Why Not FBI Versus Android?

April 14th, 2016

When it comes to reports about the government having problems recovering data from a smartphone as part of a criminal investigation, it was all about the iPhone. You know the story: The Department of Justice was granted a court order demanding that Apple build software to bypass brute force protections on an encrypted iPhone 5c used by a terrorist in the San Bernardino attacks.

The day before a court hearing intended to deal with Apple’s protests, claiming they were being ordered to build an insecure operating system they referred to as “govOS,” the DOJ called it off. They asserted that they had been approached with a third-party solution. The following week, that solution supposedly succeeded, with the iPhone being unlocked within 26 minutes.

While there was early speculation that an Israeli mobile forensics company, Cellebrite, was given the task, it turns out that this was not so. The FBI was approached by a team of hackers that used a zero-day exploit that apparently only worked on an iPhone 5c.

Thus ensued fear-mongering that iPhones were no longer safe; well at least the iPhone 5c. But it’s not known what sort of exploit is involved, nor about the conditions required for it to work. It no doubt requires direct access to the iPhone. So unless your iPhone is stolen, or you deliberately hand it off to a hacker, there’s nothing to worry about. But the FBI isn’t explaining exactly which flaw is involved, though I’m sure Apple’s security team is busy trying to make a good guess.

Meantime, there is an elephant in the room that is not being discussed: the Android platform. Since it is highly doubtful that the iPhone is the sole choice of criminals everywhere, it would seem that many are using Android smartphones. So just how does the Department of Justice and local law enforcement authorities treat those devices? Do they need to send court orders to Google, or one of the smartphone makers, such as Samsung or HTC? If they do obtain those court orders, is there a legal scuffle over the methods used to unlock those devices, or does Google or one of its manufacturing partners simply agree to the request?

More to the point, is there any problem at all retrieving data from an Android smartphone? Yes, some are encrypted, using a software-based scheme. From a user standpoint, it means slower performance as you might expect. Apple’s encryption is hardware based. To imagine the difference, consider how poor OS X’s graphics performance was before Apple was able to add support for hardware acceleration some years back.

Since most Android smartphones aren’t encrypted, there should be little trouble getting at the data. Well, assuming the app doesn’t encrypt its own data. The popular messaging app, WhatsApp, recently advanced the platform to provide end-to-end encryption on all supported platforms. What this means is that, even if a suspect’s smartphone is unlocked, if the criminals are using WhatsApp to send messages to fellow criminals, the authorities have to get in touch with that company to work things out. But since there hasn’t been a public case involving WhatsApp, it’s hard to know how it might turn it. Would they provide a backdoor, or take Apple’s approach and just say no?

I wonder if the question is even being asked.

Now I do not pretend to be a security expert, but there are known security faults on the Android platform. Unfortunately, getting updates on an Android handset may be near impossible. Yes, Google can update the Google Play app store as needed. But Google hasn’t been able to make much progress in getting handset makers to offer critical OS updates. That’s why the percentage of upgrades to the latest and greatest version of Android may be in the single digits for months after it’s released.

So years later, hundreds of millions of Android users are running an OS that’s up to several years old, with known security holes, with no way to have them fixed.

If you have a Nexus gadget, it will run the unvarnished version of Android, without handset maker or carrier mods. In other words, no junkware. And it will receive first priority for updates. For other gear, the manufacturer needs to decide whether to issue a update and how it will be deployed. For tablets it may not be as much of an issue, but for smartphones, it’s up to the carrier to push such updates. They haven’t been historically inclined to do so for most users.

Apple achieved one key advantage when they set up their contracts with the carriers. They do not allow any tampering with your iPhone by the carrier, where they might install their own proprietary and usually poorly designed software, and Apple pushes all its updates direct to the end user. Indeed, Apple has expanded support for up to five years after a device ships. This means, as an example, that an iPhone 4s can be upgraded to the latest iOS 9 release.

To be fair, both Google and WhatsApp supported Apple in the encryption fight. But how would they react if either company found itself on the receiving end of a court order demanding they decrypt the data on a mobile device by creating some sort of backdoor? If the issue has come up, it isn’t being discussed.

In short, why must it always be about Apple?

| Print This Article Print This Article

Leave Your Comment