Apple, Android, BlackBerry phones: What can’t be hacked?
Corrections & Clarifications: The phone the FBI is seeking to access was used, by not owned, by Syed Rizwan Farook.
SAN FRANCISCO — The tech world is holding its breath for the courtroom showdown between the FBI and Apple over a government request for a backdoor to the iPhone used by San Bernardino terrorist Syed Rizwan Farook.
The fight is one example of how security has long been a selling point in smart phones, dating back to the long-encrypted BlackBerry.
“The tech industry tries to build the most secure products possible,” says Harvey Anderson, chief legal officer at computer security company AVG Technologies.
There’s no real way for consumers to protect themselves against the privacy concerns raised by possible government-mandated backdoors in mainstream phones on the market today.
Which is why some say the Apple-FBI fight may give tech companies a long-term incentive to build products so secure that they cannot be hacked. “If Apple had done it right, and no backdoor was available (to iPhone 5c), this would not be an issue,” Anderson said.There’s no real way for consumers to protect themselves against the privacy concerns raised by possible government-mandated backdoors in mainstream phones on the market today.
Ultimately, the Farook case “compels Apple to build a next-generation, ultra-secure phone,” says Jonathan Zittrain, an Internet law professor at Harvard Law School.
Until such new, super-secure phones are built, the question for ordinary users’ concerned about privacy will be this — how secure is my phone compared with the other brands available? Here’s an overview:
Google’s Android:
Phones that use the Android operating system are the most popular worldwide and in the United States, with 53% of market share according to comScore MobiLens.
These Android phones come in multiple flavors. When it first launched Android in 2007, Google made the decision to give away its software and not tie it to any one device or carrier. That means that today there are literally dozens of slightly different types of the Android operating system running on phones built by multiple companies and using the cell networks of dozens of companies.
That openness makes Androids cheaper and popular. Globally, four out of five smart phones are powered by Android. However it also means the phones’ security can vary tremendously depending on what flavor of the operating system is being used, what the hardware is and which carrier the phone runs on.
On new phones using the latest version of Android, Marshmallow, released last October, the phone is fully encrypted on all devices that support a secure lock screen. Older phones that were updated to Marshmallow may not be fully encrypted as they may not meet the necessary requirements.
Android Marshmallow uses AES 128-bit encryption as the default, though stronger versions are possible. Advanced Encryption System is a standard first established by the U.S. National Institute of Standards and Technology and generally used in phones. The larger the bit number, the more difficult the key is to break. However, key length is generally not the weakest link in a phone’s security, so anything from 128-bit on up is considered reasonable.
Many agree that the biggest security threat to Android phones is the platform’s open app system. While Apple’s apps must all be vetted by the company to run on its phones, Google allows users to run unapproved apps as well. Apps not purchased from Google’s own app store can contain malicious code that could allow an outsider to access the phone.
Samsung’s Knox (presumably after the super-safe Fort Knox) is an example of a feature built around security. First announced in 2014, Knox only works with selected Samsung phones, because it integrates directly with the hardware.
Apple’s iPhone:
Apple is generally regarded as having the most secure mainstream phones on the market today, a place once held by BlackBerry. All Apple phones have been fully encrypted since the release of iOS 8 in 2014. From iOS 9 forward the system uses an AES 256-bit key.
Apple phones are protected from malicious apps by the company’s stringent vetting process and rigid sandboxing system, which keeps apps from accessing other apps.
Currently, Apple has about 41% of U.S. smartphone market share.
Microsoft’s Windows:
The Windows 8.1 operating system was the first version of Microsoft’s mobile platform that supported full-device encryption. However it comes disabled by default and the phone’s administrator must enable it.
Windows 10 Mobile also support encryption and must be turned on by the customer.
Windows handsets are not currently thought to be very vulnerable to app-based attacks, in part because the platform has a relatively small app library that is generally thought to be relatively free of malware.
BlackBerry Limited’s BlackBerry:
For years, the BlackBerry was the device of choice for those wanting strong security. They provided a secure network and chip-level hacking protections that others lacked. BlackBerrys have been fully encrypted for at least a decade.
However the phone’s market share had shrunk to less than 2% in the United States in 2015 so it’s no longer a viable option for many companies.
Hard-core security
For those for whom security is paramount, there’s a phone with high security and high prices to match.
Silent Circle’s $799 Blackphone 2 delivers full device encryption by default. The enterprise-grade phone works with Android and through Silent Circle’s own Silent OS, an operating system built around privacy.
Contributing: Jon Swartz.