I want to share this post because I was disappointed to see this popular smartphone cracking tool works very well across Android versions and devices while iPhone enjoys relative security.
The graphic also shows premium devices specifically are vulnerable to their tools, so one cannot argue that the problem is funding or cheap devices getting owned because of dumb changes by the vendor – premium devices fare not much better. Even Google controlling the hardware and the software of their Pixel line remains vulnerable to data extraction while the latest iPhone versions aren’t.
To me, this sounds like the state of Android physical security might be inferior. Why? What can be done to fix this? Perhaps is it because Android is more popular globally so they get more work targeting Android?
It could also be coincidental that at the time the documents leaked, the iPhone stuff was being finished up and there is actually not that much difference if you have an attacker who has lots of time and money.
EDIT: Removed wrong information. EDIT: Added more material for discussion.
The attack vector for brute forcing encryption passwords doesn’t have much to do with the freedom and features. What does matter, is that Apple has control over the entire production chain. Few companies do.
Google mostly does, but their software isn’t as good as Apple’s. However, GrapheneOS on a Pixel is resistent against Cellebrite the same way iPhones are.
I wish Android vendors took security more seriously, but I don’t think they care much, because their users don’t really care. They’ll care as long as they use the security features to force you to use their ad ridden software (like how Samsung will refuse to load the camera firmware properly if you unlock the bootloader on some devices).
Google tries, but seems to prefer usability over security in small ways that GrapheneOS doesn’t. Things like “disable the USB connector when the device is locked”, breaking plenty of work flows but protecting against whole classes of exploits.
No way graphene isn’t leagues stronger than iPhone no?
They’ve even submitted their hardened malloc to upstream Linux, which is definitely more secure