Many iOS Encryption Measures 'Unused,' Say Cryptographers

iOS does not utilize built-in encryption measures as much as it could do, allowing for potentially unnecessary security vulnerabilities, according to cryptographers at Johns Hopkins University (via Wired).

iPhone 12 Security Feature

Using publicly available documentation from Apple and Google, law enforcement reports about bypassing mobile security features, and their own analysis, the cryptographers assessed the robustness of iOS and Android encryption. The research found that while encryption infrastructure on iOS "sounds really good," it is largely left unused:

"On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good," said Maximilian Zinkus, lead iOS researcher. "But I was definitely surprised to see then how much of it is unused."

When an iPhone boots up, all stored data is in a state of "Complete Protection," and the user must unlock the device before anything can be decrypted. While this is extremely secure, the researchers highlighted that once the device has been unlocked for the first time after a reboot, a large amount of data moves into a state Apple calls "Protected Until First User Authentication."

Since devices are rarely restarted, most data is in a state of "Protected Until First User Authentication" rather than "Complete Protection" most of the time. The advantage of this less secure state is that decryption keys are stored in quick access memory, where they can be swiftly accessed by applications.

In theory, an attacker could find and exploit certain types of security vulnerabilities in iOS to obtain encryption keys in the quick access memory, enabling them to decrypt large amounts of data from the device. It is believed that this is how many smartphone access tools work, such as those from the forensic access company Grayshift.

While it is true that attackers require a specific operating system vulnerability to access the keys, and both Apple and Google patch many of these flaws as they are noticed, it may be avoidable by hiding encryption keys more deeply.

"It just really shocked me, because I came into this project thinking that these phones are really protecting user data well," says Johns Hopkins cryptographer Matthew Green. "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

The researchers also shared their findings and a number of technical recommendations with Apple directly. A spokesperson for Apple offered a public statement in response:

"Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users' data. As customers continue to increase the amount of sensitive information they store on their devices, we will continue to develop additional protections in both hardware and software to protect their data."

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. They also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. Apple also emphasized that its objective with iOS is to balance security and convenience.

Related Forum: iOS 14

Top Rated Comments

Joseph C Avatar
27 months ago
The biggest problem for me is that Apple planned to make iCloud backups end to end encrypted but this was thwarted.

Thus really even on Apple devices we have little privacy if we use iCloud.
Score: 28 Votes (Like | Disagree)
aid Avatar
27 months ago

I wouldn't mind sacrificing some speed when logging in/opening applications to have my phone in a state of "complete protection" when ever I lock it. I do however have no idea what impact this will have for calls, text and other notifications. But we are at a place where the iPhone is fast enough that added security shouldn't be noticed to much on new models
The problem is that enforcing the "complete protection" at all times would result in you having to enter your password every time you use your phone. Nor would the phone be able to perform background operations whilst it was locked - such as check email, accept incoming notifications etc. The impact is not about a couple millisecond delay as users start using the phone - but real changes to the user experience.

All of security it a balance between privacy and convenience; I think Apple's balance in iOS is pretty good - and appropriate for something like 99.5% of the users out there.
Score: 17 Votes (Like | Disagree)
velocityg4 Avatar
27 months ago
It would be nice if they had a USB off option. I know there is USB Restricted Mode. But that still gives an hour where the USB port may be attacked (plus loopholes to reset the timer). When we should have the option to disable all data connections to the USB port entirely. Whether or not the phone is unlocked. Only allowing charging. Heck with wireless charging now. Users should have the option to totally disable the port.


So, TL;DR, it seems that I should restart my phone every day.
Doesn't really help. As soon as you use it the vulnerability returns. You'd have to turn it off whenever you aren't using it.
Score: 12 Votes (Like | Disagree)
AngerDanger Avatar
27 months ago

Then what was the slogan all about “what’s on iPhone stays on iPhone” ? Or something like that lol
My guess is that the original was more accurate but less eloquent.



Attachment Image
Score: 11 Votes (Like | Disagree)
dvanwinkle Avatar
27 months ago

So, TL;DR, it seems that I should restart my phone every day.
You don't have to restart your phone. Hitting the power button 5 times in a row forces the phone into the Complete Protection mode as well.
Score: 7 Votes (Like | Disagree)
lkrupp Avatar
27 months ago
The last paragraph is the most important.

