Data Security on Mobile Devices

By Maximilian Zinkus, Tushar Jois, and Matthew Green, of Johns Hopkins University

Read the full report or the PDF version with full citations

Motivated by events ranging from Apple v. FBI in 2016 to the EARN IT Act currently in Congress, and by the general disposition of many governments against end-to-end encryption and user privacy in favor of law enforcement access, we set out to answer three major questions:

  1. Which concrete security measures in mobile devices meaningfully prevent unauthorized access to user data?

  2. In what ways are modern mobile devices accessed by unauthorized parties?

  3. How can we improve modern mobile devices to prevent unauthorized access?

What we found:

Read our key findings for Apple iOS and Google Android

We organized our search to answer these questions by platform, focusing on Apple iOS and Google Android, as they represent the bulk of the market share of the most advanced devices. For each platform, we provide an overview of security features (including their histories), followed by deep dives into techniques to bypass these controls, analyzing technical measures and forensic software. We conclude each section with improvements and research directions based on our analysis.

In iOS we found a powerful and compelling set of security and privacy controls, backed and empowered by strong encryption, and yet a critical lack of coverage: these tools are under-utilized, leading to serious privacy and security concerns.

In Android we found strong protections emerging in the very latest flagship devices, but simultaneously fragmented and inconsistent security and privacy controls, not least due to disconnects between Google and Android phone manufacturers, the deeply lagging rate of Android updates reaching devices, and various software architectural considerations.

We also found, in both iOS and Android, exacerbating factors due to increased synchronization of data with cloud services.

We analyzed troves of publicly available documents, including over a decade of DHS forensic software tests, published Apple and Google documentation, research papers, news articles, blogs, and hardware tear-downs, to fully understand the technical landscape of mobile devices. Our report serializes and summarizes much of this information, and we archived the documents we read just in case.

Finally, for both iOS and Android we propose concrete improvements which mitigate or entirely address many concerns we raise. We also propose research directions to take these mitigations even further. The central theme of these improvements and proposals is increasing the coverage of user data with strong encryption, which is not a trivial task, for many reasons.

It is our hope that this work stimulates mobile device development and research towards increased security and privacy, promotes understanding as a unique reference of information, and acts as an evidence-based argument for the importance of reliable encryption to privacy, which we believe is both a human right and integral to a functioning democracy.

Changelog

  • 19 Nov 2020: Minor copy edits, added GitHub archive link

  • 18 Nov 2020: Initial upload