Mobile Security

Google Pixel and Apple iPhone security

Kyle Brosseau

January 19, 2017 - Posted by Kyle Brosseau to Security Insight

Phone Security

As we begin the New Year, many of us are still enjoying the new toys received during the holiday season — toys such as a new iPhone 7 or maybe even the new Google Pixel. Cell phones, like anything else, come with a variety of choices based on size, OS, manufacturer, storage space, screen clarity, etc. But do most people consider which devices are the most secure?

In our industry, people tend to make this the focal point of research before purchasing a new phone. But most of the time, others outside IT security do not. In this blog, I’m going to review some of the security features that the iPhone7 and Google Pixel offer, as well as a few of the areas where they are lacking in security or have vulnerabilities.

Google Pixel Security Features

First, let’s take a look at the Google Pixel and some of its security features. Unlike other smartphones, the Pixel uses file-based encryption rather than full disk encryption. This allows files to be encrypted with different keys. In addition, the Pixel uses ARM’s TrustZone software to secure the phone if stolen or compromised. Trustzone uses a Verified Boot process to decrypt the OS and also extends the time between incorrect login attempts, increasing that delay after each incorrect attempt. According to Google, with 1624 valid four-point patterns, and the waiting period described above, it would take more than four years to go through all possible passwords.

Google went in a different direction than the industry-standard eCryptfs encryption. Google instead built encryption directly into the ext4 file system to support the performance standards of the device. Google will also be managing all OS updates, which will be delivered more promptly than with other Android devices. In previous Android models updates were pushed by the manufacturer, taking several weeks or months, and leaving those devices vulnerable due to lack of updated patches.

iPhone 7 Security Features

The iPhone 7 offers many different security features, both hardware and software based. One of the biggest hardware features is the fingerprint scanner or use of a four or six-digit passcode. Using either of these features adds an encryption key, and if neither is entered then the key cannot be recovered.  Another security feature is the iOS itself. The iOS platform only allows Apple-signed software to run on the devices, and if unauthorized software is observed the boot chain is terminated. The iPhone 7 and iOS offer disk encryption, app encryption and iMessage encryption (to make sure that private messages stay private). 

Lastly, Apple has refused to build in a backdoor to their devices, even when asked by the government. This shows that Apple puts the user security first, even with external pressure. This is a very important security feature for the iPhone and Apple.    

Both the Pixel and iPhone devices are different in the security options that they offer, but both have made advances and offer good security for the user in their own ways. Now that we’ve discussed some of the features, let’s discuss some of the flaws that have been discovered on both platforms.

Apple iOS Security Flaws

Apple addressed 12 vulnerabilities in its latest iOS update, some of which could have allowed for arbitrary code execution. As described by Threatpost in a recent blog, one of the vulnerabilities allowed memory corruption that could cause code execution, by way of a certificate crafted by an attacker in Apple Mail or Safari.  Another issue was a vulnerability to trick Siri or Apple’s accessibility feature, VoiceOver, into bypassing the lock screen. By doing this, an attacker with physical access to an iPhone could gain access to photos and contacts. 

Two other vulnerabilities that were addressed were for the application SpringBoard, which manages the home screen on iOS devices. The first vulnerability allowed an attacker to gain access by resetting the password. The second allowed an attacker to use Springboard to keep the phone unlocked. In conjunction with those two vulnerabilities, if an attacker had a device that was unlocked, they could also disable the Find My iPhone setting. 

Google Pixel Security Flaws

The first and most well-known issue was seen at the PwnFest hacking competition, where a white hat hacking group called Qihoo 360 gained remote access to the Google Pixel in less than 30 seconds.  This was attributed to a remote code execution attack against Chrome.  The details have not been released, as the zero-day exploit is still being addressed and patched. 

Another security flaw is the use of the serial number for the HTC made front facing camera sensor as it switches between apps. While this isn’t as critical as a zero-day exploit, it could be used to track devices, which is very concerning in regard to personal privacy and security.

Other noteworthy vulnerabilities that were identified and patched at the beginning of the year were for remote code execution, elevation of privilege and information disclosure vulnerabilities found in Mediaserver, denial of service vulnerabilities found in telephony and remote code execution vulnerabilities found in Framesequence. A full list of these can be seen at: http://source.android.com/security/bulletin/2017-01-01.html

Both devices are solid choices and are the state of the art when it comes to technology. Apple has always focused on security in their devices and continues to improve upon that with each new release. Google has boasted that the Pixel is just as secure as the iPhone 7. They are both solid choices and both will continue to improve.

References:

https://security.googleblog.com/2016/11/pixel-security-better-faster-stronger.html?utm_source=ausdroid.net
http://www.androidauthority.com/google-pixel-security-features-explained-730143/
https://threatpost.com/apple-fixes-12-vulnerabilities-in-ios-10-2/122428/
http://source.android.com/security/bulletin/2017-01-01.html

Read more on Solutionary Minds about:

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)

LATEST TWEETS