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. T[I]hey also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. [/I]Apple also emphasized that its objective with iOS is to balance security and convenience.

So all you worrywarts out there thinking Apple security is crap need to take chill pill and relax. If you had 100% security you wouldn’t be able to use your device.
Score: 7 Votes (Like | Disagree)

Popular Stories

iPhone trade in

Apple Adjusts Trade-In Values for iPhones, Macs, and More

Wednesday January 25, 2023 9:40 am PST by
After announcing new Mac and HomePod models last week, Apple adjusted its trade-in values for select devices in the United States. iPhone trade-in values decreased by up to $80, and most Android smartphones also went down. Mac trade-in values remained unchanged or increased by up to $40 depending on the model, while some Apple Watch models increased in value and others decreased. Trade-in...
iPhone 14 Pro Purple Side Perspective Feature Purple

iPhone 15 Pro Expected Later This Year With These 7 Exclusive Features

Tuesday January 24, 2023 4:53 pm PST by
Apple's next-generation iPhone 15 Pro and iPhone 15 Pro Max are expected to be announced in September as usual. Already, rumors suggest the devices will have at least seven exclusive features not available on the standard iPhone 15 and iPhone 15 Plus. An overview of the seven features rumored to be exclusive to iPhone 15 Pro models:A17 chip: iPhone 15 Pro models will be equipped with an A17...
Mac mini M2 2023

New 256GB Mac Mini and 512GB MacBook Pro Have Slower SSD Speeds Than Previous Models

Tuesday January 24, 2023 1:11 pm PST by
While the new Mac mini with the M2 chip has a lower $599 starting price, the base model with 256GB of storage has slower SSD read and write speeds compared to the previous-generation model with the M1 chip and 256GB of storage. A teardown of the new Mac mini shared by YouTube channel Brandon Geekabit reveals that the 256GB model is equipped with only a single 256GB storage chip, while the...
apple tv 4k red image

Apple Releases tvOS 16.3

Tuesday January 24, 2023 10:10 am PST by
Apple today released tvOS 16.3, the third major point update to the tvOS 16 operating system that originally came out in September. Available for the Apple TV 4K and Apple TV HD, tvOS 16.3 comes six weeks after tvOS 16.2, an update that added Apple Music Sing. The tvOS 16.3 update can be downloaded over the air through the Settings app on the ‌‌‌‌Apple TV‌‌‌‌ by going to System > Software...
watchOS 9 Feature

Apple Releases watchOS 9.3 With New Watch Face, Bug Fixes

Monday January 23, 2023 10:06 am PST by
Apple today released watchOS 9.3, the third major update to the watchOS 9 operating system that first launched in September. watchOS 9.3 comes over a month after watchOS 9.2, an update that added new Workout functionality and Crash Detection optimizations. watchOS 9.3 can be downloaded for free through the Apple Watch app on the iPhone by opening it up and going to General > Software Update. ...
iOS 16

iOS 16.3 for iPhone Launching Next Week With These 4 New Features

Friday January 20, 2023 11:43 am PST by
In a recent press release, Apple confirmed that iOS 16.3 will be released to the public next week. The software update will be available for the iPhone 8 and newer and includes a handful of new features, changes, and bug fixes. Below, we've recapped bigger features in iOS 16.3, including support for physical security keys as a two-factor authentication option for Apple ID accounts, worldwide ...
maxresdefault

Hands-On With the New M2 Pro Mac Mini

Tuesday January 24, 2023 1:45 pm PST by
The new M2-series MacBook Pro and Mac mini models launched today, marking the debut of the first M2 Pro and M2 Max chips. We have the M2 Pro Mac mini on hand, and thought we'd take a look at the machine and do a series of benchmarks to see how it fits into Apple's lineup. Subscribe to the MacRumors YouTube channel for more videos. Base model Mac mini machines come with either an M2 or M2 Pro...
Ventura Macs Feature Blue

Apple Releases macOS Ventura 13.2

Monday January 23, 2023 10:09 am PST by
Apple today released macOS Ventura 13.2, the second major update to the macOS Ventura operating system initially released in October. macOS Ventura 13.2 comes more than a month after macOS Ventura 13.1, an update that added the Freeform app and other changes. The ‌macOS Ventura‌ 13.2 update can be downloaded for free on all eligible Macs using the Software Update section of System...