In the current era, data and mobile security are becoming a pressing concern for vendors as well as consumers. Protection mechanisms implemented by smartphone companies have helped mobile devices become progressively more resistant to physical imaging. Physical imaging, or physical acquisition, is the process of copying a user's data. Through physical imaging, an infiltrator can capture all of the data stored on the device. In this article, we discuss the protection mechanisms of iOS and Android against physical imaging.

  1. Implementation of protection mechanism in iOS
  2. Implementation of protection mechanism in Android
  3. Conclusion

iOS vs Android Data Protection

Implementation of protection mechanism in iOS

Apple Inc. has developed the iOS operating system exclusively for its own hardware devices. One of Apple's devices, the iPhone 4, which was released in 2010, was affected by a bootloader-level vulnerability that could not be patched. As a result, the device could be physically imaged even without a password.

In 2014, with the introduction of iOS 8, Apple implemented an encryption mechanism that encrypts everything on the device with dynamic, passcode-based encryption keys. The keys are protected by the Secure Enclave, an extra layer of security that includes a hardware-based key manager. The Secure Enclave made it impossible to perform a physical dump of the data partition. Physical acquisition was still possible with a jailbreak; however, installing a jailbreak requires the passcode or an unlocked device.

Therefore, a passcode is essential to perform any sort of physical imaging, as the cryptographic key that is required to decrypt the data partition is generated dynamically through the user’s password and keys from Secure Enclave.
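The dependency described above can be shown with a simplified model. This is an added example, not Apple's code or its actual key-derivation scheme: `KeyManager`, the toy HMAC-based cipher and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

class KeyManager:
    """Toy stand-in for a hardware key manager; the device key never leaves it."""

    def __init__(self):
        self._device_key = os.urandom(32)  # constructed per-device secret

    def derive(self, passcode: str, salt: bytes) -> bytes:
        # Stretch the passcode, then entangle it with the device-bound key.
        stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 20_000)
        return hmac.new(self._device_key, stretched, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a toy keystream (a real device would use AES).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, data: bytes) -> bytes:
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key: the image stays opaque
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def demo():
    phone, salt = KeyManager(), os.urandom(16)
    image = seal(phone.derive("493817", salt), b"user data partition")
    on_device = unseal(phone.derive("493817", salt), image)
    wrong_passcode = unseal(phone.derive("000000", salt), image)
    # Raw image, salt and the correct passcode, but a different device key.
    off_device = unseal(KeyManager().derive("493817", salt), image)
    return on_device, wrong_passcode, off_device

if __name__ == "__main__":
    print(demo())
```

Only the combination of the correct passcode and the original device key recovers the data; a copied image paired with the right passcode on other hardware still fails.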

The FBI requested that Apple sign a boot image that could have been used to brute-force passcodes on an iPhone 5c. However, Apple refused to write or sign one, which speaks volumes about its commitment to security and the actions it takes to uphold it.

Implementation of protection mechanism in Android

We will now discuss certain security mechanisms that have been implemented by Android to restrict physical acquisition.

Bootloader lock

A bootloader is a piece of software that manages several storage partitions of the mobile phone. It acts as a security checkpoint to ensure that the software starting up is genuine. A locked bootloader limits what can be installed or booted on the device: it will only load code that has been signed by the device manufacturer. Performing a physical acquisition requires unlocking the bootloader; however, doing so destroys the cryptographic keys that encrypt the data partition and hence wipes the data.

Verified Boot

Verified Boot is the process of assuring the end user of the integrity of the software running on a device. It checks every part of the boot process for integrity. Starting with Android 7.0 Nougat, Google has strictly enforced verified boot on its devices. As a result, it is extremely difficult to root devices running Android 7.0. To root a device, the bootloader has to be unlocked first, which automatically wipes user data. Even if the bootloader lock is bypassed, verified boot continues to check integrity and blocks booting into an image with an untrusted signature.
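The stage-by-stage check can be modelled as a chain in which each stage commits to the next. This is an added example, not Android's implementation: it substitutes SHA-256 digests for manufacturer signatures, and the stage names and contents are constructed.

```python
import hashlib


def image_digest(image: dict) -> str:
    # The digest covers the stage's code and its pointer to the next stage.
    return hashlib.sha256(image["code"] + image["next"].encode()).hexdigest()


def build_chain(parts):
    """Link (name, code) pairs back to front; return the chain and root digest."""
    chain, nxt = [], ""
    for name, code in reversed(parts):
        image = {"name": name, "code": code, "next": nxt}
        nxt = image_digest(image)
        chain.insert(0, image)
    return chain, nxt


def verified_boot(chain, root_digest: str) -> str:
    expected = root_digest  # held in immutable storage on a real device
    for image in chain:
        if image_digest(image) != expected:
            return "blocked at " + image["name"]
        expected = image["next"]
    return "booted"


def demo():
    parts = [("bootloader", b"BL v1"), ("boot", b"kernel+ramdisk"),
             ("system", b"system image")]
    chain, root = build_chain(parts)
    clean = verified_boot(chain, root)

    # Case 1: the boot image no longer matches what the bootloader expects.
    swapped = [dict(i) for i in chain]
    swapped[1]["code"] = b"modified kernel"
    tampered = verified_boot(swapped, root)

    # Case 2: the bootloader's pointer is rewritten to match the new boot image.
    # The bootloader's own digest then changes and no longer matches the root.
    swapped[0]["next"] = image_digest(swapped[1])
    repointed = verified_boot(swapped, root)
    return clean, tampered, repointed


if __name__ == "__main__":
    print(demo())
```

Because the root value cannot be rewritten, a change anywhere in the chain is caught either at the modified stage or at the stage that was altered to vouch for it.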

Factory Reset Protection (FRP)

FRP is a security method specifically designed to make sure that someone cannot simply wipe and factory reset the phone if it has been stolen or lost. For devices that have a secure lock screen (passcode) and at least one Google Account configured, FRP is automatically activated. FRP aids in restricting physical imaging by remaining active regardless of whether the phone was wiped or not. For instance, a thief might try to flash a custom ROM on a phone with an unlocked bootloader and no FRP measures. Thankfully, FRP works with the bootloader lock and Verified Boot to ensure no untrusted code or flashed images are booted on the device.

Full Disk Encryption (FDE)

FDE works automatically by converting data into a substitute form that cannot be understood by anyone who does not have the key to "undo" the conversion. Because the cryptographic keys are stored separately, encryption acts as a barrier to physical imaging.

Workarounds to the security measures

Although various security measures are implemented as mentioned above, the issue that arises with Android phones compared to iPhones is that Android phones comprise various hardware built by various vendors. Therefore, Google has implemented several checks to ensure the validity and integrity of these components. Several chipsets are weak in security. For instance, the Qualcomm chipset implements Qualcomm's USB Upload Mode 9008, which provides unrestricted low-level access to the device storage. Another chipset manufacturer, MediaTek, simplifies data extraction by enabling easy access to the device memory through a special protocol. Additionally, some manufacturers such as LG have implemented low-level firmware that enables easy access to the device storage; the two-way communication makes it easier to perform physical imaging with just a few clicks.

Samsung’s adherence to security

Samsung KNOX is a comprehensive set of security features for personal and enterprise use, pre-installed on most of Samsung's devices. It aids in protecting the device from the moment it boots until the launch of an application. As stated by Injong Rhee, Executive Vice President and Head of R&D, Software and Services, Mobile Communication Business at Samsung Electronics, “Samsung prides itself on providing end-to-end solutions that are secured at the core”. In line with this quote, Samsung has implemented several security measures as mentioned above. However, a leak from Samsung has resulted in a boot image developed and signed by Samsung that can be used to perform physical imaging, as all the security measures can be bypassed in one go.

Conclusion

The article has discussed the security measures employed by manufacturers to protect data and overcome security vulnerabilities. With the foundation of the Secure Enclave, Apple has strengthened its protection against physical imaging and security concerns. Samsung, on the other hand, has implemented various security techniques that are difficult to bypass, which shows how seriously it takes security issues.