Many iOS Encryption Measures 'Unused,' Say Cryptographers

iOS does not utilize built-in encryption measures as much as it could do, allowing for potentially unnecessary security vulnerabilities, according to cryptographers at Johns Hopkins University (via Wired).

iPhone 12 Security Feature

Using publicly available documentation from Apple and Google, law enforcement reports about bypassing mobile security features, and their own analysis, the cryptographers assessed the robustness of iOS and Android encryption. The research found that while encryption infrastructure on iOS "sounds really good," it is largely left unused:

"On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good," said Maximilian Zinkus, lead iOS researcher. "But I was definitely surprised to see then how much of it is unused."

When an iPhone boots up, all stored data is in a state of "Complete Protection," and the user must unlock the device before anything can be decrypted. While this is extremely secure, the researchers highlighted that once the device has been unlocked for the first time after a reboot, a large amount of data moves into a state Apple calls "Protected Until First User Authentication."

Since devices are rarely restarted, most data is in a state of "Protected Until First User Authentication" rather than "Complete Protection" most of the time. The advantage of this less secure state is that decryption keys are stored in quick access memory, where they can be swiftly accessed by applications.

In theory, an attacker could find and exploit certain types of security vulnerabilities in iOS to obtain encryption keys in the quick access memory, enabling them to decrypt large amounts of data from the device. It is believed that this is how many smartphone access tools work, such as those from the forensic access company Grayshift.

While it is true that attackers require a specific operating system vulnerability to access the keys, and both Apple and Google patch many of these flaws as they are noticed, it may be avoidable by hiding encryption keys more deeply.

"It just really shocked me, because I came into this project thinking that these phones are really protecting user data well," says Johns Hopkins cryptographer Matthew Green. "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

The researchers also shared their findings and a number of technical recommendations with Apple directly. A spokesperson for Apple offered a public statement in response:

"Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users' data. As customers continue to increase the amount of sensitive information they store on their devices, we will continue to develop additional protections in both hardware and software to protect their data."

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. They also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. Apple also emphasized that its objective with iOS is to balance security and convenience.

Related Forum: iOS 14

Popular Stories

iPhone 17 Air Size Feature

'iPhone 17 Air' With Rear Camera Bar Allegedly Shown in Leaked Photo

Tuesday January 21, 2025 12:46 pm PST by
A leaker known as "Majin Bu" today shared an alleged image of a component for the rumored, ultra-thin "iPhone 17 Air" model. The blurry, pixelated image shows a pair of rear iPhone shells with a pill-shaped, raised camera bar along the top. On the left side of the bar, there is a circular cutout that appears to be for a single rear camera. On the right side of the bar, there appears to be an ...
Generic iOS 19 Feature Mock Light

iOS 19 Leak Reveals All-New Design

Friday January 17, 2025 2:42 pm PST by
iOS 19 is still around six months away from being announced, but a new leak has allegedly revealed a completely redesigned Camera app. Based on footage it obtained, YouTube channel Front Page Tech shared a video showing what the new Camera app will apparently look like, with the key change being translucent menus for camera controls. Overall, the design of these menus looks similar to...
iOS 18

Here Are Apple's Full Release Notes for iOS 18.3

Tuesday January 21, 2025 4:31 pm PST by
Apple provided developers and public beta testers with the release candidate version of iOS 18.3 today, and with it comes release notes confirming what's new. While we knew about several of the features that are in the update, there are some lesser known tweaks and bug fixes. The update adds new Visual Intelligence features for iPhone 16 models, it tweaks Notification summaries on all...
iPhone SE Dynamic Island Majin Bu

iPhone SE 4 Leak Shows Dynamic Island, Casts Doubt on Rumored 'iPhone 16E' Name

Monday January 20, 2025 9:01 am PST by
A new iPhone SE is widely rumored to launch this year, and the device has potentially been confirmed today by known leaker Evan Blass. In a private social media post, Blass shared an image of what appears to be source code mentioning an iPhone SE (4th Gen), which casts doubt on the alternative "iPhone 16E" name rumored for the device. However, the name in the source code could be a...
2024 App Store Awards

Apple Explains Why It Removed TikTok From the App Store in the U.S.

