature an updated design more in line with the AirPods Pro, but lacking in "Pro" features such as active noise cancellation. Despite AirPods 3 not yet being officially announced by Apple, counterfeit products of the unreleased earbuds have already hit ...
nba tracking prompt orange

Two-Thirds of iPhone Users Expected to Block Ad Tracking

Friday April 9, 2021 7:19 am PDT by
As many as 68 percent of iPhone users are expected to deny advertisers permission to track them thanks to Apple's App Tracking Transparency feature, in what is beginning to look like a significant blow to the advertising industry (via AdWeek). With the launch of iOS 14.5, apps will have to receive explicit user permission before accessing an iPhone's advertising identifier or IDFA, which is...
iPhone 13 Battery Life Feature

DigiTimes: iPhone 13 Pro Models to Feature 120Hz ProMotion Refresh Rate and 15-20% Less Power Consumption

Friday April 9, 2021 12:52 am PDT by
The two premium "Pro" models of the upcoming iPhone 13 lineup will be equipped with a low-power LTPO display, enabling the iPhones to have a 120Hz refresh rate, according to industry sources cited by Taiwanese publication DigiTimes. According to today's paywalled report, Apple suppliers Samsung and LG Display are in the process of converting parts of their production capacity to produce LTPO ...
ipad pro and macbook pro

iPad and MacBook Production Reportedly Delayed Due to Global Chip Shortage

Thursday April 8, 2021 2:31 am PDT by
Apple is facing a global shortage of certain components for some of its MacBook and iPad models, causing the Cupertino tech giant and its suppliers to postpone production of the products, according to a new report from Nikkei Asia. According to the report, MacBook production is being hindered due to the shortage of chips mounted onto the circuit board before final assembly, which is a key...
ehric

iPhone 12 Mini Missing From Top 5 Best Selling Smartphone List of January 2021

Friday April 9, 2021 4:58 am PDT by
According to market data compiled by Counterpoint Research, Apple's smallest iPhone since the 2016 iPhone SE, the iPhone 12 mini, struggled to obtain a spot in the top five list of best-selling smartphones in January of this year. According to the market data, the iPhone 12 mini came in eighth place for the best-selling smartphone worldwide in the first month of the year. However, the iPhone ...
tmobile 5g modem

T-Mobile Launches Unlimited 5G Home Internet for $60/Month

Wednesday April 7, 2021 2:18 pm PDT by
T-Mobile today hosted an Un-carrier event where the company announced the launch of a a new 5G home internet plan, which is priced at $60 per month and offers unlimited data. The service is available to more than 30 million Americans across much of the United States, including 10 million households in rural areas not typically able to access reliable broadband. Connectivity will be either 4G ...
apple find my network

Apple Announces Find My Network With Support for Third-Party Devices

Wednesday April 7, 2021 10:06 am PDT by
Apple today announced the launch of its Find My network accessory program, which is designed to allow third-party Bluetooth devices to be tracked in the Find My app right alongside your Apple devices. According to Apple, the first accessory companies to take advantage of the new Find My integration include Belkin, Chipolo, and VanMoof, with devices set to be available beginning next week. ...