{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T08:43:03Z","timestamp":1780044183334,"version":"3.53.1"},"reference-count":200,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"1","license":[{"start":{"date-parts":[[2021,11,20]],"date-time":"2021-11-20T00:00:00Z","timestamp":1637366400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,1,1]]},"abstract":"Abstract<\/jats:title>\n Mobile devices have become an indispensable component of modern life. Their high storage capacity gives these devices the capability to store vast amounts of sensitive personal data, which makes them a high-value target: these devices are routinely stolen by criminals for data theft, and are increasingly viewed by law enforcement agencies as a valuable source of forensic data. Over the past several years, providers have deployed a number of advanced cryptographic features intended to protect data on mobile devices, even in the strong setting where an attacker has physical access to a device. Many of these techniques draw from the research literature, but have been adapted to this entirely new problem setting.<\/jats:p>\n This involves a number of novel challenges, which are incompletely addressed in the literature. In this work, we outline those challenges, and systematize the known approaches to securing user data against extraction attacks. Our work proposes a methodology that researchers can use to analyze cryptographic data confidentiality for mobile devices. We evaluate the existing literature for securing devices against data extraction adversaries with powerful capabilities including access to devices and to the cloud services they rely on. We then analyze existing mobile device confidentiality measures to identify research areas that have not received proper attention from the community and represent opportunities for future research.<\/jats:p>","DOI":"10.2478\/popets-2022-0029","type":"journal-article","created":{"date-parts":[[2021,11,21]],"date-time":"2021-11-21T02:43:42Z","timestamp":1637462622000},"page":"586-607","source":"Crossref","is-referenced-by-count":6,"title":["SoK: Cryptographic Confidentiality of Data on Mobile Devices"],"prefix":"10.56553","volume":"2022","author":[{"given":"Maximilian","family":"Zinkus","sequence":"first","affiliation":[{"name":"Johns Hopkins University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Tushar M.","family":"Jois","sequence":"additional","affiliation":[{"name":"Johns Hopkins University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Matthew","family":"Green","sequence":"additional","affiliation":[{"name":"Johns Hopkins University"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"35752","published-online":{"date-parts":[[2021,11,20]]},"reference":[{"key":"2022062314364304276_j_popets-2022-0029_ref_001","unstructured":"[1] S. O\u2019Dea. Number of smartphone users worldwide from 2016 to 2021. https:\/\/www.statista.com\/statistics\/330695\/number-of-smartphone-users-worldwide\/, 9 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_002","unstructured":"[2] Feliks Garcia. iCloud celebrity nude leak. Independent, 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_003","unstructured":"[3] Paul Ruggiero and Jon Foote. Cyber Threats to Mobile Phones. https:\/\/us-cert.cisa.gov\/sites\/default\/files\/publications\/cyber_threats_to_mobile_phones.pdf, 2011."},{"key":"2022062314364304276_j_popets-2022-0029_ref_004","unstructured":"[4] DHS. Study on Mobile Device Security. https:\/\/www.dhs.gov\/sites\/default\/files\/publications\/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf, 2017."},{"key":"2022062314364304276_j_popets-2022-0029_ref_005","unstructured":"[5] Vladimir Katalov. The Art of iPhone Acquisition. https:\/\/blog.elcomsoft.com\/2019\/07\/the-art-of-iphone-acquisition\/, 7 2019. Accessed 2020-08-04."},{"key":"2022062314364304276_j_popets-2022-0029_ref_006","unstructured":"[6] James Comey. Going Dark. https:\/\/www.fbi.gov\/news\/speeches\/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course, 10 2014. Accessed: 2020-07-19."},{"key":"2022062314364304276_j_popets-2022-0029_ref_007","unstructured":"[7] Craig Timberg, Drew Harwell, and Reed Albergotti. Update your Apple devices now. New Pegasus hack prompts company to issue new software to fix iMessage vulnerability. https:\/\/www.washingtonpost.com\/technology\/2021\/09\/13\/pegasus-spyware-new-exploit-apple\/, 9 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_008","unstructured":"[8] The Wire Staff. Spyware Like Pegasus Is \u2019Incompatible With Human Rights\u2019: UN\u2019s Michelle Bachelet. https:\/\/thewire.in\/world\/spyware-pegasus-incompatible-human-rights-un-michelle-bachelet, 9 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_009","doi-asserted-by":"crossref","unstructured":"[9] Tobias Matzner. Why privacy is not enough privacy in the context of \u201cubiquitous computing\u201d and \u201cbig data\u201d. Journal of Information, Communication and Ethics in Society, 2014.10.1108\/JICES-08-2013-0030","DOI":"10.1108\/JICES-08-2013-0030"},{"key":"2022062314364304276_j_popets-2022-0029_ref_010","unstructured":"[10] Privacy International. Cloud extraction technology. https:\/\/privacyinternational.org\/long-read\/3300\/cloud-extraction-technology-secret-tech-lets-government-agencies-collect-masses-data, 1 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_011","unstructured":"[11] Oleg Alfonin. Accessing iCloud With and Without a Password in 2019. https:\/\/blog.elcomsoft.com\/2019\/07\/accessing-icloud-with-and-without-a-password-in-2019\/, 7 2019. Accessed 2020-09-10."},{"key":"2022062314364304276_j_popets-2022-0029_ref_012","unstructured":"[12] Cellebrite. Unlock cloud-based evidence to solve the case sooner. https:\/\/www.cellebrite.com\/en\/ufed-cloud\/, 9 2020. Accessed 2020-09-10."},{"key":"2022062314364304276_j_popets-2022-0029_ref_013","doi-asserted-by":"crossref","unstructured":"[13] Chad Spensky, Jeffrey Stewart, Arkady Yerukhimovich, Richard Shay, Ari Trachtenberg, Rick Housley, and Robert K Cunningham. Sok: Privacy on mobile devices\u2013it\u2019s complicated. Proceedings on Privacy Enhancing Technologies, 2016(3):96\u2013116, 2016.","DOI":"10.1515\/popets-2016-0018"},{"key":"2022062314364304276_j_popets-2022-0029_ref_014","unstructured":"[14] Maximilian Zinkus, Tushar M. Jois, and Matthew Green. Data security on mobile devices. https:\/\/arxiv.org\/abs\/2105.12613, 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_015","doi-asserted-by":"crossref","unstructured":"[15] Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, and Matthew Smith. SoK: Secure Messaging. In IEEE S&P \u201915. IEEE, 2015.10.1109\/SP.2015.22","DOI":"10.1109\/SP.2015.22"},{"key":"2022062314364304276_j_popets-2022-0029_ref_016","doi-asserted-by":"crossref","unstructured":"[16] Claude E Shannon. Communication theory of secrecy systems. The Bell system technical journal, 28(4):656\u2013715, 1949.10.1002\/j.1538-7305.1949.tb00928.x","DOI":"10.1002\/j.1538-7305.1949.tb00928.x"},{"key":"2022062314364304276_j_popets-2022-0029_ref_017","unstructured":"[17] Apple Inc. Answers to your questions about Apple and security. https:\/\/www.apple.com\/customer-letter\/answers\/, 2016. