
Android, iOS on Opposite Sides of Encryption Divide


Consumers’ understanding of what encryption does apparently doesn’t determine whether they use the technology, with iPhone owners much more likely to use encryption than Android users.

Most Android phones are not encrypted, either by user choice or manufacturer design. According to a report in The Wall Street Journal, about 95 percent of all iPhones are encrypted, compared with less than 10 percent of Android phones.

Why? Google has been slow in mandating full-disk encryption. The feature generally is turned off by default in Android smartphones that have it.

According to a survey released this month by ZixCorp, a majority of consumers perceive encryption positively, and 95 percent believe their sensitive information should be encrypted online.

More than 500 users responded to the poll. When asked if they had ever used encryption, 43 percent said no, 25 percent said they weren’t sure, and just 32 percent said they had.

The survey did not identify respondents as Apple or Android users.

The Value of Encryption

Seventy-five percent of respondents said they provided sensitive personal information such as credit card numbers, addresses, and social security numbers when online shopping, banking, and sending or receiving email, the survey found. Respondents associated encryption with privacy (24 percent) and security (72 percent).

“Smartphones and tablets are a window into our lives. They contain sensitive data — from our location to bank account information to personal communication with friends and loved ones,” said David Wagner, CEO of ZixCorp.

“Based on survey results, I am pleased people in the U.S. understand the value of encryption and how it is used to secure their data and, more importantly, their privacy,” he told LinuxInsider.

Understanding vs. Acting

The encryption issue may be the root of a new divide between the haves and the have-nots.

“When it comes to security threats on mobile devices, there is no comparison. Studies show that as much as 97 percent of all mobile malware targets Android, while iOS suffers from functionally none,” said Alex Pezold, CEO of TokenEx.

“This is deeper than just encrypting data. Android phones are outright sitting ducks to a degree,” he told LinuxInsider.

According to Jason L. Bauman, SEO associate at Trinity Insight Philadelphia, only users of the handful of Android phones that launched with encryption have their data secured.

“While whole-device encryption is actually available on any Android phone starting with Gingerbread — Android 2.3 — which was released in 2011, most users won’t have it because the option is buried deep in the device settings,” he told LinuxInsider.

What’s the Difference?

Several critical differences exist in encryption technology applied to Apple and Android phones, noted Navroop Mitter, CEO of ArmorText. Android smartphone owners have to take extra steps to encrypt their data.

“Apple puts out a single device variant at a time and controls how the operating system updates work with older devices,” he told LinuxInsider. “This determines if certain new security features will be available for older iOS devices or not and if the user experience impact is acceptable.”

Manufacturers often use the Android OS on lower-end devices. Mitter said those cheaper smartphones lack the processing power to encrypt the device without destroying the user experience.

Apple has simplified the process of encrypting its devices and their contents, but it requires using a passcode.

“This is something more than 64 percent of smartphone users do not do,” said Mitter.

Why the Difference?

Google does not require manufacturers of Android-based phones to encrypt their devices. That’s partly because of a long-standing concern from manufacturers that performance would be impacted, according to Nathan Wenzler, executive director of security at Thycotic.

“Since Google’s Android business model relies on as many manufacturers as possible building and selling Android phones, they are not in a good position to require the manufacturers to encrypt everything,” he told LinuxInsider.

“It should be noted that Google does use encryption on its own Android devices and has publicly discussed how it would prefer if its partners did the same,” Wenzler said.

Design is another factor. According to Robert Grapes, vice president of marketing and operations at Graphite Software, the Android OS has long supported encryption, although it is not enabled by default on most Android devices.

“Android users have been capable of enabling the encryption on their devices since Android 4.x. While Apple, as the sole provider of iOS, can declare encryption by default, it is more difficult for an open ecosystem like Android to enforce encryption by default across all of the OEMs,” he told LinuxInsider.

“Perhaps without consumer demand, the OEMs simply chose performance over a feature that may or may not have been valued,” Grapes added.

Impact on Users

Users of unsecured Android devices have no way to protect their data from criminal activity or government reconnaissance, Wenzler said. Users in countries that are notorious for disregarding the privacy of their citizens are at greater risk of having their personal information compromised.

That is where the encryption controversy comes into play, with Apple opposing federal efforts to require a backdoor into the iPhone of one of the shooters in last year’s San Bernardino, California, attack.

A multitude of malware exists for Android devices, Wenzler said.

When data is encrypted, even if hackers intercept traffic or infect a device with malware, what they are able to retrieve is virtually useless, according to Vishal Gupta, CEO of Seclore.

“When the data is not encrypted, this final defense is removed, making these devices much more lucrative targets for cybercriminals,” he told LinuxInsider. “Google is all in on encryption, but the same cannot be said for the various device manufacturers who produce Android-powered phones.”

Graphite Software’s Grapes suggested that if you ask any phone user, including iPhone users, if their device is encrypted, only a small percentage will know.

“Encryption by default is simply a good thing, and the performance of devices today supports that direction,” he said.

Making It Public

The FBI may have engineered the public fight with Apple as part of an effort to block better privacy software development, according to Wendell Adams, CEO of AB Mobile Apps.

“The case definitely seems engineered by the FBI, as Apple requested the case to be sealed, and the FBI wanted it public,” he told LinuxInsider.

That view is supported by Thycotic’s Wenzler. The FBI had little reason to take the case public, and Apple made similar requests not to go public in other encryption cases.

Wenzler suggested that the FBI may have attempted to gain public support and force Apple’s hand before encryption and security measures in iOS devices became so good that it would be impossible for Apple to unlock and decrypt its devices under any circumstances.

“To me, this is the gambit the FBI chose to take, and the only path they had to try and gain support was to take it public,” he said.

However, he concluded, public sentiment is shifting toward Apple and protecting user data.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.

2 Comments

  • I think the trouble is there’s more to the security than just encryption. When you take into account servers and cloud hosting as an example. It’s then also up for consideration the potential worth of a target – iCloud being hacked is not really an Android vs. iPhone comparison.

    twitter.com/TheNextWeb/status/711920561681727488

    Android has over 18,000 different types of devices in the market so manufacturer, rooted devices and enabling "unknown sources" all contribute to security factors.

    More recent Apple stories – techcrunch.com/2016/03/21/imessage-encryption-isnt-perfect-as-researchers-find-a-security-hole/

    So as I said, there’s more to it than the encryption aspect.

  • This is not a discussion about privacy protection against criminal intent. It is a legal issue.

    Information from a device requested by court decision must be provided by the manufacturer of the device no matter if encryption is used or not. Apple should be held in contempt of court for refusing or neglecting to obey a subpoena.
