Android Security Is Many Years Behind Apple's iOS, Cryptography Professor Claims

Exterminator

Every time someone says something good or bad about Android/iOS security, all hell breaks loose. This is surely one of the most controversial topics in the smartphone industry, one that will probably continue to engage fans in heated discussions over what mobile platform is better protected against hacking.

Matthew Green is a cryptographer and professor at Johns Hopkins University, so you can imagine that he's very passionate when it comes to security, data and privacy protection.

According to him, Android has adopted the same encryption solution as PCs, though the smartphones are not PCs. The main difference between smartphones and PCs is that smartphone users are not encouraged to shut down their devices, so the cryptographic keys remain in RAM almost all the time.

“Since phone batteries live for a day or more (a long time compared to laptops) encryption doesn’t really offer much to protect you against an attacker who gets their hands on your phone during this time,” explains Green.

On the other hand, Apple has found a different approach which is supposed to offer much better protection. Starting with iOS 4, Apple included a “data protection” feature that encrypts all data stored on the device.

So, unlike Android which uses full-disk encryption, Apple uses a file-based encryption system that individually encrypts each file on the device. This was possible once Apple provided an API developers can use to specify which class key to use in encrypting any given file.
Here are the main protection classes that Apple's iOS offers: complete protection, protected until first user authentication, and no protection. There's also a fourth protection for apps that need to create new encrypted files when the class key has been evicted from RAM.

The new class created by Apple uses public key encryption to write new files, which is why it's safe to take pictures even when the device is locked.

Google is trying to introduce a similar security system with the launch of Android 7.0 Nougat, but it's not quite there yet. The new Android OS comes with two protection classes: credential encrypted storage and device encrypted storage.

These two protection classes are part of a new system called Direct Boot, which allows phones to access some data even before the user enters the passcode.

Unfortunately, Android is missing the two “complete protection” security categories which could cause major problems to users.

Matthew Green says that the problem is not in the cryptography, but the fact that “Google is not giving developers proper guidance, the company may be locking Android into years of insecurity.”
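
The idea behind the write-while-locked class described in the article above, as an added example that is not part of the original post or Apple's code: a simplified Python model in which the class private key is evicted at lock, while new files can still be sealed to the class public key with an ephemeral Diffie-Hellman exchange. The `Device` class, the toy group `P`/`G` and the SHA-256 stream cipher are assumptions made for the demo, not real platform primitives.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # toy Diffie-Hellman group for the demo, not a vetted one

def _xor_stream(key, data):
    # SHA-256 in counter mode as a stand-in stream cipher (constructed, demo only)
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def _seal(key, data):
    ct = _xor_stream(key, data)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def _open(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return _xor_stream(key, ct)

def _file_key(shared):
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

class Device:
    def __init__(self, passcode):
        self._salt = secrets.token_bytes(16)
        priv = secrets.randbelow(P - 2) + 1
        self.class_pub = pow(G, priv, P)   # public half: stays in RAM while locked
        self._wrapped = _seal(self._kek(passcode), priv.to_bytes(32, "big"))
        self._class_priv = None            # device starts locked

    def _kek(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def unlock(self, passcode):
        self._class_priv = int.from_bytes(_open(self._kek(passcode), self._wrapped), "big")

    def lock(self):
        self._class_priv = None            # evict the private half from RAM

    def write_file(self, data):
        # Works while locked: only the class public key is needed.
        eph = secrets.randbelow(P - 2) + 1
        return pow(G, eph, P), _seal(_file_key(pow(self.class_pub, eph, P)), data)

    def read_file(self, record):
        if self._class_priv is None:
            raise PermissionError("locked: class private key is not in RAM")
        eph_pub, blob = record
        return _open(_file_key(pow(eph_pub, self._class_priv, P)), blob)
```

A file written on the lock screen stays unreadable until `unlock()` succeeds with the right passcode, which is the property that makes taking pictures on a locked device safe.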
 

MalwareBlockerYT

I am & always have been an Android user and have never had any problems with security. I personally like both iOS & Android although my phone runs Android 7.1.1 - Nexus 5X with the new beta version of Android. In the future I may eventually get an iOS device but both are great operating systems with unique benefits.
 

Vipersd

Whole Android OS is a mess, add bloatware from mobile operators that nobody uses and you get a nightmare of security problems. Lock the OS preferably within ROM chip or something like a read only SD card. If you want upgraded OS swap chip or the card. Independent memory storage via SD card that can be encrypted in several different ways, independent card for apps and phone storage that can be easily purged from apps and current data and temporary files. Coding is a bit heavy and it requires a little bit more processing power and RAM, also fast hardware.
Modular approach is the way to prevent malware or loss of data coupled with faster networks that allow unlimited internet for synching with cloud or your own data storage at home.

It sounds like utopian way to look at things but old saying says don't put all eggs in one basket which is what we have today.
 

jamescv7

I have to admit that iOS's security mechanisms are fully efficient, which results in fewer possible attacks compared to Android, where it's more on standard security only.


Android:*

High Price (not Google smartphones) = Good quality of hardware but poor on software, e.g. old version of Android and security patches

Medium Price = mediocre hardware performance, you have latest possible Android Marshmallow but security patches are old.

* If you want a smartphone whose hardware and software both excel, then purchase a Nexus/Pixel smartphone.

Apple smartphones

High price = you get all the possible security and quality features, depending on the model you have. Also a good thing is that updates are supported for 4 years.
 

Entreri

Apple is your choice for secure and smooth OS.

I can't stand Samsung's bloatware, that is why I got stock Android via Google Nexus, but soon will be switching to an Apple smartphone.
 