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_018","unstructured":"[18] Apple Inc. A Message to Our Customers. https:\/\/www. apple.com\/customer-letter\/, 2 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_019","unstructured":"[19] James Comey. FBI Director Comments on San Bernardino Matter. https:\/\/www.fbi.gov\/news\/pressrel\/press-releases\/fbi-director-comments-on-san-bernardino-matter, 2 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_020","unstructured":"[20] Encryption Working Group. Moving the Encryption Policy Conversation Forward. Technical report, Carnegie Endowment for International Peace, 9 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_021","unstructured":"[21] Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, and Harlan Yu. Mass Extraction. https:\/\/www.upturn.org\/reports\/2020\/mass-extraction\/, 10 2020. Accessed 2020-10-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_022","unstructured":"[22] Privacy International. A technical look at Phone Extraction. https:\/\/privacyinternational.org\/sites\/default\/files\/2019-10\/A%20technical%20look%20at%20Phone%20Extraction%20FINAL.pdf, 10 2019. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_023","unstructured":"[23] Joseph Cox. We Built a Database of Over 500 iPhones Cops Have Tried to Unlock. https:\/\/www.vice.com\/en_us\/article\/4ag5yj\/unlock-apple-iphone-database-for-police, 3 2020. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_024","doi-asserted-by":"crossref","unstructured":"[24] Steven M Bellovin, Matt Blaze, Sandy Clark, and Susan Landau. Going bright: Wiretapping without weakening communications infrastructure. IEEE Security & Privacy, 11(1):62\u201372, 2012.","DOI":"10.1109\/MSP.2012.138"},{"key":"2022062314364304276_j_popets-2022-0029_ref_025","doi-asserted-by":"crossref","unstructured":"[25] Harold Abelson, Ross Anderson, Steven M Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G Neumann, et al. Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1):69\u201379, 2015.","DOI":"10.1093\/cybsec\/tyv009"},{"key":"2022062314364304276_j_popets-2022-0029_ref_026","doi-asserted-by":"crossref","unstructured":"[26] Stefan Savage. Lawful device access without mass surveil-lance risk: A technical design discussion. In ACM CCS \u201918, 2018.10.1145\/3243734.3243758","DOI":"10.1145\/3243734.3243758"},{"key":"2022062314364304276_j_popets-2022-0029_ref_027","unstructured":"[27] Raymond Edward Ozzie. Providing low risk exceptional access, December 10 2019. US Patent 10,505,734."},{"key":"2022062314364304276_j_popets-2022-0029_ref_028","unstructured":"[28] Charles Wright. Crypto Crumple Zones: Protecting Encryption in a Time of Political Uncertainty. In Enigma \u201918. USENIX, 2018."},{"key":"2022062314364304276_j_popets-2022-0029_ref_029","unstructured":"[29] Matthew Green. A few thoughts on Ray Ozzie\u2019s \u201cClear\u201d proposal. https:\/\/blog.cryptographyengineering.com\/2018\/04\/26\/a-few-thoughts-on-ray-ozzies-clear-proposal\/, 4 2018. Accessed May 6, 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_030","unstructured":"[30] Matthew Green, Gabriel Kaptchuk, and Gijs Van Laer. Abuse resistant law enforcement access systems. Cryptology ePrint Archive, Report 2021\/321, 2021. https:\/\/eprint.iacr.org\/2021\/321."},{"key":"2022062314364304276_j_popets-2022-0029_ref_031","unstructured":"[31] Joseph Cox and Izzie Ramirez. iPhone Warrant Database 2019. https:\/\/docs.google.com\/spreadsheets\/d\/1Xmh1QEXYJmVPFlqAdEIVGemvbkoZmk_WyAPGC4eY-eE\/edit#gid=0, 3 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_032","unstructured":"[32] Thomas Brewster. Apple Helps FBI Track Down George Floyd Protester Accused Of Firebombing Cop Cars. https:\/\/www.forbes.com\/sites\/thomasbrewster\/2020\/09\/16\/apple-helps-fbi-track-down-george-floyd-protester-accused-of-firebombing-cop-cars\/, 9 2020. Accessed 2020-09-21."},{"key":"2022062314364304276_j_popets-2022-0029_ref_033","unstructured":"[33] NIST. Mobile Device Forensic Tool Specification. https:\/\/www.nist.gov\/system\/files\/documents\/2019\/07\/11\/mobile_device_forensic_tool_test_spec_v_3.0.pdf, 5 2019. Accessed 2020-08-04."},{"key":"2022062314364304276_j_popets-2022-0029_ref_034","unstructured":"[34] DHS. Test Results for Mobile Device Acquisition. https:\/\/www.dhs.gov\/publication\/st-mobile-device-acquisition, 10 2019. Accessed 2020-08-04."},{"key":"2022062314364304276_j_popets-2022-0029_ref_035","unstructured":"[35] S.3398 - EARN IT Act of 2020. https:\/\/www.congress.gov\/bill\/116th-congress\/senate-bill\/3398, 3 2020. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_036","unstructured":"[36] Patrick Siewert. Apple iPhone Forensics: Significant Locations. https:\/\/www.forensicfocus.com\/articles\/apple-iphone-forensics-significant-locations\/, 5 2018. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_037","unstructured":"[37] Apple Inc. Apple Platform Security. https:\/\/github.com\/maxzinkus\/PhoneEncryptionDocumentArchive, 2019\u20132020. Archived."},{"key":"2022062314364304276_j_popets-2022-0029_ref_038","unstructured":"[38] Android Open Source Project. Full-Disk Encryption. https:\/\/source.android.com\/security\/encryption\/full-disk, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_039","unstructured":"[39] Android Open Source Project. File-Based Encryption. https:\/\/source.android.com\/security\/encryption\/file-based, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_040","unstructured":"[40] Troy Kensinger. Google and Android have your back by protecting your backups. https:\/\/security.googleblog.com\/2018\/10\/google-and-android-have-your-back-by.html, 10 2018. Accessed 2020-09-20."},{"key":"2022062314364304276_j_popets-2022-0029_ref_041","unstructured":"[41] Apple Inc. Transparency Report. https:\/\/www.apple.com\/legal\/transparency\/, 9 2020. Accessed 2020-09-21."},{"key":"2022062314364304276_j_popets-2022-0029_ref_042","unstructured":"[42] Google LLC. Global requests for user information. https:\/\/transparencyreport.google.com\/user-data\/overview, 2019. Accessed 2020-09-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_043","unstructured":"[43] Joseph Menn. Exclusive: Apple dropped plan for encrypting backups after FBI complained - sources. Reuters, 1 2020. Accessed 2020-09-13."},{"key":"2022062314364304276_j_popets-2022-0029_ref_044","unstructured":"[44] Purism. https:\/\/puri.sm\/, 2021. Accessed 05-24-2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_045","unstructured":"[45] Oded Goldreich. Foundations of cryptography: volume 2, basic applications. Cambridge university press, 2009."},{"key":"2022062314364304276_j_popets-2022-0029_ref_046","unstructured":"[46] Apple Inc. Legal Process Guidelines. https:\/\/www.apple.com\/legal\/privacy\/law-enforcement-guidelines-us.pdf, 12 2018. Accessed 2020-09-21."