Android now secures its cloud backups better than iOS




It is a nice snub to the police. On Android, Google now offers a new encryption technology for online backups of smartphone data. As a reminder, the online backup service lets users store encrypted data in their Google Drive space: application data such as text, images, personal data, settings, etc. The problem is that these backups were not encrypted end-to-end. In some cases, US law enforcement could access them, for example in the context of a judicial inquiry or a request for information under the Patriot Act.

With Android Pie, online smartphone backups are now encrypted end-to-end. The data can only be decrypted with knowledge of the user's unlock code. "That means no one else, not even Google, can access the saved app data," reads a blog post from the giant.

Security guaranteed by the Titan chip

Technically, the process is quite complex. The application data is encrypted with a 256-bit AES key, called the "Application key", which is generated randomly on the user's phone. Before being transferred to Google Drive, this key is itself encrypted with a second key, called the "Recovery key", also generated randomly on the phone. The recovery key is also transferred to Google's cloud, but only after being encrypted with a cryptographic derivative of the smartphone's unlock code.

Note that this encrypted recovery key is not simply deposited on the server's hard drive. It is stored in one of the Titan cryptographic chips that Google has built into its servers, the most secure place in its cloud. During a data recovery, the Titan chip only releases the recovery key once the user has shown that they know the unlock code. Obviously, the number of attempts is limited, which prevents brute-force attacks.
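The key hierarchy and the attempt-limited release described above can be sketched as follows. This is an added example, not Google's code: the PBKDF2 derivation, the HMAC-based proof of knowledge, the limit of three attempts, the `Vault` class and all function names are assumptions, and an HMAC-based stream cipher stands in for AES-256 because Python's standard library has no AES.

```python
import hashlib, hmac, os

def derive(code, salt):
    # Assumed "cryptographic derivative" of the unlock code: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

def _mac(key, label, msg=b""):
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    blocks = range(len(data) // 32 + 1)
    pad = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    # Stand-in for AES-256 authenticated encryption (encrypt-then-MAC).
    nonce = os.urandom(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _mac(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    return _xor(key, nonce, ct)

class Vault:
    """Plays the Titan chip's role: holds the wrapped recovery key, counts attempts."""
    def __init__(self, wrapped, salt, proof, attempts=3):
        self.wrapped, self.salt, self.proof, self.left = wrapped, salt, proof, attempts

    def release(self, proof):
        if self.left <= 0:
            raise PermissionError("attempt limit reached, recovery key destroyed")
        if hmac.compare_digest(proof, self.proof):
            return self.wrapped
        self.left -= 1
        if self.left == 0:
            self.wrapped = None  # no further guesses are possible
        return None

def backup(data, code):
    app_key, recovery_key, salt = os.urandom(32), os.urandom(32), os.urandom(16)
    code_key = derive(code, salt)
    cloud = {"data": seal(app_key, data), "app_key": seal(recovery_key, app_key)}
    return cloud, Vault(seal(code_key, recovery_key), salt, _mac(code_key, b"proof"))

def restore(cloud, vault, code):
    code_key = derive(code, vault.salt)
    wrapped = vault.release(_mac(code_key, b"proof"))
    if wrapped is None:
        return None  # wrong unlock code, one attempt consumed
    return unseal(unseal(unseal(code_key, wrapped), cloud["app_key"]), cloud["data"])
```

The `cloud` dictionary alone is useless without the recovery key, and the vault stops answering after three wrong codes, which is what defeats guessing a short PIN.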

At Apple, conversely, iPhone backups are not encrypted end-to-end. Apple can get its hands on the decryption key and, if necessary, transmit the saved data to the police. The Cupertino company states this in an official document, which reads: "iCloud content, as it exists in the subscriber's account, may be provided in response to a search warrant". Apple has nevertheless made the effort to apply end-to-end encryption to some particularly sensitive application data. This is the case for payment data, Wi-Fi connection data, passwords managed by Keychain, as well as data managed by Siri, Home and Health.
