With more than 100 million Apple iPhone users, the demand to secure them has never been greater. The latest version of iOS 7.x has matured a great deal from its predecessors. This iOS version comes with numerous security features that you can leverage if you’re interested in protecting your iPhone and the data it stores and processes.
Take a minute to think about the applications that you have running on your iPhone and the nature of information it processes. You will quickly come to the realization that it stores confidential and private information such as account numbers, pass-words to websites, corporate emails, pictures and videos, browser search history, stocks you track, recent places you visited, and much more. It’s imperative that this information be protected at all times. Although a lot of stress is placed on protecting personal computers, most people fail to take even the basic security precautions on their iPhones.
This article offers guidelines on securing your iPhone using features provided by iOS and by following other security best practices. It begins by discussing basic security settings for novice users and then continues to discuss advanced techniques for expert users. This paper is intended for users who want to take proactive measures to secure their iPhones, companies willing to train their employees and administrators working on developing strong policies. It confines its discussion to iPhone security features only and does not discuss similar features that may be available in other mobile device platforms such as Android and Windows Phone. However, some of the concepts and standards apply across all these devices.
The model device used for this paper is an iPhone running iOS 7.x some of these settings and features may not be present in the older or newer versions of iOS.
Enable Passcode Lock on Your iPhone
The most basic precaution you can take is to enable passcode lock and set it to automatically engage after a brief period of inactivity. By default, a passcode is not required to unlock the iPhone. Most people would put off this security measure for ease of use and convenience. However, the truth is that once you have it enabled, it becomes second nature and you would not notice any difference. It is recommended that you set a strong passcode. In the event of a physical theft, this will increase the effort required to compromise your iPhone. Also, for some other security applications to work such as Find My iPhone, a passcode is mandatory.
How to setup a passcode lock
- Navigate to Settings > General > Passcode Lock.
- Tap Turn Passcode On.
- You will be prompted to enter a four-digit passcode twice. Choose a passcode that’s difficult to guess. See the guidelines on choosing hard passcodes below.
Choosing a Passcode that’s Difficult to Guess
According to research done by Daniel Amity, the most common passcodes used are: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, and 1998. While 1234, 0000, and 2580 are easy to remember and thus picked, 5683 is the number representation of “LOVE,” once again mimicking a very common Internet password: “iloveyou.” Avoid using these commonly used or other easy-to-guess passcodes such as your birthdate.
The iPhone can be configured to auto-lock after a predefined period of inactivity. The most secure setting is Immediately. This is also the default setting, unless changed by the user. It is recommended that this setting not be changed from its default value to anything greater and less secure, such as five minutes. Setting it to immediately will reduce the time window that the iPhone is in an unlocked state and ensure that it will be mostly locked in case of a physical security breach.
It is trivial for a thief to guess the four-digit passcode through brute force attempts. The Erase Data setting could be configured on iPhone to erase all the user’s data and settings if 10 failed attempts have been reached. This will thwart all brute force attempts to guess the correct passcode. This setting is disabled by default, but it is recommended that you enable it. If enabled, your iPhone will completely wipe all the data after 10 failed attempts have been recorded. This may sound scary at first, as you don’t want your data to be accidentally deleted by a child or prankster. However, after the first few wrong attempts, it stops you from trying for a minute, then on the next failed attempt, it increases the delay to five minutes, and keeps on increasing it till 30 minutes for the last few attempts, before wiping the data of the device. It is unlikely that someone would have all this time unless your phone is lost. Also, remember this information can always be restored from Apple iTunes if it is accidentally wiped out.
Disable Features That Could Be Accessed Without Entering the Passcode
Disable the Voice Dial and Siri Feature
By default, the Voice Dial and Siri feature of an iPhone can be accessed without unlocking it first. To access this feature, press the Home button on a locked iPhone. It will start Voice Dial and prompt you to enter a command. This feature can be used to call anyone from the contact list, play songs, and use other functions. Apple has now provided an option for the users to disable it.
To disable it:
- Navigate to Settings > Passcode
- Turn Voice Dial to OFF.
- Turn Siri to OFF
Disable SMS Preview
Messages can be previewed on a locked iPhone by default. Although this is a convenient feature, there are security ramifications when it is used. Many applications send sensitive secondary authentication information such as authentication codes via text message. This information, if compromised, could further compromise your banking and other application credentials through the use of the Reset Password functionality. It is recommended that this feature be disabled at all times.
This feature can be disabled by navigating to Settings > Notification Center > Messages > Show Preview and then toggling it to OFF.
Overcoming Privacy Issues Due to the Inherent Design of the iPhone
How to prevent sensitive information from being captured as screen shots
If an application displays sensitive information such as Social Security numbers, account numbers, and other data in full, then avoid using such an application on the iPhone. However, the risk is still present for built-in applications such as Messaging, Safari, and other common functions. In this case, be mindful of this design flaw and avoid tapping the Home button while viewing sensitive information on the screen. Go to a different page not displaying sensitive information before tapping the Home button. Advanced users can follow the steps5 below to disable screen shot writing permanently. Basic users should skip this section as it requires jailbreaking the iPhone. Jailbreaking has its own security issues that are outlined later on. Unless you are familiar with the process and aware of the security issues, you should not try this.
- Use OpenSSH application to gain root privileges to your jailbroken iPhone.
- Using the OpenSSH application, enter the following commands in the prompt:
rm -rf /var/mobile/Library/Caches/Snapshots
ln -s /dev/null /var/mobile/Library/Caches/Snapshots
These commands will disable screenshot writing permanently. However, if you wish to undo this action in the future, delete the symlink and the directory will get re-created.