},{"key":"2022062314364304276_j_popets-2022-0029_ref_047","doi-asserted-by":"crossref","unstructured":"[47] Yonatan Aumann and Yehuda Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. In TCC \u201907, pages 137\u2013156. Springer, 2007.10.1007\/978-3-540-70936-7_8","DOI":"10.1007\/978-3-540-70936-7_8"},{"key":"2022062314364304276_j_popets-2022-0029_ref_048","unstructured":"[48] Apple Inc. iCloud Security Overview. https:\/\/support.apple.com\/en-us\/HT202303, 7 2020. Accessed 2020-07-28."},{"key":"2022062314364304276_j_popets-2022-0029_ref_049","unstructured":"[49] Xiaowen Xin. Titan M makes Pixel 3 our most secure phone yet. https:\/\/www.blog.google\/products\/pixel\/titan-m-makes-pixel-3-our-most-secure-phone-yet\/, 10 2018. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_050","unstructured":"[50] Joshua Lund. Technology Preview for secure value recovery. https:\/\/signal.org\/blog\/secure-value-recovery\/, 12 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_051","doi-asserted-by":"crossref","unstructured":"[51] Awanthika R Senarath and Nalin Asanka Gamagedara Arachchilage. Understanding user privacy expectations: A software developer\u2019s perspective. Telematics and Informatics, 35(7):1845\u20131862, 2018.","DOI":"10.1016\/j.tele.2018.05.012"},{"key":"2022062314364304276_j_popets-2022-0029_ref_052","doi-asserted-by":"crossref","unstructured":"[52] Majid Hatamian, Jetzabel Serna, and Kai Rannenberg. Revealing the unrevealed: Mining smartphone users privacy perception on app markets. Computers & Security, 83: 332\u2013353, 2019.","DOI":"10.1016\/j.cose.2019.02.010"},{"key":"2022062314364304276_j_popets-2022-0029_ref_053","doi-asserted-by":"crossref","unstructured":"[53] Paul Van Schaik, Jurjen Jansen, Joseph Onibokun, Jean Camp, and Petko Kusev. Security and privacy in online social networking: Risk perceptions and precautionary behaviour. Computers in Human Behavior, 78:283\u2013297, 2018.","DOI":"10.1016\/j.chb.2017.10.007"},{"key":"2022062314364304276_j_popets-2022-0029_ref_054","doi-asserted-by":"crossref","unstructured":"[54] Josephine Lau, Benjamin Zimmerman, and Florian Schaub. Alexa, are you listening? privacy perceptions, concerns and privacy-seeking behaviors with smart speakers. Proceedings of the ACM on Human-Computer Interaction, 2(CSCW): 1\u201331, 2018.10.1145\/3274371","DOI":"10.1145\/3274371"},{"key":"2022062314364304276_j_popets-2022-0029_ref_055","unstructured":"[55] Dirk Van Bruggen. Studying the impact of security awareness efforts on user behavior. PhD thesis, University of Notre Dame, 2014."},{"key":"2022062314364304276_j_popets-2022-0029_ref_056","unstructured":"[56] Elissa M Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L Mazurek. A comprehensive quality evaluation of security and privacy advice on the web. In USENIX Security \u201920, pages 89\u2013108, 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_057","doi-asserted-by":"crossref","unstructured":"[57] Mary Ellen Zurko and Richard T Simon. User-centered security. In Proceedings of the 1996 workshop on New security paradigms, pages 27\u201333, 1996.10.1145\/304851.304859","DOI":"10.1145\/304851.304859"},{"key":"2022062314364304276_j_popets-2022-0029_ref_058","doi-asserted-by":"crossref","unstructured":"[58] Anne Adams and Martina Angela Sasse. Users are not the enemy. Communications of the ACM, 42(12):40\u201346, 1999.10.1145\/322796.322806","DOI":"10.1145\/322796.322806"},{"key":"2022062314364304276_j_popets-2022-0029_ref_059","unstructured":"[59] Alma Whitten and J Doug Tygar. Why johnny can\u2019t encrypt: A usability evaluation of pgp 5.0. In USENIX Security \u201999, 1999."},{"key":"2022062314364304276_j_popets-2022-0029_ref_060","unstructured":"[60] A. Gibson et al. NSA targets the privacy-conscious. https:\/\/daserste.ndr.de\/panorama\/aktuell\/NSA-targets-the-privacy-conscious,nsa230.html, 3 2014."},{"key":"2022062314364304276_j_popets-2022-0029_ref_061","doi-asserted-by":"crossref","unstructured":"[61] Aya Fukami, Saugata Ghose, Yixin Luo, Yu Cai, and Onur Mutlu. Improving the reliability of chip-off forensic analysis of nand flash memory devices. Digital Investigation, 20: S1\u2013S11, 2017.10.1016\/j.diin.2017.01.011","DOI":"10.1016\/j.diin.2017.01.011"},{"key":"2022062314364304276_j_popets-2022-0029_ref_062","unstructured":"[62] Apple Inc. Touch ID, Face ID, passcodes, and passwords. https:\/\/support.apple.com\/guide\/security\/touch-id-face-id-passcodes-and-passwords-sec9479035f1\/web, 2020. Accessed 2020-11-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_063","unstructured":"[63] Lorenzo Franceschi-Bicchierai and Joseph Cox. Here Are Detailed Photos of iPhone Unlocking Tech GrayKey. https:\/\/www.vice.com\/en_us\/article\/v7gkpx\/graykey-grayshift-photos-iphone-unlocking-tech, 9 2020. Accessed 2020-09-20."},{"key":"2022062314364304276_j_popets-2022-0029_ref_064","unstructured":"[64] Thomas Reed. GrayKey iPhone unlocker poses serious security concerns. MalwareBytes SecurityWorld, 3 2018. Accessed 2020-09-19."},{"key":"2022062314364304276_j_popets-2022-0029_ref_065","unstructured":"[65] Robert Palazzo. FCC ID 2AV7EGK01. https:\/\/fccid.io\/2AV7EGK01, 7 2020. Published by the FCC, accessed via unofficial viewer. Images archived."},{"key":"2022062314364304276_j_popets-2022-0029_ref_066","doi-asserted-by":"crossref","unstructured":"[66] Shuzhe Yang and G\u00f6khan Bal. Balancing security and usability of local security mechanisms for mobile devices. In Dimitris Gritzalis, Steven Furnell, and Marianthi Theoharidou, editors, Information Security and Privacy Research, pages 327\u2013338, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg. ISBN 978-3-642-30436-1.10.1007\/978-3-642-30436-1_27","DOI":"10.1007\/978-3-642-30436-1_27"},{"key":"2022062314364304276_j_popets-2022-0029_ref_067","doi-asserted-by":"crossref","unstructured":"[67] Matthew Green and Matthew Smith. Developers are not the enemy!: The need for usable security apis. IEEE Security & Privacy, 14(5):40\u201346, 2016.","DOI":"10.1109\/MSP.2016.111"},{"key":"2022062314364304276_j_popets-2022-0029_ref_068","unstructured":"[68] Apple Inc. Apple Security Updates. https:\/\/support.apple.com\/en-us\/HT201222, 2003\u20132020. Accessed 2020-06 through 2020-07."},{"key":"2022062314364304276_j_popets-2022-0029_ref_069","doi-asserted-by":"crossref","unstructured":"[69] Hui Lu, Xiaohan Helu, Chengjie Jin, Yanbin Sun, Man Zhang, and Zhihong Tian. Salaxy: Enabling usb debugging mode automatically to control android devices. IEEE Access, 7:178321\u2013178330, 2019.","DOI":"10.1109\/ACCESS.2019.2958837"},{"key":"2022062314364304276_j_popets-2022-0029_ref_070","unstructured":"[70] Tielei Wang, Hao Xu, and Xiaobo Chen. Pangu 9 Internals. https:\/\/papers.put.as\/papers\/ios\/2016\/us-16-Pangu9-Internals.pdf, 8 2016. Accessed 2020-08-11."