Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Android vs iOS physical security for power users
2 views
Skip to first unread message
xJumper
Sep 4, 2018, 2:13:16 AM9/4/18
to
Just gonna start off by saying that I'm not asking this question in the
traditional sense of iOS vs Android that's been done over numerous times.
It's pretty clear and accepted that for the average dumb user the Apple
walled garden, forced updates, overly restrictive app store, locked down
permissions, etc; actually keeps the phone more secure for most users. I
would call that "artificial" security in a sense but it's security
nevertheless.
My question is on the physical/software security/permission model of the
underlying software as it relates to security/privacy.
First thing is encryption. What kind of encryption does Android use? I
understand it uses dm-crypt (don't know too much about that) which is
something that's found in Linux and used in LUKS for FDE. Do we know
what kind of encryption scheme/ciphers/algorithms full disk encryption
in Android uses? Also do we know what iOS uses and how it compares to that?
I don't know the answer to the above but I have a feeling that both use
cryptographically sound systems that are equally secure provided the
user does their part. So why is it that iPhones seem to be considered
the staple of security e.g. the whole standoff with the FBI/San Bernardino?
Next is, does it even matter? Even if the encryption is solid, 99% of
phone users for the sake of convenience aren't going to pick a brute
force proof password. Setting your screen pin to 1337 or 1978 means it's
instantly brute forced. So really what's the point of good encryption then?
The only edge I see that iOS might have is the way Apple implements
their password policy. e.g. you can set a short 4 digit pin to unlock
your phone but after say 10 failed attempts you need to type in a full
20+ character password. This way the encryption can actually do it's job
and be brute force proof.
Other than the above, assuming you are going to be a power use, I can't
really see what makes a iPhone running iOS more "secure" than a power
user running LOS + root + Xposed, etc. Which is strange considering the
iPhone is always championed as the holy grail of security today with
Android phones being malware central.
iOS you are walled in regardless of being a power use or not. If you
are, running LOS + root + Xposed you have all the control possible, you
can completely gut the phone of Google/Analytics/Tracking, system wide
firewall, ad blocking, VPN using secure open source protocols like
OpenVPN 256, set defaults to cryptographically secure/backdoor free open
source software like Signal/Silence for communications, etc. You can
give an app the sensitive permissions it requires to install yet
actually deny it at the OS level through Privacy Guard permissions (this
one is huge). You can install only trusted open source apps from F-Droid
or even well known ones from the Play Store through Yalp, etc and as
long as you are smart about it you'll be as safe as iOS users running in
their walled garden app store.
Don't get me wrong, this is a question I'm asking. If there's something
I've overlooked or don't know about I'd love to know but as it stands I
can't really understand how iOS is considered more "secure" than Android
given the above situation and the "power user" preface. The only other
thing I could think of was maybe the cryptography they each implement
for FDE, (e.g one is better than the other) which is why I asked the
question earlier.
Last angle I can think of is that for Android phones running custom ROMs
require an unlocked boot loader which can open up an attack vector for
things like cold boot attacks and various other attacks that can be done
should an attacker have physical access to your phone. Then again the
San Bernardino iPhone was cracked as well since the FBI had physical
access to it so the iPhone doesn't really win out here either.
So if you're a power user, is iOS more "secure" than an Android phone?
Is there anything else in the software or the way something is
implemented in the software/permission model that makes iOS inherently
more secure than Android?
traditional sense of iOS vs Android that's been done over numerous times.
It's pretty clear and accepted that for the average dumb user the Apple
walled garden, forced updates, overly restrictive app store, locked down
permissions, etc; actually keeps the phone more secure for most users. I
would call that "artificial" security in a sense but it's security
nevertheless.
My question is on the physical/software security/permission model of the
underlying software as it relates to security/privacy.
First thing is encryption. What kind of encryption does Android use? I
understand it uses dm-crypt (don't know too much about that) which is
something that's found in Linux and used in LUKS for FDE. Do we know
what kind of encryption scheme/ciphers/algorithms full disk encryption
in Android uses? Also do we know what iOS uses and how it compares to that?
I don't know the answer to the above but I have a feeling that both use
cryptographically sound systems that are equally secure provided the
user does their part. So why is it that iPhones seem to be considered
the staple of security e.g. the whole standoff with the FBI/San Bernardino?
Next is, does it even matter? Even if the encryption is solid, 99% of
phone users for the sake of convenience aren't going to pick a brute
force proof password. Setting your screen pin to 1337 or 1978 means it's
instantly brute forced. So really what's the point of good encryption then?
The only edge I see that iOS might have is the way Apple implements
their password policy. e.g. you can set a short 4 digit pin to unlock
your phone but after say 10 failed attempts you need to type in a full
20+ character password. This way the encryption can actually do it's job
and be brute force proof.
Other than the above, assuming you are going to be a power use, I can't
really see what makes a iPhone running iOS more "secure" than a power
user running LOS + root + Xposed, etc. Which is strange considering the
iPhone is always championed as the holy grail of security today with
Android phones being malware central.
iOS you are walled in regardless of being a power use or not. If you
are, running LOS + root + Xposed you have all the control possible, you
can completely gut the phone of Google/Analytics/Tracking, system wide
firewall, ad blocking, VPN using secure open source protocols like
OpenVPN 256, set defaults to cryptographically secure/backdoor free open
source software like Signal/Silence for communications, etc. You can
give an app the sensitive permissions it requires to install yet
actually deny it at the OS level through Privacy Guard permissions (this
one is huge). You can install only trusted open source apps from F-Droid
or even well known ones from the Play Store through Yalp, etc and as
long as you are smart about it you'll be as safe as iOS users running in
their walled garden app store.
Don't get me wrong, this is a question I'm asking. If there's something
I've overlooked or don't know about I'd love to know but as it stands I
can't really understand how iOS is considered more "secure" than Android
given the above situation and the "power user" preface. The only other
thing I could think of was maybe the cryptography they each implement
for FDE, (e.g one is better than the other) which is why I asked the
question earlier.
Last angle I can think of is that for Android phones running custom ROMs
require an unlocked boot loader which can open up an attack vector for
things like cold boot attacks and various other attacks that can be done
should an attacker have physical access to your phone. Then again the
San Bernardino iPhone was cracked as well since the FBI had physical
access to it so the iPhone doesn't really win out here either.
So if you're a power user, is iOS more "secure" than an Android phone?
Is there anything else in the software or the way something is
implemented in the software/permission model that makes iOS inherently
more secure than Android?
123456789
Sep 4, 2018, 10:53:50 AM9/4/18
to
On 9/3/2018 11:13 PM, xJumper wrote:
> 99% of phone users for the sake of convenience aren't going to pick a
> brute force proof password. Setting your screen pin to 1337 or 1978
> means it's instantly brute forced.
One thing I like about my Android phone and tablets is being able to use
> 99% of phone users for the sake of convenience aren't going to pick a
> brute force proof password. Setting your screen pin to 1337 or 1978
> means it's instantly brute forced.
a pattern instead of a pin. It's seems easier to me, YMMV. I don't know
how it compares in security. I suppose it depends on the complexity of
the pattern chosen.
> So if you're a power user, is iOS more "secure" than an Android
> phone?
to report the phone's loss and change my app passwords.
Theo
Sep 6, 2018, 3:43:54 AM9/6/18
to
xJumper <suga...@mailinator.com> wrote:
> So if you're a power user, is iOS more "secure" than an Android phone?
> Is there anything else in the software or the way something is
> implemented in the software/permission model that makes iOS inherently
> more secure than Android?
Read:
> So if you're a power user, is iOS more "secure" than an Android phone?
> Is there anything else in the software or the way something is
> implemented in the software/permission model that makes iOS inherently
> more secure than Android?
https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
In short, Android doesn't have the System Security section - Android phones
are Just Another Linux Box. Android's disc encryption is just software,
while on iOS it's part of the trusted path to the flash. If you have a
kernel exploit or root you completely own an Android system - but not an
iOS one.
Theo
xJumper
Sep 6, 2018, 10:09:50 AM9/6/18
to
On 09/06/2018 03:43 AM, Theo wrote:
> In short, Android doesn't have the System Security section - Android phones
> are Just Another Linux Box. Android's disc encryption is just software,
> while on iOS it's part of the trusted path to the flash. If you have a
> kernel exploit or root you completely own an Android system - but not an
> iOS one.
>
> Theo
Thats the kind of stuff I'm talking about. Upon posting this I stumbled
> In short, Android doesn't have the System Security section - Android phones
> are Just Another Linux Box. Android's disc encryption is just software,
> while on iOS it's part of the trusted path to the flash. If you have a
> kernel exploit or root you completely own an Android system - but not an
> iOS one.
>
> Theo
upon that .pdf by Apple. It does seem that they do implement an
extensive hardware encryption model not found on any other phones right now.
On the flip side I've never been one to trust "hardware" encryption and
neither do many other power users, e.g. VeraCrypt is considered the gold
standard vs all the random companies making hardware/tpm based encrypted
flash memory USB dongles. The main negative being that we have no idea
how it is actually implemented/if the encryption is what they say it is
(e.g. I think it was Sandisk, the controversy with their encrypted USB
flash drives and a generic admin password bypassing everything). Then
again, we have seen real life examples of Apple tech withstanding three
letter agencies in the real world and their refusal to input in kind of
backdoor.
0 new messages