Comparing Android and iOS security

Considering buying a new phone? Liz and Geoffrey compare the different security models of Android and iOS, the two most popular smartphone options on the market. We also talk about California's new privacy law, a number of recent attacks on cell phones, and how Tinder swiped left on bad crypto.

Comparing Android and iOS security episode art

Timeline

  • 1:04 - Security news: New privacy law
  • 3:02 - Security news: LTE attacks
  • 5:42 - Security news: breaches of phone numbers
  • 10:14 - Phone security: updates
  • 13:57 - Phone security: hardware
  • 16:45 - Phone security: Two-factor authentication
  • 17:41 - Phone security: design
  • 20:39 - Phone security: purchasing concerns

Show notes & further reading

Apple's iOS security document is quite long, but it goes into detail about the Secure Enclave, their approach to file encryption, software security, and many other things. It's dense reading yet quite readable, and it's a good exploration of how to build secure systems.

Google's 2017 Android security report isn't the same sort of document, but it does have an overview of recent security improvements in Android. (A lot of the document is focused on tracking the installation of "Potentially Harmful Apps," which are much rarer on iOS because of Apple's stricter approach to their App Store, so the portions about other security improvements are not particularly long.) Some of the more notable recent improvements to Android security include

  • Project Treble (p. 16-17), which separates the Android core from manufacturer customizations, allowing both greater security hardening around the manufacturer's code and easier updates of the Android core
  • Support for hardware security modules (p. 18), as found on the Pixel 2, which are comparable to the iPhone's Secure Enclave
  • Monthly security updates (p. 25) for Google-manufactured phones (Nexus and Pixel)
  • Android Verified Boot 2.0 (p. 18), which adds rollback protection (prevent downgrading to an older and vulnerable but still legitimate version of Android)
  • Seamless system updates (p. 25) to make the update process more pleasant. Although rebooting shouldn't take more time than a normal reboot, there are often post-install tasks that make the update effectively slower - although still significantly faster than a traditional update.

Android also posted last year that they increased their bounties for successful exploits of verified boot after no one claimed them, which is great news for Android itself - but there are other ways to attack the average Android phone, and there were successful attacks against both an iPhone 7 and a Samsung Galaxy S8 at Mobile Pwn2Own 2017, where the attacking team was able to both install malware and cause it to persist on the phone after a reboot.

Android's "Google Play Services" component has support for U2F security keys using either the Near-Field Communication (NFC) or Bluetooth Low Energy (BLE) wireless protocols. If you want to use a USB security key - which is probably most helpful for people with a USB-C phone and security key, but would also work with an appropriate USB adapter - you'll need a recent version of the Google Authenticator app, which knows how to talk to U2F devices over USB. Both Google Play Services and Google Authenticator aren't part of Android itself, so this wasn't mentioned in the annual security report. (Unfortunately, both are also closed-source components. Google Play Services is in practice an essential part of Android, so it's one of the things that effectively makes Android not entirely open-source.)

In the news

California's new privacy law is likely to change quite a bit between now and January 1, 2020, when it goes into effect. If you want to read about the current version, there's a lot of detail at Ballotpedia's article on the initiative. The organization behind the ballot initiative also has lots of information on their website, although of course it's biased in favor of it. We haven't seen much in-depth analysis of the bill - only reporting on the rather unusual or hurried process by which it passed - so if you'd like, you can always read the text of the bill.

AppleInsider has a timeline of the apparent iPhone unlocking bug, including a statement by Apple that the test was mistaken, so this isn't the answer to the puzzle of how iPhone unlockers like the GrayKey can bypass the limit on brute-fore attempts. We last talked about GrayKey unlocking devices in our episode on two-factor authentication. Motherboard has posted the emails they were leaked from people worried about Motherboard's own Freedom of Information Act requests.

At the end of June, a team of researchers announced the aLTEr attack and related attacks on LTE cell phone networks. Two of the researchers were also authors of the paper we talked about in our previous episode on phone security, where they discovered that all the devices they could find would happily connect to LTE in an unencrypted mode, too.