},{"key":"2022062314364304276_j_popets-2022-0029_ref_071","unstructured":"[71] a1exdandy. Technical analysis of the checkm8 exploit. https:\/\/habr.com\/en\/company\/dsec\/blog\/472762\/, 10 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_072","unstructured":"[72] Roee Hay and Noam Hadad. Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals. https:\/\/alephsecurity.com\/2018\/01\/22\/qualcomm-edl-1\/, 1 2018. Accessed 2020-09-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_073","unstructured":"[73] Nitay Artenstein. Broadpwn. Black Hat USA, 2017."},{"key":"2022062314364304276_j_popets-2022-0029_ref_074","unstructured":"[74] Fenghao Xu, Wenrui Diao, Zhou Li, Jiongyi Chen, and Kehuan Zhang. Badbluetooth: Breaking android security mechanisms via malicious bluetooth peripherals. In NDSS \u201919, 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_075","unstructured":"[75] Timothy Vidas, Daniel Votipka, and Nicolas Christin. All your droid are belong to us: A survey of current android attacks. In Woot, pages 81\u201390, 2011."},{"key":"2022062314364304276_j_popets-2022-0029_ref_076","doi-asserted-by":"crossref","unstructured":"[76] Danny Dolev and Andrew Yao. On the security of public key protocols. IEEE Transactions on information theory, 29 (2):198\u2013208, 1983.10.1109\/TIT.1983.1056650","DOI":"10.1109\/TIT.1983.1056650"},{"key":"2022062314364304276_j_popets-2022-0029_ref_077","doi-asserted-by":"crossref","unstructured":"[77] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Annual international cryptology conference, pages 232\u2013249. Springer, 1993.10.1007\/3-540-48329-2_21","DOI":"10.1007\/3-540-48329-2_21"},{"key":"2022062314364304276_j_popets-2022-0029_ref_078","unstructured":"[78] Cellebrite. What Happens When You Press that Button? https:\/\/smarterforensics.com\/wp-content\/uploads\/2014\/06\/Explaining-Cellebrite-UFED-Data-Extraction-Processes-final.pdf, 6 2014. Accessed 2020-09-26."},{"key":"2022062314364304276_j_popets-2022-0029_ref_079","unstructured":"[79] Philipp Markert, Daniel V Bailey, Maximilian Golla, Markus D\u00fcrmuth, and Adam J Aviv. This pin can be easily guessed. arXiv preprint arXiv:2003.04868, 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_080","unstructured":"[80] Sergei Skorobogatov. The bumpy road towards iphone 5c nand mirroring. arXiv preprint arXiv:1609.04327, 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_081","unstructured":"[81] Sarah Scheffler and Mayank Varia. Protecting cryptography against compelled self-incrimination. Usenix Security 2021, 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_082","unstructured":"[82] Apple Inc. What does iCloud back up? https:\/\/support.apple.com\/en-us\/HT207428, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_083","unstructured":"[83] Google LLC. Google Mobile Services. https:\/\/www.android.com\/gms\/, 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_084","unstructured":"[84] Alex Hernandez. Man steals over 600K iCloud photos searching for nudes. https:\/\/techaeris.com\/2021\/09\/11\/man-steals-over-600k-icloud-photos-searching-for-nudes\/, 9 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_085","unstructured":"[85] Russell Brandom. Police are filing warrants for Android\u2019s vast store of location data. https:\/\/www.theverge.com\/2016\/6\/1\/11824118\/google-android-location-data-police-warrants, 6 2016. Accessed 2020-09-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_086","unstructured":"[86] Apple Inc. Learn more about iCloud in China mainland. https:\/\/support.apple.com\/en-us\/HT208351, 5 2020. Accessed 2020-12-03."},{"key":"2022062314364304276_j_popets-2022-0029_ref_087","unstructured":"[87] Apple Inc. Privacy. https:\/\/www.apple.com\/privacy\/, 9 2020. Accessed 2020-09-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_088","unstructured":"[88] Lewis Leong. Chinese developers release untethered iOS 7.1.X jailbreak to much controversy. https:\/\/en.softonic.com\/articles\/pangu-ios-7-1-x-jailbreak, 6 2014. Accessed 2020-07-29."},{"key":"2022062314364304276_j_popets-2022-0029_ref_089","unstructured":"[89] unc0ver jailbreak. https:\/\/unc0ver.dev\/, 2 2021. Accessed 2021-02-27."},{"key":"2022062314364304276_j_popets-2022-0029_ref_090","unstructured":"[90] Milan Broz. DMCrypt. https:\/\/gitlab.com\/cryptsetup\/cryptsetup\/-\/wikis\/DMCrypt, 9 2020. Accessed 2020-12-02. dm-crypt documentation."},{"key":"2022062314364304276_j_popets-2022-0029_ref_091","unstructured":"[91] Android Open Source Project. Rollback Resistance. https:\/\/source.android.com\/security\/keystore\/implementer-ref# rollback_resistance, 9 2020. Accessed 2021-02-28."},{"key":"2022062314364304276_j_popets-2022-0029_ref_092","doi-asserted-by":"crossref","unstructured":"[92] Li Yang, Teng Wei, Fengwei Zhang, and Jianfeng Ma. Sadus: Secure data deletion in user space for mobile devices. Computers & Security, 77:612 \u2013 626, 2018. ISSN 0167-4048. https:\/\/doi.org\/10.1016\/j.cose.2018.05.013.10.1016\/j.cose.2018.05.013","DOI":"10.1016\/j.cose.2018.05.013"},{"key":"2022062314364304276_j_popets-2022-0029_ref_093","unstructured":"[93] Nirvan Tyagi, Muhammad Haris Mughees, Thomas Risten-part, and Ian Miers. Burnbox: Self-revocable encryption in a world of compelled access. In USENIX Security \u201918, pages 445\u2013461, 2018."},{"key":"2022062314364304276_j_popets-2022-0029_ref_094","unstructured":"[94] Shijie Jia, Luning Xia, Bo Chen, and Peng Liu. Deftl: Implementing plausibly deniable encryption in flash translation layer. In ACM CCS \u201917, pages 2217\u20132229, 2017."},{"key":"2022062314364304276_j_popets-2022-0029_ref_095","doi-asserted-by":"crossref","unstructured":"[95] Bing Chang, Yao Cheng, Bo Chen, Fengwei Zhang, Wen-Tao Zhu, Yingjiu Li, and Zhan Wang. User-friendly deniable storage for mobile devices. computers & security, 72: 163\u2013174, 2018.10.1016\/j.cose.2017.09.005","DOI":"10.1016\/j.cose.2017.09.005"},{"key":"2022062314364304276_j_popets-2022-0029_ref_096","doi-asserted-by":"crossref","unstructured":"[96] Chen Chen, Anrin Chakraborti, and Radu Sion. Infuse: Invisible plausibly-deniable file system for nand flash. Proceedings on Privacy Enhancing Technologies, 2020(4): 239\u2013254, 2020.","DOI":"10.2478\/popets-2020-0071"},{"key":"2022062314364304276_j_popets-2022-0029_ref_097","unstructured":"[97] Android Open Source Project. Fingerprint HIDL. https:\/\/source.android.com\/security\/authentication\/fingerprint-hal, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_098","unstructured":"[98] Apple Inc. FaceID Security. https:\/\/github.com\/maxzinkus\/PhoneEncryptionDocumentArchive, 11 2017. Archived."