Securing Smartphones a Digital Forensic Perspective

Written by Amber Schroader

November 13, 2020

When you look at the best means to secure your smartphone there are a few key areas to look at.

  • Hardware
  • System
  • Apps

Each of these areas can be applied to both iOS (Apple) and Android. When selecting a device, they can be used to determine if you have the best fit or need to look for third party additions for your device to make it more secure. At the end of the day, there is no perfectly secure smartphone, but there are good habits the device user can follow that can make it more secure.


Many times, the first thing to remember about smartphones is they are considered embedded devices. Many of the communications that happen are sent directly to the chips on the smartphone circuit board.

When conducting digital forensics on smartphones, many times the opportunity for different bypass options are found through direct communication to the device chipset.  This reality can affect your choice of the device especially if you are trying to stop digital forensics from being done on your smartphone.


All modern Apple devices to include iOS, iPadOS, macOS, watchOS, or tvOS are secured based on the silicon in the device. The Apple T2 Security Chip has become the latest challenge for digital forensic professionals wanting to exploit Apple devices for data acquisitions. However, when it comes to the security of the device, they are the best knight in shining armor for what it can offer the consumer.

“All modern iPhone, iPad, and Mac computers with a T2 chip include a dedicated AES hardware engine to power line-speed encryption as files are written or read. This ensures that Data Protection and FileVault protect users’ files without exposing long-lived encryption keys to the CPU or operating system.” (

The value of this design is that it stops any changes in the boot process which will stop many of the common exploits trying to gain access into the Apple iOS system. There are many other hardware designs in Apple such as the Secure Enclave, which ensures the data is secure to start.  However, this does not mean there are no flaws in Apple devices that can leave you vulnerable, but it does mean the device is built on a solid foundation.


With the large variety of Android devices available worldwide, it is difficult to address the hardware variations of different devices from one manufacturer to another.  This creates challenges when trying to guarantee that the device itself is always built on a secure foundation.  However, there are good protections in place, at the hardware level, that shows the user that the hardware is designed well.  The first protection, as it is with Apple, is a verified boot option that occurs on the device. This protection was designed to stop bootloaders from being loaded into the device, which is a common first vector of attack. Although the use of bootloaders was common in digital forensics, they have lost much of their accessibility as upgraded devices have emerged.

Android, instead of standardizing to a single chip that would prohibit availability to a larger range of devices, has instead added additional layers to the operating system layer.  This allows Android to offer a secure foundation that is desirable in a device.  Since the release of Android Nougat all Android hardware, regardless of the manufacturer, offer hardware-based lock screen verification where the OS and the hardware are used as a dual authentication to one another.


The most difficult part of creating a secure device is to find a balance between security and usability for a wide range of smartphone users.  This is always a challenge and one of the fundamental reasons why there is usually a small flaw or exploit that can be used to conduct digital forensic processes. This reality will be addressed for both iOS and Android cumulatively.

The first key to securing a system is to make sure the operating system is up to date. This might not be noticed by many users, but it is critical to make sure the device is always properly patched.  The value in the system patches is they always come from the manufacturer directly so you are not dealing with a 3rd party implementation you are getting it straight from the source.   Patches from the manufacturer check the validity of the connections as part of the process.  This is like an inspection of the smart devices to ensure there are no vulnerabilities the user may be unaware of.   Patches can affect the data that is able to be retrieved during a forensic examination, but when looking at the device strictly from a security perspective, patches are critical.  If you want to be more security-aware and are running Android, then invest in devices that will receive system-level patches first.  With Apple devices, all the device types will receive updates simultaneously.


The biggest challenge with smartphone security is the Apps running on the device.   Apps are created by 3rd parties, not the manufacturer, and therefore create the largest security exposure.  To maintain security while allowing so many different data sources to work on their devices, the operating system uses sandboxing.    Wikipedia defines Sandbox as:

Sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control. (Wikipedia) 

Smartphones will use this process to allow the App only to run in the sandbox thereby preventing the spill of any potentially harmful data to the rest of the system. Both iOS and Android use this method to protect the core system from harmful Apps.


iOS runs Apps that are loaded into the device directly from the App Store. The approval process for the App store is based on the permissions of the App and purpose of the App rather than a direct review of source code.  Each manufacturer must request an App evaluation for addition to the App store and fill out the associated permission forms.   The App is then reviewed, based on these permission forms, and access is granted or denied.  With iOS, if you do not have your App in the App Store, your ability to install onto a device is limited to only devices that are Jailbroken.


