Remember that promise Apple made about not turning your data over to police in iOS 8? It’s not a lie! But as iPhone security experts point out, that does not mean police can’t access your data. It’s actually not even that hard.
This week, iOS forensics expert Jonathan Zdziarski published a sobering reminder that iOS 8 is not infallible to intruders, especially government-funded intruders. Zdziarski has actually trained police on how to access data on iPhones in the past and didn’t have any trouble pulling almost all third party data off of a locked iPhone in a recent test. That includes everything from Facebook, Twitter, Instagram, banking apps and so forth. “I can do it. I’m sure the guys in suits in the governments can do it,” Zdziarski told Wired. “And I’m sure that there are at least three or four commercial tools that can still do this too.”
Of course Apple never said your data was unreachable. Just that it could no longer cooperate with government requests for access to iPhone data, because it could not access that data itself. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8,” the statement reads.
Not too surprisingly, government agencies — from local police to the FBI to the NSA to the CIA — can do the job just fine without Apple’s help. Zdziarski takes pains to point out how even though security is greatly improved in iOS 8, holes still exist. The intruder only needs access to a powered on device and a computer that has exchanged data with that device in the past. That means if your computer and phone are seized together at the airport, for instance, your data is vulnerable. Data from native iOS applications, including call records and text messages were protected, but all third party data is up for grabs.
So if you want to keep prying eyes off your iPhone, use a passcode, for one. You should also power down the device at airports or any other time it could intercepted. Finally, encrypt your hard drive so hackers can’t access sync data. In fact, you should just go ahead encrypt everything. It can’t hurt. [Wired]