},{"key":"2022062314364304276_j_popets-2022-0029_ref_099","unstructured":"[99] Android Open Source Project. Face Authentication HIDL. https:\/\/source.android.com\/security\/biometric\/face-authentication, 9 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_100","unstructured":"[100] Android Open Source Project. Authentication. https:\/\/source.android.com\/security\/authentication, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_101","unstructured":"[101] Android Open Source Project. Gatekeeper. https:\/\/source.android.com\/security\/authentication\/gatekeeper, 9 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_102","unstructured":"[102] ARM Holdings. Arm TrustZone Technology. https:\/\/developer.arm.com\/ip-products\/security-ip\/trustzone, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_103","unstructured":"[103] Android Open Source Project. Trusty TEE. https:\/\/source.android.com\/security\/trusty, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_104","unstructured":"[104] Liang Kai. Guard your data with the Qualcomm Snapdragon Mobile Platform. https:\/\/github.com\/maxzinkus\/PhoneEncryptionDocumentArchive, 4 2019. Accessed 2020-09-09. Archived."},{"key":"2022062314364304276_j_popets-2022-0029_ref_105","unstructured":"[105] Google LLC. Android keystore system. https:\/\/developer.android.com\/training\/articles\/keystore, 10 2020. Accessed 2021-02-28."},{"key":"2022062314364304276_j_popets-2022-0029_ref_106","unstructured":"[106] Google LLC. Behavior changes: all apps. https:\/\/developer.android.com\/about\/versions\/pie\/android-9.0-changes-all, 12 2019. Documentation for Android 9, accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_107","unstructured":"[107] Tarjei Mandt, Mathew Solnik, and David Wang. Demystifying the secure enclave processor. Black Hat Las Vegas, 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_108","unstructured":"[108] Elcomsoft. iOS Forensic Toolkit 6.50: jailbreak-free extraction without an Apple Developer Account. https:\/\/www.elcomsoft.com\/news\/762.html, 9 2020. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_109","unstructured":"[109] Cellebrite. Cellebrite Advanced Services. https:\/\/cf-media.cellebrite.com\/wp-content\/uploads\/2020\/09\/SolutionOverview_CAS_2020.pdf, 9 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_110","unstructured":"[110] Clemens Fruhwirth. New methods in hard disk encryption. na, 2005."},{"key":"2022062314364304276_j_popets-2022-0029_ref_111","unstructured":"[111] CPSC. IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. IEEE Std. 1619-2018, 1 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_112","doi-asserted-by":"crossref","unstructured":"[112] Moses Liskov, Ronald L Rivest, and David Wagner. Tweakable block ciphers. In Annual International Cryptology Conference, pages 31\u201346. Springer, 2002.10.1007\/3-540-45708-9_3","DOI":"10.1007\/3-540-45708-9_3"},{"key":"2022062314364304276_j_popets-2022-0029_ref_113","doi-asserted-by":"crossref","unstructured":"[113] Luther Martin. Xts: A mode of aes for encrypting hard disks. IEEE Security & Privacy, 8(3):68\u201369, 2010.","DOI":"10.1109\/MSP.2010.111"},{"key":"2022062314364304276_j_popets-2022-0029_ref_114","doi-asserted-by":"crossref","unstructured":"[114] Carlo Meijer and Bernard Van Gastel. Self-encrypting deception: weaknesses in the encryption of solid state drives. In IEEE S&P \u201919. IEEE, 2019.10.1109\/SP.2019.00088","DOI":"10.1109\/SP.2019.00088"},{"key":"2022062314364304276_j_popets-2022-0029_ref_115","doi-asserted-by":"crossref","unstructured":"[115] Eoghan Casey and Gerasimos J Stellatos. The impact of full disk encryption on digital forensics. ACM SIGOPS Operating Systems Review, 42(3):93\u201398, 2008.10.1145\/1368506.1368519","DOI":"10.1145\/1368506.1368519"},{"key":"2022062314364304276_j_popets-2022-0029_ref_116","unstructured":"[116] Oleg Afonin. This $39 Device Can Defeat iOS USB Restricted Mode. https:\/\/blog.elcomsoft.com\/2018\/07\/this-9-device-can-defeat-ios-usb-restricted-mode\/, 7 2018. Accessed 2020-09-23."},{"key":"2022062314364304276_j_popets-2022-0029_ref_117","unstructured":"[117] Vladimir Katalov. Working Around the iPhone USB Restricted Mode. https:\/\/blog.elcomsoft.com\/2020\/05\/iphone-usb-restricted-mode-workaround\/, 5 2020. Accessed 2020-11-07."},{"key":"2022062314364304276_j_popets-2022-0029_ref_118","unstructured":"[118] Kanad Basu, Deepraj Soni, Mohammed Nabeel, and Ramesh Karri. Nist post-quantum cryptography-a hardware evaluation study. IACR Cryptol. ePrint Arch., 2019: 47, 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_119","doi-asserted-by":"crossref","unstructured":"[119] Paul Crowley and Eric Biggers. Adiantum: length-preserving encryption for entry-level processors. IACR Transactions on Symmetric Cryptology, pages 39\u201361, 2018.10.46586\/tosc.v2018.i4.39-61","DOI":"10.46586\/tosc.v2018.i4.39-61"},{"key":"2022062314364304276_j_popets-2022-0029_ref_120","doi-asserted-by":"crossref","unstructured":"[120] Levent Demir, Mathieu Thiery, Vincent Roca, Jean-Michel Tenkes, and Jean-Louis Roch. Optimizing dm-crypt for xtsaes: Getting the best of atmel cryptographic co-processors (long version). In SECRYPT \u201920, 2020.10.5220\/0009767802630270","DOI":"10.5220\/0009767802630270"},{"key":"2022062314364304276_j_popets-2022-0029_ref_121","unstructured":"[121] Oleg Afonin. Smartphone Encryption: Why Only 10 Per Cent of Android Smartphones Are Encrypted. https:\/\/blog.elcomsoft.com\/2016\/03\/smartphone-encryption-why-only-10-per-cent-of-android-smartphones-are-encrypted\/, 3 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_122","doi-asserted-by":"crossref","unstructured":"[122] Matt Blaze. A cryptographic file system for unix. In ACM CCS \u201993, 1993.10.1145\/168588.168590","DOI":"10.1145\/168588.168590"},{"key":"2022062314364304276_j_popets-2022-0029_ref_123","unstructured":"[123] Michael Austin Halcrow. ecryptfs: An enterprise-class encrypted filesystem for linux. In Proceedings of the 2005 Linux Symposium, volume 1, pages 201\u2013218, 2005."},{"key":"2022062314364304276_j_popets-2022-0029_ref_124","doi-asserted-by":"crossref","unstructured":"[124] Timothy M Peters, Mark A Gondree, and Zachary NJ Peterson. Defy: A deniable, encrypted file system for log-structured storage. In NDSS \u201915, 2 2015.10.14722\/ndss.2015.23078","DOI":"10.14722\/ndss.2015.23078"},{"key":"2022062314364304276_j_popets-2022-0029_ref_125","doi-asserted-by":"crossref","unstructured":"[125] Aviad Zuck, Yue Li, Jehoshua Bruck, Donald E. Porter, and Dan Tsafrir. Stash in a flash. In FAST \u201918. USENIX, 2018.10.1145\/3211890.3211906","DOI":"10.1145\/3211890.3211906"},{"key":"2022062314364304276_j_popets-2022-0029_ref_126","doi-asserted-by":"crossref","unstructured":"[126] Joel Reardon, David Basin, and Srdjan Capkun. Sok: Secure data deletion. In IEEE S&P \u201913. IEEE, 2013.10.1109\/SP.2013.28","DOI":"10.1109\/SP.2013.28"},{"key":"2022062314364304276_j_popets-2022-0029_ref_127","doi-asserted-by":"crossref","unstructured":"[127] Ross Anderson, Roger Needham, and Adi Shamir. The steganographic file system. In International Workshop on Information Hiding, pages 73\u201382. Springer, 1998.10.1007\/3-540-49380-8_6","DOI":"10.1007\/3-540-49380-8_6"},{"key":"2022062314364304276_j_popets-2022-0029_ref_128","doi-asserted-by":"crossref","unstructured":"[128] Johannes G\u00f6tzfried, Moritz Eckert, Sebastian Schinzel, and Tilo M\u00fcller. Cache attacks on intel sgx. In Proceedings of the 10th European Workshop on Systems Security, pages 1\u20136, 2017.10.1145\/3065913.3065915","DOI":"10.1145\/3065913.3065915"},{"key":"2022062314364304276_j_popets-2022-0029_ref_129","unstructured":"[129] Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F Wenisch, Yuval Yarom, and Raoul Strackx. