With more than 100 million Apple iPhone
users, the demand to secure them has never been greater. The latest version of
iOS 7.x has matured a great deal from its predecessors. This iOS version comes
with numerous security features that you can leverage if you’re interested in
protecting your iPhone and the data it stores and processes.
Take a minute to think about the
applications that you have running on your iPhone and the nature of information
it processes. You will quickly come to the realization that it stores
confidential and private information such as account numbers, pass-words to
websites, corporate emails, pictures and videos, browser search history, stocks
you track, recent places you visited, and much more. It’s imperative that this information
be protected at all times. Although a lot of stress is placed on protecting personal
computers, most people fail to take even the basic security precautions on their
iPhones.
This article offers guidelines on securing
your iPhone using features provided by iOS and by following other security best
practices. It begins by discussing basic security settings for novice users and
then continues to discuss advanced techniques for expert users. This paper is
intended for users who want to take proactive measures to secure their iPhones,
companies willing to train their employees and administrators working on
developing strong policies. It confines its discussion to iPhone security
features only and does not discuss similar features that may be available in
other mobile device platforms such as Android and Windows Phone. However, some
of the concepts and standards apply across all these devices.
The model device used for this paper is
an iPhone running iOS 7.x some of these settings and features may not be
present in the older or newer versions of iOS.
Enable Passcode Lock on Your iPhone
The most basic precaution you can take
is to enable passcode lock and set it to automatically engage after a brief
period of inactivity. By default, a passcode is not required to unlock the
iPhone. Most people would put off this security measure for ease of use and
convenience. However, the truth is that once you have it enabled, it becomes
second nature and you would not notice any difference. It is recommended that
you set a strong passcode. In the event of a physical theft, this will increase
the effort required to compromise your iPhone. Also, for some other security
applications to work such as Find My iPhone, a passcode is mandatory.
How to setup a passcode lock
- Navigate to Settings > General > Passcode Lock.
- Tap Turn Passcode On.
- You will be prompted to enter a four-digit passcode twice. Choose a passcode that’s difficult to guess. See the guidelines on choosing hard passcodes below.
Choosing a Passcode that’s Difficult to
Guess
According to research done by Daniel Amity,
the most common passcodes used are: 1234, 0000, 2580, 1111, 5555, 5683, 0852,
2222, 1212, and 1998. While 1234, 0000, and 2580 are easy to remember and thus
picked, 5683 is the number representation of “LOVE,” once again mimicking a very
common Internet password: “iloveyou.” Avoid using these commonly used or other
easy-to-guess passcodes such as your birthdate.
Set
Auto-Lock Timeout
The
iPhone can be configured to auto-lock after a predefined period of inactivity.
The most secure setting is Immediately. This is also the default setting, unless
changed by the user. It is recommended that this setting not be changed from
its default value to anything greater and less secure, such as five minutes.
Setting it to immediately will reduce the time window that the iPhone is in an
unlocked state and ensure that it will be mostly locked in case of a physical
security breach.
Enable
Erase Data
It is
trivial for a thief to guess the four-digit passcode through brute force
attempts. The Erase Data setting could be configured on iPhone to erase all the
user’s data and settings if 10 failed attempts have been reached. This will
thwart all brute force attempts to guess the correct passcode. This setting is
disabled by default, but it is recommended that you enable it. If enabled, your
iPhone will completely wipe all the data after 10 failed attempts have been
recorded. This may sound scary at first, as you don’t want your data to be
accidentally deleted by a child or prankster. However, after the first few
wrong attempts, it stops you from trying for a minute, then on the next failed
attempt, it increases the delay to five minutes, and keeps on increasing it
till 30 minutes for the last few attempts, before wiping the data of the
device. It is unlikely that someone would have all this time unless your phone
is lost. Also, remember this information can always be restored from Apple
iTunes if it is accidentally wiped out.