In Timehop's announcement that their data was breached, they made a somewhat confusing recommendation to make sure that your cell phone account has a PIN on it to protect against an attacker social engineering their way into getting a replacement SIM card or porting your phone number. (This is a PIN for your cell phone account with your service provider, not a PIN or passcode on your device or SIM card itself.) That threat isn't unique to your phone number getting breached, and often this type of attack is personal and done by someone who didn't need a breach to know your phone number. It's a good idea to ask your cell phone provider and request additional protection against both someone porting your cell phone number away and someone getting a replacement SIM card (or phone!) for your account. Some good recommendations are in an FTC blog post from their chief technologist and a TechCrunch article from one of their writers, both of whom were themselves victims of this attack. However, we've heard lots of anecdotes of both cell phone customer service not following procedures or just being breached themselves, so if you're a high-risk target, you may just need to be aware that this attack is still possible - if you ever see your cell phone lose service unexpectedly, contact your cell phone provider immediately.

Transcript

Liz Denys (LD): Last episode, we talked about how to secure the smartphone you have, but what if you're in the market for a new phone?

Geoffrey Thomas (GT): Maybe you've been an Android person your whole life and are thinking of switching to iPhone or vice versa.

LD: Didn't you switch two years ago, Geoffrey?

GT: I did, but mostly, Android phones kept getting bigger and I wanted to get a smaller phone. At the time, switching to iOS got me a more secure phone. But Androids have also gotten more secure in the last few years, right, Liz?

LD: Yeah, the latest versions of Android have some neat security improvements. Stay tuned because this week's episode is all about iPhone and Android security.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

LD: Big privacy news out of California - the legislature passed the California Consumer Privacy Act of 2018, under the threat of an even stricter ballot initiative about digital privacy.

GT: I used to live in California - ballot initiatives are super weird. The legislature can't amend them, it has to go back to the ballot. So the lawmakers made a deal with the people behind the initiative: in exchange for taking it off the ballot, they passed a slightly weaker version as a normal law. You can tell it was done in a hurry - there's duplicated text and incorrect references - and it doesn't go into effect for another year and a half, so it will certainly be amended a lot between now and then.

LD: Basically the law requires large companies to inform you about what categories of data they're selling and a way to opt out of that sale. It also lets you tell them to delete all of your data.

GT: And it lets you sue companies if your personal information is breached. The ballot initiative originally let individuals sue companies for not having compliant privacy practices, kind of like Europe's GDPR, but that part was dropped in the assembly bill. But the government can still enforce it in court of course.

LD: Also, similar to the GDPR, the law only directly applies to Californians, but it's expected to impact everyone's privacy because of what companies need to do to be compliant. If you live in California, maybe reach out to your state legislators and tell them what sorts of things you want them to do as they revise the law between now and 2020.

GT: A security researcher posted a video on Twitter that looked to be bypassing the iPhone's limit of 10 passcode attempts, by just entering the codes right after each other. There was speculation that this was how the GrayKey unlocking device works. But it turns out this wasn't a vulnerability.

LD: Yeah - the passcodes were being entered so fast that the hardware wasn't even checking if they were right, it was just denying them. So that's why it looked like it didn't trip the limit. There weren't any actual attempts.

GT: We still don't know how the GrayKey works, but a journalist at Motherboard has been filing Freedom of Information Act requests - and while waiting for those, someone leaked him a bunch of cringeworthy emails from forensic experts worried about the Freedom of Information Act request. We'll have the link for that in our show notes.

LD: Researchers have announced a new set of attacks on LTE cell phone networks - two passive attacks to identify users and what websites they're visiting, and one attack that allows data to be modified, called the "aLTEr attack".

GT: This is a good example of how it's not enough to just say, "It's encrypted." LTE is actually encrypted with a good encryption algorithm, but there's no protection against tampering.

LD: Right, so you've got messages that are protected against eavesdroppers because they can't decrypt it, but there is not a protection against someone changing the message.

GT: Yeah, someone can guess what you're encrypting and make changes to the encrypted version - in this case just flipping some bits - and when the other end decrypts it, they'll see those same bits flipped in the original, decrypted message.

LD: This is a common risk when there are small, predictable messages being encrypted. In this case, an attacker knows you're going to one website: they can send you to another website instead. So if you type in your bank's website dot com, by default the initial request isn't going over HTTPS - it's only secured by LTE's encryption. The researchers have demonstrated that they can flip some bits in what your phone is sending over the air, and send you to evil fake bank dot com instead.

GT: There aren't any direct practical defenses against the aLTEr attack. Using HTTPS definitely helps, because it's another layer that does both encryption and integrity protection.

LD: Since the HTTPS Everywhere extension only works on Firefox on Android phones, the most straightforward way to do this is to explicitly type https:// into the address bar yourself.

GT: Using a VPN would also help, but picking a good and trustworthy VPN is its own challenge, because the point of a VPN is to hand all your traffic over to someone else.

LD: The aLTEr attack does require a fair bit of equipment, so maybe the best thing to do is to be aware of it - if you think you're at an unusually high risk of someone targeting you, only use a trustworthy wifi connection for your more sensitive work.

GT: The next version of LTE, 5G, has an option for authenticated encryption, which makes your traffic both secret and protected from tampering. In general, this attack is a good reminder that security is a lot more than just using a good encryption algorithm.

LD: Oh, there was another attack recently that was also about how encrypting something doesn't always mean it's secure. You know Tinder, the dating app where you swipe left or swipe right depending on whether or not you like the person?

GT: Oh no, this is going nowhere good.

LD: For a while they weren't encrypting photos. They fixed that, but until a few weeks ago, they were encrypting "swiped left" and "swiped right", but those messages are actually of different lengths.

GT: Oh, wow. So the encryption wasn't actually protecting anything, you could just see the photo and how long the response was and figure out which direction they swiped.

LD: Right, and the best part of this was that a US senator sent them a letter about this security flaw, and they replied to him saying, they fixed it so the swipe messages are the same length.

GT: Thank you for protecting our freedom, Senator.

LD: Also last week, Timehop, that social media memories service, was breached. Timehop disclosed that the breach included names, email addresses, and phone numbers for some 21 million of their users, but no social media content or memories.

GT: They did mention that some of the keys that let Timehop read your social media posts were compromised, so it's a bit odd to confidently state that no social media data was breached, because you could use those keys to do that.

LD: Yeah, they mentioned that they deactivated all the keys that did this as a precaution, which is good, but they don't definitely know that the compromised keys weren't used during the stated over two hours between the breach and the deactivations?

GT: Right, and because they deactivated those keys, everyone got logged out. Which is good! If you want to keep using it, just log back in.

LD: Another slightly confusing thing in their brief about the incident was a recommendation to make sure that your cell phone account has a PIN on it. This isn't super specific to Timehop releasing phone numbers, though, just a general risk of someone social engineering their way into getting a replacement SIM card for your phone number, right, Geoffrey?

GT: It looks that way. Most people don't publicly post their phone number, so now people who might not have had it before are one step closer to attacking them. But this attack generally involves someone going to a cell phone store in person, so it's unlikely this attacker with millions of accounts is going to go steal millions of cell phone numbers. However, if you are an individual high-profile target, like a politician or an activist, it's possible someone who gets your phone number - maybe through this attack - would go after your phone account, especially if they have other info about you from social media.

LD: Or it's personal, and that person probably already has your phone number. I feel kind of weird that they made 21 million people more aware of this attack because it doesn't sound like it's particularly related to this breach, and this isn't something phone companies have been making good progress at preventing - it's more likely that someone will start thinking about how to use this attack than the 21 million customers will be able to take actual precautions against it.

GT: It is still worth setting a PIN, but there are varying reports of whether it's effective - people have said they've gotten their phone number stolen even though they've set a PIN. I'm pretty confused by this advice because there are lots of breaches of databases with phone numbers, and I've never seen a company say, we got hacked and you should set a PIN for your phone. And it's not at all clear why Timehop gave that advice.

LD: There was another database exposed recently - a marketing firm called Exactis had made its database of basically everyone in the US, their phone number, address, and some interests available on the public internet, until a security researcher noticed.

