Android vs iOS: The great security debate

Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, ransomware, malware, rotten apps on the iTunes store, and social engineering have been appearing in the news far more often in recent times. Then there is the question of the iPhone's encryption being implemented in closed source firmware, meaning that any reliance on it is based on trust.

On the other hand, it is hard not to admit that for people with a limited understanding of the risks, Android can be somewhat of a digital gauntlet. Torch apps, for example, have been found to request demanding permissions that allow for snooping, and it would take prejudice not to admit that the platform has its problems.

Why is it, then, that Android feels like it has a fighting chance of holding its own in the battle between the platforms?

Apple asked to 'jailbreak' its own system

As widely reported in recent news, Apple was asked by the FBI to help break the passcode on the San Bernardino shooter’s phone. In fact, what really happened is that the FBI asked Apple not to decrypt the phone but rather to ‘jailbreak’ its iOS operating system: to take off the time delays between failed attempts that make its 4-bit encryption ‘relatively’ safe. So, what does that mean?

With the 4-bit encryption on that particular iPhone, there are 10,000 unique possibilities for unlocking the phone. These days, that would actually be very easy for data cracking software to decrypt with brute force (trying each possible option one at a time).

It’s for this reason that, in order to make 4-bit encryption work, there must be a time delay security feature of exponentially increasing waiting periods between failed attempts.

When a person (or cracking software) fails five attempts at guessing the four-digit passcode, the phone implements a 20-minute cool-off period. Get it wrong another five times and there is a 40-minute wait, followed by 80 minutes and so on. It’s this security feature the FBI wanted Apple to ‘jailbreak’ (and not the encryption itself), because not having to wait for the delay between attempts would allow the phone to be decrypted vastly more quickly.
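The schedule described above, modelled as an added example (not code from the article or from Apple): it computes how many guesses the policy permits inside a time window and how long working through all 10,000 codes would take. It assumes guesses take no time, the first five attempts are free, and the cool-off keeps doubling without a cap.

```python
from fractions import Fraction

KEYSPACE = 10_000          # four-digit passcode, per the article
ATTEMPTS_PER_BATCH = 5     # failures allowed before each cool-off
FIRST_DELAY_MIN = 20       # first cool-off; assumed to double after every batch


def lockout_after(batch: int) -> int:
    """Cool-off in minutes imposed after the given failed batch (1-based)."""
    return FIRST_DELAY_MIN * 2 ** (batch - 1)


def total_wait(batches: int) -> int:
    """Minutes spent waiting in order to be allowed `batches` batches of guesses."""
    # No wait precedes the first batch, so only batches - 1 cool-offs are served.
    return sum(lockout_after(b) for b in range(1, batches))


def guesses_within(budget_min: int) -> int:
    """Most guesses the schedule permits inside a time budget."""
    batches = 1
    while (batches * ATTEMPTS_PER_BATCH < KEYSPACE
           and total_wait(batches + 1) <= budget_min):
        batches += 1
    return min(batches * ATTEMPTS_PER_BATCH, KEYSPACE)


def success_chance(budget_min: int) -> Fraction:
    """Chance that a uniformly random passcode is among the permitted guesses."""
    return Fraction(guesses_within(budget_min), KEYSPACE)


def minutes_to_exhaust() -> int:
    """Waiting time needed before every one of the KEYSPACE codes has been tried."""
    batches = -(-KEYSPACE // ATTEMPTS_PER_BATCH)  # ceiling division
    return total_wait(batches)


if __name__ == "__main__":
    for label, minutes in (("1 day", 1_440), ("1 year", 525_600)):
        print(f"{label}: {guesses_within(minutes)} guesses, "
              f"chance {float(success_chance(minutes)):.2%}")
    print("digits in minutes-to-exhaust:", len(str(minutes_to_exhaust())))
```

Under these assumptions the delay, not the size of the code space, is what limits guessing: a full year of waiting buys only 75 attempts.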

Social engineering

Apple refused. Cue John McAfee, a computer programmer famed for his antivirus company. He has offered to decrypt the phone in question for the FBI with social engineering. Many people were quick to dismiss the claims, calling McAfee mad for suggesting it, but in reality social engineering could indeed help to unblock the phone.

That is because ‘social engineering’ could, in this case, be as simple as using all available information on the San Bernardino shooter to decide what four-digit codes to attempt first. These could include family birthdays, former house numbers, dates of graduating from schools, or perhaps numbers that relate to the man’s culture history and religion - all of which can be considered as part of a social engineering hacking technique for narrowing the data field.

McAfee (or anybody else trying to hack the phone) would still be left with the problem of the iOS encryption’s extra security feature of an ever-increasing delay time between failed attempts. There are, of course, ways around this problem. Firstly, as the FBI asked Apple to do, the phone could be ‘jailbroken’ of this added security, and perhaps McAfee believes he could have done this with the resources at his disposal.

Another theoretical possibility is to make multiple copies or ‘emulations’ of the phone’s iOS within another computer: virtual machines. Running a thousand emulations of that phone's iOS, you would only have to wait for the delay between tries ten times; this would allow the cracking software to break into the iPhone much more quickly. Make ten thousand virtual versions of the phone’s iOS and you would be able to crack it in one go.

A combination of social hacking (for more precise targeting) and the implementation of virtual emulations (or a ‘jailbroken’ delay) would theoretically allow the phone to be cracked more quickly.

What about Android?

Firstly, Android users can make use of third-party apps that are open source. This means that the encryption can be independently reviewed, so there is no real trust involved, unlike with Apple. With Android, it is also much more likely that third-party developers will implement higher end encryption sooner, to gain a foothold in an encryption software market estimated to be worth $4.82bn (£3.46bn) by 2019.

Apple, on the other hand, is a multinational conglomerate that is more concerned with commercial marketing (delivering profits to shareholders) and with ruling with a tight corporate fist over its proprietary software. It is for this reason that, as time passes, we can perhaps expect to see higher end encryption on Android sooner than on iOS.

The big question that we are left with, as to the future of the two platforms, is this:

Will Apple continue to make users rely on its word, and insist on making people trust that it is implementing safe encryption? Or will it dare to step into the world of open source, peer reviewed technology that would allow people to trust iOS encryption, and perhaps allow Apple to regain its place as the distinctively better platform on the market? If Apple clings to corporate secrecy, on the other hand, it could allow Android to leap ahead by benefiting from the surge of encryption.

Ray Walsh, Cyber Security Analyst, BestVPN
