Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

January 15th, 2018 by Oleg Afonin
Category: «Security», «Software»

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window of over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely control the design, release and distribution of software updates, but it also has full control over what versions of the system a given device is allowed to install. Unlike Android devices, which can install a signed OTA package (or, in some cases, flash a full image) of any version of software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad, the package must get an approval from an Apple server by receiving a cryptographic signature. That signature is issued in real time, and is only valid for a particular device.

As a rule, Apple always signs the latest stable version of iOS as well as the current beta version, if one is available. In addition, the company leaves a short window of about two weeks, during which Apple signs the current iOS build as well as the previous build, in order to allow users to roll back if they don’t like the update (rolling back wipes data).

Note: while users may save blobs from the previous version of iOS and then use them to go back at any time, this approach only works for the particular device from which the blobs were captured.

There could be exceptions. For example, on January 11, 2018, Apple accidentally allowed downgrades all the way back to iOS 6. This was a server-side glitch that didn’t last long.
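The signing model described above (a server that only signs currently allowed builds, and a signature that is bound to one device) can be illustrated with a small simulation. This is an added example, not code from the original article or from Apple; it stands in an HMAC shared secret for Apple's real private-key signature over the APTicket, and the release dates, rollback window and device identifiers (ECIDs) are constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed stand-in for Apple's signing key. A real ticket is an APTicket
# signed by Apple's TSS server with Apple's private key; in this toy model a
# shared HMAC secret plays that role, so the same key issues and checks tickets.
SERVER_KEY = b"constructed-toy-signing-key"


@dataclass(frozen=True)
class Build:
    version: str
    released: date
    beta: bool = False


# Constructed release calendar: the version strings follow iOS 11.2.x numbering,
# but the dates and the beta entry are illustrative, not Apple's schedule.
BUILDS = [
    Build("11.2.1", date(2017, 12, 13)),
    Build("11.2.2", date(2018, 1, 8)),
    Build("11.2.5", date(2018, 1, 8), beta=True),
]
ROLLBACK_WINDOW = timedelta(days=14)          # "about two weeks", per the article
DAY_IN_WINDOW = date(2018, 1, 10)             # two days after 11.2.2 shipped
DAY_AFTER_WINDOW = date(2018, 1, 30)          # window for 11.2.1 has closed


def signable_versions(today: date) -> set:
    """Policy from the article: the latest stable build, the current beta, and
    the previous stable build for roughly two weeks after the newer one shipped."""
    stable = sorted((b for b in BUILDS if not b.beta and b.released <= today),
                    key=lambda b: b.released)
    allowed = set()
    if stable:
        latest = stable[-1]
        allowed.add(latest.version)
        if len(stable) > 1 and today - latest.released <= ROLLBACK_WINDOW:
            allowed.add(stable[-2].version)
    allowed.update(b.version for b in BUILDS if b.beta and b.released <= today)
    return allowed


def _ticket_message(version: str, ecid: int) -> bytes:
    # The ticket binds the build to the device's unique chip identifier (ECID).
    return f"{version}|{ecid:016x}".encode()


def request_ticket(version: str, ecid: int, today: date) -> Optional[bytes]:
    """Server side: refuse unless the build is signable today; otherwise return
    a ticket bound to this one device."""
    if version not in signable_versions(today):
        return None
    return hmac.new(SERVER_KEY, _ticket_message(version, ecid), hashlib.sha256).digest()


def device_accepts(ticket: bytes, version: str, ecid: int) -> bool:
    """Device side: install only if the ticket matches both this build and this
    ECID. There is no date check, which is why a saved ticket keeps working on
    the device it was issued for, and only on that device."""
    expected = hmac.new(SERVER_KEY, _ticket_message(version, ecid), hashlib.sha256).digest()
    return hmac.compare_digest(ticket, expected)


if __name__ == "__main__":
    ECID_A, ECID_B = 0x00123456789ABCDE, 0x00FEDCBA98765432   # constructed
    saved = request_ticket("11.2.1", ECID_A, DAY_IN_WINDOW)
    print("ticket issued inside window:", saved is not None)
    print("saved ticket on same device:", device_accepts(saved, "11.2.1", ECID_A))
    print("saved ticket on other device:", device_accepts(saved, "11.2.1", ECID_B))
    print("fresh request after window:", request_ticket("11.2.1", ECID_A, DAY_AFTER_WINDOW))
    print("request for iOS 6:", request_ticket("6.1.3", ECID_A, DAY_IN_WINDOW))
```

The two checks live in different places on purpose: the server enforces the time-dependent policy (which builds are signable today), while the device only enforces the binding to its own ECID, so a ticket captured in time remains usable later, but cannot be transferred to a sibling device.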

From the user’s perspective, installing an iOS update requires a passcode, meaning that updating from a less vulnerable version of iOS to a more vulnerable one (e.g. updating to iOS 11 for resetting the iTunes backup password) will require the passcode.

This update policy has the following forensic consequences:

  1. Most Apple devices will be running an up to date version of iOS (which may not have a jailbreak available).
  2. If updating a device is needed during the investigation, you can only update to the allowable version of iOS, which is the latest version (sometimes updating to the build before the last version is possible).
  3. If the device is passcode-protected, the passcode will be required to update from iOS 10 to iOS 11 (for the purpose of resetting the iTunes backup password).

Android: a Bizarre Mess

While Apple is in charge of designing and manufacturing its devices as well as the operating system, things are different on the other side of the pond. Smartphones and tablets powered by Android have a wild range of chipsets, models, and carrier variants, all requiring different versions of software.

Updates are a sore point of most Android smartphones and tablets, with the only exception being unlocked Google Pixel devices and the few phones participating in the Android One program.

It is also interesting to mention that Android OEMs may distribute updates through different channels depending on carrier branding, geographical designation of the model and the user’s current location. As an example, a Chinese or Brazilian Moto Z could be running Android 8.0 Oreo with December 2017 security patch, while Moto Z’s for the rest of the world would still be running Android 7.1.1 with the same December 2017 security patch, except for Verizon (USA) models that would receive the Oreo update. Weird? It’s just the beginning.

In Android land, the same phone may have several different models designed for different markets and carriers. Even if using identical hardware, those models may differ in supported radio bands. Manufacturers may have different policies regarding bootloader unlock for the different versions. No wonder the different versions of the same model will also have differences in software, making physical acquisition a gamble.

For a typical Android smartphone (or tablet), the following parties are involved in making a software update happen.

  1. Google releases Android sources for everyone to use. By this time, Google’s own Pixel smartphones will already be running the latest version of Android.
  2. Chipset manufacturer. The chipset manufacturer (Qualcomm, MediaTek, NVIDIA, Rockchip etc.) must make chipset drivers for the new version of Android and distribute them among its customers (OEMs). The chipset manufacturer may refuse to make drivers for the new version of Android, meaning that all devices powered by that particular chipset will not be updated. This can happen to flagship chipsets, too, as in Qualcomm refusing to make Snapdragon 800/801 drivers for Android 7.
  3. Once the OEM receives the drivers from the chipset manufacturer, it may start adapting Android for its devices. This is further slowed down by the fact that many manufacturers use their own “skins” on top of pure Android that must be adapted to the new version of the OS. Obviously, this takes time.
  4. After the OEM makes a working build of Android for a particular model, the update must be certified by one of Google-approved labs. This takes more time. For unlocked smartphones, this is it: the update could be distributed by the OEM. For carrier-locked devices, one
  5. For carrier-branded smartphones, the update must be reviewed and certified by the carrier, who may then push the update to its customers. Needless to say, this extra step may not only introduce additional delays (sometimes as long as 6-9 months), but may prevent the update entirely if the carrier does not feel it sold enough of those phones.

Android’s scattered update policy may have the following forensic implications:

  1. Many users will run outdated versions of Android, which makes them vulnerable to exploits leading to root access, making physical acquisition trivial. In addition, they may run versions of Android that do not force full-disk encryption, making chip-off acquisition possible.
  2. Due to the sheer number of models and software versions, including carrier versions, a certain model (e.g. Moto G5) is never guaranteed to run a given version of software. Even worse: even if you have a certain model (say, Moto G5) that runs a certain build of Android (e.g. Android 7.0, September 2017 security patch level), there will still be differences if the two Moto G5’s are branded by different carriers. For the expert, this means different offsets for bootloader-level exploits, making physical acquisition via bootloader-level exploits work on one phone and fail on its sibling. This is never the case with the iPhone: all iPhone devices (of the same model) running the same version of iOS are susceptible to the same exploits.
  3. Since full-disk encryption was introduced in Android 5 and enforced since Android 6 (but only on devices shipped with Android 6 out of the box), low-level acquisition is a hit or miss. However, some versions of Android are vulnerable to exploits. Since most manufacturers ignore or severely delay Google’s monthly security patches, the chance of successfully exploiting a vulnerability on a given device is much higher compared to iOS or Windows 10 Mobile.
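The practical consequence of items 2 and 3 is that model name, Android version and patch date together still do not pin down which software a device runs; the examiner has to record the full build fingerprint, the security patch level and the encryption state before deciding on an acquisition approach. The following triage helper, an added example rather than anything from the original article or from a forensic tool, parses constructed `getprop` output for two hypothetical variants of the same model. The fingerprint layout (brand/product/device:release/build_id/incremental:type/tags) and the property names `ro.build.fingerprint`, `ro.build.version.security_patch` and `ro.crypto.state` are real Android conventions; every value in the sample data is made up.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict

# Constructed `getprop` output for two hypothetical variants of one phone model
# (a retail unit and a carrier-branded unit). Values are illustrative only.
GETPROP_RETAIL = """\
[ro.product.model]: [Moto G5]
[ro.build.fingerprint]: [oem/phone_retail/phone:7.0/EXAMPLEBUILD_A/1:user/release-keys]
[ro.build.version.security_patch]: [2017-09-01]
[ro.crypto.state]: [encrypted]
"""
GETPROP_CARRIER = """\
[ro.product.model]: [Moto G5]
[ro.build.fingerprint]: [oem/phone_carrierx/phone:7.0/EXAMPLEBUILD_B/1:user/release-keys]
[ro.build.version.security_patch]: [2017-09-01]
[ro.crypto.state]: [unencrypted]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<type>[^/]+)/(?P<tags>.+)$"
)


@dataclass(frozen=True)
class BuildProfile:
    model: str
    product: str          # differs per carrier/region variant of the same hardware
    release: str          # Android version, e.g. "7.0"
    build_id: str
    security_patch: date
    fde_enabled: bool     # full-disk encryption active on the data partition


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn `getprop` output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def build_profile(text: str) -> BuildProfile:
    """Extract the fields an examiner needs to identify the exact software build."""
    props = parse_getprop(text)
    fp = FINGERPRINT_RE.match(props["ro.build.fingerprint"])
    if fp is None:
        raise ValueError("unrecognised fingerprint layout")
    return BuildProfile(
        model=props.get("ro.product.model", "?"),
        product=fp.group("product"),
        release=fp.group("release"),
        build_id=fp.group("build_id"),
        security_patch=date.fromisoformat(props["ro.build.version.security_patch"]),
        fde_enabled=props.get("ro.crypto.state") == "encrypted",
    )


def patch_age_days(profile: BuildProfile, today: date) -> int:
    """How far behind Google's monthly patch cadence the device is."""
    return (today - profile.security_patch).days


def same_software(a: BuildProfile, b: BuildProfile) -> bool:
    """Two devices count as running the same software only when the variant-
    specific product and build id match as well as version and patch level."""
    return (a.product, a.build_id, a.release, a.security_patch) == \
           (b.product, b.build_id, b.release, b.security_patch)


if __name__ == "__main__":
    retail, carrier = build_profile(GETPROP_RETAIL), build_profile(GETPROP_CARRIER)
    today = date(2018, 1, 15)
    for p in (retail, carrier):
        print(p.model, p.product, p.build_id, "Android", p.release,
              "patch age", patch_age_days(p, today), "days, FDE:", p.fde_enabled)
    print("same software:", same_software(retail, carrier))
```

Both sample devices report the same model, Android 7.0 and the same September 2017 patch level, yet `same_software` returns False because the product and build id differ, and only one of them has full-disk encryption active; that is exactly the distinction the article says matters for low-level acquisition.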

Microsoft Windows 10 Mobile: It’s Interesting

We have already covered two different approaches: Apple’s (who distributes updates directly and simultaneously for all models) and Android OEMs’ (who are all over the place). While those policies are very different by all accounts, there is one thing in common between Apple and Android OEMs. iOS 11.2.2 is always newer than iOS 11.2.1, and once there is an Android 8 update for a given smartphone, ROMs based on Android 7.x are no longer maintained.

Microsoft, on the other hand, has a complex (and complicated) update structure for Microsoft-branded and third-party smartphones running Windows 10 Mobile.

For W10M devices, there are different branches of Windows. There are the first Windows 10 Mobile, the November Update, the Anniversary Update, the Creators Update, and the Fall Creators Update. According to Microsoft, each branch is set to receive extended support updates and security patches for a minimum of 24 months after the lifecycle start date.

Interestingly, Microsoft delivers security patches and minor updates directly to handset users, while major updates may still have to go through the carrier for approval. However, users can bypass carriers completely by opting into the Windows Insider program, in which case Microsoft will deliver all updates directly to users.

What does it mean in practical terms? Even if the phone (e.g. Lumia 930) is not officially receiving the Fall Creators Update and is still running the previous Windows branch, it will still see bug fixes and security patches for two years after the initial release of the Windows 10 branch that was last available to that device. However, users may opt in to the Windows Insider program and receive insider builds of Windows 10 Fall Creators Update on their device, even if they are not “officially” supported. The insider branch will also receive bug fixes and security patches in parallel with the older branch (Creators Update).

This update policy means that two identical phones may be both running the latest version of Windows 10 Mobile, yet one will be the Creators Update with up to date security patches, while the other could be Fall Creators Update (again, with up to date security patches).

Forensic consequences:

  1. You may never know for sure which Windows branch the phone is running. However, in most cases, the phone will have the latest security patches installed regardless of the Windows branch.
  2. Microsoft has a solid track record supporting and updating its phones. Even if Windows 10 Mobile is discontinued, existing devices will receive updates for at least two more years (yes, even the Lumia 950/950 XL released back in 2015).

Conclusion

The three mobile operating systems have vast differences in how they are updated and maintained. Ranging from Apple’s tight grip over iOS and the company’s full control over its updates to Android’s bizarre mess, software updates affect mobile forensics. While in most cases the newer builds are more secure compared to the older ones, iOS 11 proved to be a major exception, so updating iPhones to the latest version of iOS may be worth it.