Disable Features That Could Be Accessed Without Entering the Passcode
Disable the Voice Dial and Siri Feature
By
default, the Voice Dial and Siri feature of an iPhone can be accessed without unlocking
it first. To access this feature, press the Home button on a locked iPhone. It
will start Voice Dial and prompt you to enter a command. This feature can be
used to call anyone from the contact list, play songs, and use other functions.
Apple has now provided an option for the users to disable it.
To disable it:
- Navigate to Settings > Passcode
- Turn Voice Dial to OFF.
- Turn Siri to OFF
Disable SMS Preview
Messages can be previewed on a locked iPhone by default. Although this is a convenient feature, there are security ramifications when it is used. Many applications send sensitive secondary authentication information such as authentication codes via text message. This information, if compromised, could further compromise your banking and other application credentials through the use of the Reset Password functionality. It is recommended that this feature be disabled at all times.
This feature can be disabled by navigating to Settings > Notification Center > Messages > Show Preview and then toggling it to OFF.
Overcoming Privacy Issues Due to the Inherent Design of the iPhone
How to prevent sensitive information from being captured as screen shots
If an application displays
sensitive information such as Social Security numbers, account numbers, and other
data in full, then avoid using such an application on the iPhone. However, the
risk is still present for built-in applications such as Messaging, Safari, and
other common functions. In this case, be mindful of this design flaw and avoid
tapping the Home button while viewing sensitive information on the screen. Go
to a different page not displaying sensitive information before tapping the
Home button. Advanced users can follow the steps5 below to disable screen shot
writing permanently. Basic users should skip this section as it requires
jailbreaking the iPhone. Jailbreaking has its own security issues that are
outlined later on. Unless you are familiar with the process and aware of the
security issues, you should not try this.
- Use OpenSSH application to gain root privileges to your jailbroken iPhone.
- Using the OpenSSH application, enter the following commands in the prompt:
rm -rf
/var/mobile/Library/Caches/Snapshots
ln -s /dev/null
/var/mobile/Library/Caches/Snapshots
These commands will disable
screenshot writing permanently. However, if you wish to undo this action in the
future, delete the symlink and the directory will get re-created.
Geotagging
The
storage of location-based data in the form of latitude and longitude inside the
images is called geotagging. It is essentially tagging your photograph with the
geographic location information. Though most digital cameras do not have GPS
hardware built in, smartphones are exceptions. The iPhone has both the camera
and GPS locator technology. Thus, the iPhone camera is equipped with
automatically adding geolocation information to the pictures it takes. By
default, all pictures taken by an iPhone contain this information unless it is
manually disabled. Imagine you took some pictures of your house or your car
parked in front of it and uploaded this to the social networking sites. Anyone
viewing these images could identify the location of your house (if geotagging
was not disabled). Now imagine if you were a celebrity hiding from paparazzi
and took a photo of your house with your iPhone—you would reveal your
whereabouts to them by publishing these pictures.
How to
Disable Geotagging on the iPhone
Apple
iOS allows users to turn off location services on a per-application basis.
It is recommended
that you disable location services for the camera application. This will
prevent geotagging. Navigate to Settings > Privacy > Location Services.
Toggle the Camera to OFF as shown below.
Erase All the Data before Return,
Repair, or Resale of Your iPhone
Imagine you bought a new iPhone
and want to sell your old one on eBay. You can use the Restore option available
in iTunes to reset the iPhone to its factory state. However, that does not use
a secure delete function, allowing it to persist data on the device, which
could be later recovered with the use of proper forensic tools. A detective
from Oregon State Police managed to recover a user’s personal data like emails,
photos, and more from an out-of-the-box refurbished iPhone that he had bought. All
personal data that was available on the phone before being restored was still
left in the unallocated blocks of iPhone’s NAND memory.
How to Securely Erase Data from Your iPhone
First
method
- Change all your passwords for emails, social networking sites, and banking sites that you have configured on your iPhone.
- Navigate to Settings > General > Reset.
- Tap on Reset All Settings as shown below and confirm the warning.
- Next, navigate to Settings > General > Reset, and tap on Erase All Content and Settings.
- Now restore the iPhone using iTunes.