Sunday January 19, 2025 6:58 am PST by
Apple on late Saturday removed TikTok from the App Store in the U.S., and it has now explained why it was required to take this action. Last year, the U.S. passed a law that required Chinese company ByteDance to divest its ownership of TikTok due to potential national security risks, or else the platform would be banned. That law went into effect today, and companies like Apple and Google...
airtag 4 pack blue

AirTag 2 Launching This Year With These 3 New Features

Sunday January 19, 2025 8:11 am PST by
After a four-year wait, a new AirTag is finally expected to launch in 2025. Below, we recap rumored upgrades for the accessory. A few months ago, Bloomberg's Mark Gurman said Apple was aiming to release the AirTag 2 around the middle of 2025. While he did not offer a more specific timeframe, that means the AirTag 2 could be announced by the end of June. The original AirTag was announced...
truecaller

Truecaller iOS Update Rolls Out Real-Time Caller ID Support

Wednesday January 22, 2025 2:07 am PST by
Popular caller ID app Truecaller is rolling out an update that brings real-time caller ID support to its iOS subscribers. Apple introduced Live Caller ID Lookup in iOS 18, allowing third-party caller ID apps to securely retrieve information about a caller from their servers, hence today's Truecaller update. iPhone users can enable the Live Caller ID Lookup feature by going to Settings ➝ ...
ipad pro 2024

New iPad Pro Reportedly Launching This Year

Tuesday January 21, 2025 6:40 am PST by
Apple plans to release at least one new iPad Pro model this year, according to a supplier-focused report today from Korean website The Elec. It is likely that the 11-inch and 13-inch iPad Pro models would be updated simultaneously. After receiving an OLED display last year, the report said the iPad Pro will receive only "minor" changes this year. Overall, the next iPad Pro is expected to...
iOS 19 Roundup Feature

iOS 19 Rumored to Be Compatible With These iPhones

Saturday January 18, 2025 10:28 am PST by
iOS 19 will not drop support for any iPhone models, according to French website iPhoneSoft.fr. The report cited a source who said iOS 19 will be compatible with any iPhone that can run iOS 18, which would mean the following models: iPhone 16 iPhone 16 Plus iPhone 16 Pro iPhone 16 Pro Max iPhone 15 iPhone 15 Plus iPhone 15 Pro iPhone 15 Pro Max iPhone 14 iPhon...

Top Rated Comments

Joseph C Avatar
53 months ago
The biggest problem for me is that Apple planned to make iCloud backups end to end encrypted but this was thwarted.

Thus really even on Apple devices we have little privacy if we use iCloud.
Score: 28 Votes (Like | Disagree)
aid Avatar
53 months ago

I wouldn't mind sacrificing some speed when logging in/opening applications to have my phone in a state of "complete protection" when ever I lock it. I do however have no idea what impact this will have for calls, text and other notifications. But we are at a place where the iPhone is fast enough that added security shouldn't be noticed to much on new models
The problem is that enforcing the "complete protection" at all times would result in you having to enter your password every time you use your phone. Nor would the phone be able to perform background operations whilst it was locked - such as check email, accept incoming notifications etc. The impact is not about a couple millisecond delay as users start using the phone - but real changes to the user experience.

All of security it a balance between privacy and convenience; I think Apple's balance in iOS is pretty good - and appropriate for something like 99.5% of the users out there.
Score: 17 Votes (Like | Disagree)
velocityg4 Avatar
53 months ago
It would be nice if they had a USB off option. I know there is USB Restricted Mode. But that still gives an hour where the USB port may be attacked (plus loopholes to reset the timer). When we should have the option to disable all data connections to the USB port entirely. Whether or not the phone is unlocked. Only allowing charging. Heck with wireless charging now. Users should have the option to totally disable the port.


So, TL;DR, it seems that I should restart my phone every day.
Doesn't really help. As soon as you use it the vulnerability returns. You'd have to turn it off whenever you aren't using it.
Score: 12 Votes (Like | Disagree)
AngerDanger Avatar
53 months ago

Then what was the slogan all about “what’s on iPhone stays on iPhone” ? Or something like that lol
My guess is that the original was more accurate but less eloquent.



Attachment Image
Score: 11 Votes (Like | Disagree)
dvanwinkle Avatar
53 months ago

So, TL;DR, it seems that I should restart my phone every day.
You don't have to restart your phone. Hitting the power button 5 times in a row forces the phone into the Complete Protection mode as well.
Score: 7 Votes (Like | Disagree)
lkrupp Avatar
53 months ago
The last paragraph is the most important.

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. T[I]hey also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. [/I]Apple also emphasized that its objective with iOS is to balance security and convenience.

So all you worrywarts out there thinking Apple security is crap need to take chill pill and relax. If you had 100% security you wouldn’t be able to use your device.
Score: 7 Votes (Like | Disagree)