Head of Android Security Says Locking Out Law Enforcement Is an ‘Unintended Side Effect’
In 2016, the FBI asked Apple to help the law enforcement agency get into the iPhone of the alleged terrorist who killed 14 people in San Bernardino with a malicious update, but the company said it couldn't because it was an unreasonable request that would undermine the security of all iPhone users. Apple's position helped solidify its image as a company that values security, and the iPhone as a more secure device than various Android phones.
But in a talk at the USENIX Enigma conference in Burlingame, California on Tuesday, Rene Mayrhofer, Google's Director of Android Platform Security, made clear that Google is taking technical steps to be able to make the same argument in case the FBI comes knocking.
Mayrhofer was referring to the way the latest version of the Android operating system, Pie, which is baked into Google's flagship phone, the Pixel 3, deals with updates and data encrypted on the device. Thanks to these new security features-announced last year-Google can't push out a malicious software update to an Android phone. Nor, Mayrhofer said, can Google modify its firmware to disable security features and make it easier for someone like the FBI to guess or brute force the passcode and get to the user's personal data.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com
"We want to make it impossible for insiders to get this kind of access for whatever reasons, whatever motivation," Mayrhofer said. "And law enforcement is, I would say-the inability to react to legal requests here is an unintended side effect of this mitigation.".
In his talk, Mayrhofer specifically mentioned a theoretical scenario where "insiders" with access to cryptographic keys could create firmware to modify certain security features and bypass an Android phone's PIN, passcode, unlocking pattern, or other unlocking mechanism. With Android Pie and on the Pixel 3 phone specifically, the update system is now engineered in a way that even Google can't push out a malicious update without the user's passcode or unlocking pattern.
Even if the government did force Google to push a malicious update in order to access a phone, the user's personal data-and the keys that encrypt their data-will be wiped or made inaccessible, according to Mayrhofer.
[A slide of Mayrhofer's talk at the Usenix Enigma conference. Image: Ashkan Soltani]
After Mayrhofer's talk, Ashkan Soltani, an independent researcher and former FTC chief technology officer, asked him whether Google was going "the Apple route" and making it harder for the feds and Google itself to write custom software to access user's data.
"The risk for insider attack in the long chain, in the whole ecosystem is-I think-currently bigger than the few cases where legitimate law enforcement access would happen to have to break the chain," Mayrhofer said.
While this is obviously a rare scenario-not everyone needs to worry about the FBI breaking into their phones-implementing such protections will arguably be good for all Android users.
This is what Apple faced in the landmark legal dispute colloquially known as Apple v. FBI in early 2016. At the time, a judge ordered Apple to help the feds unlock the iPhone of an alleged terrorist to access the data within. At the time, Apple fought the request arguing that complying with it would effectively mean writing new software to disable or circumvent existing security features.
For many cybersecurity and cryptography experts, this was equivalent to inserting a backdoor or creating a legal precedent for a one-time malicious update-a nightmare scenario in cybersecurity because it would erode trust in updates, which are key to keeping your devices secure.
While Mayrhofer did not announce any new features, he made it clear that the Android platform security team is working on additional features to make it harder for anyone to hack Android phones. A Google spokesperson told Motherboard in an email that the company had nothing to add to Mayrhofer statement.
Soltani told Motherboard that Google's position speaks to the need to prioritize security for all users, rather than trying to appease one stakeholder, like law enforcement agencies.
"Like Apple, it appears Google is making a very principled decision to prioritize the safety of a large group of individuals rather than address exaggerated claims around terrorism by law enforcement," he said in an online chat. "The likelihood of a crime occurring where the ONLY means of investigation is via data on a cell phone is much lower than the likelihood of a phone being lost or stolen and vulnerable to someone wanting to access users' data."
In late 2016, the then director of Android security Adrian Ludwig said that an Android phone is as secure as the iPhone. Now if you own a Pixel 3 phone, you may have very similar protections when it comes to an attacker with physical access trying to get data stored on your device by bypassing your pin or passcode.
That's great not only if you're worried about the government, but also if anyone steals your phone and tries to access it. As Soltani noted, that's the case where this change will have the biggest impact. Without your passcode or a presumably expensive and hard to get unknown exploit, it will be very hard for the crooks to access your personal data.
There are security challenges for Android beyond the operating system or hardware. Mayrhofer admitted that Android's app ecosystem has "issues" that need to be resolved. But he called for the whole Android developer ecosystem to do better and think about insider threats in a broad sense and the supply chain of software on Android. Last year, more than 1 million people downloaded various fake and malicious WhatsApp lookalikes from the official Google Play Store.
"We're aware that we're not quite there yet, but we're getting closer step by step," Mayrhofer said.
Listen to CYBER, Motherboard's new weekly podcast about hacking and cybersecurity.