Android security is far behind Apple: Cryptography professor
While Android uses full-disk encryption, Apple uses file-based encryption that protects each file individually under its own key.
Security is one of the most discussed topics among smartphone users, and the comparison of Android and iOS on that front is the industry's most contentious one, with fans in heated argument over which operating system better protects them against attackers.
According to Matthew Green, cryptographer and professor at Johns Hopkins University, Android adopted the same encryption design as PCs: full-disk encryption. That design suits a machine that is regularly shut down, but a smartphone is rarely powered off, so the disk encryption key stays in RAM almost all of the time, even while the screen is locked.
“Since phone batteries live for a day or more (a long time compared to laptops) encryption doesn’t really offer much to protect you against an attacker who gets their hands on your phone during this time,” explains Green.
Apple takes a different approach that offers much better protection. Starting with iOS 4, the company shipped a 'data protection' feature that encrypts the data stored on the phone file by file.
Where Android encrypts the whole disk under one key, Apple's scheme encrypts each file individually under its own per-file key, and that per-file key is in turn wrapped by a class key. Apple exposes this through an API (the NSFileProtectionKey file attribute) that lets a developer specify which protection class, and therefore which class key, protects any given file.
iOS offers several protection classes: complete protection, protected until first user authentication, and no protection. A fourth class, protected unless open, exists for apps that need to create new encrypted files while the device is locked and the class key has already been evicted from RAM.
That fourth class is what makes it safe to take pictures while the phone is locked: Apple's team built it on public-key encryption, so a new file can be encrypted to the class's public key at any time, while the matching private key needed to read the file back is only available once the user unlocks the device.
Google is planning a similar system for Android 7.0 Nougat, which has not yet been released. The new Android OS comes with two protection classes: credential encrypted storage and device encrypted storage.
These two classes are part of a newly designed feature called Direct Boot, which lets the device access some data before the user enters the passcode. That still leaves Android without two of the protection classes iOS offers, which makes data on a locked, powered-on phone more exposed to an attacker.
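To make the difference between these protection classes concrete, here is an added example written for this article; it is not code from Apple, Google or Matthew Green. It models per-file keys wrapped by class keys and walks the scenario the article describes: files are written while the phone is unlocked, the phone is then lost while locked but powered on, and finally it is rebooted. Everything in it is a stand-in and an assumption: an HMAC-SHA256 counter-mode keystream replaces AES, finite-field Diffie-Hellman over the RFC 2409 1024-bit group replaces the elliptic-curve agreement a real device uses, the "passcode secret" is a random value rather than something derived from a passcode and hardware key, and Android's credential encrypted storage is modelled as behaving like "until first user authentication" and device encrypted storage like "no protection", which is the reading consistent with Green's point that keys stay in RAM while the phone is locked.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP); finite-field DH stands in for elliptic curves here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

# Protection classes. Model assumption: Android N's CE storage behaves like iOS
# "until first user authentication" and DE like "no protection".
COMPLETE, FIRST_AUTH, NONE, UNLESS_OPEN = "complete", "first_auth", "none", "unless_open"
ANDROID_CE, ANDROID_DE = FIRST_AUTH, NONE
CLASSES = (COMPLETE, FIRST_AUTH, NONE, UNLESS_OPEN)


def kdf(secret: bytes, label: bytes) -> bytes:
    return hmac.new(secret, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter mode) standing in for AES; not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Device:
    def __init__(self):
        # Stand-in for the secret a real phone derives from passcode plus hardware key.
        self._passcode_secret = secrets.token_bytes(32)
        self._unless_open_priv = int.from_bytes(kdf(self._passcode_secret, b"uo"), "big") % (P - 2) + 1
        self.unless_open_pub = pow(G, self._unless_open_priv, P)  # stored on disk in the clear
        self.ram = {}    # class keys currently resident in memory
        self.files = {}  # name -> (class, wrapped file key, ephemeral pub, ciphertext)

    def boot(self):
        # Powered on, passcode not yet entered: only the no-protection key exists.
        self.ram = {NONE: kdf(b"hardware-key-only", b"none")}

    def unlock(self):
        self.ram[FIRST_AUTH] = kdf(self._passcode_secret, b"first-auth")
        self.ram[COMPLETE] = kdf(self._passcode_secret, b"complete")
        self.ram[UNLESS_OPEN] = self._unless_open_priv

    def lock(self):
        # Only these two classes lose their keys on screen lock; the rest stay until power-off.
        self.ram.pop(COMPLETE, None)
        self.ram.pop(UNLESS_OPEN, None)

    def write(self, name: str, data: bytes, cls: str):
        file_key = secrets.token_bytes(32)
        if cls == UNLESS_OPEN:
            # Ephemeral DH against the class public key: writable while locked, readable only
            # once the class private key is back in RAM.
            eph = secrets.randbelow(P - 2) + 1
            eph_pub = pow(G, eph, P)
            wrap_key = kdf(pow(self.unless_open_pub, eph, P).to_bytes(128, "big"), b"wrap")
        elif cls in self.ram:
            eph_pub, wrap_key = None, self.ram[cls]
        else:
            raise PermissionError(f"class key {cls} not resident; cannot write")
        self.files[name] = (cls, keystream_xor(wrap_key, file_key), eph_pub, keystream_xor(file_key, data))

    def read(self, name: str) -> bytes:
        cls, wrapped, eph_pub, ciphertext = self.files[name]
        if cls not in self.ram:
            raise PermissionError(f"class key {cls} not resident; cannot read")
        wrap_key = (kdf(pow(eph_pub, self.ram[cls], P).to_bytes(128, "big"), b"wrap")
                    if cls == UNLESS_OPEN else self.ram[cls])
        return keystream_xor(keystream_xor(wrap_key, wrapped), ciphertext)


def can(op) -> bool:
    try:
        op()
        return True
    except PermissionError:
        return False


def scenario() -> dict:
    """Write files while unlocked, lose the locked-but-powered phone, then reboot it."""
    dev = Device()
    dev.boot()
    dev.unlock()
    for c in CLASSES:
        dev.write(f"note.{c}", b"secret note", c)
    dev.lock()  # the phone is now in an attacker's hands, still powered on
    result = {
        "readable_when_locked": {c: can(lambda: dev.read(f"note.{c}")) for c in CLASSES},
        "writable_when_locked": {c: can(lambda: dev.write(f"photo.{c}", b"jpeg", c)) for c in CLASSES},
    }
    dev.unlock()  # the owner unlocks: a photo taken while locked becomes readable
    result["photo_after_unlock"] = dev.read(f"photo.{UNLESS_OPEN}")
    dev.boot()  # power cycle: every key reached through the passcode is gone
    result["readable_before_first_unlock"] = {c: can(lambda: dev.read(f"note.{c}")) for c in CLASSES}
    return result


if __name__ == "__main__":
    print(scenario())
```

The row to look at is readable_when_locked: only the complete and unless-open classes refuse to decrypt, because their keys were dropped from RAM at lock time, while files in the first-authentication and no-protection classes stay readable on a locked phone. Under the model's assumption that Android's credential encrypted storage corresponds to the first-authentication class, that is the exposure Green is describing, and only the reboot (readable_before_first_unlock) closes it. The unless-open row also shows why the camera can keep writing while locked: the write needs only the class public key, and the photo becomes readable once the private key returns at unlock.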
Green says the problem lies not in the cryptography but in the fact that "Google is not giving developers proper guidance; the company may be locking Android into years of insecurity."