A professor of cryptography at John Hopkins, Matthew Green has argued Android is far behind Apple in terms of security, with Android app security risking the encryption profile and efforts made with Android app security testing. The use of full disk encryption on Android mirrors the encryption used on desktop computers, making it more vulnerable since smartphones are rarely shutdown. Hence, the cryptographic keys are still in the RAM most of the time. Apple, on the other hand, encrypts every fill separately by using file based encryption.
“Since phone batteries live for a day or more (a long time compared to laptops) encryption doesn’t really offer much to protect you against an attacker who gets their hands on your phone during this time,” says Green.
Apple’s approach to iOS security provides better protection than Android app security, with the introduction of “data protection” feature after the release of iOS 4. The file based encryption was made possible after the provision of an API to developers by which they can state a particular key class to be used while encrypting a file.
iOS comes with different classes for protection; like no protection, protected until first user authentication, and complete protection. There is a fourth class for protection of apps that make files encrypted when a class key is removed from the RAM.
Google has planned to improve Android app security with the release of Android 7.0 Nougat. This new version will introduce two protection classes i.e. device encrypted storage and credential encrypted storage. These are based on a new system called the Direct Boot which will allow Android devices to access some data before a user enters a passcode.
According to Matthew Green, Google does not lag behind in cryptography, but rather Android app security can be improved if Google gives correct guidance to developers, which it is currently lacking.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android app security testing, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.