With reports of corporate data breaches popping up every day, users of mobile devices could be forgiven for worrying that their units will be next, particularly after NSA whistleblower Edward Snowden gave the impression that the American agency can break into any system.
So they may welcome news that next month’s release of the new version of Google’s Android operating system will have data encryption turned on by default. Word came out in an interview Thursday in the Washington Post.
Some Android devices have had the ability to have data encrypted since 2011, if the user knew how to do it. The new OS will make it automatic, unless it's turned off. Users will be able to access data only after entering a password.
Apple’s iOS 8, which began rolling out this week, does the same.
But before users of devices with those operating systems rejoice, there are four things to remember:
– First, law enforcement agencies in Canada can legally get access to voice and data communications through court orders. If the device is password-protected, owners will have to provide the password if ordered by a judge or risk serious jail time for contempt of court, or the police can get the court’s permission to crack the password.
– Second, neither Canada’s electronic spy agency, Communications Security Establishment Canada (CSEC), nor the NSA has the authority to engage in random phone-cracking. They are more interested in, say, leaders of European countries and terrorists.
– Third, not every device gets the operating-system-level encryption. iOS 8, for example, runs only on iPhone 4S and up. Android encryption will only be available on handsets that manufacturers and carriers have approved for upgrading. Nexus phones and tablets always get upgrades. Otherwise, you may be out of luck. Those of you still running Android 4.1 on your handsets who can’t get version 4.4 know what I’m talking about.
– Fourth, encryption isn’t a defence against the collection of metadata.
Of course, there are third-party software encryption solutions.
But rather than worry about being hacked, mobile users should keep an eye out for phishing scams, which will introduce malware on their devices. Social engineering tricks, not intercepted communications, are the way attackers usually first get access to data. For example, on Thursday security writer Graham Cluley came across a warning about an eBay scam where people looking for an iPhone bargain get directed to a page with a cross-site scripting vulnerability.
You do check the URL on every page that asks for a password, don’t you … ?