Faux Disk Encryption: Mobile phone crypto not a magic bullet

Full-disk encryption on mobile devices is nowhere near as secure as commonly believed and Android offers less granular control than iOS, according to security researchers from NCC Group. Daniel Mayer and Drew Suarez debunked some commonly held but inaccurate beliefs about smartphone crypto as well as presenting a comparison …

  1. James 51

    It would be interesting to see how the Blackphone and Priv do compared to standard Android handsets, and how BB10 compares overall.

  2. Semtex451

    Is no one starting the...

    usual Android vs iOS bun fight?

    Is everyone still loitering in Amsterdam after last weeks conference...

    ....for the same reason as me?

    1. Anonymous Coward

      Re: Is no one starting the...

      Is no one starting the usual Android vs iOS bun fight?

      Nah. I'm just waiting for the next paper that will exclusively focus on iOS problems. If you can't recognise a trend you have no business being in security in the first place.

      In my opinion, it is possible to get any platform up to a reasonable standard, what differs is the amount of effort it requires to establish and maintain that. Even a vault with walls made from butter can be made secure if you're prepared to waste a fortune on cooling, but why should you?

      I had good hopes for BlackBerry, but although I understand the motivation to sing along with Android, I am far from enthusiastic about that. It's a shame, I rather like their Priv hardware, but I understand it's hard to maintain your own platform if people are not interested enough; going the Android route means there is at least a ready amount of apps out there.

      The blunt reality is that security is not a volume argument - it is still only of interest to a small percentage of users.

  3. gollux

    Sounds about right. Real world applications always trump academic air castle building.

    Encryption is easy, good encryption and its implementation is really, really hard.

  4. Anonymous Coward

    One Apple issue

    Moreover, locally stored data often includes authentication tokens that are, typically, longer-lived than those of browser applications.

    I recently had to disable the account of a member of staff who left in less than perfect circumstances. You would think that resetting their domain account password would suffice? Nope, their iPhone could still connect for at least 2 days. I felt like a right plonker. I'm not sure if disabling the account would have worked, but meh, I'm busy. Tried it on an S5-linked account and it lost access straight away, go figure.

    Was Exchange 2007 but now 2013; those remote wipe features are looking worth the money!

    1. Synonymous Howard

      Re: One Apple issue

      So are you saying that the issue is with iOS or that Microsoft Domain accounts are not synchronising in a timely manner?

      You can't blame a client for caching authentication tokens if the server side does not expire/invalidate their use immediately everywhere when requested to.

    2. Anonymous Coward

      Re: One Apple issue

      I'd say the blame lies in the server moreso than the phone. Maybe iOS is ignoring or otherwise incorrectly handling a message telling it to expire that token, but proper security means that you cannot depend on the client to behave.

      Otherwise one could take advantage of that misplaced trust by deliberately coding a malicious client that maintains access even after the account is locked. This would be a rather severe security problem in the event of disgruntled employees etc.
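The rule the two replies above are arguing for (the server must invalidate a token on every request once the account is reset or disabled, instead of hoping the client forgets it) as an added Python example. This is not code from the article, NCC Group, Apple or Microsoft, nor from any commenter; the HMAC-signed token format, the in-memory user directory and every timestamp are constructed for illustration, and the validators stand in for the Exchange-side check the thread is discussing.

```python
"""Server-side token validation that does not trust the client to drop a token.

Two validators are compared:
  validate_naive  - accepts any well-signed, unexpired token (the client keeps
                    working for the token's whole lifetime, as in the thread).
  validate_strict - additionally consults the account record on every request,
                    so a password reset or a disabled account cuts access at
                    once, no matter what the phone has cached.
"""
import base64
import hashlib
import hmac
import json

# Assumption: a hypothetical server-side signing key (constructed for the example).
SECRET = b"constructed-server-signing-key"


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user: str, issued_at: int, ttl: int = 30 * 24 * 3600) -> str:
    """Issue a long-lived (30 days by default) HMAC-signed bearer token."""
    claims = {"sub": user, "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _parse(token: str, now: int):
    """Return the claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims


def validate_naive(token: str, now: int):
    """Signature + expiry only: account changes have no effect until 'exp'."""
    claims = _parse(token, now)
    return claims["sub"] if claims else None


def validate_strict(token: str, now: int, users: dict):
    """Signature + expiry + live account check on every request.

    A token is rejected if the account is disabled or if it was issued before
    the most recent password change, so a reset revokes every older token.
    """
    claims = _parse(token, now)
    if not claims:
        return None
    record = users.get(claims["sub"])
    if record is None or record["disabled"]:
        return None
    if claims["iat"] < record["password_changed_at"]:
        return None
    return claims["sub"]


def demo():
    """Replay the commenter's scenario; returns (before, after_reset, after_disable)."""
    # Constructed user directory: one account, password last changed at t=1000.
    users = {"alice": {"disabled": False, "password_changed_at": 1000}}
    tok = issue_token("alice", issued_at=2000)        # phone enrols at t=2000

    before = (validate_naive(tok, 3000), validate_strict(tok, 3000, users))

    users["alice"]["password_changed_at"] = 4000      # admin resets the password
    after_reset = (validate_naive(tok, 5000), validate_strict(tok, 5000, users))

    users["alice"]["disabled"] = True                 # admin disables the account
    after_disable = (validate_naive(tok, 6000), validate_strict(tok, 6000, users))

    return before, after_reset, after_disable


if __name__ == "__main__":
    for label, result in zip(("before", "after reset", "after disable"), demo()):
        print(f"{label:14s} naive={result[0]!r:8} strict={result[1]!r}")
```

The naive validator is what the commenter observed: the phone's cached token stays good for its whole lifetime because nothing on the server re-checks the account. The strict one costs a directory lookup per request, which is the price of not depending on the client to behave.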

    3. Anonymous Coward

      Re: One Apple issue

      The blame here lies with you. You left the account enabled for what reason? You didn't do what you state you had to do, yet blame iOS? Now, if the account was disabled and somehow iOS managed to connect, the fault would be with Microsoft, but again, not the iPhone.

    4. Anonymous Coward

      Another Apple issue

      Oh, there is more that can be improved. Try to reset the certificate store when the user has stupidly accepted one of those certs hotels keep serving to allow connections to their idea of Internet (enabling a man-in-the-middle risk).

      If anyone has an idea how to do that without resetting the phone I'd be grateful. I have to find a way to lock the phone down so it's simply not possible, but I haven't found a way yet. I'm a bit new to iOS, yet I have to somehow keep this thing from going unsafe. So far, not good.

      I may just sling a VPN on it and be done with it.

      1. Sel

        Re: Another Apple issue

        Settings -> General -> Profiles

        Select the 'bad' Profile (certificate)

        Click 'Delete Profile'

        This is also where your VPN certificate will appear once served to the device.

        If you don't own the iOS device then there is not much you can do to stop users doing insecure things.

        If your company owns the iOS device and a Mac (with restricted access) then there is OS X Server Profile Manager.

        http://www.apple.com/uk/osx/server/features/#profile-manager

        There are other BYOD provisioning systems that can speak to iOS too if you don't have a Mac.
