Researchers answer basic questions about mobile device security
'What kind of security measures for mobile devices effectively prevent unauthorized access to user data?' 'What kind of unauthorized access is received by modern mobile devices?' 'To prevent unauthorized access, mobile A research team at Johns Hopkins University has scrutinized iOS and Android to answer the basic question about mobile device security, 'What are the improvements in devices?'
Data Security on Mobile Devices
Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed Solutions
◆ iOS case
According to the research team, iOS has strong encryption and strict security and privacy control, but the coverage was insufficient due to insufficient use of tools. ..
Specifically, it has been pointed out that 'the benefits of encryption are limited on terminals that are turned on.' This is because the surprising amount of sensitive data held by the pre-built application is protected by a protection class that is 'available after the first unlock'. This protection class does not remove the decryption key from memory when the device is locked, so it extracts sensitive data from Apple's built-in app from the device that is 'locked but powered on'. Is possible.
One of the weaknesses is backup and services using the cloud. The large amount of user data sent to Apple's servers when using iCloud can be remotely accessed by an attacker who has unauthorized access to your iCloud account or by a law enforcement agency with a subpoena. 'Surprisingly, we also found iCloud features that increase the vulnerability of the system,' the research team said.
Regarding the cloud, the research team also points out the limitations
Another problem is that there is a vulnerability in Secure Enclave , which is supposed to be a 'secure coprocessor with hardware-based key management'. It has been pointed out that this vulnerability cannot be fixed by a patch.
An irreparable patch is found in the 'Secure Enclave' chip that secures Apple devices --GIGAZINE
◆ Android case
For Android devices, the flagship model has fairly strong protection, but the connection between Google and the device maker is weak, OS updates are slow to be reflected, and it is considered in the software architecture. There are many points to be done, and security and privacy controls are incoherent and fragmented.
The same goes for Android devices, as pointed out in iOS that 'the benefits of encryption are limited on devices that are turned on.' Android encryption is less protected than iOS, and the decryption key is always retained after the 'first unlock', making user data more accessible to law enforcement agencies.
Android has end-to-end encrypted backup capabilities based on physical hardware in Google's data centers. However, the app developer must opt in to do an end-to-end encrypted backup.
Another weakness of Android is that it is composed of systems developed by various companies and organizations, and since the development of components is not centralized, adjustments are required to integrate the security of the entire Android, but such efforts Has been pointed out as missing or nonexistent.
It also mentions that end-to-end encryption is limited. By default, only third-party messaging apps have end-to-end encryption, and many native Android apps do not offer end-to-end encryption.
In addition, Android is tightly integrated with Google services such as Google Drive and Gmail, and users send a lot of data to Google to use the service, but as mentioned above, end-to-end encryption. Because of the lack of thoroughness, knowledgeable attackers and law enforcement agencies with summoning authority are in a position to steal information.
According to the research team, increasing data synchronization with the cloud for both iOS and Android is a factor that deteriorates security.
Related Posts: