Forensics detective says Android encryption now superior to iPhones

"Cellebrite — one of the most prominent companies that government agencies hire to crack smartphones — has a cracking tool that can break into any iPhone made up to and including the iPhone X [...] the tool could not extract any social media, internet browsing, or GPS data from devices such as the Google Pixel 2 and Samsung Galaxy S9. In the case of the Huawei P20 Pro, the cracking software literally got nothing."
TL;DR of TL;DR: Government can crack iPhone up to X; Google Pixel and S9: no social media, no browsing or GPS; and Huawei P20 Pro: nothing.
It's an issue of resources. They've allocated a significant amount of time and effort to crack iPhones because A) that gets all the headlines and B) iPhones are more-or-less uniform, there are only a handful of models. I have no doubt there are exploits for the Pixel 2, Galaxy S9 and P20 pro that they simply haven't spent any time exploring.
I'm surprised that the S9 was less secure than the Huawei, doesn't Samsung make Knox for this reason?
I think the reason why it's up to the X is because of a recent exploit called checkra1n, maybe, idk
Maybe they should try using Chinese translation software? /s
The Chinese wanna keep all the data to themselves
So this is why Trump want to ban Huawei, because it doesn't allow the US to spy freely as they did until recently.
From this sentence it sounds like they tried to use the tool for iphones on android devices
Suddenly the government's campaign against Huawei takes on a new light...
Yeah, that's checkm8. I bet their tool is literally just checkm8 renamed.
Huawei P20 Pro, cracking software got nothing; China got everything.
TIL the CCP is very protective of its digital property.
Funny how Huawei is a security risk but they let nothing out to others, whereas Apple phones are considered the best in some areas.
So the headline is absolutely deceptive. The iPhone X is two generations ago for fuck’s sake.
But this really just means that one company is unable to get into your phone. Do not presume that no government agencies or contracted third parties can get at your data!
TLDR company that makes money off of cracking phones has better tooling for phones made by most prominent manufacturer in developed countries
So, they are comparing the entire iPhone line against three specific android phones?
What about the newer phones than iPhone X? Can they get anything off of them?
So iPhone XS and 11 better than Android?
Cellebrite is a script kiddie ahole, not a forensics detective
I mean, if we're being clear and completely honest, we know that the reason for this is because the government has spent all their resources to crack iPhones since the original 2015 (2016?) time Apple refused to give them access. They've been interested in doing the same for Androids, but they've been pursuing the iPhone path with more resources. I imagine they'll come after Android next.
Did they try purchasing the info from Samsung & google? Or the carrier? I'm sure that'll help. Everyone else does.
Wait is this only up to the x then?
As someone that uses Cellebrite in their day job I can tell you that is a load of BS 🤣
Isn't that 'cause it got jailbroken recently?
I'm also still using S7 edge until they release a phone without the hole punch.
Funny enough, Cellebrite makes the device to transfer data between phones and has for at least a decade for big box stores and places like RadioShack.
And now you know why Huawei gets no access to the US
One danger with this article is that people might think Huawei is safe and secure, while it is actually loaded with malware. It’s important to understand the text only deals with ONE cracking software.
Am I the only one who thinks USB-C should actually be Lightning and that one should rule them all? I say this cos the Lightning pin into a hole feels way more solid than getting a pin inside the USB-C, feels more delicate and the whole thing is thicker than the Lightning way. I mean, I wish Android had the Lightning and stupid Apple was with USB-C, it truly feels the Lightning pin is better. Am I too dumb?
No one had a USB-C cable handy.
Big ups to Huawei. This is a great showing for their device security and may highlight why the US Govt is so against their devices. Yes Huawei has its own Chinese backdoors but it seems the US Govt only wants devices they can hack as well
I assume this does not apply to phones with long alphanumeric passwords that are immune to brute force attacks, especially when they don't have biometrics enabled, right?
My only issue is that the key for the backups seems to be your device unlock pin. Wish there was an option to use a different code than the unlock pin for an extra layer of separation.
But then you'd need to enter 2 passwords to login..
You can just use a complex password for your normal pin.. and finger/face unlock for convenience..
I believe I can do that on my note 9, a screen with Knox Branding pops up asking for a passcode.
I can't remember if it wanted a new passcode or not though.
Not necessarily. The pin can be used to (attempt to) unlock an encryption key locked in hardware that has brute force protection.
I used to do this with a Xposed module, the encryption key was different than the lockscreen. I just manually entered the longer encryption key each boot.
That's kind of what biometrics are. At least, on my phone I can't unlock with my face (I don't have fingerprints configured) immediately after a reboot. I have to do the first unlock with the pattern.
Only if your manufacturer gives you security updates, looking at you LG.
LG makes inexpensive phones with surprisingly good hardware, but once you buy it you're on your own. Horrible updates and warranty repairs are a nightmare.
I'm still getting security updates on my nexus 5x. So there's that!
Even without security updates it's very unlikely for you to be hacked as they would have to target your model specifically in most cases.
 from than others,” Kiser told Vice. “I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones … under the guise of consumer privacy.”
Okay pig. Most people who want encryption are not criminals and insinuating the main reason companies want to be more secure is to make law enforcement life harder.
This may slow down some law enforcement, in a very few select cases. But it also protects millions from life altering data breaches, several times a day every day. Good trade off IMO.
That line got me as well.
I'm a middle aged non-tech savvy person who is really only mildly bothered that a lot of companies track my location and spending habits, and probably share that data with God knows who.
But I strongly think we should have a choice about it and other aspects of privacy, including info I keep or access on my phone.
Do they really want to go with "its just criminals who want privacy in their lives"?
This is particularly disgusting considering we know for a fact that Apple, Google, and other will divulge cloud information to authorities given a warrant. It's not that these tech companies don't want to help law enforcement. They will. But they don't want to compromise security and privacy on a personal level. We don't want the common person/thief to be able to do the same.
I don't want government authorities to access my Google information, but I have a bit more faith that a police officer isn't using a warrant to request my cloud data to steal my banking information as opposed to a thief.
Is it so bad that that’s exactly what I want? Manufacturers making phones that are increasingly hard for both hackers and the government to extract data from?
I feel like that quote could imply the companies are covering their own tracks (some sort of malpractice or data mining maybe) under the guise of consumer privacy by making it harder for law enforcement to uncover all of the information in the phone.
It's worth noting that in the UK, police can demand your password so none of it matters anyway
I have a very bad memory :(
what is the prison sentence if you refuse to provide your password?
Doesn’t this really come down to the unpatchable checkm8 vuln? Basically making any iPhone X and earlier an open book?
I thought checkm8 did not break Secure Enclave Protocol, or am I mistaken?
If not, then not an open book, not completely at least.
There was a delayed start but kudos to Android for catching up with security. This isn’t Android vs. iOS. You vs. me. Etc. We all benefit from better encryption. If you care about privacy then Android or not, we’re all on the same team here.
Get your sensible comment outta here. If you're not with us, you're against us.
Yes, more competition on this issue, please!
Annoying how Android always gets a bad rap for malware and poor security. If you aren't an idiot and just provide permission to anything for everything you should be fine.
But that's what the vast majority of people do. Android is perfectly safe if you aren't an average consumer. But if you are it's far less secure.
Android deserves bad rap for poor security because critical security updates don't reach devices. Permissions don't mean anything when they can be bypassed with 12 months old exploits.
Or download shitty unheard of apps. Or sideload apk from shady sites (but I gotta get the free cracked premium games? )
It's like Windows, a bigger use case makes it a bigger target
It’s not like there are many malware on the google play store, some like that would NEVER happen
If you aren't an idiot and buy a phone that receives software updates.
The average iPhone user that doesn't have the mental capacity for that, I mean 99.9% of them use their $1000 phone exclusively for tiktok...
I've always wondered if there was a way to increase android encryption, though I don't see how it could be done outside of a custom rom...
If you have a Samsung, you could use the Knox container. I personally use it for work on my Note 10+. It IS slower to use, but I know my data is somewhat protected.
Could this just be the product of iPhones having larger market share compared to any individual Android phone model?
Similar to the old claim that Macs don't get malware, when in reality more effort was put into hacking Windows computers because there were more of them, making them a more lucrative target.
Several hundred(600+ in 2015) Android phones are released per year. A handful of iPhones are released per year, and probably all have the same vulnerabilities. From a labor/revenue standpoint, Cellebrite, Graykey, etc have a lot more to gain if they just focus on taking down iPhones.
Actually Android has way more malware than iPhones (time monkey, etc) since outside the US Android is waaaaaay more popular.
pretty much.. nailed it spot on.
We have security by obscurity!
That's a misleading headline if you read the article.
That’s a big “if”
Read the article and definitely points to some Android phones having better encryption than iPhones. Obviously not across the board on devices.
Well did you? The original vice article specifically noted that cellebrite could not retrieve data from Samsung S9, Pixel 2 and literally nothing from Huawei P20 Pro but could extract data from iPhone X. Cellebrite's same software, according to Vice's related article, was also used to extract data from Lev Parnas, a Giuliani associate, Trump's lawyer, involved in the Ukraine-Trump scandal.
“A year ago we couldn’t get into iPhones, but we could get into all the Androids. Now we can’t get into a lot of the Androids.”
Who wrote this article, the Feds? The United States Government, even this week are considering suing Apple over their encryption being unbreakable, but have never yet heard of a situation where the US Government couldn't hack an Android phone. And that's all I have to say about that.
The government is not suing Apple for unbreakable encryption. They want Apple to give them a signed ROM that allows you an unlimited number of PIN guesses. They are asking for this because iPhones allow you to install an Apple-signed update without unlocking the phone and without erasing user data.
The government hasn't asked Google to provide a similar ROM because Android will not install OTA updates when the phone is locked, and flashing from the bootloader will erase all data even if the image is signed. Pixel 2 and later have hardware protection against the exact thing the government is asking Apple to do.
EDIT: the description of the bootloader security model was incorrect, this document has the details:
The bootloader will accept images signed with the manufacturer key; other images will fail to boot and unlocking the bootloader wipes user data. This means that the Apple-type attack is possible on Android, but the government would have to ask each Android manufacturer separately (each has their own signing keys) and most of them are not under U.S. jurisdiction. Phones with hardware security chips are immune to this attack, because they will only accept a firmware update for the security chip that lets you guess the PIN an unlimited number of times without delay only if you already know the PIN.
The document also mentions that Pixels have a special partition that lets you set your own ROM signing key, so that you can get the same level of security with custom ROMs as with Google ROMs.
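A toy model of the behaviour described in the comment above, and in the earlier remark about a PIN unlocking a hardware-locked key with brute-force protection. It is an added illustration, not code from the thread or from any vendor's firmware; the class name, the HMAC stand-in for the manufacturer signature, the sample PIN and the back-off schedule are all assumptions.

```python
import hashlib
import hmac
import os

VENDOR_KEY = b"constructed-demo-vendor-key"  # constructed; stands in for a manufacturer key
MAX_DELAY = 86_400                           # assumed cap on the back-off: one day


def sign(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """HMAC stands in for the manufacturer's asymmetric signature (assumption)."""
    return hmac.new(key, image, hashlib.sha256).digest()


class ToySecurityChip:
    """Hypothetical chip that holds the disk key and enforces the guess policy itself."""

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._verifier = self._stretch(pin)
        self._disk_key = os.urandom(32)      # never leaves the chip without the PIN
        self.failures = 0
        self.locked_until = 0                # simulated seconds, no real sleeping
        self.firmware = b"fw-v1 throttle=on"

    def _stretch(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 1000)

    def unlock(self, pin: str, now: int):
        """Return (disk_key or None, status); wrong guesses grow the lockout."""
        if now < self.locked_until:
            return None, "throttled"
        if hmac.compare_digest(self._stretch(pin), self._verifier):
            self.failures = 0
            return self._disk_key, "ok"
        self.failures += 1
        if self.failures >= 5:               # assumed schedule: 30 s, doubling each miss
            delay = min(30 * 2 ** (self.failures - 5), MAX_DELAY)
            self.locked_until = now + delay
        return None, "wrong-pin"

    def update_firmware(self, image: bytes, signature: bytes, pin, now: int) -> str:
        """A valid vendor signature is necessary but not sufficient: the PIN is too."""
        if not hmac.compare_digest(sign(image), signature):
            return "rejected: bad signature"
        if pin is None:
            return "rejected: PIN required"
        key, status = self.unlock(pin, now)  # same counter, so no free PIN oracle
        if key is None:
            return "rejected: " + status
        self.firmware = image
        return "installed"


def time_to_try(chip: ToySecurityChip, guesses):
    """Simulated seconds needed to submit every guess, waiting out each lockout."""
    now = 0
    for guess in guesses:
        now = max(now, chip.locked_until)
        key, _ = chip.unlock(guess, now)
        if key is not None:
            return now, guess
    return now, None


if __name__ == "__main__":
    chip = ToySecurityChip("4821")           # constructed PIN
    weak_fw = b"fw-v2 throttle=off"
    print(chip.update_firmware(weak_fw, sign(weak_fw), None, 0))
    print(time_to_try(chip, [f"{i:04d}" for i in range(10)]))
```

In this model a correctly signed image that disables throttling is still refused without the PIN, and ten wrong guesses already cost 930 simulated seconds because the delay is enforced inside the chip rather than by the OS.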
Exactly. This just sounds like an android fan’s boner article honestly
Android encryption is open source. While you could ask Google, they don't technically own the software and their defense is obvious
Apple rolls their own software. Therefore, forcing them to build in a backdoor is relatively easy
You're a student who hates having to do homework, you find out that the teacher could give you the answer key, and then you wouldn't have to work as hard. However, in order to get this answer key you need to convince your parents you deserve to have them write you a note in your agenda telling the teacher to give you the key.
I love android....but come on
Come on what?
Not all, but certain phones. The article mentions the Pixel 2, Galaxy S9, and P20 Pro. While it isn't said, one could also assume newer devices are also unaffected if each company keeps their commitment to security.
Samsung has Knox, and Google has been very upfront about device security when they started designing the custom Titan M security chip included in Pixel 3.
A. We don't really know about the iPhone cracking capabilities
B. While it's good that Android has better security, it gets disabled way easily like oi you have accessibility service enabled.
Only on older full-disk encryption devices that needed the PIN to boot. Android 7 introduced the Direct Boot encryption model which boots the OS first, allowing accessibility on the lock screen. Also, while many manufacturers have used Direct Boot for a while, it's straight up required for Android 10.
Android is open source so Google is forced to fix security vulnerabilities. iOS is closed so only people with resources can discover exploits.
Not as much 0day development work by Cellebrite. Makes sense.
Still going hard with the s8
Just now? After all these years? Apple get your shit together!
Apple OS update.
At last the day has come.
Cries in Jeff Bezos....
How much cracking is being done exactly? It was my understanding that the tools for this were known exploits and 0days and all that, if needed, governments and law enforcements have little trouble getting data from phones regardless of brand.
2048 bit encryption doesn't do you any good if they can just plug in a cable and run unlimited password tries or get private keys or whatever. They even named the device the Universal Forensic Extraction Device for crying out loud.
People who are fanboying one way or the other are actually completely missing the point. The government wants to have all your data. And they don't want stupid shit like privacy, human rights and mathematics to get in the way of that. They want to own you regardless of what brand you happen to use.
And they will continue to lobby for it. And they'll continue to emotionally blackmail the public that they need special privileges because of all the child rapists, drug dealers and terrorists out there.
But as Snowden and others showed, there is no human alive who can be trusted with this information.
For the people who keep saying things like "Well, I have nothing to hide.", "I'm not doing anything illegal" etc. Need to rethink what privacy actually means. Do you want people to know what thoughts you have? Ever regretted saying something when you were drunk or angry?
You are constantly hiding things, it's how we approach the world, continuously choosing what parts of ourselves to reveal to others and which we don't.
Also remember that "I did nothing wrong" is relative. Being gay in my country is fine. Being gay in Qatar means you will be killed. The rules are made up and very fluent.
Titan M flex
Open Source technology ultimately always wins!
Wait and see how comments here will be defending Apple at the same time shitting on Android.
This might be a surprise for you, but some people are not biased fanboys, like you.
When you see criticism as shitting on, then you're probably too delusional to be reasoned with anyway.
The rational reason is because there are hundreds of Android phones compared to the handful of iPhones, which all share the same security holes. That, and the fact that iPhones are currently more popular in the US, therefore hackers will invest more time into hacking.
Although you'll probably pretend those contexts don't exist because you're an irrational fanboy.
It's strange that a sub dedicated to Android spends most of its time bashing Android and defending Apple
So android encryption is superior to the X but not the XS and iPhone 11.
Breaking into an iPhone is one thing
Breaking into the SEP is a completely different story.
The Secure Enclave Processor has never (publicly) ever been hacked into.
The SEP store stuff like TouchID/FaceID data, credit card details for Apple Pay, and a bit more.
Without access to SEP you cannot downgrade iPhones software version past what Apple lets you, this eliminates almost all attack vectors besides hardware level exploits that cannot be patched.
AFAIK most if not all android OEM let you downgrade as far as you want but with Apple this is simply not an attack vector.
Edit: I was wrong
Even on older Android phones like pixel 2 and s9 they were unable to extract the data.
The iPhone X and the Pixel 2 are from the same year.
They were able to get into the iPhone X but got nothing from the Pixel 2.
Android wins.
Any phone can be cracked. It's up to the hacker to decide which phone is worth their time / popular.
Just wanted to say that my iPhone 11 was stolen last November. The thief was able to remove activation lock within an hour before I was able to have my phone wiped remotely through iCloud. I just lost trust with Apple since. Anybody with a similar experience?
No. Never heard of that happening. Sorry to hear. I guess you didn’t have two factor authentication setup.
Is this law enforcement trying to get people to switch to Android??
So if this is true why can’t the FBI leave Apple alone instead of trying to force them to introduce vulnerabilities on purpose?
Also has the FBI done anything to Android?
If they do something like a cold boot attack then checkm8 is what allows all current iphones to be cracked. That will become ineffective with the next generation
Steve Jobs already said it: If you want porn, use Android!
This is good, really just to shut up the idiots who think that because iPhone was better that Android was crap and insecure.
Both are pretty secure, just because one is better didn't make the other bad.
Why trust the guys trying to break the encryption? For all we know they want to steer people towards devices they can hack more easily to get more business.
The title is misleading at best, it is not the encryption, it’s because the new jailbreak checkm8 iirc is the name, that can run up to phones until the iPhone X, but the worst part is that they’re comparing last year or so devices from Android to old devices from iOS. From the X onwards (the phones that don’t have that jailbreak) they got nothing.
Kiser told Vice. “I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones under the guise of consumer privacy.”
Wtf? And can we at least get information on what OS they were on? Like was the iPhone on iOS 13 or like 10? And were the android phones on android 8,9 or 10? Like come on how do people jump on this article without reading how shady those guys are
That only means that the currently known exploits are patched at the moment, not necessarily that the encryption is actually stronger. I seriously hope we all use open and well established standards at this point.
Really what I think phones need is vault-based encryption like FileVault 2 or BitLocker. I wouldn’t mind entering a different password at boot to access my phone just so I know it’s encrypted. Most Cellebrite stuff depends on low-level boot access.
Pixel 2xl FO LIFE SON
Does Google's Titan M chip enhance security?
Yes. That's why it exists.
full encryption custom ROM gang
So Apple has been right all these years.
Oh, I never hear authorities asking Google for help unlocking a phone. Which should probably scare you
Good and bad I guess, paranoia is getting big in these times, but so is hacking and stealing private data, and not just the legally gray/legal way big corporations do it, but also criminals. I'm hating more and more this "extra security" on everything that makes everything take extra steps to do anything...
For example, why make smartphones almost as powerful as computers if you can't really modify them to your liking (save for certain "looks" customization) with OS or whatever you want if you are so inclined.
luckily spent an extra 10 grand for the xs whew
Instead of cracking the phones why don't they just use the NSA's special squelched agreement and back door to get that stuff directly from Google? People are already so carelessly uploading their lives and data to the likes of Google. Location data, photos, etc...
I get that 98% of people have a numeric pin on their phone, but doesn’t having an alphanumeric password defeat the purpose of products from Cellebrite (at least on the iPhone side of things)?
Can confirm. I forget my Google password at least twice a week...
Competition is good :)
Me: Looks at the URL.... hmmm Doubt
Look into Google Inactive Account Manager. It lets you set specific contacts that will be able to gain access to your Google account (and then your phone) after your account has been inactive for a certain period of time.
Give them a spare YubiKey. Is your Android account set up with 2FA using a hardware key like YubiKey? You can (and it's highly recommended that you do) link at least two YubiKeys to your Android account alongside your password. So give them a copy of that AND a recovery password seed list that Google generated in the security settings page.
They have been already superior to those of iPhones
They? The encryption?
So for me the only reason I would want an iPhone is iMessage but even that is coming to a close because of RCS.
It's been a long time but it's nice to see Android catching up with Apple's more premium features.
time to go back i guess (I temp switched to an iPhone 11)
I hope 2020 will deliver some neat smartphones :3
I worked for Apple for years. This is indeed true... why I'm typing this from my SAMSUNG GALAXY S10.
ITT: no one read the final paragraph:
Except Cellebrite technology isn’t cracking Apple’s encryption. The SEP hasn’t been cracked yet. What cellebrite is doing is brute forcing the password through some zero day exploit.
Ya... I'm not believing any of this.
These companies are rarely held accountable when it eventually comes out that they were lying...
We already knew this without an essay
They don't have to. Google sells user data for cheap.
Google does not sell data as far as I am aware?
They do use data for improving their products and targeted ads.
/s why?
Except often with Android, you’ve given all your data to Google. And they’re okay with giving all your data to authorities. Including access to your entire search history, your full Gmail account, docs, photos, etc.
So it’s a moot point.
Android does NOT send "all your data to Google". There is definitely some data that goes to Google just like there is data on the iPhone that goes to Apple. Most of the data that goes to Google is from the app you use which are also available on the iPhone.
But what is nice about Google is they have a dashboard.
Wish Apple had the exact same thing.
Fucking click-bait title. iPhone uses AES 256 and Android uses AES 128. Neither one can be brute forced with current technology but Android encryption isn't "superior".
Better encryption but preloaded malware
Apple is trash. Has been for a few years now.
Care to elaborate on why? Because I can say the same thing about Android.
Now? It always has been. All Apple does is release the same phone every year with a new camera feature basically and maybe a slimmer size.
Go to Apple subreddit and laugh with the guys trying to make excuses about that.
Or, just maybe, you could just try being an adult? You know - just for once?
Meaningless with stuff like SensorVault. The Government doesn’t even need to break into your phone.
“Some of the newer operating systems are harder to get data from than others,” Kiser told Vice. “I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones … under the guise of consumer privacy.”
Ummm....that's the point. Law enforcement in the 21st century, at least in America, have a carte blanche to invade privacy on literally anyone they suspect is a criminal. If you ain't got a warrant, if you barely have a case and are going after smartphone data to grasp for straws; fuck off sweaty.
Took long enough
Took them long enough.
So they can pop a 2,5 year phone lmao ...
The article seems to present a confused concept of encryption. If data is encrypted using commonplace modern methods, no government or cracking tools can break it. There would have to be a back door or compromised encryption keys.
I hope so, but still sick of google's BS.
What Google BS specifically?
Yeah because cellebrite software is specifically manufactured for iPhones. And cellebrite software is not for just anyone. It’s provided to and taught mostly to law enforcement. So yes it cracks into iPhones Much easier than android, because android cracking has been a thing for forever. You don’t need cellebrite to crack into an android.
Yeah, this circlejerk of a thread is a bunch of people thinking their Android phones are now more secure because they've had fewer resources dedicated to cracking them.
It's like taking a wrecking ball to a brick wall and a hammer to the other, then saying the wall that got the hammer is more sturdy.
So this article is garbage...
Where do crackers spend the most of their effort? On the most popular phones.
iPhones have limited models.
Android has a LOT of models. If you don't spend time cracking certain models, then it's not somehow safer. The models they listed, if you google them, are older, sold in the millions, but compare it to a popular phone and they aren't anything in the grand scheme of things.
Android's security problems are numerous. Apple's are not.
In the end anything can be broken into given enough time and resources. Holding up old model phones with low sales is not the way to promote a platforms encryption lol.
Android is better than iPhone says android website founded by android lovers
the original source is VICE. This was a re-blog article.
ITT: Applebros lose their only "reason" to use iphones
If privacy was your only reason to use a completely closed source operating system...
Ahh, the standard investigator-bluff. I don't think so. Partial data recovery? - my ass. Either you crack the encryption, or you don't, and get absolutely nothing
Yes and no. It is sometimes possible for a device to leak information indirectly without its encryption being broken. Not often, and generally not a LOT of data, but it does happen.
At least Apple doesn't have a backdoor...
I'm a 10-year Android owner.
If only the OS for Android was standard. Since it's not, that isn't wholly true. There's tons of Android variations out there that may be less encrypted. This seems to only apply to the most current Android devices.
Is it just me or is the article a little ambiguous?
It’s a TRAP!
Anyone remember how crappy the security is on old Android phones? In my Samsung Galaxy infinite that still runs Jelly Bean you can literally reset the phone from the recovery mode... You don't even have to boot to Android to reset a stolen phone...