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In USENIX Security \u201918, pages 991\u20131008, 2018."},{"key":"2022062314364304276_j_popets-2022-0029_ref_130","unstructured":"[130] J Taylor. Security for the next generation of safe real-time systems. In Proceedings of Embedded World Conference, 2016."},{"key":"2022062314364304276_j_popets-2022-0029_ref_131","doi-asserted-by":"crossref","unstructured":"[131] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, et al. seL4: Formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, pages 207\u2013220, 2009.10.1145\/1629575.1629596","DOI":"10.1145\/1629575.1629596"},{"key":"2022062314364304276_j_popets-2022-0029_ref_132","unstructured":"[132] Apple Inc. Apple Pay security and privacy overview. https:\/\/support.apple.com\/en-us\/HT203027, 7 2020. Accessed 2020-07-30."},{"key":"2022062314364304276_j_popets-2022-0029_ref_133","unstructured":"[133] Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanovi\u0107, and Dawn Song. Keystone: An open framework for architecting trusted execution environments. In EuroSys \u201920. ACM, 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_134","unstructured":"[134] Krste Asanovi\u0107 and David A Patterson. Instruction sets should be free: The case for risc-v. EECS Department, University of California, Berkeley, Tech. Rep. UCB\/EECS-2014-146, 2014."},{"key":"2022062314364304276_j_popets-2022-0029_ref_135","doi-asserted-by":"crossref","unstructured":"[135] Michael Henson and Stephen Taylor. Beyond full disk encryption: protection on security-enhanced commodity processors. In International Conference on Applied Cryptography and Network Security, pages 307\u2013321. Springer, 2013.10.1007\/978-3-642-38980-1_19","DOI":"10.1007\/978-3-642-38980-1_19"},{"key":"2022062314364304276_j_popets-2022-0029_ref_136","doi-asserted-by":"crossref","unstructured":"[136] P. A. H. Peterson. Cryptkeeper: Improving security with encrypted ram. In IEEE HST \u201910, 2010.10.1109\/THS.2010.5655081","DOI":"10.1109\/THS.2010.5655081"},{"key":"2022062314364304276_j_popets-2022-0029_ref_137","doi-asserted-by":"crossref","unstructured":"[137] Alexander W\u00fcrstlein, Michael Gernoth, Johannes G\u00f6tzfried, and Tilo M\u00fcller. Exzess: Hardware-based ram encryption against physical memory disclosure. In International Conference on Architecture of Computing Systems, pages 60\u201371. Springer, 2016.10.1007\/978-3-319-30695-7_5","DOI":"10.1007\/978-3-319-30695-7_5"},{"key":"2022062314364304276_j_popets-2022-0029_ref_138","unstructured":"[138] Android Open Source Project. Verified Boot. https:\/\/source.android.com\/security\/verifiedboot, 9 2020. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_139","unstructured":"[139] Debnath Bhattacharyya, Rahul Ranjan, Farkhod Alisherov, Minkyu Choi, et al. Biometric authentication: A review. International Journal of u-and e-Service, Science and Technology, 2(3):13\u201328, 2009."},{"key":"2022062314364304276_j_popets-2022-0029_ref_140","unstructured":"[140] Ivan Cherapau, Ildar Muslukhov, Nalin Asanka, and Konstantin Beznosov. On the Impact of TouchID on iPhone Passcodes. In SOUPS \u201915), 2015."},{"key":"2022062314364304276_j_popets-2022-0029_ref_141","doi-asserted-by":"crossref","unstructured":"[141] Silvio Barra, Maria De Marsico, Michele Nappi, Fabio Narducci, and Daniel Riccio. A hand-based biometric system in visible light for mobile environments. Information Sciences, 479:472\u2013485, 2019.10.1016\/j.ins.2018.01.010","DOI":"10.1016\/j.ins.2018.01.010"},{"key":"2022062314364304276_j_popets-2022-0029_ref_142","doi-asserted-by":"crossref","unstructured":"[142] Adrian-Stefan Ungureanu, Shejin Thavalengal, Timoth\u00e9e E Cognard, Claudia Costache, and Peter Corcoran. Unconstrained palmprint as a smartphone biometric. IEEE Transactions on Consumer Electronics, 63(3):334\u2013342, 2017.10.1109\/TCE.2017.014994","DOI":"10.1109\/TCE.2017.014994"},{"key":"2022062314364304276_j_popets-2022-0029_ref_143","doi-asserted-by":"crossref","unstructured":"[143] Ajita Rattani and Reza Derakhshani. Online co-training in mobile ocular biometric recognition. In IEEE HST \u201917). IEEE, 2017.10.1109\/THS.2017.7943490","DOI":"10.1109\/THS.2017.7943490"},{"key":"2022062314364304276_j_popets-2022-0029_ref_144","doi-asserted-by":"crossref","unstructured":"[144] Chiara Galdi and Jean-Luc Dugelay. Fire: fast iris recognition on mobile phones by combining colour and texture features. Pattern Recognition Letters, 91:44\u201351, 2017.","DOI":"10.1016\/j.patrec.2017.01.023"},{"key":"2022062314364304276_j_popets-2022-0029_ref_145","doi-asserted-by":"crossref","unstructured":"[145] Andrea F Abate, Silvio Barra, Luigi Gallo, and Fabio Narducci. Kurtosis and skewness at pixel level as input for som networks to iris recognition on mobile devices. Pattern Recognition Letters, 91:37\u201343, 2017.10.1016\/j.patrec.2017.02.002","DOI":"10.1016\/j.patrec.2017.02.002"},{"key":"2022062314364304276_j_popets-2022-0029_ref_146","doi-asserted-by":"crossref","unstructured":"[146] Karan Ahuja, Rahul Islam, Ferdous A Barbhuiya, and Kuntal Dey. Convolutional neural networks for ocular smartphone-based biometrics. Pattern Recognition Letters, 91:17\u201326, 2017.10.1016\/j.patrec.2017.04.002","DOI":"10.1016\/j.patrec.2017.04.002"},{"key":"2022062314364304276_j_popets-2022-0029_ref_147","doi-asserted-by":"crossref","unstructured":"[147] Fernando Alonso-Fernandez, Kiran B Raja, Christoph Busch, and Josef Bigun. Log-likelihood score level fusion for improved cross-sensor smartphone periocular recognition. In EUSIPCO \u201917. IEEE, 2017.10.23919\/EUSIPCO.2017.8081211","DOI":"10.23919\/EUSIPCO.2017.8081211"},{"key":"2022062314364304276_j_popets-2022-0029_ref_148","doi-asserted-by":"crossref","unstructured":"[148] Robin Tan and Marek Perkowski. Toward improving electrocardiogram (ecg) biometric verification using mobile sensors: A two-stage classifier approach. Sensors, 17(2): 410, 2017.","DOI":"10.3390\/s17020410"},{"key":"2022062314364304276_j_popets-2022-0029_ref_149","unstructured":"[149] Andrew Crocker. Victory: Pennsylvania Supreme Court Rules Police Can\u2019t Force You to Tell Them Your Password. https:\/\/www.eff.org\/deeplinks\/2019\/11\/victory-pennsylvania-supreme-court-rules-police-cant-force-you-tell-them-your, 11 2019. Accessed 2020-12-03."},{"key":"2022062314364304276_j_popets-2022-0029_ref_150","unstructured":"[150] Apple Inc. iOS Security. https:\/\/github.com\/maxzinkus\/PhoneEncryptionDocumentArchive,2012\u20132019. iOS Security Guides. Archived."