GT: We don't know that anyone malicious got this data, but we certainly don't know that they didn't - it was just public on the internet.

LD: Apparently the data was marketing targeting info, like whether you're a smoker, or have kids or pets, and so forth. Probably wildly inaccurate because it was marketing data and was inferred from habits or old data sources, so let's hope it didn't stay anywhere public.

GT: In one last bit of phone security news, a number of people have found that Samsung's text message app is silently texting images from their phone's photo album to random contacts, and leaving no record of it.

LD: Yikes. That's a pretty bad surprise, especially because there's no way to notice that this is happening.

GT: Samsung says they haven't found a single cause and are investigating these as isolated incidents. In the meantime, if you have a Samsung phone, it's probably a good idea to go to your phone settings and remove the permission for Samsung Messages to get to your photos.

LD: And you can switch your default text messages app to the regular Android messenger app, or another third-party texting app, to keep using photos. Although, this is a pretty good excuse to switch to an encrypted messaging app like Signal or WhatsApp, like we were talking about last time.

GT: That about wraps it up for security news - there's been a lot happening with phone security since our last episode, both with phone numbers being breached and risks to the files and data on your cell phone.

LD: We'll get to the main segment of today's episode - Android and iOS security - after a brief break.

Interlude music plays.

LD: Today's main segment is about the comparing the security models of Android and iOS, because they are overwhelmingly the two most popular smartphone options.

GT: If you're in the market for a new phone, it's worth thinking about the security concerns and how they affect your life. And if you're interested in something that isn't Android or iOS, this episode talks through a lot of features you should look for, even if we're not going to directly talk about what's available for other types of phones.

LD: Also, if you're thrilled with the phone you have or it's just not the right time to get a new phone, stay tuned so you can better understand your current phone's approach to security and get a little more familiar with how to evaluate device security models.

LD: The first thing to do to make sure your phone's software is secure is to make sure it's keeping up to date with software updates. Mobile operating systems are incredibly complex because phones do a lot of things, and there will always be bugs that can be exploited. However as bugs are discovered, operating systems release software updates to protect against them.

GT: Once a bug is publicly known, attackers will start moving quickly to exploit it, so it's important to take the update as quickly as you can. And in the other direction, there's always new security features coming out like better encryption or permissions schemes. Sometimes you might want features in hardware, too, which we'll get to in a bit, but most things can be improved in software. So you want to make sure you're getting software updates.

LD: Even the American Civil Liberties Union, which is a legal organization and not a technical one, wrote an article recently about how important software updates are to privacy and security. They say, "seamless software updates are one of the most important successes in improving cybersecurity in recent years."

GT: Yeah, definitely. You want to make sure that your phone is giving you updates, and that when they're available, you're applying the software updates.

LD: There's one big difference between iOS and Android that we'll see a lot: on iOS, Apple controls the hardware and the software all together. It's one product. So software updates come directly from Apple.

GT: Android is distributed by phone manufacturers, which means there's a lot more models available, but updates need to go through the manufacturer to make sure they're compatible. And Android's model is also that it's up to your cell phone provider to send you the update.

LD: iPhones tend to get security updates for around four and a half years after their release - the shortest recent one was the iPhone 5C, whose last security update was three years and eight months after release, and the longest one is currently the iPhone 5S, which is expected to get the new iOS version this fall, five years after its release. Every iPhone that's still supported gets the latest version of iOS - bug fixes, features, and all.

GT: Android, of course, has a lot more phones from a lot more manufacturers, so there isn't a clear answer. A report from earlier this year found that Android phones tend to get security updates for between one and three years after their release, with many manufacturers not offering any security updates after about one and a half years. Google's own phones tend to do the best, but many of the other brands - both the larger and the smaller ones - often only give you support for a year or so.

LD: Apple's approach also means it's easier for them to deliver security updates quickly - if there's a big vulnerability that's discovered, they can put out an update pretty quickly and push it directly to iPhones once it's been tested.

GT: Android is getting better at this, but a lot of manufacturers are very slow to test and push out updates. Generally, if you're using a device that's from Google, you're going to be among the first people getting the update.

