I’m not writing this for the benefit of any criminals or would-be terrorists out there. There are many more law abiding citizens that value their 4th amendment and Bill of Rights right to privacy out there than there are spies, terrorists and criminals looking to exploit security flaws. Now that that disclaimer is out of the way, here is a quick analysis into security, encryption and your options to keep your iPhone (and any mobile device) safe from those that seek to capture your data without consent. If you want to skip directly to the need-to-know steps, skip down a few paragraphs.
Tim Cook nailed it when he said our smartphones have more personal information about us than any other device. That includes personal messages, banking information and the location of people’s children and other family members. Yes, Cook played the “think of the children” card. Up until now, Apple’s argument was mostly technical (encryption technology), a little corporate (writing an entire GOVT OS is an undue burden) and a smidge legal (All Writs Act is how old?). Now they’ve turned the FBI’s emotional arguments against the FBI by invoking the possibility of foreign and terrorist states knowing the whereabouts of our children (never mind our own government). This is all worst case scenario stuff but let’s look at a few degrees between the “boycott Apple” hysterics of a Trump and the “single iPhone” downplaying of the Feds.
Encryption is Perfect But Security is Not
Encryption is mathematically perfect but it serves the greater purpose of security which is not perfect. After all, The best security simply serves as a deterrent for thieves to move onto easier targets. But there are some patterns and facts we can sort through regarding encryption. Apple uses both software and hardware end-to-end encryption on all of their devices since iPhone 5s. This is because iPhone 5s and newer all contain a separate co-processor that Apple calls the secure enclave. In this secure enclave are not only the keys (your passcode) to that particular device but also a hash of your Touch ID biometric fingerprint identity. So the secure enclave is a separate, encrypted repository for secure data – very tough to crack. Apple holds this distinct advantage over Google who enables only software encryption in all Android devices. Google would love to enable hardware encryption in all Android devices but they cannot possibly control the hardware in every Android manufacturer because of the fragmentation that exists in that ecosystem. So is hardware necessarily better than software only? It depends who you ask?
Notable iPhone hacker, Jonathon Zdziarski and a handful of other famous hackers and professors have filed Amici Curiae as a show of support for Apple in their stance against the FBI saying, “Obtaining the “GovtOS” software will be an attractive target for authoritarian states, hackers, spies, and criminals. Users of iPhones and other mobile devices would lose trust in automatic software updates, which are a crucial means of maintaining device security. In short, the court’s order jeopardizes the security of everyone in the name of breaking into a single device.“
Hackers like Zdziarski go onto say that Apple holds the consumer smartphone industry’s highest level of security because their users upgrade devices more current and frequently than any other large portion of smartphone users. And since Apple is the only one who can sign and approve any security updates for their devices, users will begin to ignore or even avoid security updates from Apple if they believe Apple is working with the US government to give free reign over all of our data. But aren’t they already working with the government on many cases?
Apple has unlocked 70 iPhones to date and have stated they will continue to assist the US government in any way when presented with legal court orders or warrants. They will however, fight those requests that require them to re-write their own code to weaken their own security and that is what brings us to this case. But what about iCloud security? Didn’t Apple offer to hand over the alleged terrorist’s secure iCloud data?
Just Because iCloud is Encrypted Doesn’t Mean it’s Absolutely Secure
In their iOS security white paper, Apple assigns “Data Protection” and “No Protection” security classes to iCloud data depending upon the type of data. All data is encrypted but Apple does have the keys for some of this data. The reasoning for these security inconsistencies comes back to the original purpose of iCloud which is to allow for convenient backups and retrieval of data. Another feature of iCloud is the ability of Apple to retrieve account information for users who have lost or forgotten their passwords. If they did not help out these forgetful souls, you would have many angry users who have forever lost access to their first born’s birth or deceased grandmothers last photos or text messages. So it is impossible to securely encrypt an entire iPhone over iCloud when Apple holds the key to some of that data. However, Apple does encrypt things like your wifi password, keychain and health data in such a way so they could not give you that info even if they were forced to by anyone – they do not have that key. Apple does encrypt lots of other data but it is encrypted with a key that only they have to retrieve data for the user – Apple has the key to this data. Of course Apple also doesn’t bother to encrypt many files such as music and movies because those are all readily re-downloadable to their rightful owner with the correct Apple ID. So what options does that leave a privacy and security paranoid user like me and you?
Backup and Encrypt Locally
The only way to ensure that no one has access to your private iPhone data is to backup locally and encrypt using iTunes. Oh, and do not update your iPhone ever because if it’s possible for the government to compel Apple to create a backdoor, it’s feasible that regular security OS updates contain a key to unlock your encrypted data. Remember, we’re talking worse case scenario here and in that case Apple is complying with the wishes of the Feds. And since we’re talking worst case, remember that by backing up locally you remove Apple as a buffer – it’s just you against the law at that point so have a sledgehammer handy to smash that iMac hard drive beyond repair when you hear the battering ram outside your door.
Currently Apple wields an impressive list of big wig backers for their legal stance but they are all trying to keep customers and while law enforcement and politicians are all trying to make their jobs much easier and get votes respectively. The only faction that can be trusted wholly are the ones that answer to math – security experts. Of course they have their own agendas but as a discipline, security experts must all obey the same laws of mathematics and encryption. There is no interpretation or corruption of these processes, that we leave up to users, corporations, politicians, law enforcement, etc.
Apple has always been about balancing user convenience with features and in that respect, this case bears some similarities. The only problem is that it appears that a security balance was already in place and that the FBI (and many other agencies) are now looking to shift the balance so that they hold all the keys and make their jobs easier in an effort to protect us all.
It’s not hard to imagine the FBI winning this and forcing Apple and every smartphone maker to create back doors. After all, the Patriot Act was passed primarily due to fear of terrorism and it’s not hard to find opposition to that legislation these days. But it’s not fair to lay blame on past circumstances and decisions when discussing future precedents so I will let Benjamin Franklin take us out…
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”