
A database of over 500 iPhones cops have tried to unlock - colinprince
https://www.vice.com/en_us/article/4ag5yj/unlock-apple-iphone-database-for-police
======
dimator
serious question: all of the reporting around the FBI and its intentions
focuses on iPhones. There is not much reporting about android phones, though.
Is this because they are generally not as airtight in design as iphones are?
Is it because iPhones are more likely to be up-to-date in terms of patches and
security updates, and hence android is easier to crack? Is it because Samsung,
Google, etc, have been more willing to play ball, so the FBI has not had to
wage a public battle?

the article mentions it but not much detail:

> Android devices, on the other hand, end up having large variations in the
> security of devices from different manufacturers, which may have their own
> vulnerabilities or may have difficulty distributing security and Android
> operating system updates to phones quickly.

~~~
kipchak
My understanding is iPhones enable full disk encryption when a pass-code is
created, even if it's fairly weak (1112), you can't have a passcode or
password and not have full disk encryption. Android Devices past 9 do not
support full disk encryption and instead use file based encryption, and as far
as I know just having a password doesn't necessarily mean FBE is turned on.

~~~
tialaramex
If you have a modern Google branded device (say, a Pixel) encryption is
mandatory out of the box. Something older (and so insecure by default because
it isn't receiving security updates) like the Nexus 10 tablet has an actual
user interaction step to enable encryption.

------
erikig
This is useful but it would also be helpful to have a similar database of the
opposite cases too.

Having a list of the times when a warrant was served and a phone unlocked with
details of which OS+version, which jurisdiction and which unlock method would
balance out the research.

~~~
DyslexicAtheist
it would be incredibly difficult to get data on this. LE is on a budget, and
they're not the NSA. In Switzerland for example LE (such as Europol) uses the
lab facility from "Kudelski Security" to crack mobile devices and help with
forensics. Outsourcing this to a consultancy allows them to hide things like
invoices to offsec shops (FinFisher, HackingTeam et al). So this is like a
poor-mans NSA where exploits get sold/brokered with these companies who then
help compromise the device. Still the budget means that they're using tools
which might do all sorts of things. e.g. if you sell off-sec tools you might
offer a feature that allows LE to copy (read) things from the device
memory/storage.

The problem is that these tools not only allow you to read but actually write
to the device. ("if you're a dev working for HackingTeam why on earth would
you limit the feature to reading when you can provide r/w access?")

The implication is that it's as easy to plant things on a device as it is to
retrieve info. And if you know that the device has 99.9% child porn on it but
end up not finding any why not plant something that gets you to court order
you desperately need to convict the suspect?

What you're asking for is transparency in a world that is very much opposed to
this because they consider themselves the good guys. And the response from
them is always: _" how dare you?!"_

~~~
voz_
You build up a rather imposing strawman! Do you really think there are
authorities planting evidence on phones?

~~~
DyslexicAtheist
if a device that is taken from me by whoever without my consent would
automatically lead me to assume that it has been compromised. whether that's
the case or not is beside the point. if you're only worried about
surveillance-capitalism maybe it isn't in part of your threat model. for me it
is. there are plenty of people in LE who overstep simply because they can.

> Do you really think there are authorities planting evidence on phones?

I don't think so I know it. please read the HackingTeam leaks and other OSINT
sources. you'll find plenty of attempts in them making every effort to do so.
You don't need a tinfoil hat, just travel to an area that is hostile to your
passport.

~~~
ColanR
> HackingTeam leaks and other OSINT sources

I would love to read more about this if you can point me in the direction of
those leaks and sources.

~~~
aspenmayer
[https://theintercept.com/2015/07/07/leaked-documents-
confirm...](https://theintercept.com/2015/07/07/leaked-documents-confirm-
hacking-team-sells-spyware-repressive-countries/)

[https://wikileaks.org/hackingteam/emails/](https://wikileaks.org/hackingteam/emails/)

------
jaytaylor
All this talk of iPhones, but what about Android? Is it trivial (or possible)
for a nation-state to access the data from an encrypted android device?

~~~
panpanna
I think the "fragmentation" in Android land is actually helping security. It's
not economical to maintain hundreds of exploits for different vendors, CPU
architectures and OS and patch versions.

For iOS, you need 2-3 up to date exploits to cover 80% of all devices.

------
ggffryuuj
I use a long diceware password for my iPhone. It prevents police from
bypassing the rate limiter and brute forcing your password quickly. There’s
supposed to be a machine that allows them to do that.

Unlocking my phone throughout the day is done with Touch ID. If I think I’m
going to encounter the police or be away from my phone, I press the lock
button five times which disables Touch ID. I’ve been doing this for two years
and it works great.

~~~
Nerada
I've often heard this said, but my iPhone 8 doesn't operate like this at all.
Touch ID still works regardless of how many times I press the lock button. Is
there a setting I'm missing? I've looked around and couldn't find anything.

~~~
wlesieutre
It ought to, this is an iOS 11 feature which is what the iPhone 8 shipped
with.

I don’t see any option for it in the passcode settings either.

On my iPhone SE it takes me to a screen with power off, medical ID, and
emergency SOS sliders. To get back to the home screen after that I need to
enter my passcode.

[https://www.imore.com/how-quickly-disable-touch-id-when-
you-...](https://www.imore.com/how-quickly-disable-touch-id-when-you-need-
extra-security)

~~~
Nerada
>volume and lock buttons simultaneously

Aha, that does it!

