
The iPhone on trial

By Staff Writer, ITWeb
Johannesburg, 02 Apr 2014
Apple has used high levels of encryption on the iPhone, improving it with each new version of its operating system.

Recent local events have dramatically highlighted security issues among users of the iPhone. There have been reports of high-tech equipment used to recover data and crack phone encryption - as well as to obtain login details of Web sites used to manage the phone - and these have raised concerns that personal data is simply not safe.

So says Dimitri Fousekis, security analyst/team lead, Telspace Systems, who asks: So how much can someone who has your phone and/or the right tools learn about you?

A common question among Apple users is whether the phone manufacturer pre-installs "backdoors" or some kind of "hidden access" into the handset to be used to gather information for law enforcement, says Fousekis.

"To answer that, we need to consider what security the iPhone has, and why it has it," he says.

According to Fousekis, when Apple designed the phone's built-in security (locking, securing data etc), it did so under the premise that the user requires his/her data protected in the event of loss or theft.

He explains that Apple would not operate under the impression that its users would need to hide something from law enforcement, or not have their phone used as evidence in a court of law.

Regardless, he adds, Apple has used high levels of encryption on the iPhone, improving it with each new version of its operating system (iOS).

He also notes that various experts in the industry (such as Charlie Miller) have often reiterated that they do not believe Apple actually keeps your passcode on their servers. Apple states the same thing, he reveals.

"Whether or not this is true, we don't know for sure. But it appears, given the time and effort required by law enforcement officials (even in other countries) to crack encryption on an iPhone, that they are not working with a passcode simply handed to them by Apple."

Fousekis also points out that the fancy tools available to extract data from iPhones rely on well-known exploits, default configurations or other entry points into the phone. Some can try to brute-force passwords on the phone using methods that do not trigger the built-in protection, or that simply cater for such, he states, adding that law enforcement officials also rely on simple user mistakes or inexperience to gain access.

"How many people use their birthday as their iPhone pin? Or use 1234 or 1111 because it's easy to type in?"

Encryption

With regard to data encryption on the iPhone, says Fousekis, keep in mind that not all data is encrypted. Due in part to the access required by certain applications, it can be deduced that some photos, for instance, are not encrypted, he explains.

Chat programs such as WhatsApp can also implement their own encryption - in which case Apple may have no insight into how this data is protected, nor who has the keys used for decryption, Fousekis notes.

Could Touch ID, a fingerprint recognition feature devised by Apple, solve these issues? Fousekis asks. "Probably not. Touch ID adds convenience but not necessarily extra strength in cryptography. Remember you still need to enter a PIN code to enable Touch ID, and therefore it's highly likely the iPhone is still using the PIN code as part of the key generation for encryption - much like iPhones without Touch ID."

According to Fousekis, Apple would not have relied solely on a fingerprint to generate encryption keys because if the print stops working, access to data is lost. "Besides, users can simply enter their PIN to bypass the Touch ID requirement. Keep in mind, this is not a failure on Apple's part since it does not sell Touch ID as an upgrade to your phone's encryption capabilities."

Solution

Should we be worried then? Fousekis asks. "Yes and no. Apple has put a lot of work and research into iOS and the iPhone itself. Compared to other operating systems, iOS also maintains a relatively good stance on security and lack of critical security flaws."

However, he says, there will always be a way around something, and given enough time and resources someone will find vulnerabilities, a flaw or an "undocumented feature".

Switching to Android, BlackBerry OS or Windows will not make you any more secure against law enforcement officials, or highly skilled malicious users, he concludes.
