Android has taken on the same encryption solution as PCs, which makes it vulnerable.
Millions of Google accounts have reportedly been breached by exploiting an unpatched vulnerability within Google’s operating system for smartphone —Android.
At this stage, security researchers claim that Android’s encryption is still not in par to Apple’s iOS.
According to cryptography professor at Johns Hopkins University, Matthew Green, Android has taken on the same encryption solution as PCs, which makes it vulnerable because unlike the PCs smartphones are not encouraged to shut down, so the cryptographic keys remain in RAM most of the time.
“Since phone batteries live for a day or more (a long time compared to laptops) encryption doesn’t really offer much to protect you against an attacker who gets their hands on your phone during this time,” explains Green.
Apple, on the other hand, takes a different approach that offers better protection. With iOS 4, the company rolled out the ‘data protection’ feature that encrypts all the data stored on the smartphone.
While Android uses full-disk encryption (FED), Apple has a file based encryption that encrypts each file individually. This was possible once Apple provided an API developers can use to specify which class key to use in encrypting any given file.
Apple’s iOS offers different classes of protections such as: complete protection, protected until first user authentication, and no protection. There's also a fourth protection for apps that need to create new encrypted files when the class key has been evicted from RAM.
It is also safe to take pictures while the smartphone is locked, thanks to the new class created by the Apple team that uses public key encryption to write new files.
Google is planning to roll out a similar security system with its Android 7.0 Nougat. The Android Nougat comes with two protection classes: credential encrypted storage and device encrypted storage. These new protection classes are part of a newly designed system known as the Direct Boot that allows the device to access some data before the user enters the passcode.
Matthew Green says that the problem is not in the cryptography, but the fact that “Google is not giving developers proper guidance, the company may be locking Android into years of insecurity.”