- Using iTunes uncheck all Sync options for photos, videos, music, email, and other content.
- Create three separate playlists as large as the storage capacity of your iPhone.
- On the Music tab, select the first of your three playlists to sync. Make sure that the storage bar at the bottom looks full after syncing. This will guarantee that the complete memory on the iPhone is overwritten with the contents of your playlist and there are no unallocated blocks left.
- Repeat this process three times for each of the playlists. This technique is referred to as the unofficial way of three-pass overwrite.
- Now restore the iPhone again using iTunes.
Regularly Update the iPhone’s Firmware
iOS Firmware is the operating
system embedded in the iPhone. The iPhone ships with the version of firmware that
was current at the time of manufacturing. Apple provides frequent firmware
updates that are not limited to bug fixes and security fixes, but also include
additional security features. The current firmware version is 7.1.1. It is
recommended that you always have the latest version of firmware running on your
iPhone. By doing so, you will not be vulnerable to the security issues
identified in the previous versions.
How to Check the Current Firmware Version on Your iPhone
To check the current firmware version, navigate to Settings > General > About. Check the version information available on this screen. As show in the figure below, the current version running on the my iPhone is 7.1.1.
How to Track Latest Firmware Updates Released
To track the latest firmware updates, navigate to Settings > General
> Software Update. This will automatically check firmware updates, if available Click Download & Install to install latest firmware. Currently my iPhone running the most latest firmware as
show in the figure below, the current version running on the my iPhone
is 7.1.1.
To Jailbreak or Not to Jailbreak?
What Is Jailbreaking?
Jailbreaking is hacking of iOS through the use of custom kernels to bypass limitations imposed by Apple. It allows users to run any application not authorized by Apple, via installers such as Cydia. Jailbreaking was made legal in the US under DMCA of 2010. Thus, there are no legal restrictions preventing users fromjailbreaking their iPhones. However, there are some serious security ramifications.
Cons
- Jailbreaking makes you more susceptible to worms and other malicious applications.
Although identified vulnerabilities for iOS put users equally at risk, there are certain vulnerabilities that only target jailbroken iPhones. For example, the Dutch Ransom worm targeted users with them default SSH password on jailbroken iPhones. Thus, using a jailbroken device may increase your risk.
2. Applications on a jailbroken device run as root outside of the iOS sandbox.
By default, all the applications on a non-jailbroken iPhone run as a least-privileged mobile user, jailed in the sandbox architecture of iOS. However, applications on jailbroken iPhones can run as root and do whatever they please. Also, any self-signed applications can run on the device without being validated by Apple first. Although the primary goal of code signing introduced by Apple was not security per se, it does provide some level of security by limiting the number of malicious applications that are available on the AppStore.
3. It de-motivates you from regularly updating your iOS firmware.
When you update your iOS, you lose the jailbreaking advantage and need to re-jailbreak it. You also need to re-install all jailbroken applications and extensions. There are tools like PkgBackup that could be used to restore all the applications and hacks, but it is still cumbersome and may prevent you from frequently updating your iOS firmware. As discussed earlier, not running the latest version of iOS may make your iPhone vulnerable to defects and bugs identified in the older versions.
Pros
Although there are definite usability advantages to jailbreaking an iPhone, we are only discussing security benefits. The jailbreaking community has provided faster fixes than the iPhone development team in several instances. For example, when the zero-day vulnerability in the mobile Safari browser (related to the way it handles PDF documents) was identified, the jailbreaking community quickly released PDF Patcher 2 to remediate it. This protected the users who had jailbroken their iPhones (about 10 percent of the total iPhone user population), while others who didn’t were left waiting for Apple to release a fix. Thus, having a jailbroken iPhone may, in fact, work to your advantage by reducing the window of exposure to zero-day vulnerabilities.
Conclusion
To jailbreak your iPhone or not is a very controversial topic. You will find supporters from both sides.
Jailbreaking is definitely not for everyone. If you are a novice user with limited knowledge of security,then you should try to avoid jailbreaking.
No comments: