Android, iOS on Opposite Sides of Encryption Divide
Mar 18, 2016 10:17 AM PT
Consumers’ understanding of what encryption does apparently doesn’t determine whether they use the technology, with iPhone owners much more likely to use encryption than Android users.
Most Android phones are not encrypted, either by user choice or manufacturer design. About 95 percent of all iPhones are encrypted, compared with less than 10 percent of Android phones, according to a report in The Wall Street Journal.
Why? Google has been slow in mandating full-disk encryption. The feature generally is turned off by default in Android smartphones that have it.
A majority of consumers perceive encryption positively, and 95 percent believe their sensitive information should be encrypted online, according to a survey released this month by ZixCorp.
More than 500 users responded to the poll. When asked if they had ever used encryption, 43 percent said no and 25 percent said they weren’t sure. Just 32 percent said they had used encryption.
The survey did not classify respondents as Apple or Android users.
The Value of Encryption
Seventy-five percent of respondents said they provided sensitive personal information such as credit card numbers, addresses and Social Security numbers when online shopping, banking, and sending or receiving email, the survey found. Respondents associated encryption with privacy (24 percent) and security (72 percent).
“Smartphones and tablets are a window into our lives. They contain sensitive data — from our location to bank account information to personal communication with friends and loved ones,” said David Wagner, CEO of ZixCorp.
“Based on survey results, I am pleased people in the U.S. understand the value of encryption and how it is used to secure their data and, more importantly, their privacy,” he told LinuxInsider.
Understanding vs. Acting
The encryption issue may be the root of a new divide between the haves and the have-nots.
“When it comes to security threats on mobile devices, there is no comparison. Studies show that as much as 97 percent of all mobile malware targets Android, while iOS suffers from functionally none,” said Alex Pezold, CEO of TokenEx.
“This is deeper than just encrypting data. Android phones are outright sitting ducks to a degree,” he told LinuxInsider.
Only users of the handful of Android phones that launched with encryption have their data secured, according to Jason L. Bauman, SEO associate at Trinity Insight Philadelphia.
“While whole-device encryption is actually available on any Android phone starting with Gingerbread — Android 2.3 — which was released in 2011, most users won’t have it because the option is buried deep in the device settings,” he told LinuxInsider.
What’s the Difference?
Several critical differences exist in encryption technology applied to Apple and Android phones, noted Navroop Mitter, CEO of ArmorText. Android smartphone owners have to take extra steps to encrypt their data.
“Apple puts out a single device variant at a time and controls how the operating system updates work with older devices,” he told LinuxInsider. “This determines if certain new security features will be available for older iOS devices or not and if the user experience impact is acceptable.”
Manufacturers often use the Android OS on lower-end devices. Those cheaper smartphones lack the processing power to encrypt the device without destroying the user experience, Mitter said.
Apple has simplified the process of encrypting its devices and their contents, but it requires using a passcode.
“This is something more than 64 percent of smartphone users do not do,” said Mitter.
Why the Difference?
Google does not require manufacturers of Android-based phones to encrypt their devices. That’s partly because of a long-standing concern from manufacturers that performance would be impacted, according to Nathan Wenzler, executive director of security at Thycotic.
“Since Google’s Android business model relies on as many manufacturers as possible building and selling Android phones, they are not in a good position to require the manufacturers to encrypt everything,” he told LinuxInsider.
“It should be noted that Google does use encryption on their own Android devices and has publicly discussed how they would prefer if their partners would do the same,” Wenzler said.
Design is another factor. The Android OS has supported encryption for a long time, although it has not been enabled by default on most Android devices, according to Robert Grapes, vice president of marketing and operations at Graphite Software.
“Android users have been capable of enabling the encryption on their devices since Android 4.x. While Apple, as the sole provider of iOS, can declare encryption by default, it is more difficult for an open ecosystem like Android to enforce encryption by default across all of the OEMs,” he told LinuxInsider.
“Perhaps without consumer demand, the OEMs simply chose performance over a feature that may or may not have been valued,” Grapes added.
Impact on Users
Users of unsecured Android devices have no way to protect their data from criminal activity or government reconnaissance, Wenzler said. Users in countries that are notorious for disregarding the privacy of their citizens are at greater risk of having their personal information compromised.
That is where the encryption controversy comes into play, with Apple opposing federal efforts to require a backdoor into the iPhone of one of the shooters in last year’s San Bernardino, California, attack.
A multitude of malware exists for Android devices, Wenzler said.
When data is encrypted, even if hackers intercept traffic or infect a device with malware, what they are able to retrieve is virtually useless, according to Vishal Gupta, CEO of Seclore.
“When the data is not encrypted, this final defense is removed, making these devices much more lucrative targets for cybercriminals,” he told LinuxInsider. “Google is all in on encryption, but the same cannot be said for the various device manufacturers who produce Android-powered phones.”
If you ask any phone user, including iPhone users, if their device is encrypted, only a small percentage would know, Graphite Software’s Grapes suggested.
“Encryption by default is simply a good thing, and the performance of devices today supports that direction,” he said.
Making It Public
The FBI may have engineered the public fight with Apple as part of an effort to block better privacy software development, according to Wendell Adams, CEO of AB Mobile Apps.
“The case definitely seems engineered by the FBI, as Apple requested the case to be sealed and the FBI wanted it public,” he told LinuxInsider.
That view is supported by Thycotic’s Wenzler. The FBI had little reason to take the case public, and Apple made similar requests not to go public in other encryption cases.
It’s possible that the FBI attempted to gain public support and force Apple’s hand before encryption and security measures in iOS devices became so good that it would be impossible for Apple to unlock and decrypt its devices under any circumstances, Wenzler suggested.
“To me, this is the gambit the FBI chose to take, and the only path they had to try and gain support was to take it public,” he said.
However, he concluded, public sentiment is shifting toward Apple and protecting user data.