Limitations of Data Protection in iOS 4

Data Protection at work in iOS 4

Apple’s recently released iOS 4 provides enhanced “data protection”, but there is very little on the web now that explains what this really means. In this post I clarify what data protection is and what some of its limitations are.

What Data Protection Is

First of all, it’s important to note what encryption capability the iPhone already had (which I discussed here). The release of the iPhone 3GS (and later the iPod Touch 3rd Generation) brought hardware-based full disk encryption (FDE) to the iPhone. This was designed to accomplish one thing: instantaneous remote wipe. While the iPhone 3G had to overwrite every bit in flash memory (sometimes taking several hours), disk wiping on the 3GS worked by simply erasing the 256-bit AES key used to encrypt the data; the ciphertext stays in flash but is unreadable without the key.

Unfortunately, disk encryption on the iPhone did little beyond enabling remote wipe. Mobile forensicator Jonathan Zdziarski found that the iPhone OS transparently decrypts data whenever it is read, so anyone who can get the device to read its own file system gets plaintext, which makes the encryption worthless for protecting data against anything but a wipe.

So I was curious to learn what encryption improvements were made in iOS 4. Apple calls its new scheme “data protection”, and it is a substantial improvement in security design. Its primary advantage is that the user’s passcode or password is used to derive a key that protects data on the device. When the phone is locked or turned off, that key is immediately discarded from memory, making data secured by it inaccessible until the passcode is entered again.

Limitations of Data Protection

The details of how data protection works are described in Apple’s recently released videos from its world-wide developers conference (see Session 209 “Securing Application Data”). This information is protected by an NDA, but I’ll summarize at a high level five basic limitations.

First, to make data encryption work a user must have an iPhone 4, iPhone 3GS, or iPod Touch 3rd Gen (previous iPhones don’t support hardware encryption). Importantly, 3GS users who upgrade to iOS 4 must restore the device, because the iOS 3 file system doesn’t support the new data protection scheme. The steps to do this are described here.

Second, files are encrypted individually, under a protection class that an app must request through the data protection API when it writes the file. This means that developers must deliberately choose to use data protection in their apps; otherwise their data is unprotected. Currently, Apple says that only Mail is set up to use data protection, although they say they will eventually bring it to other applications. So even with data protection enabled, text messages, contacts, photos, web history, in short everything else, are left unprotected.

Third, a user must set a passcode or password. The strength of the passcode is up to the user, and users tend to pick short ones, which is generally a good thing for forensicators.

Fourth, to mitigate the threat of a brute force attack, the file encryption requires a key that exists only in the device’s hardware, in addition to the key derived from the user’s passcode. Guesses therefore have to be run on the device itself, and the derivation is slow by design: the iPhone 4 takes about 50 milliseconds to derive the key once a passcode is submitted. This means an attacker can test only about 20 passcodes per second.

This might not sound like much of a speed reduction, but it compares well with software-based encryption products, which can be attacked offline on fast hardware. By comparison, I’ve used AccessData’s Password Recovery Toolkit to guess up to 900,000 passwords a second against encrypted Microsoft Office files; encrypted PGP files allow about 900 guesses per second.

Fifth, a weakness in the data protection system is something called the “Escrow Keybag”, a collection of keys, stored on a paired computer, that is sufficient to decrypt every protected file on the device without the user’s passcode. This was done to allow computers to sync with the iPhone without asking the user for the passcode every time.

This was a deliberate trade-off to improve the user experience. Apple’s rationale was that if an attacker obtained the PC holding the escrow keybag, the attacker most likely already had the user’s important data anyway, since the PC syncs with the phone. For forensicators, this means that if a user’s computer is obtained along with the iPhone, it will be much easier to decrypt the user’s protected data.
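To make the five points above concrete, here is an added toy model of the key hierarchy as this post describes it; it is example code written for this page, not Apple’s implementation and not from the WWDC session. Per-file keys are wrapped by a class key, the class key is wrapped by a key derived from the passcode and a device-bound secret, and an escrow keybag holds the same class key wrapped under a key kept on the device. The names (Device, derive_passcode_key, wrap/unwrap, escrow_keybag), the XOR-under-an-HMAC-pad key wrap (standing in for AES key wrap), the SHAKE-256 keystream (standing in for AES file encryption), the single protection class and the PBKDF2 iteration count (standing in for the roughly 50 ms on-device derivation) are all this model’s own assumptions.

```python
"""Toy model of the iOS 4 data-protection key hierarchy (added example, not Apple's code).

Stand-ins: XOR under an HMAC-derived pad instead of AES key wrap, a SHAKE-256
keystream instead of AES file encryption, one protection class instead of several.
"""
import hashlib
import hmac
import os

KEY_LEN = 32


def derive_passcode_key(passcode, device_key, salt, iterations):
    """Slow iterated derivation, then tangled with a key only the device holds.

    device_key never leaves the hardware, so a guess can only be checked on the
    device, at the device's own speed; there is no offline shortcut.
    """
    soft = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, KEY_LEN)
    return hmac.new(device_key, soft, hashlib.sha256).digest()


def wrap(kek, key):
    """Toy key wrap: XOR with an HMAC-derived pad plus a tag so a wrong kek is detected."""
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(key, pad))
    return wrapped + hmac.new(kek, wrapped, hashlib.sha256).digest()[:16]


def unwrap(kek, blob):
    """Inverse of wrap(); returns None when kek is wrong."""
    wrapped, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()[:16]):
        return None
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def _stream_xor(file_key, data):
    """Toy file encryption: XOR with a SHAKE-256 keystream (same call decrypts)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(file_key).digest(len(data))))


class Device:
    def __init__(self, passcode, iterations=1000):
        self.uid_key = os.urandom(KEY_LEN)     # fused into the hardware; never readable
        self.salt = os.urandom(16)
        self.iterations = iterations           # stands in for the ~50 ms on-device cost
        self.escrow_key = os.urandom(KEY_LEN)  # kept on the device, not on the host
        class_key = os.urandom(KEY_LEN)        # protects files whose app opted in
        pk = derive_passcode_key(passcode, self.uid_key, self.salt, iterations)
        self.system_keybag = wrap(pk, class_key)               # unlocked by the passcode
        self.escrow_keybag = wrap(self.escrow_key, class_key)  # copied to the paired PC
        self._class_key = None                 # in memory only while unlocked
        self.files = {}

    def unlock(self, passcode):
        pk = derive_passcode_key(passcode, self.uid_key, self.salt, self.iterations)
        self._class_key = unwrap(pk, self.system_keybag)
        return self._class_key is not None

    def lock(self):
        self._class_key = None                 # class key discarded on lock or power-off

    def write(self, name, data, protected):
        """Opted-in app: per-file key wrapped by the class key. Other apps: key in the clear."""
        file_key = os.urandom(KEY_LEN)
        if protected:
            if self._class_key is None:
                raise PermissionError("device is locked")
            meta = wrap(self._class_key, file_key)
        else:
            meta = file_key
        self.files[name] = (protected, meta, _stream_xor(file_key, data))

    def read(self, name, class_key=None):
        """Plaintext, or None when a protected file's class key is unavailable."""
        protected, meta, ct = self.files[name]
        if protected:
            ck = class_key if class_key is not None else self._class_key
            file_key = unwrap(ck, meta) if ck is not None else None
            if file_key is None:
                return None
        else:
            file_key = meta
        return _stream_xor(file_key, ct)


def brute_force_on_device(dev, candidates):
    """Attacker holding the device: every guess costs one on-device derivation."""
    tries = 0
    for guess in candidates:
        tries += 1
        if dev.unlock(guess):
            return guess, tries
    return None, tries


def brute_force_offline(dev, candidates):
    """Attacker with a dump of salt and keybag but no uid_key: no guess can be verified."""
    for guess in candidates:
        pk = hashlib.pbkdf2_hmac("sha256", guess.encode(), dev.salt, dev.iterations, KEY_LEN)
        if unwrap(pk, dev.system_keybag) is not None:
            return guess
    return None


def class_key_via_escrow(dev, escrow_keybag):
    """Paired host's keybag plus the device's escrow key: class key, no passcode needed."""
    return unwrap(dev.escrow_key, escrow_keybag)


def seconds_to_exhaust(keyspace, ms_per_guess):
    """Exhaustive search at the on-device rate, e.g. 10**4 four-digit PINs at 50 ms each."""
    return keyspace * ms_per_guess / 1000.0
```

Running the model end to end shows each limitation in turn: a file written without data protection reads back while the device is locked, a protected file does not; the offline search over the keybag dump never verifies a guess because the hardware key is missing, while the on-device search succeeds at one derivation per guess (10,000 PINs at 50 ms each is about 500 seconds); and the escrow keybag plus the device recovers the class key with no passcode at all.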

Updated August 6, 2010: Elcomsoft has announced that its iPhone Password Breaker tool can recover iPhone keychains (probably the escrow keybag) from password-protected iPhone backups.

Summary

Currently, data protection in iOS 4 is still limited. Apps must be updated to use data protection, and so far only Mail does so. All other data can be easily obtained without the user’s passcode.

Even so, data protection in iOS 4 represents a significant improvement over encryption in iOS 3. It is clear that Apple is striving to iteratively improve security on the iPhone, which is a good thing.

In the meantime, it looks like forensicators won’t have to worry too much about getting the data they need off of an iPhone.

7 thoughts on “Limitations of Data Protection in iOS 4”

  1. Pingback: Core Data and Enterprise iPhone Applications – Protecting Your Data « Nick Harris

  2. Clive

    Great article – One of the few iOS 4 data protection write-ups I could find via Google. One question. Clearly there are limitations with successfully executing a remote wipe, however how secure is using the erase all data and settings feature with iPhone 4? Your article indicates that the 256-bit encryption key is erased, but does this process truly secure personal data from being recovered? Any idea if the device writes over the deleted key? Trying to gauge the risk of using the device for business and inevitably selling it in the future when the next “best” thing comes out or the dropped calls push me over the edge first – Thanks

  3. admin Post author

    Clive:

    I haven’t tested this, but my understanding is that the “Erase All Content and Settings” option does erase the 256-bit key used to encrypt the file system. Once the encryption key is erased, the data on the phone is unrecoverable.

  4. Pingback: Forrester’s iPhone Article | HackerSafe Security Related Blog for all

  5. Pingback: Apple and their elusive Full Disk Encryption solution - Encryptsolutions

  6. Daan

    Anthony,

    Do you know if this is still the case for iOS 4.2.1, and on all platforms like the iPad?
    The security documentation of Apple on the iPhone does mention the fact that data protection is only enabled for Email and its attachments and/or applications that use the Data Protection API.
    http://images.apple.com/iphone/business/docs/iPhone_Security.pdf
    An acknowledgement of this fact was the vulnerability where one could call/access the addressbook by the ### emergency call showing that not all data was actually encrypted with the users key/password.

    This is however no longer mentioned in the documentation for the iPad:
    “iPad offers 256-bit AES encoding hardware-based encryption to protect all data on the device. Encryption is always enabled and cannot be disabled by users.”
    http://images.apple.com/ipad/business/docs/iPad_Security.pdf

  7. Paul

    I think that admin is right.

    Long story short, I misplaced my iPod for 3 weeks, thought it was gone for good, and initiated remote wipe via Exchange server to wipe the iPod. I had given it permission earlier to do so on the iPod side. Unfortunately the iPod had powered off and never got the message until I happily found it and re-entered my new Exchange password… As soon as it connected the wipe went through, device powered off.

    Turned it on and it needed to be reconnected to iTunes. I re-added the device and didn’t resync any of the data or music. I then jailbroke it and made a disk image with dd, and ran PhotoRec on it. I’ve tried it with Intel (Mac i386) partition type as the option and I was unable to recover any of my photos. I’m trying it again now with “Mac” partition selected.

    Not looking good though.