LD: One of the features in the latest version of Android is Project Treble, which is intended to make it easier for manufacturers and carriers to update because now their customizations are separated from the Android core. This feature hopefully will make security updates come out faster in the future.

GT: But it doesn't matter how quickly you get the update if you're not actually hitting okay when your phone says there's an update available.

LD: I know it can kind of be annoying sometimes to make sure you take updates, but it really is important to keep up to date with these because they're the first line of defense against known exploits.

GT: Since updates are so important, both Android and iOS try to make taking updates easier. On iOS, there's an option to schedule an update to take automatically in the middle of the night. This is a pretty great option for most people, and often how I take my iPhone's updates.

LD: On modern versions of Android, you can download the update and do a lot of the installation while using the phone as usual. There's also a pause button if you need it, too, like if you're still downloading and about to go off wifi and want to conserve your data usage. After it's done downloading and installing, it will need to restart, and it is a longer restart than usual, but it's significantly faster than if you have to stop everything to take an update.

GT: Another thing the Apple ecosystem has done well isn't actually about iOS, the operating system, itself. All iPhones since 2014, so the iPhone 6 and higher and the iPhone SE, have special hardware for encrypting your data. Apple calls this special hardware "Secure Enclave". Verification of your passcode, or Touch ID or Face ID, happens on a separate processor that has its own storage, and that processor holds the actual decryption key.

LD: Or put more simply, this model means when you reboot the phone, you can't get access to any personal data until it's been unlocked with a passcode. It also means that even if there's an operating system bug, your data is secure because it won't have the required passcode to decrypt your data.

GT: The other day I was confused why my phone was playing the default ringtone instead of my custom ringtone, and I realized it's because I had just charged it from an empty battery and not unlocked it, so my custom ringtone was still encrypted.

LD: Not all Android phones have separate physical hardware for encrypting your data. Google's newest phone, the Pixel 2, has it. But also, only some of the other phones use your passcode as part of their encryption. Google's blog post about that says, "Many Android devices, including all Pixel phones, use your lock screen passcode to derive the key that is then used to encrypt your data." So some of them don't! That means that someone with physical access to the phone can probably get access to files on it.

GT: Android gives you so many more hardware choices than iPhone, which is great, but it also means it's very hard to figure out which phones have the right hardware features for security.

LD: Also, Android supports passcode / PIN verification on separate secure hardware, but not fingerprint verification because, as they say, it's too slow.

GT: There was some controversy a few years back when they first launched device encryption, because it was making phones too slow, too. This is one of those places where Apple has an advantage because they're co-developing their hardware and have that whole team in-house.

LD: Another issue is how encryption keys are used. On Android phones that support encrypting individual files with your passcode, just like on iPhones, those files aren't available until you unlock your phone. But iOS has an option for encrypting certain files with a key that it forgets once your phone has been locked for ten seconds. Email, location data, and many other apps use this. You have to unlock your phone again to get those files decrypted. On Android, the key for all your encrypted files stays loaded until your phone powers off.

GT: So if you're the sort of person who keeps your phone charged all the time, like most people, your files can always be decrypted. Liz, how realistic is it that this could be exploited in an attack?

LD: It's not that difficult if you can open the phone, and anyone with a mildly-well-equipped electronics lab could do that. It also exposes you to potential attacks involving the software running on your phone, like malicious notifications. Of course, those can also affect you while you're using your phone and a particular file happens to be unlocked, but that exposure is a lot more limited.

GT: There is one security feature that Android supports that iOS doesn't: two-factor security keys. There's no support in the iPhone to talk to a hardware security key over U2F, either with an NFC tap or via USB.

LD: iOS recently added enough NFC support for the YubiKey app to get one-time passwords, but it's much weaker than the U2F protocol. There's nothing built in, and they don't let apps have enough access to NFC or USB to make two-way communication work. That's the thing that makes security keys so strong - they send the name of the website to the key, to prevent phishing sites from getting your two-factor credentials if the website name doesn't match. And there isn't enough support to in iOS to make this work.

GT: Android definitely supports it with NFC, and we've also heard that you can connect a security key over USB, either with an adapter or with USB-C. Of course, authenticator apps work on both, so you can still use two-factor authentication with iOS, but you'll have to use a code generation app or some other non-security-key method.