Android is an OS based on Linux and many of the same security techniques are used in both operating systems.   A Sandbox in Android allows an App to have limited access to user data. This permission-based access allows the end-user to control whether an App has per request access or ongoing access.   As with many security recommendations often the most secure is not the most convenient and it is always recommended to grant access per request instead of ongoing access. Different versions of Android will also change what level of access the Sandbox might have.  Ensure that you read the dialog box requesting access to understand what you may or may not be granted.

Unlike Apple, Android Apps can come from different App stores and each has a different approval process. The Google Play store has the most stringent approval process, and it is a good recommendation to use this store as your primary source for Apps. Google claims that all Apps are scanned daily for any potential malware with Google machine learning. However, neither store is completely foolproof, and it is possible for Apps to miss inspection and cause harm to your data or device. 

Along with the previously mentioned methods and safeguards, there are additional techniques and methods that can be done by you, the user, to protect what you allow access to.

Digital Forensics

When a digital forensic examiner looks at a device it starts with the imaging process. iOS and Android have very different types of imaging options because of the closed nature of iOS and the more open structure of Android. Neither of these imaging options makes one device more secure than another. However, when you look at the available data that can be recovered that might give some security pause when selecting a device. Reviewing App permission data as seen below from a forensic perspective really gives you an idea of what data is sharing where.

Digital Forensics

When a digital forensic examiner looks at a device it starts with the imaging process. iOS and Android have very different types of imaging options because of the closed nature of iOS and the more open structure of Android. Neither of these imaging options makes one device more secure than another. However, when you look at the available data that can be recovered that might give some security pause when selecting a device.

 iOS Android

Apple Keychain Data

App Data

Recovered Data

All standard data such as contacts, SMS, call logs, notes, etc.



Activity Timeline

App Data

Recovered Data

All standard data such as contacts, SMS, call logs, notes, etc.


It is important to note that data that can be recovered from digital forensic techniques can vary based on the technique used. For example, with Android devices, you will get different data if the device is rooted. A rooted device will access all the data including app data, recovered data, system data. Whereas the not rooted Androids, will not allow accessing the most app and system data so you are limited to items such as contacts, SMS, etc. Each device with Android will change the root options and a variety of techniques are available to root all the way through the latest versions of the OS firmware.

Also, it is very important to remember the other storage options. With Android devices, it is common to have a media card that can have storage of images, videos, and even App data. This data is typically not protected by the same means as the device and can be readily accessible for a digital forensic examination. In addition, to physical storage, there is also cloud storage with both types of devices. This storage can be accessed through credentials provided by a user of the device and also with keys that can be recovered from the device.

This data can capture backups and other data that might not be accessible through the standard imaging procedure. Even when a user controls the access to their cloud storage the keys that can be recovered through a digital forensic process are not something that a user can prohibit and control.

In conclusion there is always some data that is going to be left out and available for recovery in a digital forensic process. Keeping good access controls and good choices when it comes to Apps is more important than any other aspect of use when it comes to keeping the most secure smartphone.

Watch a recording of our webinar that goes into more details here and subscribe to us on YouTube.

Forensic-Impact Articles

Investigating and Capturing Google Data

Investigating and Capturing Google Data

There are so few people on the planet now that don’t have something to do with Google. With parents selecting Gmail accounts for their kids prior to being born to the proliferation of Google in the classroom the searching giant is everywhere. With this level of...

What is Android ADB with smartphone forensics?

What is Android ADB with smartphone forensics?

There is a lot of trust put into your digital forensic tools when it comes to processing data. Many times, the “magic” of the tool remains someone unknown to the end-user. Each company claims to have a special means to capture the data that is seen in the acquisition....

Forensically Imaging Bitlocker

Forensically Imaging Bitlocker

Guest Blogger, Michael Zinn with Micro Systems Management BitLocker is Microsoft’s Full Volume Encryption (FVE) feature in Windows. BitLocker can be used to encrypt operating system volumes, non-Operating System fixed drive volumes, and removable drive volumes.[1]...