},{"key":"2022062314364304276_j_popets-2022-0029_ref_151","doi-asserted-by":"crossref","unstructured":"[151] Adam J Aviv, Devon Budzitowski, and Ravi Kuber. Is bigger better? comparing user-generated passwords on 3x3 vs. 4x4 grid sizes for android\u2019s pattern unlock. In Proceedings of the 31st Annual Computer Security Applications Conference, pages 301\u2013310, 2015.10.1145\/2818000.2818014","DOI":"10.1145\/2818000.2818014"},{"key":"2022062314364304276_j_popets-2022-0029_ref_152","unstructured":"[152] Russell Brandom. A new hack could let thieves bypass the iPhone\u2019s lockscreen. https:\/\/www.theverge.com\/2015\/3\/30\/8311835\/iphone-lockscreen-hack-theft-find-my-iphone, 3 2015. Accessed 2020-09-09."},{"key":"2022062314364304276_j_popets-2022-0029_ref_153","unstructured":"[153] Adam J Aviv, Katherine L Gibson, Evan Mossop, Matt Blaze, and Jonathan M Smith. Smudge attacks on smart-phone touch screens. Woot, 10:1\u20137, 2010."},{"key":"2022062314364304276_j_popets-2022-0029_ref_154","doi-asserted-by":"crossref","unstructured":"[154] Man Zhou, Qian Wang, Jingxiao Yang, Qi Li, Feng Xiao, Zhibo Wang, and Xiaofeng Chen. Patternlistener: Cracking android pattern lock using acoustic signals. In ACM CCS \u201918, pages 1775\u20131787, 2018.10.1145\/3243734.3243777","DOI":"10.1145\/3243734.3243777"},{"key":"2022062314364304276_j_popets-2022-0029_ref_155","doi-asserted-by":"crossref","unstructured":"[155] Sebastian Uellenbeck, Markus D\u00fcrmuth, Christopher Wolf, and Thorsten Holz. Quantifying the security of graphical passwords: the case of android unlock patterns. In ACM CCS \u201913, pages 161\u2013172, 2013.10.1145\/2508859.2516700","DOI":"10.1145\/2508859.2516700"},{"key":"2022062314364304276_j_popets-2022-0029_ref_156","doi-asserted-by":"crossref","unstructured":"[156] Burt Kaliski. Pkcs# 5: Password-based cryptography spec-ification version 2.0. Technical report, RFC 2898, september, 2000.10.17487\/rfc2898","DOI":"10.17487\/rfc2898"},{"key":"2022062314364304276_j_popets-2022-0029_ref_157","unstructured":"[157] Oleg Afonin. Protecting Your Data and Apple Account If They Know Your iPhone Passcode. https:\/\/blog.elcomsoft.com\/2018\/06\/protecting-your-data-and-apple-account-if-they-know-your-iphone-passcode\/, 6 2018. Accessed 2020-09-22."},{"key":"2022062314364304276_j_popets-2022-0029_ref_158","doi-asserted-by":"crossref","unstructured":"[158] Adi Shamir. How to share a secret. Commun. ACM, 22 (11), November 1979.10.1145\/359168.359176","DOI":"10.1145\/359168.359176"},{"key":"2022062314364304276_j_popets-2022-0029_ref_159","doi-asserted-by":"crossref","unstructured":"[159] St\u00e9phanie Delaune, Steve Kremer, and Graham Steel. Formal analysis of pkcs# 11. In 2008 21st IEEE Computer Security Foundations Symposium, pages 331\u2013344. IEEE, 2008.10.1109\/CSF.2008.16","DOI":"10.1109\/CSF.2008.16"},{"key":"2022062314364304276_j_popets-2022-0029_ref_160","unstructured":"[160] Yubico. YubiKey 5 NFC. https:\/\/www.yubico.com\/se\/product\/yubikey-5-nfc\/, 9 2021."},{"key":"2022062314364304276_j_popets-2022-0029_ref_161","doi-asserted-by":"crossref","unstructured":"[161] Kasper Green Larsen and Jesper Buus Nielsen. Yes, there is an oblivious ram lower bound! In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO \u201918, 2018.10.1007\/978-3-319-96881-0_18","DOI":"10.1007\/978-3-319-96881-0_18"},{"key":"2022062314364304276_j_popets-2022-0029_ref_162","unstructured":"[162] Google LLC. Security. https:\/\/support.google.com\/android\/answer\/9075927, 2020. Accessed 2020-09-18."},{"key":"2022062314364304276_j_popets-2022-0029_ref_163","doi-asserted-by":"crossref","unstructured":"[163] Ahmed Mahfouz, Tarek M. Mahmoud, and Ahmed Sharaf Eldin. A survey on behavioral biometric authentication on smartphones. Journal of Information Security and Applications, 37, 2017.10.1016\/j.jisa.2017.10.002","DOI":"10.1016\/j.jisa.2017.10.002"},{"key":"2022062314364304276_j_popets-2022-0029_ref_164","doi-asserted-by":"crossref","unstructured":"[164] Sanjam Garg, Craig Gentry, Amit Sahai, and Brent Waters. Witness encryption and its applications. In STOC \u201913, 2013.10.1145\/2488608.2488667","DOI":"10.1145\/2488608.2488667"},{"key":"2022062314364304276_j_popets-2022-0029_ref_165","unstructured":"[165] Apple Inc. Use Handoff to continue tasks on your other devices. https:\/\/support.apple.com\/en-us\/HT209455, 2021. Accessed 2021-05-31."},{"key":"2022062314364304276_j_popets-2022-0029_ref_166","unstructured":"[166] Uday Savagaonkar, Nelly Porter, Nadim Taha, Benjamin Serebrin, and Neal Mueller. Titan in depth: Security in plaintext. https:\/\/cloud.google.com\/blog\/products\/gcp\/titan-in-depth-security-in-plaintext, 8 2017. Accessed 2020-09-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_167","doi-asserted-by":"crossref","unstructured":"[167] Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. Opaque: an asymmetric pake protocol secure against precomputation attacks. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 456\u2013486. Springer, 2018.10.1007\/978-3-319-78372-7_15","DOI":"10.1007\/978-3-319-78372-7_15"},{"key":"2022062314364304276_j_popets-2022-0029_ref_168","unstructured":"[168] Thomas D et al Wu. The secure remote password protocol. In NDSS, volume 98, pages 97\u2013111. Citeseer, 1998."},{"key":"2022062314364304276_j_popets-2022-0029_ref_169","doi-asserted-by":"crossref","unstructured":"[169] David M\u2019Raihi, Salah Machani, Mingliang Pei, and Johan Rydell. Totp: Time-based one-time password algorithm. Internet Request for Comments, 2011.10.17487\/rfc6238","DOI":"10.17487\/rfc6238"},{"key":"2022062314364304276_j_popets-2022-0029_ref_170","doi-asserted-by":"crossref","unstructured":"[170] David M\u2019Raihi, Mihir Bellare, Frank Hoornaert, David Nac-cache, and Ohad Ranen. Hotp: An hmac-based one-time password algorithm. The Internet Society, Network Working Group. RFC4226, 2005.10.17487\/rfc4226","DOI":"10.17487\/rfc4226"},{"key":"2022062314364304276_j_popets-2022-0029_ref_171","unstructured":"[171] Apple Inc. Two-factor authentication for Apple ID. https:\/\/support.apple.com\/en-us\/HT204915, 7 2020. Accessed 2020-07-28."},{"key":"2022062314364304276_j_popets-2022-0029_ref_172","unstructured":"[172] Juan Benet and Nicola Greco. Filecoin: A decentralized storage network. Protoc. Labs, pages 1\u201336, 2018."},{"key":"2022062314364304276_j_popets-2022-0029_ref_173","unstructured":"[173] Juan Benet. IPFS: Content addressed, versioned, P2P file system. arXiv preprint arXiv:1407.3561, 2014."},{"key":"2022062314364304276_j_popets-2022-0029_ref_174","unstructured":"[174] Adam Eijdenberg, Ben Laurie, and Al Cutter. Verifiable Data Structures. https:\/\/continusec.com\/static\/VerifiableDataStructures.pdf, 11 2015."},{"key":"2022062314364304276_j_popets-2022-0029_ref_175","doi-asserted-by":"crossref","unstructured":"[175] Joan Daemen and Vincent Rijmen. The block cipher rijndael. In International Conference on Smart Card Research and Advanced Applications, pages 277\u2013284. Springer, 1998.10.1007\/10721064_26","DOI":"10.1007\/10721064_26"},{"key":"2022062314364304276_j_popets-2022-0029_ref_176","doi-asserted-by":"crossref","unstructured":"[176] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC \u201909, 2009.10.1145\/1536414.1536440","DOI":"10.1145\/1536414.1536440"},{"key":"2022062314364304276_j_popets-2022-0029_ref_177","unstructured":"[177] Sean W Smith and Vernon Austel. Trusting trusted hardware: Towards a formal model for programmable secure coprocessors. In USENIX Workshop on Electronic Commerce, 1998."