New research by cryptographers at Johns Hopkins University has found that governments and law enforcement agencies around the world already have methods and tools that let them access locked smartphones by exploiting security flaws in iOS and Android devices (via Wired).
“It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,” says Matthew Green, who oversaw the study.
Researchers explained that when an iPhone has been off and boots up, all the data is in a state Apple calls “Complete Protection.” But once you’ve unlocked your phone that first time after a reboot, a lot of data moves into a mode called “After First Unlock” or AFU.
Android also has a similar setup to iOS but with one crucial difference. Android has a version of “Complete Protection” that applies before the first unlock. After that, the phone data is essentially in the AFU state.
The main difference between Complete Protection and AFU relates to how quick and easy it is for applications to access the keys to decrypt data. When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and encrypted themselves. But once you unlock your device the first time after reboot, an attacker could find and exploit certain types of security vulnerabilities.
The researchers have also provided technical recommendations for how the two major mobile operating systems can continue to improve their protections. You can read the full report at the source page.