Many iOS Encryption Measures 'Unused,' Say Cryptographers

by

iOS does not utilize built-in encryption measures as much as it could do, allowing for potentially unnecessary security vulnerabilities, according to cryptographers at Johns Hopkins University (via Wired).

iPhone 12 Security Feature

Using publicly available documentation from Apple and Google, law enforcement reports about bypassing mobile security features, and their own analysis, the cryptographers assessed the robustness of iOS and Android encryption. The research found that while encryption infrastructure on iOS "sounds really good," it is largely left unused:

"On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good," said Maximilian Zinkus, lead iOS researcher. "But I was definitely surprised to see then how much of it is unused."

When an iPhone boots up, all stored data is in a state of "Complete Protection," and the user must unlock the device before anything can be decrypted. While this is extremely secure, the researchers highlighted that once the device has been unlocked for the first time after a reboot, a large amount of data moves into a state Apple calls "Protected Until First User Authentication."

Since devices are rarely restarted, most data is in a state of "Protected Until First User Authentication" rather than "Complete Protection" most of the time. The advantage of this less secure state is that decryption keys are stored in quick access memory, where they can be swiftly accessed by applications.

In theory, an attacker could find and exploit certain types of security vulnerabilities in iOS to obtain encryption keys in the quick access memory, enabling them to decrypt large amounts of data from the device. It is believed that this is how many smartphone access tools work, such as those from the forensic access company Grayshift.

While it is true that attackers require a specific operating system vulnerability to access the keys, and both Apple and Google patch many of these flaws as they are noticed, it may be avoidable by hiding encryption keys more deeply.

"It just really shocked me, because I came into this project thinking that these phones are really protecting user data well," says Johns Hopkins cryptographer Matthew Green. "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

The researchers also shared their findings and a number of technical recommendations with Apple directly. A spokesperson for Apple offered a public statement in response:

"Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users' data. As customers continue to increase the amount of sensitive information they store on their devices, we will continue to develop additional protections in both hardware and software to protect their data."

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. They also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. Apple also emphasized that its objective with iOS is to balance security and convenience.

Tag: Security
Related Forum: iOS 14

Popular Stories

iOS 26

15 New Things Your iPhone Can Do in iOS 26.2

Friday December 5, 2025 9:40 am PST by
Apple is about to release iOS 26.2, the second major point update for iPhones since iOS 26 was rolled out in September, and there are at least 15 notable changes and improvements worth checking out. We've rounded them up below. Apple is expected to roll out iOS 26.2 to compatible devices sometime between December 8 and December 16. When the update drops, you can check Apple's servers for the ...
Read Full Article51 comments
Intel Inside iPhone Feature

Apple's Return to Intel Rumored to Extend to iPhone

Friday December 5, 2025 10:08 am PST by
Intel is expected to begin supplying some Mac and iPad chips in a few years, and the latest rumor claims the partnership might extend to the iPhone. In a research note with investment firm GF Securities this week, obtained by MacRumors, analyst Jeff Pu said he and his colleagues "now expect" Intel to reach a supply deal with Apple for at least some non-pro iPhone chips starting in 2028....
Read Full Article152 comments
iPhone 14 Pro Dynamic Island

iPhone 18 Pro Leak Adds New Evidence for Under-Display Face ID

Monday December 8, 2025 4:54 am PST by
Apple is actively testing under-screen Face ID for next year's iPhone 18 Pro models using a special "spliced micro-transparent glass" window built into the display, claims a Chinese leaker. According to "Smart Pikachu," a Weibo account that has previously shared accurate supply-chain details on Chinese Android hardware, Apple is testing the special glass as a way to let the TrueDepth...
Read Full Article74 comments
iOS 26

Apple Seeds Second iOS 26.2 Release Candidate to Developers and Public Beta Testers

Monday December 8, 2025 10:18 am PST by
Apple today seeded the second release candidate version of iOS 26.2 to developers and public beta testers, with the software coming one week after Apple seeded the first RC. The release candidate represents the final version iOS 26.2 that will be provided to the public if no further bugs are found. Registered developers and public beta testers can download the betas from the Settings app on...
Read Full Article51 comments
iPhone 17 Pro Cosmic Orange

10 Reasons to Wait for Next Year's iPhone 18 Pro

Monday December 1, 2025 2:40 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article107 comments
Johny Srouji

Apple's Chipmaking Chief Johny Srouji Responds to Report About Him Potentially Leaving

Monday December 8, 2025 9:23 am PST by
Apple's chipmaking chief Johny Srouji has reportedly indicated that he plans to continue working for the company for the foreseeable future. "I love my team, and I love my job at Apple, and I don't plan on leaving anytime soon," said Srouji, in a memo obtained by Bloomberg's Mark Gurman. Here is Srouji's full memo, as shared by Bloomberg:I know you've been reading all kind of rumors and...
Read Full Article89 comments
Johny Srouji

