Mobile encryption: How to protect data on the go
There’s a persistent belief only large and prominent organizations are targets for hackers, but unfortunately that’s not the case. In fact, hackers often target small- and medium-sized businesses precisely because they generally have weaker security practices and often have relationships with larger enterprises. The 2013 data breach that exposed the credit card data of more than 40 million Target accounts began when hackers infiltrated the systems of a contractor Target used to monitor its HVAC systems.
While many smaller organizations are finally beginning to take IT security seriously, there’s still one area where they often lag behind: mobile security. Besides common steps like enabling two-factor authentication, ensuring that their mobile data is properly encrypted is one of the best steps organizations of any size can take to protect themselves from hackers.
Why mobile encryption matters
Mobile encryption is about more than individual privacy. It’s also been at the center of some major legal disputes around digital privacy and security. Specifically, the FBI has taken Apple to court at least 11 times to compel it to extract user data (as in photos, texts, emails and contacts) from locked iPhones. In the most famous instance, the FBI sued Apple in 2016 to develop software that could unlock the work phone of one of the San Bernardino attackers. Apple’s objection had less to do with the particulars of this case than with its strong reluctance to develop a digital backdoor that would make it easier for law enforcement to access locked phones and encrypted data.
The problem is that backdoors make it easier for anyone, including malicious actors, to access that same data. These disputes are about more than the specifics of one high-profile criminal investigation – they reveal exactly how vulnerable sensitive data remains even on encrypted mobile devices.
As mobile devices become more and more central to the way people work, organizations need to develop or in some cases adapt their IT security policies. In this article, we’ll take a brief overview of mobile encryption, compare hardware- and software-based encryption techniques, and consider the additional challenges of mobile encryption and the cloud.
The basics of mobile encryption
There are lots of different ways to encrypt a mobile device, but they all fall under two broad categories of approaches: hardware-based and software-based. Software encryption uses special software installed on the host system to produce and verify the keys to encrypt data, while hardware encryption uses a dedicated piece of hardware called an encryption engine to perform those same calculations.
Note: It just so happens that Apple and Google have taken broadly different approaches to mobile encryption, with Apple choosing a hardware-based approach for iOS while Google opts for software-based encryption for Android, so we’ll refer to each while discussing their respective approaches. Just note that these approaches aren’t exclusive to either OS: Some Android devices use hardware encryption and iOS also uses software encryption for some features.
The software approach: Economical, universal
Software-based encryption is a broad category encompassing an array of different techniques, the specifics of which we won’t go into here. What they generally have in common is that they rely on the host system’s resources to generate the keys used to encrypt and decrypt the device’s data. The most important considerations when it comes to software-based encryption are whether data is encrypted at the level of disks, partitions, or individual files while at rest, and at what point the data is encrypted while in transit.
As of Android 7.0, Google supports both full-disk and file-based encryption. With the former, a single key protects the device’s userdata partition and can only be unlocked using the device’s passcode, while the latter allows individual files to be secured with different keys that are unlocked independently of one another.
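To make the difference between the two layouts concrete, here is an added example (not code from the article, and not Android's own implementation) that models both key hierarchies. It assumes a toy stream cipher built from an HMAC-SHA256 keystream in place of AES so that it runs on the Python standard library alone; the paths, passcodes and file contents are constructed. The file-based model follows Android's split into device-encrypted (DE) files, readable as soon as the device boots, and credential-encrypted (CE) files, which need the passcode, and shows why destroying one file's wrapped key erases only that file.

```python
"""Added example: full-disk versus file-based key hierarchies as a toy model.
An HMAC-SHA256 keystream stands in for AES (real devices use AES-XTS for the
partition and per-file AES for files) so the script needs only the standard
library; the key hierarchy is the point, not the cipher."""
import hashlib
import hmac
import os


def derive_kek(passcode: str, salt: bytes) -> bytes:
    """Stretch the passcode into a key-encryption key (toy iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC keystream; same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def wrap(kek: bytes, key: bytes) -> bytes:
    """Wrap a key under a KEK as nonce || ciphertext || MAC."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, key)
    return nonce + ct + hmac.new(kek, nonce + ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Undo wrap(); raises ValueError for a wrong KEK or a destroyed blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or missing wrapped key")
    return keystream_xor(kek, nonce, ct)


class FullDiskEncryption:
    """One volume key for the whole userdata partition: nothing on it is
    readable until the passcode unwraps that key."""

    def __init__(self, passcode: str):
        self.salt, self.volume_key = os.urandom(16), os.urandom(32)
        self.wrapped_volume_key = wrap(derive_kek(passcode, self.salt), self.volume_key)
        self.partition = {}  # path -> (nonce, ciphertext)

    def write(self, path: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self.partition[path] = (nonce, keystream_xor(self.volume_key, nonce, plaintext))

    def read_after_boot(self, path: str, passcode=None) -> bytes:
        if passcode is None:
            raise PermissionError("full-disk: no key at all before the passcode")
        volume_key = unwrap(derive_kek(passcode, self.salt), self.wrapped_volume_key)
        nonce, ct = self.partition[path]
        return keystream_xor(volume_key, nonce, ct)


class FileBasedEncryption:
    """Every file gets its own key, wrapped under one of two class keys. The
    device-encrypted (DE) class key comes from a hardware-bound secret available
    at boot; the credential-encrypted (CE) class key needs the passcode.
    Destroying one file's wrapped key erases that file alone."""

    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self.de_class_key = os.urandom(32)  # stands in for the hardware-bound secret
        self.ce_class_key = os.urandom(32)
        self.wrapped_ce_class_key = wrap(derive_kek(passcode, self.salt), self.ce_class_key)
        self.files = {}  # path -> (class, wrapped file key, nonce, ciphertext)

    def write(self, path: str, plaintext: bytes, storage_class: str = "CE") -> None:
        class_key = self.de_class_key if storage_class == "DE" else self.ce_class_key
        file_key, nonce = os.urandom(32), os.urandom(16)
        self.files[path] = (storage_class, wrap(class_key, file_key), nonce,
                            keystream_xor(file_key, nonce, plaintext))

    def read_after_boot(self, path: str, passcode=None) -> bytes:
        storage_class, wrapped_file_key, nonce, ct = self.files[path]
        if storage_class == "DE":
            class_key = self.de_class_key
        elif passcode is None:
            raise PermissionError("credential-encrypted file: passcode not yet entered")
        else:
            class_key = unwrap(derive_kek(passcode, self.salt), self.wrapped_ce_class_key)
        return keystream_xor(unwrap(class_key, wrapped_file_key), nonce, ct)

    def crypto_erase(self, path: str) -> None:
        """Drop only this file's wrapped key; the ciphertext may stay on flash."""
        storage_class, _, nonce, ct = self.files[path]
        self.files[path] = (storage_class, b"", nonce, ct)


def try_read(device, path: str, passcode=None):
    """Read and report the outcome as a value instead of an exception."""
    try:
        return device.read_after_boot(path, passcode)
    except (PermissionError, ValueError) as exc:
        return f"locked: {exc}"


if __name__ == "__main__":
    fde, fbe = FullDiskEncryption("1234"), FileBasedEncryption("1234")
    fde.write("/data/alarms.db", b"07:00")  # constructed sample content
    fbe.write("/data/alarms.db", b"07:00", storage_class="DE")
    fbe.write("/data/messages.db", b"see you at 9", storage_class="CE")
    print("FDE before passcode:", try_read(fde, "/data/alarms.db"))
    print("FBE DE file before passcode:", try_read(fbe, "/data/alarms.db"))
    print("FBE CE file before passcode:", try_read(fbe, "/data/messages.db"))
    fbe.crypto_erase("/data/messages.db")
    print("FBE CE file after erase:", try_read(fbe, "/data/messages.db", "1234"))
```

Running the script shows the practical consequence: with full-disk encryption an alarm or a phone call cannot be serviced until the user types the passcode, whereas the file-based layout lets DE files open at boot and still keeps CE files locked; the final read shows that erasing one wrapped key leaves the rest of the device untouched.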
Software-based encryption has a lot going for it, and many security professionals choose it as their default approach for mobile encryption. For one, it’s an economical solution that provides IT with a convenient way to protect all devices across an organization, no matter what operating systems or devices individual users are running. While it needs to be periodically updated, changing your encryption software won’t require you to trade in your old device.
Because software-based encryption relies on the host system’s hardware, performance can be an issue. Encryption is a computationally complex process, which can cause significant slowdowns while data is being encrypted and while individual files are being decrypted.
Another, potentially more serious drawback to the software approach is that it’s generally considered more vulnerable to being compromised than devices using hardware-based encryption. That’s because the device is only as secure as the host system. If a hacker is able to get into a device by way of an OS vulnerability or similar route, software-based encryption won’t help.
The hardware approach: Increased security at a cost
This is the approach preferred by Apple and some high-end Android phones. These devices contain dedicated cryptographic engines (in the case of iOS devices, this engine sits between the flash storage and main memory) to generate encryption keys. This lets them do their thing without impacting the rest of the device’s performance.
The other advantage to using separate hardware for generating keys is that it’s generally considered much more secure, since it’s almost impossible for a hacker to penetrate it. In the case of iOS devices, every step of the boot process is cryptographically signed to ensure that no part has been tampered with, making it pretty much immune to contamination by malware.
That said, hardware encryption comes with its tradeoffs as well. While hardware encryption may be convenient for individual users who don’t need to manage or update anything, from IT’s perspective it may be harder to apply policies across an organization, especially one where people might be bringing their own devices, because encryption is handled at the level of individual devices. A final consideration is cost: encryption engines aren’t cheap, which is why they’re generally only found on iPhones and more expensive Android devices. Depending on how scrappy your organization is trying to be, it may simply not be feasible to issue every team member a high-end smartphone.
What about the cloud?
Whatever approach you choose for encrypting data on your mobile devices, there’s another major factor to keep in mind: lots of mobile data is backed up on an external server, either in the cloud or on-site. While most cloud storage services offer some level of protection from hackers, no system is invulnerable. Because the files from different tenants are often stored next to one another, a vulnerability in another organization’s system could potentially expose your data as well.
Also note that while most cloud servers are encrypted to prevent external intrusion, the data is still accessible to the service provider itself. This means that if the provider were served with a valid warrant, it could still decrypt the data and produce it to the relevant authorities.
What if you need a way to protect your data even when it’s stored on a public cloud service? There are a number of services, both proprietary and open-source, that offer end-to-end encryption for files stored on the cloud. That way, even if Google's or Apple’s service suffers a data breach, your files will remain inaccessible. Cryptomator is one such service that offers open-source client-side encryption for most of the major cloud storage services, including Dropbox, Google Drive and iCloud.
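The contrast between the last two paragraphs, provider-side encryption at rest that the provider can undo versus client-side encryption it cannot, is easiest to see in code. The following is an added example, not code from the article and not Cryptomator's implementation. It assumes the same toy HMAC-SHA256 keystream in place of AES so it runs on the standard library alone, a deterministic HMAC of the file name as the obfuscated object name (real tools use a proper name-encryption scheme), and constructed file names and contents. Both stores are then asked to "comply with a warrant" and we check what plaintext each hand-over contains.

```python
"""Added example: who can read a cloud backup, provider-encrypted versus
client-encrypted. Toy cipher, standard library only; the key placement is the point."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC keystream; same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class ProviderEncryptedStore:
    """Encryption at rest done by the provider with a provider-held key: this
    protects against stolen disks, but the provider can decrypt on demand."""

    def __init__(self):
        self._provider_key = os.urandom(32)  # lives in the provider's key store
        self.blobs = {}                      # object name -> (nonce, ciphertext)

    def upload(self, name: str, data: bytes) -> None:
        nonce = os.urandom(16)
        self.blobs[name] = (nonce, keystream_xor(self._provider_key, nonce, data))

    def download(self, name: str) -> bytes:
        if name not in self.blobs:
            raise ValueError("no such object")
        nonce, ct = self.blobs[name]
        return keystream_xor(self._provider_key, nonce, ct)

    def comply_with_warrant(self) -> dict:
        """Everything the provider can produce: it removes its own at-rest
        layer from every object it holds."""
        return {name: self.download(name) for name in self.blobs}


class ClientVault:
    """Client-side (end-to-end) encryption layered on top of any blob store.
    The key is derived from the vault password on the device and is never
    uploaded; object names are obfuscated too, so the listing leaks only sizes."""

    def __init__(self, password: str, store: ProviderEncryptedStore, salt: bytes = None):
        self.salt = salt or os.urandom(16)  # stored next to the vault, not secret
        self.key = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.store = store

    def _object_name(self, name: str) -> str:
        # Deterministic, so the client can find a file again without a local index.
        return hmac.new(self.key, b"name:" + name.encode(), "sha256").hexdigest()

    def put(self, name: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        ct = keystream_xor(self.key, nonce, plaintext)
        tag = hmac.new(self.key, nonce + ct, "sha256").digest()
        self.store.upload(self._object_name(name), nonce + ct + tag)

    def get(self, name: str) -> bytes:
        blob = self.store.download(self._object_name(name))
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, nonce + ct, "sha256").digest()):
            raise ValueError("wrong vault password or tampered object")
        return keystream_xor(self.key, nonce, ct)


def try_get(vault: ClientVault, name: str):
    """Fetch a file and return None instead of raising on failure."""
    try:
        return vault.get(name)
    except ValueError:
        return None


def leaked_plaintext(handover: dict, secret: bytes) -> list:
    """Object names in a hand-over whose content still contains the secret."""
    return sorted(name for name, data in handover.items() if secret in data)


if __name__ == "__main__":
    store = ProviderEncryptedStore()
    note = b"meeting notes: merger on Friday"  # constructed sample content
    store.upload("diary.txt", note)            # plain upload, provider encrypts at rest
    ClientVault("correct horse", store).put("diary.txt", note)  # client encrypts first
    handover = store.comply_with_warrant()
    print("objects handed over:", list(handover))
    print("objects revealing the secret:", leaked_plaintext(handover, b"merger"))
```

The hand-over lists two objects, but only the plainly uploaded one reveals the note; the vault's copy comes back as ciphertext under an opaque name even after the provider strips its own encryption, which is exactly the property the article attributes to client-side encryption.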
Need help developing a mobile encryption strategy?
The first step to protecting your organization against cyberattacks is developing a comprehensive security strategy. Protecting sensitive data on mobile devices can require different strategies and types of encryption from data stored on physical servers or data in transit. If you’re looking to ensure your data is as safe as possible, you might consider hiring a mobile security expert to help you identify the best ways to protect your data without negatively impacting device performance.
Learn how AT&T Tech Support 360SM, staffed by cybersecurity experts, can help you save time, money and perhaps your data.