LD: This is a good example of the difference between Android and iOS's overall security philosophies. iOS wants to put security first, even if that means limiting features. They limit what apps can access over USB or NFC because they're worried about potential attacks, but in general, their security-first approach lets them build a more secure system. There's a really good design document on iOS security that we'll link on our website if you're interested; it's long, but it shows how they think about putting security first with both their hardware and software design.

GT: Writing secure software is a constant balancing game between the two extremes of, let's disable everything so nothing can go wrong, and let's support all the cool features we can. iOS has chosen a balance that leans a little more towards more security and less features, which isn't something that makes everyone happy - for instance, you can't install apps on an iPhone that haven't been approved by Apple, unless you jailbreak the phone. And Apple relies on this. as part of their security defenses.

LD: Yeah. Android, on the other hand, wants to be more open by default, and support more features. You can replace the phone dialer, the text messenger, your whole home screen launcher even. They tend to avoid breaking applications, even if it means they can't fix a security weakness that quickly. There was an interview where Google's product manager for Android security said, "Android comes from a stance of trying to be more open ... It's a constant challenge for us and that's unique to Android of balancing how to protect users and functionality."

GT: You might think that this idea of "we're trying to be more open" is a bit of a cop out, but it's actually worth mentioning that Android really does have a lot more features - it's substantially more customizable than iOS like Liz mentioned and lots of people genuinely prefer Android for that reason.

LD: If you're a high-risk user - a politician, an activist, or a company executive, or just someone expecting targeted attacks - you probably don't want to compromise security for additional customization. You're going to want a platform that consistently puts security first.

GT: But for many people, the decision isn't so obvious, and we're definitely not saying that Android is so terribly insecure that no one should use it. Android's most recent annual security report talks a lot about the protections they've added recently. It doesn't quite say this directly, but Google now believes that they're as good as the iPhone, if not better, especially with their top devices.

LD: One reason for this, they say, is that the Android core is open source, and they offer quite sizable bounties for security researchers who find serious bugs and report them responsibly. Their report says that a recent hacking contest found no bugs in the core Android platform.

GT: We always love to see security-sensitive products be open source, but Android isn't completely open source: custom software from manufacturers - like a messaging app - are often closed source, and while many drivers are technically open source, they don't get the same level of scrutiny as the main Android project. The hacking contest found one attack for iPhone that could leave persistent malware, and one for Android that could leave persistent malware on a specific Android phone, a Samsung Galaxy. A lot of the security advantages in the Google report are specific to Google's own phones, such as the recent Pixel 2 with secure hardware.

LD: Even if your security heart is set on the latest and greatest iPhone or Google's recent Pixel 2, your wallet might not agree. Android definitely has the market on cheaper devices, but they may not have the latest security features, especially secure hardware. If you're looking at Google's most recent Android phones, those are often in the same price range as Apple's most recent iPhones.

GT: Also, think about how long the phone you're looking at is going to be supported - both in terms of security updates and in general what its lifetime is. It might be a better idea to spend a bit more money now for a phone that will last you three or more years instead of buying a new phone every year.

LD: That's my strategy - I buy a new-to-the-market phone right when it comes out and expect not to buy another phone until it's close to unsupported, somewhere between 3 and 5 years. Oh, how's your phone doing? You've had it for about two years, right?

GT: It's holding up well! It's the iPhone SE, which is new enough to have the Secure Enclave hardware for encryption. If Apple keeps supporting their phones for four to five years, like they've been doing, I can probably keep using it securely until late 2020, and while it's not the latest hardware, it's still holding up pretty well. I've actually been seeing it at pretty deep discounts from some cell phone providers, because it's not the latest and greatest any more.

LD: That wraps up our discussion about Android and iOS security!

GT: When you're shopping for a new phone, and you're comparing megapixels and millimeters, also consider what security needs you have and what phone will be best for you.

LD: See y'all in two weeks, for the first of our series of episodes on using the web securely!

GT: I think we'll call it "Safely Surfing the World Wide Web".

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.