iOS is Not as Secure as You Might Think, Reveals Study

BY Sanuj Bhatia

Published 14 Jan 2021

ios encryption vulnerability

A professor at Johns Hopkins University has revealed that iOS isn’t as secure as Apple markets it. The professor has revealed that Apple doesn’t utilize all the built-in encryption methods as much as it could do.

The same study was published by the professors a while ago, revealing more about iOS encryption, and how iOS security works last month. Now, the professors have published a scientific paper, revealing more tidbits of information.

Cryptographers deep studied publicly available documentation from Apple and Google, to study more about the encryption available on Android and iOS. Researchers say they have studied over documents from the past decade.

“It just really shocked me, because I came into this project thinking that these phones are really protecting user data well”

Researchers revealed that when any iPhone boots up “Complete Protection,” and the user must put in the passcode before any data on the iPhone is decrypted. This is the reason why the phone number shows up when you get a call just after booting up your iPhone. This is the most secure state of the phone and no one can extract any kind of data from an iPhone in this state, researchers say.

After the first unlock, the phone states change to “Protected Until First User Authentication.” Since you rarely reboot your phone, the phone stays in this state, rather than the “Complete Protection.” After you unlock the device for the first time, a set of decryption keys are stored in quick access memory. These keys stay on the phone, even when the phone’s locked.

At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone.

Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?”

Though the iPhone’s security is a bit compromised in the After First Unlock (AFU) state, it’s acceptable since decrypting data every time you unlock the phone will only slow it down.

Apple does offer some security over Android though. It allows developers to keep some data under the “Complete Protection” state. For e.g., banking apps utilize these methods so that even if your phone is stolen, the thief won’t be able to decrypt data and get access of your personal information.

Apple says it continuously updates privacy and security layers on iOS.

“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users’ data. As customers continue to increase the amount of sensitive information they store on their devices, we will continue to develop additional protections in both hardware and software to protect their data.”

Our Take

With Apple taking so much pride with its ‘Privacy’, seeing so many vulnerabilities left is pretty shocking. But it’s understandable since by keeping every data in the locked state, the phone will become slow since it will have to decrypt data every time. From what I understand, Apple’s way of dealing with encryption and security is one of the best, and there’s no need to panic.

What are your thoughts on this story? Do you care about the encryption and privacy of your phone? Do leave a comment let us know your thoughts!

[Via Wired]