How Law Enforcement Bypasses Android and iOS Encryption
25 Mar 2021
Given how regular encryption-weakening law proposals are, one could assume that security standards in our smartphones are good enough to protect our data.
Unfortunately, researchers from Johns Hopkins University debunk that wishful thinking, stating that the mainstream mobile operating systems, iOS and Android, do not extend their encryption protection as far as they could, presumably so that law enforcement agencies have better luck extracting encrypted data from seized devices.
Because this concerns the two most popular mobile operating systems, we need to learn how law enforcement bypasses Android and iOS encryption and whether it is possible to make our devices a bit more secure.
Locks Are Useful, But Not Against Everyone
Many people use screen locks to fend off ill-mannered people from snooping through their private business.
It is an excellent feature for keeping curious eyes off your screen, but it goes beyond just blocking others from accessing your data directly. When you set a screen lock on your device, whether through a fingerprint, a passcode, or Face ID, the feature encrypts the content of your device, or in simpler terms, turns it into ciphertext.
To decode such data, a third party in control of your device would need the decryption key, which is regenerated only when the passcode is entered or the fingerprint is presented. But there is a problem: a security shortcoming that sidesteps this protective measure is present in both Android and iOS.
To understand it, you need to know that our smartphones are under “Complete Protection” only until the first user authentication after the device is booted from a powered-off state. In the Complete Protection state, the encryption keys are stored deep within the operating system and are themselves encrypted.
This state is aptly called “Before First Unlock” (BFU), and it is followed by “After First Unlock”, or simply the AFU state, in which the encryption keys are held in quick-access memory and are not as well protected.
In the AFU state, an attacker who can read that memory can quickly access the encryption keys and decrypt sensitive user data. That is a problem, since our phones are in the AFU state almost all the time.
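The BFU/AFU distinction is easier to reason about with a toy model of per-class key management. The following Python is an added, hypothetical simplification written for this article, not Apple's or Google's implementation: it derives two class keys from the passcode and a constructed per-device hardware secret, wraps each file's key under its class key, evicts only the Complete Protection key on lock, and then reports which stored files could be decrypted using nothing but the keys left resident in RAM in each state. The class names, the PBKDF2 parameters and the HMAC-based stream cipher are illustrative choices, not the real cryptography.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical, simplified model written for this article; it is not Apple's
# or Google's implementation. Two data-protection classes are modelled:
#   "complete": class key is evicted from RAM every time the device locks
#               (the "Complete Protection" state the article describes).
#   "afu":      class key is derived at first unlock and stays in RAM until
#               reboot (the "After First Unlock" state).
CLASSES = ("complete", "afu")


def derive_class_key(passcode: str, hardware_uid: bytes, cls: str) -> bytes:
    # The passcode is entangled with a per-device hardware secret, so key
    # derivation (and therefore passcode guessing) must happen on the device.
    salt = hardware_uid + cls.encode()
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000, dklen=32)


def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC in counter mode); it stands in for AES here and
    # is its own inverse, so it serves for encrypt/decrypt and wrap/unwrap.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class Device:
    def __init__(self, passcode: str) -> None:
        self.uid = secrets.token_bytes(16)  # constructed hardware UID
        self._passcode = passcode
        self.ram: Dict[str, bytes] = {}  # class keys currently resident in RAM
        # name -> (class, file key wrapped under class key, ciphertext)
        self.files: Dict[str, Tuple[str, bytes, bytes]] = {}
        self.state = "BFU"

    def unlock(self, passcode: str) -> bool:
        if not hmac.compare_digest(passcode.encode(), self._passcode.encode()):
            return False
        for cls in CLASSES:
            self.ram[cls] = derive_class_key(passcode, self.uid, cls)
        self.state = "unlocked"
        return True

    def lock(self) -> None:
        # Locking evicts only the Complete Protection key; the AFU key stays
        # so background services keep working, which is the exposure at issue.
        self.ram.pop("complete", None)
        self.state = "AFU"

    def reboot(self) -> None:
        self.ram.clear()
        self.state = "BFU"

    def store(self, name: str, data: bytes, cls: str) -> None:
        # Each file gets its own key, wrapped under the class key (device must be unlocked).
        file_key = secrets.token_bytes(32)
        self.files[name] = (cls, xor_stream(self.ram[cls], file_key), xor_stream(file_key, data))

    def read(self, name: str) -> Optional[bytes]:
        # Succeeds only if the file's class key is resident in RAM right now.
        cls, wrapped, ciphertext = self.files[name]
        class_key = self.ram.get(cls)
        if class_key is None:
            return None
        return xor_stream(xor_stream(class_key, wrapped), ciphertext)


def exposed_from_ram(device: Device) -> Dict[str, bool]:
    # Which stored files are decryptable with only the keys resident in RAM,
    # i.e. without the passcode. True means exposed in the current state.
    return {name: device.read(name) is not None for name in device.files}


def walkthrough() -> Dict[str, Dict[str, bool]]:
    # Boot, unlock once, store one file per class, then lock and reboot.
    d = Device("correct-horse-battery")
    d.unlock("correct-horse-battery")
    d.store("notes", b"private notes", "complete")
    d.store("mail_cache", b"inbox snapshot", "afu")
    result = {"unlocked": exposed_from_ram(d)}
    d.lock()
    result["AFU"] = exposed_from_ram(d)
    d.reboot()
    result["BFU"] = exposed_from_ram(d)
    return result


if __name__ == "__main__":
    for state, files in walkthrough().items():
        print(state, files)
```

Running `walkthrough()` shows the point of the article in three lines: everything is readable while unlocked, only the "complete" class goes dark after locking, and nothing is readable from RAM after a reboot. The model also makes clear why the BFU state only helps for data assigned to the Complete Protection class, which is the option the article later notes Android lacks.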
Nobody Powers Their Devices Down After Each Use
Now, the AFU state is integral to how law enforcement extracts data from devices: most forensic tools do not break encryption but instead find a way around it.
If the keys have been evicted from memory, the process is far less streamlined. Even the most prominent tools, produced by private forensics companies such as Cellebrite and Grayshift, struggle with BFU mode and fall back to brute-forcing the passcode after removing the limit on the number of attempts.
Such companies rely not only on the AFU state but also stockpile zero-day vulnerabilities that help them bypass security measures more effectively. They keep their tools secret for as long as possible so that the platform vendors cannot fix the underlying bugs and render the forensics technology obsolete.
One thing forensics companies do not keep secret is the range of services they provide.
You can discover a wide range of features advertised on the official website, or hear about them on social media, where they proudly present their flagship product, the Universal Forensic Extraction Device. It can unlock the majority of iOS phones and high-end Android devices.
They also offer different tiers of service, just like some popular media streaming platforms.
Nothing Is Protected As Much As It Could Be
The full report by the Johns Hopkins University researchers also highlights the weaknesses of iPhone cloud backup and services, evidence of past hardware (SEP) compromise on iOS, and limitations of “end-to-end encrypted” cloud services that companies like Cellebrite cover with other tools.
More than that, the company provides a dedicated application for browsing extracted data, such as browser and location history, installed apps, multimedia, social media statistics, and much more sensitive data. Upturn researchers discovered approximately 50,000 examples of US police in all 50 states using mobile device forensic tools (MDFTs) to access smartphone data between 2015 and 2019.
Furthermore, this openness has attracted 7000 customers in 150 countries for the Israeli company, and needless to say, not all of those customers work in law enforcement. Airports, private companies, border patrols, and even some schools have used this technology to scan the data on locked devices.
Even though the protections currently in place on our smartphones are adequate for a number of threat models, the researchers concluded that they would not stop specialized forensic tools. Apple representatives pointed out that the types of attacks described by the researchers are very costly to develop, require physical access to the target device, and only work until the vulnerabilities are patched.
Android representatives echoed the sentiment of their colleagues, but added that we can expect additional security features in new releases. Android does need to step up its game, as it does not provide an option to keep some data under Complete Protection the way iOS does.
Plus, it has more ground to cover, with a larger attack surface to look after.
Should Law Enforcement Have the Ability to Access Encrypted Communications?
All this raises a very real question: if the state of mobile security is so underwhelming, why have the governments of the US, UK, India, and Australia spent so much time mounting attacks on encryption?
The answer is really simple: encryption works, and it works so well that governments worldwide feel the need to invoke national security as a reason to plant backdoors.
Some researchers consider the current AFU-state shortcomings a “necessary evil” and a way to “throw intelligence companies a bone”, stalling the progression of anti-encryption acts.
Use a longer alphanumeric password and abstain from Touch ID and Face ID if security means more to you than convenience. And if you want another layer of encryption security for your personal data, you should take advantage of StealthTalk, available for both iOS and Android.