},{"key":"2022062314364304276_j_popets-2022-0029_ref_178","doi-asserted-by":"crossref","unstructured":"[178] Cynthia E Irvine and Karl Levitt. Trusted hardware: Can it be trustworthy? In 2007 44th ACM\/IEEE Design Automation Conference, pages 1\u20134. IEEE, 2007.10.1109\/DAC.2007.375041","DOI":"10.1109\/DAC.2007.375041"},{"key":"2022062314364304276_j_popets-2022-0029_ref_179","unstructured":"[179] Ivan Krstic. Behind the Scenes with iOS Security. https:\/\/www.blackhat.com\/docs\/us-16\/materials\/us-16-Krstic.pdf, 8 2016. Accessed 2020-09-07."},{"key":"2022062314364304276_j_popets-2022-0029_ref_180","doi-asserted-by":"crossref","unstructured":"[180] Udi Manber. A simple scheme to make passwords based on one-way functions much harder to crack. Computers & Security, 15(2):171\u2013176, 1996.10.1016\/0167-4048(96)00003-X","DOI":"10.1016\/0167-4048(96)00003-X"},{"key":"2022062314364304276_j_popets-2022-0029_ref_181","unstructured":"[181] Mart\u0131n Abadi, T Mark A Lomas, and Roger Needham. Strengthening passwords. Technical report, Citeseer, 1997."},{"key":"2022062314364304276_j_popets-2022-0029_ref_182","doi-asserted-by":"crossref","unstructured":"[182] John Kelsey, Bruce Schneier, Chris Hall, and David Wagner. Secure applications of low-entropy keys. In International Workshop on Information Security, pages 121\u2013134. Springer, 1997.10.1007\/BFb0030415","DOI":"10.1007\/BFb0030415"},{"key":"2022062314364304276_j_popets-2022-0029_ref_183","doi-asserted-by":"crossref","unstructured":"[183] J Alex Halderman, Brent Waters, and Edward W Felten. A convenient method for securely managing passwords. In WWW \u201905, pages 471\u2013479, 2005.10.1145\/1060745.1060815","DOI":"10.1145\/1060745.1060815"},{"key":"2022062314364304276_j_popets-2022-0029_ref_184","doi-asserted-by":"crossref","unstructured":"[184] Ian McQuoid, Mike Rosulek, and Lawrence Roy. Minimal symmetric pake and 1-out-of-n ot from programmable-once public functions. In ACM CCS \u201920, pages 425\u2013442, 2020.10.1145\/3372297.3417870","DOI":"10.1145\/3372297.3417870"},{"key":"2022062314364304276_j_popets-2022-0029_ref_185","doi-asserted-by":"crossref","unstructured":"[185] Jolyon Clulow. On the security of pkcs# 11. In CHES \u201903. Springer, 2003.10.1007\/978-3-540-45238-6_32","DOI":"10.1007\/978-3-540-45238-6_32"},{"key":"2022062314364304276_j_popets-2022-0029_ref_186","doi-asserted-by":"crossref","unstructured":"[186] Matteo Bortolozzo, Matteo Centenaro, Riccardo Focardi, and Graham Steel. Attacking and fixing pkcs# 11 security tokens. In ACM CCS \u201910, 2010.10.1145\/1866307.1866337","DOI":"10.1145\/1866307.1866337"},{"key":"2022062314364304276_j_popets-2022-0029_ref_187","unstructured":"[187] Google LLC. Stronger security for your Google Account. https:\/\/www.google.com\/landing\/2step\/, 2021. Accessed 2021-02-28."},{"key":"2022062314364304276_j_popets-2022-0029_ref_188","doi-asserted-by":"crossref","unstructured":"[188] Leslie Lamport, Robert Shostak, and Marshall Pease. The byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3):382\u2013401, 1982.10.1145\/357172.357176","DOI":"10.1145\/357172.357176"},{"key":"2022062314364304276_j_popets-2022-0029_ref_189","unstructured":"[189] Diego Ongaro and John Ousterhout. In search of an understandable consensus algorithm. In USENIX ATC \u201914, 2014."},{"key":"2022062314364304276_j_popets-2022-0029_ref_190","unstructured":"[190] Gabriel Kaptchuk. New Applications of Public Ledgers. PhD thesis, The Johns Hopkins University, 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_191","doi-asserted-by":"crossref","unstructured":"[191] Ben Laurie. Certificate transparency. Commun. ACM, 57(10):40\u201346, September 2014. ISSN 0001-0782. URL https:\/\/doi.org\/10.1145\/2659897.10.1145\/2659897","DOI":"10.1145\/2659897"},{"key":"2022062314364304276_j_popets-2022-0029_ref_192","unstructured":"[192] Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, and Michael J. Freedman. CONIKS: Bringing key transparency to end users. In USENIX Security \u201915. USENIX, 2015."},{"key":"2022062314364304276_j_popets-2022-0029_ref_193","unstructured":"[193] Google. Key Transparency. https:\/\/github.com\/google\/keytransparency\/, 11 2020."},{"key":"2022062314364304276_j_popets-2022-0029_ref_194","unstructured":"[194] Russ Cox and Filippo Valsorda. Proposal: Secure the Public Go Module Ecosystem. https:\/\/go.googlesource.com\/proposal\/+\/master\/design\/25530-sumdb.md, 4 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_195","unstructured":"[195] Andy Greenberg. The Clever Cryptography Behind Apple\u2019s \u2019Find My\u2019 Feature. https:\/\/www.wired.com\/story\/apple-find-my-cryptography-bluetooth\/, 6 2019. Accessed 2020-07-19."},{"key":"2022062314364304276_j_popets-2022-0029_ref_196","doi-asserted-by":"crossref","unstructured":"[196] Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick. Who can find my devices? security and privacy of apple\u2019s crowd-sourced bluetooth location tracking system. arXiv preprint arXiv:2103.02282, 2021.","DOI":"10.2478\/popets-2021-0045"},{"key":"2022062314364304276_j_popets-2022-0029_ref_197","unstructured":"[197] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Technical report, Manubot, 2019."},{"key":"2022062314364304276_j_popets-2022-0029_ref_198","unstructured":"[198] Tom Ritter. Private by Design: How we built Firefox Sync. https:\/\/hacks.mozilla.org\/2018\/11\/firefox-sync-privacy\/, 11 2018. Accessed 2021-05-30."},{"key":"2022062314364304276_j_popets-2022-0029_ref_199","unstructured":"[199] Google LLC. Back up user data with Auto Backup. https:\/\/developer.android.com\/guide\/topics\/data\/autobackup, 1 2020. Accessed 2020-09-25."},{"key":"2022062314364304276_j_popets-2022-0029_ref_200","doi-asserted-by":"crossref","unstructured":"[200] Dan Boneh, Amit Sahai, and Brent Waters. Functional encryption: Definitions and challenges. In TCC \u201911, pages 253\u2013273. Springer, 2011.10.1007\/978-3-642-19571-6_16","DOI":"10.1007\/978-3-642-19571-6_16"}],"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.sciendo.com\/pdf\/10.2478\/popets-2022-0029","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T16:31:58Z","timestamp":1658334718000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2022\/popets-2022-0029.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,20]]},"references-count":200,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2021,11,20]]},"published-print":{"date-parts":[[2022,1,1]]}},"alternative-id":["10.2478\/popets-2022-0029"],"URL":"https:\/\/doi.org\/10.2478\/popets-2022-0029","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,11,20]]}}}