Mobile Device Security: Data Protection on iOS and Android

Mobile device security is an important consideration in the digital age, given how much time many of us spend using phones and tablets to conduct personal and corporate business. You may already know that you can turn your own Android device into a hacking machine by using Termux for Windows, but this just goes to show how careful you need to be. If you can do that by downloading some software, imagine what professional hackers can do to access your personal data. Android and iOS devices employ various security measures to keep data safe. If you use a mobile phone for business, it might be in your best interest to invest in Mobile Threat Defense beyond the built-in systems for extra security.
In this post we compare two security methods used on both devices: data encryption and data accessibility. We’ll wrap up with recommendations for steps you can take to protect your data and improve your mobile device security.

Data Encryption and Mobile Device Security

Encryption is the process of encoding user data on a device using encryption keys, and it is the primary method by which mobile device security is achieved. After initial encryption, user-created data is automatically encrypted before being saved locally on your device. Encryption ensures that your data will be unreadable if any unauthorized party tries to access it.

How is Data Encrypted on Android?

After an Android device is initially encrypted, data stored on the device is secure behind the passcode known only to the owner. Android uses both full-disk encryption and file-based encryption. Full-disk encryption uses a single key, protected with the user’s device password, to protect the entirety of the data on the device. Upon startup, the user must provide their credentials before any part of the disk is accessible. File-based encryption is separate from this, and allows different files to be encrypted with different keys that can be unlocked independently. Information about these two types of encryption (and more) can be found on Android’s Source.

With the introduction of Android 5.0 Lollipop in 2014, the default setting for encryption was turned on, but phone makers were not required by Google to enable encryption as the default. That changed in 2015 when Android 6.0 Marshmallow was released. At that time, Google required device manufacturers to enable encryption as the default, but they also allowed some manufacturers to disable this feature for devices that couldn’t handle the workload. In addition, each phone manufacturer can modify the look of Android by adding or removing features, which may introduce bugs or security vulnerabilities in the process. As a result, because there are so many Android device makers and the requirements differ for some of them, security can be compromised.

How is Data Encrypted on iOS?

For iOS, you can choose to encrypt the contents of your phone, tablet, or watch by adding a passcode to the device. With the release of iOS 8 in 2014, Apple began encrypting iOS devices, making items stored on the phone inaccessible to anyone without the device’s passcode. Apple took mobile device security one step further by requiring multiple pieces of information to unlock data stored within the device. One piece, the passcode, is known only by the device owner and the other is embedded inside the device and unknown to anyone. Technical information about iOS security can be found on the most recent iOS Security white paper.

Data Accessibility and Mobile Device Security

As it pertains to mobile device security, the concept of data accessibility refers to whether the data saved on your device is accessible to other apps. Android and iOS approach this accessibility a bit differently.

Data Accessibility on Android Devices

Each Android app is housed in a virtual sandbox that keeps personal data safe. Apps are able to access photos and location only if owners give permission. However, app data is sometimes saved external to the app and may be accessible by other apps, creating a potential security concern.

Data can be saved in three ways for Android apps: internal storage, external storage, or by a content provider. Files created on internal storage are accessible only to the app, and Android implements this protection, which is sufficient for most apps. Additional security can be provided by encrypting local files using a key that is not accessible to the app through file-based encryption. Files created on external storage, such as SD cards, are globally readable and writable, and therefore sensitive information should not be stored there. Content providers (e.g. services like Dropbox) offer structured storage that can be limited to one app or exported to allow access by other apps.

In Android, app developers are able to programmatically query device information, including the device phone number. Apps can request permission to allow read access to your phone’s information, and can then use this permission to monitor the call status of your device, for example, to behave correctly when you receive an incoming call. However, this permission also enables apps to have access to your phone’s identifying information, such as IMEI, phone number, and cellular network information.
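
The following added example, which is not code from the original post, checks a merged AndroidManifest.xml for the three exposure points described above: the phone-state permission, external storage access, and content providers exported without a permission. The manifest, the package name com.example.notes and the provider names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

RISKY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "can read IMEI, phone number, network info",
    "android.permission.READ_EXTERNAL_STORAGE": "reads shared external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "writes to shared external storage",
}

# Constructed sample (merged) manifest for a hypothetical app, com.example.notes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <provider android:name=".NotesProvider" android:exported="true"/>
    <provider android:name=".SyncProvider" android:exported="true"
              android:permission="com.example.notes.SYNC"/>
    <provider android:name=".CacheProvider"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (rule, subject, reason) findings for permission and provider exposure."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append(("permission", name, RISKY_PERMISSIONS[name]))
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    for prov in root.iter("provider"):
        # Without an explicit attribute, a provider is exported by default
        # only when the app targets API level 16 or lower.
        exported = prov.get(A + "exported", "true" if target <= 16 else "false") == "true"
        guarded = any(prov.get(A + k) for k in ("permission", "readPermission", "writePermission"))
        if exported and not guarded:
            findings.append(("provider", prov.get(A + "name"), "exported with no permission"))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("%-10s %-45s %s" % finding)
```
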

Data Accessibility on iOS Devices

Like Android, every app on an iOS device runs in its own sandbox. App Sandbox is designed to contain damage to the system and the user’s data if an app becomes compromised. The app has access only to its own data and code, and as far as it knows, it’s the only thing running on that device. Well-defined protocols exist to exchange data between apps on an iOS device, but both apps have to agree, and a specific conversation has to happen between the apps for the data to be transferred securely.

Apple controls the underlying device infrastructure and does not hand any of this control over to developers. iOS blocks apps from reading phone number or device identification from the device. This control is a major difference between iOS and Android. At InspiringApps, we have occasionally received requests to develop an app that will change the behavior of another app, such as iMessage, which is impossible to do with iOS.

The steps that Apple has taken should give users comfort that they are running apps from known developers and that those developers have created apps that play by the rules on the platform.

How Should You Protect Data on Your Mobile Device?

Android Users

Check the encryption status of your device by opening the Settings app and selecting Security. The Encryption section will contain the encryption status of your device. If it is not encrypted, find a time when you do not need your device for about an hour, then tap the option to encrypt it. Depending on your device model and data, it may take up to an hour to encrypt your device. In addition, keep your OS up to date, as security enhancements are included in new OS releases.

iOS Users

Set up Touch ID & Passcode under Settings. Use an alphanumeric passcode containing at least six digits. The longer password is more time-consuming to enter, but with Touch ID enabled, you will not have to enter it too often. Keep your OS up to date. Apple will remind you regularly when a new version is available to install.

Interested in learning more about data security and protecting your personal information? Over the past month we’ve discussed several ways to protect your privacy in the digital age. Check out our post on the practice of behind-the-scenes data tracking (and how to opt out if you desire), as well as the post on protecting personal information you proactively provide.