Apple Chip Chief Johny Srouji Could Be Next to Go as Exodus Continues

Sunday December 7, 2025 10:41 am PST by
Apple's senior vice president of hardware technologies Johny Srouji could be the next leading executive to leave the company amid an alarming exodus of leading employees, Bloomberg's Mark Gurman reports. Srouji apparently recently told CEO Tim Cook that he is "seriously considering leaving" in the near future. He intends to join another company if he departs. Srouji leads Apple's chip design ...
Read Full Article382 comments
top stories 2025 12 04a

Top Stories: iOS 26.2 Coming Soon, Apple Execs Depart, and More

Saturday December 6, 2025 6:00 am PST by
You'd expect things to be starting to wind down for the holidays by now, but that doesn't seem to be the case yet in the world of Apple news, with Apple just about ready to release iOS 26.2 and other operating system updates to the public. There was also a flurry of news this week about Apple executive departures, some expected and some not so expected, while we also learned that Apple and...
Read Full Article8 comments
Apple Fitness Plus expansion hero

Apple Fitness+ Coming to 28 New Regions With Digital Voice Dubbing

Monday December 8, 2025 6:19 am PST by
Apple today announced that Fitness+ is expanding to 28 new markets on December 15 in the service's largest international rollout since launch, accompanied by new language dubbing and a K-Pop music genre. Apple Fitness+ will become available in Chile, Hong Kong, India, the Netherlands, Singapore, Taiwan, and additional regions on December 15, with Japan scheduled to follow early next year....
Read Full Article47 comments
google pixel 10

Switching Between iPhone and Android Will Get Easier With New Apple and Google Collaboration

Monday December 8, 2025 11:10 am PST by
Apple and Google are teaming up to make it easier for users to switch between iPhone and Android smartphones, according to 9to5Google. There is a new Android Canary build available today that simplifies data transfer between two smartphones, and Apple is going to implement the functionality in an upcoming iOS 26 beta. Apple already has a Move to iOS app for transferring data from an Android...
Read Full Article69 comments

Top Rated Comments

Joseph C Avatar
Joseph C
64 months ago
The biggest problem for me is that Apple planned to make iCloud backups end to end encrypted but this was thwarted.

Thus really even on Apple devices we have little privacy if we use iCloud.
Score: 28 Votes (Like | Disagree)
aid Avatar
aid
64 months ago

I wouldn't mind sacrificing some speed when logging in/opening applications to have my phone in a state of "complete protection" when ever I lock it. I do however have no idea what impact this will have for calls, text and other notifications. But we are at a place where the iPhone is fast enough that added security shouldn't be noticed to much on new models
The problem is that enforcing the "complete protection" at all times would result in you having to enter your password every time you use your phone. Nor would the phone be able to perform background operations whilst it was locked - such as check email, accept incoming notifications etc. The impact is not about a couple millisecond delay as users start using the phone - but real changes to the user experience.

All of security it a balance between privacy and convenience; I think Apple's balance in iOS is pretty good - and appropriate for something like 99.5% of the users out there.
Score: 17 Votes (Like | Disagree)
velocityg4 Avatar
velocityg4
64 months ago
It would be nice if they had a USB off option. I know there is USB Restricted Mode. But that still gives an hour where the USB port may be attacked (plus loopholes to reset the timer). When we should have the option to disable all data connections to the USB port entirely. Whether or not the phone is unlocked. Only allowing charging. Heck with wireless charging now. Users should have the option to totally disable the port.


So, TL;DR, it seems that I should restart my phone every day.
Doesn't really help. As soon as you use it the vulnerability returns. You'd have to turn it off whenever you aren't using it.
Score: 12 Votes (Like | Disagree)
AngerDanger Avatar
AngerDanger
64 months ago

Then what was the slogan all about “what’s on iPhone stays on iPhone” ? Or something like that lol
My guess is that the original was more accurate but less eloquent.



Attachment Image
Score: 11 Votes (Like | Disagree)
dvanwinkle Avatar
dvanwinkle
64 months ago

So, TL;DR, it seems that I should restart my phone every day.
You don't have to restart your phone. Hitting the power button 5 times in a row forces the phone into the Complete Protection mode as well.
Score: 7 Votes (Like | Disagree)
lkrupp Avatar
lkrupp
64 months ago
The last paragraph is the most important.

The spokesperson also told Wired that Apple's security work is primarily focused on protecting users from hackers, thieves, and criminals looking to steal personal information. T[I]hey also noted that the types of attacks the researchers highlighted are very costly to develop, require physical access to the target device, and only work until Apple releases a patch. [/I]Apple also emphasized that its objective with iOS is to balance security and convenience.

So all you worrywarts out there thinking Apple security is crap need to take chill pill and relax. If you had 100% security you wouldn’t be able to use your device.
Score: 7 Votes (Like | Disagree)
Read All Comments