The storage of location-based data in the form of latitude and longitude inside the images is called geotagging. It is essentially tagging your photograph with the geographic location information. Though most digital cameras do not have GPS hardware built in, smartphones are exceptions. The iPhone has both the camera and GPS locator technology. Thus, the iPhone camera is equipped with automatically adding geolocation information to the pictures it takes. By default, all pictures taken by an iPhone contain this information unless it is manually disabled. Imagine you took some pictures of your house or your car parked in front of it and uploaded this to the social networking sites. Anyone viewing these images could identify the location of your house (if geotagging was not disabled). Now imagine if you were a celebrity hiding from paparazzi and took a photo of your house with your iPhone—you would reveal your whereabouts to them by publishing these pictures.
Disable Geotagging on the iPhone
Apple iOS allows users to turn off location services on a per-application basis. It is recommended that you disable location services for the camera application. This will prevent geotagging. Navigate to Settings > Privacy > Location Services. Toggle the Camera to OFF as shown below.
Erase All the Data before Return,
Repair, or Resale of Your iPhone
Imagine you bought a new iPhone and want to sell your old one on eBay. You can use the Restore option available in iTunes to reset the iPhone to its factory state. However, that does not use a secure delete function, allowing it to persist data on the device, which could be later recovered with the use of proper forensic tools. A detective from Oregon State Police managed to recover a user’s personal data like emails, photos, and more from an out-of-the-box refurbished iPhone that he had bought. All personal data that was available on the phone before being restored was still left in the unallocated blocks of iPhone’s NAND memory.
How to Securely Erase Data from Your iPhone
- Change all your passwords for emails, social networking sites, and banking sites that you have configured on your iPhone.
- Navigate to Settings > General > Reset.
- Tap on Reset All Settings as shown below and confirm the warning.
- Next, navigate to Settings > General > Reset, and tap on Erase All Content and Settings.
- Now restore the iPhone using iTunes.
- Using iTunes uncheck all Sync options for photos, videos, music, email, and other content.
- Create three separate playlists as large as the storage capacity of your iPhone.
- On the Music tab, select the first of your three playlists to sync. Make sure that the storage bar at the bottom looks full after syncing. This will guarantee that the complete memory on the iPhone is overwritten with the contents of your playlist and there are no unallocated blocks left.
- Repeat this process three times for each of the playlists. This technique is referred to as the unofficial way of three-pass overwrite.
- Now restore the iPhone again using iTunes.
Regularly Update the iPhone’s Firmware
iOS Firmware is the operating system embedded in the iPhone. The iPhone ships with the version of firmware that was current at the time of manufacturing. Apple provides frequent firmware updates that are not limited to bug fixes and security fixes, but also include additional security features. The current firmware version is 7.1.1. It is recommended that you always have the latest version of firmware running on your iPhone. By doing so, you will not be vulnerable to the security issues identified in the previous versions.
How to Check the Current Firmware Version on Your iPhone
To check the current firmware version, navigate to Settings > General > About. Check the version information available on this screen. As show in the figure below, the current version running on the my iPhone is 7.1.1.
How to Track Latest Firmware Updates Released
To track the latest firmware updates, navigate to Settings > General > Software Update. This will automatically check firmware updates, if available Click Download & Install to install latest firmware. Currently my iPhone running the most latest firmware as show in the figure below, the current version running on the my iPhone is 7.1.1.
To Jailbreak or Not to Jailbreak?
What Is Jailbreaking?Jailbreaking is hacking of iOS through the use of custom kernels to bypass limitations imposed by Apple. It allows users to run any application not authorized by Apple, via installers such as Cydia. Jailbreaking was made legal in the US under DMCA of 2010. Thus, there are no legal restrictions preventing users from
jailbreaking their iPhones. However, there are some serious security ramifications.
- Jailbreaking makes you more susceptible to worms and other malicious applications.
Although identified vulnerabilities for iOS put users equally at risk, there are certain vulnerabilities that only target jailbroken iPhones. For example, the Dutch Ransom worm targeted users with them default SSH password on jailbroken iPhones. Thus, using a jailbroken device may increase your risk.
2. Applications on a jailbroken device run as root outside of the iOS sandbox.
By default, all the applications on a non-jailbroken iPhone run as a least-privileged mobile user, jailed in the sandbox architecture of iOS. However, applications on jailbroken iPhones can run as root and do whatever they please. Also, any self-signed applications can run on the device without being validated by Apple first. Although the primary goal of code signing introduced by Apple was not security per se, it does provide some level of security by limiting the number of malicious applications that are available on the AppStore.
3. It de-motivates you from regularly updating your iOS firmware.
When you update your iOS, you lose the jailbreaking advantage and need to re-jailbreak it. You also need to re-install all jailbroken applications and extensions. There are tools like PkgBackup that could be used to restore all the applications and hacks, but it is still cumbersome and may prevent you from frequently updating your iOS firmware. As discussed earlier, not running the latest version of iOS may make your iPhone vulnerable to defects and bugs identified in the older versions.
Although there are definite usability advantages to jailbreaking an iPhone, we are only discussing security benefits. The jailbreaking community has provided faster fixes than the iPhone development team in several instances. For example, when the zero-day vulnerability in the mobile Safari browser (related to the way it handles PDF documents) was identified, the jailbreaking community quickly released PDF Patcher 2 to remediate it. This protected the users who had jailbroken their iPhones (about 10 percent of the total iPhone user population), while others who didn’t were left waiting for Apple to release a fix. Thus, having a jailbroken iPhone may, in fact, work to your advantage by reducing the window of exposure to zero-day vulnerabilities.
To jailbreak your iPhone or not is a very controversial topic. You will find supporters from both sides.Jailbreaking is definitely not for everyone. If you are a novice user with limited knowledge of security,
then you should try to avoid jailbreaking.