Data and device encryption on iOS, Android, Windows Phone and BlackBerry

The major mobile operating systems all have different data and device encryption options. Enable the right features to keep devices and data safe.

Data and device encryption are critical pieces of an overall mobile security initiative. Implementing encryption is vital to ensuring that sensitive data is kept safe.

Mobile devices are now as commonplace as paper clips in the enterprise, and the fear that IT pros and organizations share is a breach of confidential data if a device is lost or stolen. At their introduction, many mobile devices and operating systems had only tepid support for security, but as the popular platforms matured, more data and device encryption options have become available.

A key element in defending against data breaches is encrypting stored data so that no one who gets hold of a device can abscond with sensitive corporate information. Encryption also underpins remote wipe: because the data is unreadable without its keys, an IT administrator can render it unrecoverable by remotely commanding the device to destroy those keys, which is far faster than overwriting the storage. But there are significant differences in mobile OSes' implementations of data and device encryption, and it's important that admins managing mobile devices know what encryption features they get from each OS.

Apple iOS 6

Apple iOS applications are sandboxed from each other: each app can read and write only its own container on the device, so apps do not share files directly. Data can still move between apps when employees use cloud-based services such as iCloud.

Apple's encryption feature, Data Protection, assigns every file a protection class according to sensitivity. The most secure class is Complete Protection, whose key is derived from a hardware key unique to each device combined with the user's passcode. Within 10 seconds of the device locking, the decryption key for this class is discarded from memory, so files in the class cannot be read until the passcode is entered again. The built-in iOS mail application uses Complete Protection for all email and attachments.

The other classes are progressively less protective, and even with Data Protection enabled, it is up to each application's developer to choose a secure class for the files it writes. Choosing the No Protection class, for example, offers little security against a lost or stolen device: its key is derived from the hardware key alone, so the files can be decrypted by whoever possesses the powered-on device, whether or not it is locked.
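To make the class-key mechanism concrete, here is an added example (my own illustration, not Apple's code and not from the original article) modelling the key hierarchy the two paragraphs above describe: every file gets its own random key, that key is wrapped under a class key, and only the Complete Protection class key depends on the passcode. It also models the remote wipe mentioned earlier in the article, which works by destroying keys rather than rewriting storage. The class-name strings match the iOS constants; the toy cipher, the PBKDF2 iteration count, the `Device` class and the sample files are assumptions made for illustration, not Apple's implementation.

```python
# Added illustration (not Apple's code): a model of the per-file-key hierarchy
# behind iOS Data Protection. Class names match iOS constants; the cipher, the
# PBKDF2 parameters, the Device class and the sample files are assumptions.
import hashlib
import hmac
import os

COMPLETE_PROTECTION = "NSFileProtectionComplete"
NO_PROTECTION = "NSFileProtectionNone"


def _keystream_xor(key, nonce, data):
    """Toy stream cipher for illustration only: keystream = SHA-256(key||nonce||ctr)."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key, plaintext):
    """Encrypt and authenticate (encrypt-then-MAC) under a 32-byte key."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key, nonce, ct, tag):
    """Verify the tag before decrypting; a wrong key shows up as a tag mismatch."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)


class Device:
    """Holds the hardware UID, the class keys currently in memory, and the files."""

    def __init__(self, uid, passcode):
        self.uid = uid        # fused into the SoC; real hardware never exposes it to software
        self.class_keys = {}  # protection class -> class key, only while available
        self.files = {}       # name -> (class, wrapped file key, nonce, ct, tag)
        self.unlock(passcode)

    def _passcode_key(self, passcode):
        # iOS tangles the passcode with the UID using an iteration count calibrated to
        # roughly 80 ms per guess; a fixed PBKDF2 count stands in for that here.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.uid, 50_000)

    def unlock(self, passcode):
        # No Protection: class key depends on the UID only, so this device can always derive it.
        self.class_keys[NO_PROTECTION] = hmac.new(self.uid, b"class:none", hashlib.sha256).digest()
        # Complete Protection: class key depends on the UID *and* the passcode.
        self.class_keys[COMPLETE_PROTECTION] = hmac.new(
            self._passcode_key(passcode), b"class:complete", hashlib.sha256).digest()

    def lock(self):
        # Shortly after locking, the Complete Protection class key is dropped from memory.
        self.class_keys.pop(COMPLETE_PROTECTION, None)

    def remote_wipe(self):
        # Crypto-erase: forgetting the class keys makes every file unrecoverable
        # without having to overwrite the storage.
        self.class_keys.clear()

    def write(self, name, data, protection):
        file_key = os.urandom(32)                              # fresh per-file key
        wrapped = seal(self.class_keys[protection], file_key)  # wrapped under the class key
        self.files[name] = (protection, wrapped, *seal(file_key, data))

    def read(self, name):
        protection, wrapped, nonce, ct, tag = self.files[name]
        class_key = self.class_keys.get(protection)
        if class_key is None:
            raise PermissionError(f"{name}: {protection} key is not available while locked")
        return unseal(unseal(class_key, *wrapped), nonce, ct, tag)


def _attempt(dev, name):
    try:
        dev.read(name)
        return "readable"
    except (PermissionError, ValueError) as exc:
        return "blocked: " + type(exc).__name__


def scenario(passcode="2580"):
    """Walk through lock, wrong passcode, re-unlock and remote wipe; report each state."""
    dev = Device(uid=os.urandom(32), passcode=passcode)
    dev.write("mail.db", b"quarterly numbers", COMPLETE_PROTECTION)  # constructed sample
    dev.write("cache.bin", b"thumbnail", NO_PROTECTION)              # constructed sample
    results = {"unlocked_mail": dev.read("mail.db")}
    dev.lock()
    results["locked_cache"] = dev.read("cache.bin")   # still readable on a locked device
    results["locked_mail"] = _attempt(dev, "mail.db")  # class key gone
    dev.unlock("0000")                                  # wrong passcode -> wrong class key
    results["wrong_passcode_mail"] = _attempt(dev, "mail.db")
    dev.unlock(passcode)
    results["reunlocked_mail"] = dev.read("mail.db")
    dev.remote_wipe()
    results["wiped_cache"] = _attempt(dev, "cache.bin")
    return results


if __name__ == "__main__":
    for state, outcome in scenario().items():
        print(f"{state:20} {outcome}")
```

Running it shows the asymmetry the article describes: the Complete Protection file is readable only while the device is unlocked with the correct passcode (a wrong passcode fails the unwrap, not just the lock screen), the No Protection file stays readable on a locked device, and after the wipe nothing is readable even though no file data was overwritten.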

Other sensitive items use the Apple Keychain, which users may be familiar with from Mac OS X computers. Items that are typically stored in the keychain are small data items such as cached passwords or other security tokens. This keychain data is stored in a small encrypted SQLite database.

Google Android 4.2 Jelly Bean

Android runs applications in a kernel-level application sandbox: at the foundation of Android is a Linux kernel, and every application runs as a separate Linux user. In Linux, users can't access other users' files unless that permission is explicitly granted, so an application shares files with other apps only if its developer decides to allow it. Unlike in iOS, this sharing is application vendor-neutral.

When device encryption is enabled, the entire internal file system is protected, but turning it on doesn't protect other file systems. Some Android devices have microSD cards, which have to be secured separately and deliberately. Encrypting a microSD card also makes the media difficult to move to another device, because the other device would need the same keys to read it.

Starting with Android 4.0 Ice Cream Sandwich, there is a keychain that serves a similar function to the one in iOS.

Microsoft Windows Phone 8 

Windows Phone 8 (WP8) uses the Unified Extensible Firmware Interface (UEFI) Secure Boot facilities, which ensure that devices do not load rooted or unauthorized system images.

WP8 apps run in isolated "chambers," which are similar to sandboxes. Chambers keep applications and their data separate from one another; they differ from iOS and Android sandboxes in that applications can share data only through the cloud, not on the device itself.


Both admins and users can turn device passcodes on and off, unless an admin has blocked the user from reaching this option. But enabling a passcode on a Windows Phone is independent of storage encryption: securing the phone with a passcode alone leaves storage unencrypted. Enabling storage encryption encrypts only the internal storage.

Windows Phones also support SD cards. SD card contents are not encrypted, but an admin can block employees from using them.

Internal storage encryption, when it is enabled, covers the entire internal storage and is implemented with BitLocker. WP8 stores the encryption key in the onboard trusted platform module (TPM); in this respect the architecture closely echoes a Windows PC.

WP8 supports Windows Information Rights Management (IRM) classifications. If IRM classifies data as sensitive, that classification can prevent the data from being leaked through email or saved to external storage, for example.

BlackBerry 10

BlackBerry 10 (BB10) is BlackBerry's new OS for smartphones and tablets. BB10 introduces BlackBerry Balance, which allows organizations to create isolation between personal and work environments on a device. BlackBerry Balance sets up an additional logical security fence, keeping personal applications, files and networks separate from work counterparts. The Work Space data is encrypted in its entirety. The Personal Space can also be fully encrypted.

Work data cannot be saved to SD media or to the Personal Space. The SD card can also be encrypted if desired. BlackBerry's enterprise mobile management system (BlackBerry Enterprise Service 10, scheduled to be released in the second quarter of 2013) will give IT specific policies that can be enforced to improve control over data leakage.

BlackBerry is currently the only mobile OS vendor whose platform holds a Federal Information Processing Standard (FIPS) 140-2 validation.
