Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed Solutions
Maximilian Zinkus, Tushar M. Jois, Matthew Green
Johns Hopkins University
November 19, 2020
DRAFT

Executive Summary

In this work we present definitive evidence, analysis, and (where needed) speculation to answer the questions, (1) “Which concrete security measures in mobile devices meaningfully prevent unauthorized access to user data?” (2) “In what ways are modern mobile devices accessed by unauthorized parties?” and finally, (3) “How can we improve modern mobile devices to prevent unauthorized access?”

We divide our attention between two major platforms in the mobile space, iOS and Android, and for each we provide a thorough investigation of existing and historical security features, evidence-based discussion of known security bypass techniques, and concrete recommendations for remediation. In iOS we find a powerful and compelling set of security and privacy controls, backed and empowered by strong encryption, and yet a critical lack in coverage due to under-utilization of these tools leading to serious privacy and security concerns. In Android we find strong protections emerging in the very latest flagship devices, but simultaneously fragmented and inconsistent security and privacy controls, not least due to disconnects between Google and Android phone manufacturers, the deeply lagging rate of Android updates reaching devices, and various software architectural considerations. We also find, in both platforms, exacerbating factors due to increased synchronization of data with cloud services.

The markets for exploits and forensic software tools which target these platforms are alive and well. We aggregate and analyze public records, documentation, articles, and blog postings to categorize and discuss unauthorized bypass of security features by hackers and law enforcement alike. Motivated by an increasing number of cases since Apple v. FBI in 2016, we analyze the concrete impact of forensic tools, and the privacy risks involved in unchecked seizure and search.
Then, we provide in-depth analysis of the data potentially accessed via common law enforcement methodologies from both mobile devices and accompanying cloud services.

Our fact-gathering and analysis allow us to make a number of recommendations for improving data security on these devices. In both iOS and Android we propose concrete improvements which mitigate or entirely address many concerns we raise, and provide ideation towards resolving the remainder. The mitigations we propose can be largely summarized as the increased coverage of sensitive data via strong encryption, but we detail various challenges and approaches towards this goal and others.

It is our hope that this work stimulates mobile device development and research towards increased security and privacy, promotes understanding as a unique reference of information, and acts as an evidence-based argument for the importance of reliable encryption to privacy, which we believe is both a human right and integral to a functioning democracy.

NOTE: This document is a draft and may contain technical errors. Please contact the authors if you encounter any inaccurate information.

https://securephones.io/main.pdf
