
iPhone Security: 10 Tips and Settings

March 24, 2011 by Keatron Evans

The iPhone is one of the most popular mobile devices on the market with an array of downloadable apps for users to do any number of things. Its popularity and the users’ habit of downloading apps make it a popular target for malware developers and data thieves.

As I demonstrated in this video, there is an abundance of personal information stored on this device such as:

  • Browsing history.
  • Map and browser queries.
  • Even stored GPS data on newer iPhones.

And those are the risks even if you don’t use your phone to manage your finances, make purchases online, or use the various apps that let you pay for things in person with your phone.

Setting up your phone to run as securely as possible is critical. To help you do that, follow these steps:

  1. This is a no-brainer, but turn on the auto-lock feature. First tap the settings icon. Then select General. In the resulting menu, select the Auto-lock button and set it to 5 Minutes. Also make sure the Passcode Lock option is enabled. While you’re here, make sure the Location Services option is turned off. While I’m sure you can think of 100 reasons to use it, I can tell you 101 reasons not to. For one, this geo-location information will be tagged to every photograph you take with your iPhone. Then, depending on how you post these great photos to Facebook and other locations on the web, someone could easily pull the pictures down and track your every move historically.
  2. This one is from Apple directly. Re-assign your Home button. By default it goes to your favorite contacts. To do this, tap the settings icon again. Then select General. Now select Home. Change it from Phone Favorites to iPod. It is worth noting that if you have an iPhone 4, this is not necessary.
  3. This one is important. Change your SIM PIN. This is not the same as the PIN you enter when the phone auto-locks. To get to the SIM PIN setting, do the following. Tap the settings icon. Next tap Phone. Then scroll down and select SIM PIN. Tap the option for ON. Then enter a code. This ensures that an individual can’t just take your SIM out of your iPhone and use it in another iPhone.
  4. You will find other tutorials elsewhere that instruct you to use a password storage app. Since I’m not a fan of single points of failure, I’m going to advise against using a password app. The concept sounds great: store all your passwords in this app and you don’t have to worry about remembering a bunch of different passwords. But a compromise of the iPhone could not only give up credentials to your iPhone, but also the other passwords you’ll inevitably start to store there. I say, remember your passwords! It’s amazing how much our expectations, as far as intellect goes, have declined in the last 20 years.
  5. Stay up to date with security updates and iOS updates.
  6. Now I know I’m probably going to get some arguments on this one. But please read it entirely before chiming in: DO NOT jailbreak your iPhone. Here’s why. What if someone told you to download a piece of software to your computer? You have no idea who the “real” person responsible for writing this software is. In addition, you probably have never looked at the source code, or don’t have the capability to look at the source code. Also, it’s very likely that this software has a backdoor. By installing it, you give the software complete control of your computer, and you just blindly trust that the unknown author hasn’t backdoored you. If you’re that trusting, then go for it. Otherwise, read on. Essentially, the Digital Millennium Copyright Act (DMCA) pretty much made jailbreaking illegal before the technique even existed. However, as of July 2010 it was deemed an “exemption”. To read more about the Electronic Frontier Foundation’s battle with the Librarian of Congress and the Copyright Office, go here: https://www.eff.org/press/archives/2010/07/26. In addition to not opening yourself up to potential ownage, you’ll keep yourself out of the Apple software update/jailbreak update merry-go-round. In other words, every time there’s a new release or major update to iOS, you won’t be able to get it without first un-jailbreaking your iPhone (restoring to factory), then installing the update, then jailbreaking it again. Do you really want to go through all that? Repeatedly? Seriously? I didn’t think so.
  7. I’ll start this one with a simple question: why do you use your iPhone for web browsing? Can you actually enjoy browsing on that tiny screen? No? Great! So don’t bother connecting your iPhone to a Wi-Fi network other than your own. And even then, do it sparingly. For you pentesting folk, here’s a test you can perform. If you want to see whether any iPhones are connected to your wireless network (or any you may be connected to), scan for TCP port 62078. If you find it open on any IP address, it’s most likely an iPhone (or iPad). Since this is not a hacking article, we won’t get into dumping the address book via tunneling etc. Maybe in another article.
    Also, turn the Wi-Fi off when you’re not using it. For people who travel a lot like me, imagine if I were to go near an airport and set up a rogue access point named Boingo. You know how many iPhones I’d get because of that freaking auto-connect to remembered access points feature? Tons.
  8. Here’s a basic, overlooked one. I know it’s tempting to download bank apps to be able to see your bank account balance and even do transfers and other transactions in real time. Considering all the other advice I’ve given in this article, it should now be apparent why doing these types of things on the phone might not be the best idea. So I don’t recommend banking on your phone. We don’t even know how to truly secure our PCs and bank “securely” online, and already people can’t live without having the ability to do money transfers and manage their bank accounts from their iPhone? If you’re reading this, you’re most likely already security conscious, so stay that way. There are plenty of more thoroughly tested ways to spend our money. Let’s wait a bit on using iPhone apps for that, at least until we (the security community as a whole) have had time to truly test the security of these apps and processes.
  9. Try to stay away from transparent or automatic data transfer apps. An example would be Bump. Basically, Bump lets you literally “bump” your iPhone against somebody else’s iPhone and start transferring things like contact lists or individual contacts. What do you think the chances are of that app having a hiccup which causes it to send more than you intended? And what if it doesn’t inform you that it screwed up and did this? Just use your imagination on how badly this could turn out. Copy?
  10. This one is really a two-for-one. First, BACK UP your iPhone to your Mac or PC. Second, encrypt your backups. You don’t need any special software to do this. You can do it from iTunes by following these steps.
  • Connect your iPhone to your computer and wait for it to show up in iTunes.
  • Click the iPhone name located in the Devices section of iTunes.
  • Next click the Summary tab in the preferences window.
  • Now click the empty box next to “Encrypt iPhone backups”, then select “Apply”.
  • Go ahead and Eject your iPhone from iTunes. Done.

This will make recovering the “backup” data stored on the phone really hard if you don’t have the passcode; even forensically, it will cause some major headaches for the investigator. And just as it is a forensic headache, it should cause some stumbling for any thief who has stolen your phone as well.
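Tip 1’s warning about geo-tagged photos can be checked, and fixed, before a picture is posted. The following is an added example, not code from the original article: it parses the GPS IFD inside a JPEG’s Exif segment to report the embedded position in decimal degrees (what anyone who downloads the photo could read out), and strips the Exif segment so the photo can be shared without its location. The sample photo bytes are constructed inline (a minimal JPEG wrapper around a hand-built Exif blob, not a real camera file); the function names are the example’s own, while the tag numbers are the standard Exif ones.

```python
import struct
GPS_IFD_TAG = 0x8825        # IFD0 entry pointing at the GPS sub-IFD (standard Exif tag)
EXIF_MAGIC = b"Exif\0\0"    # prefix of the JPEG APP1 segment that carries Exif

def build_sample_exif(lat=(40, 44, 54.3), lon=(73, 59, 8.8)):
    """Constructed test data: a minimal little-endian TIFF/Exif blob holding only a GPS IFD."""
    rat = lambda vals: b"".join(struct.pack("<II", round(v * 1000), 1000) for v in vals)
    hdr = b"II" + struct.pack("<HI", 42, 8)                               # TIFF header, IFD0 at 8
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + b"\0" * 4    # one entry: GPS IFD at 26
    gps = (struct.pack("<HHHI4s", 4, 1, 2, 2, b"N\0\0\0")                 # 4 entries; GPSLatitudeRef
           + struct.pack("<HHII", 2, 5, 3, 80)                            # GPSLatitude: RATIONALs at 80
           + struct.pack("<HHI4s", 3, 2, 2, b"W\0\0\0")                   # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104) + b"\0" * 4)              # GPSLongitude at 104; no next IFD
    return hdr + ifd0 + gps + rat(lat) + rat(lon)

def wrap_jpeg(exif):  # constructed minimal JPEG container: SOI, one APP1 Exif segment, SOS, EOI
    app1 = EXIF_MAGIC + exif
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\xff\xd9"

def gps_from_exif(exif):
    """Decimal (lat, lon) from a TIFF/Exif blob, or None if it carries no GPS position."""
    e = "<" if exif[:2] == b"II" else ">"                        # byte order from the TIFF header
    rd = lambda fmt, o: struct.unpack_from(e + fmt, exif, o)[0]
    def entries(ifd):                                            # (tag, type, count, value-field pos)
        return [(rd("H", p), rd("H", p + 2), rd("I", p + 4), p + 8)
                for p in range(ifd + 2, ifd + 2 + 12 * rd("H", ifd), 12)]
    gps_ifd = [rd("I", v) for t, _, _, v in entries(rd("I", 4)) if t == GPS_IFD_TAG]
    tags = {}
    for tag, typ, cnt, v in (entries(gps_ifd[0]) if gps_ifd else []):
        if typ == 2 and cnt <= 4:                                # short ASCII (N/S/E/W) stored inline
            tags[tag] = exif[v:v + cnt].rstrip(b"\0").decode("ascii")
        elif typ == 5:                                           # RATIONAL triplets live at an offset
            o = rd("I", v)
            tags[tag] = [rd("I", o + 8 * k) / rd("I", o + 8 * k + 4) for k in range(cnt)]
    if 2 not in tags or 4 not in tags:                           # GPSLatitude / GPSLongitude absent
        return None
    dec = lambda dms, ref: (dms[0] + dms[1] / 60 + dms[2] / 3600) * (-1 if ref in ("S", "W") else 1)
    return dec(tags[2], tags.get(1, "N")), dec(tags[4], tags.get(3, "E"))

def jpeg_chunks(jpeg):
    """Split a JPEG into (is_exif, bytes) pieces: SOI, each header segment up to SOS, then the rest."""
    pos, chunks = 2, [(False, jpeg[:2])]
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack_from(">H", jpeg, pos + 2)[0]
        chunks.append((jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == EXIF_MAGIC, jpeg[pos:end]))
        pos = end
    return chunks + [(False, jpeg[pos:])]

def gps_from_jpeg(jpeg):
    """Detection: the location a photo would leak when posted, or None."""
    hits = [gps_from_exif(seg[10:]) for is_exif, seg in jpeg_chunks(jpeg) if is_exif]
    return next((h for h in hits if h), None)

def strip_gps(jpeg):  # mitigation: drop the APP1 Exif segment(s) before the photo is shared
    return b"".join(seg for is_exif, seg in jpeg_chunks(jpeg) if not is_exif)
```

Real photos carry many more Exif tags than this sample, so a stripped file also loses camera and timestamp metadata, which is usually what you want before posting.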

Hope this article helps.
Keatron.

Author
Keatron Evans

Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.

11 responses to “iPhone Security: 10 Tips and Settings”

  1. Some good tips here but some of them ignore reality.

    The tip about turning off geo-location for photos is not really a tip and ignores the reality that is social media. I want my photos to have the location of where I took them. And when I check in to Foursquare I’m choosing to let people know where I am. But I don’t do this from my home address or my work address. That’s the real tip. This is not a privacy tip. Being out in public means your actions are not private. They might be anonymous but they are not private.

    Tip #4 is idiotic and ignores reality. Too many accounts with too many different passwords to remember is the reality for most people. And attacking people’s intellect will ensure that your security advice is ignored.

    Tip #7 is not practical unless you want a massive data bill. I use trusted (Home, Office) Wi-Fi whenever I can.

    We all have a personal threshold of acceptable risk. We each must determine what that is and then act accordingly. One-size-fits-all security does not exist. You want your mobile device to be truly secure? Turn it off and never use it. But that’s not practical, is it?

  2. Tony D says:

    I think turning off the geo-location feature is a good tip, most people don’t know about this feature. Consider those who have kids with iPhones and facebook pages. Do you REALLY want someone to know where the kid in the picture can be found? What malls they hang out at, the school they go to, and yep, even their home address.

    In “reality”, who really needs to know where you are? If they need to know that, actually tell them.

  3. RedTalon says:

    Keatron,
    Nice article… Good suggestions…

    Why do you recommend connecting to your own wifi sparingly though, assuming it’s secure? I have a limited data plan, so I like to do any data intensive functions when I’m on my wifi connection.

    Also, to avoid connecting to unknown networks, go to SETTINGS > WIFI > Turn “Ask To Join Networks” ON.
    This way, when you use an app that requires a network connection and a Wi-Fi connection is available, a little window pops up that says “Select A Wireless network”. Simply tap “Cancel” and your 3G connection will be used instead. This assumes you haven’t been naughty and already connected to unknown networks. Any networks that you have connected to in the past will automatically be connected to. But if you’ve been safe, the only network that you should be connecting to is your own home network. If you are not sure, you can go to SETTINGS > GENERAL > RESET and select “Reset Network Settings”. This will wipe out any networks you have connected to in the past. Just reset your home settings and from now on you will get the popup warning before you connect to an unknown network.

    RedTalon

  4. Keatron says:

    Khurt, to your first point. I recently worked a case with a law enforcement agency where the victim (a parent of a 9-year-old boy) wasn’t using her iPhone to take pictures at home, but she took pictures of little Johnny’s Christmas play. Needless to say, a certain ring of very bad men were tracking her on Facebook. When she posted those photos on a popular picture hosting site and updated Facebook with this info, they promptly got the pictures, pulled the EXIF data out, and of course now they knew exactly where Johnny went to school. I think you can figure out the rest.

    Concerning tip #4, I don’t attack people’s intellect, sir. Really it boils down to changing how we “pick” passwords. For example, take the phrase “I met my wife in Vegas and she was wearing a brown dress”. Now take the first letter of each word in the phrase and you end up with IMMWIVASWWABD. Add a number and a special character, and then you have a strong password that you can remember and no one else would ever guess. Additionally, it’s not a dictionary word, so dictionary attacks are useless. Brute forcing will take a while, and you’d need a serious rainbow table to crack it that way. Then pick other phrases that you’ll never forget and use the same technique for other passwords. One of the biggest challenges in security is trying to get people who aren’t security minded to be at least “more” security minded. This is a goal of mine. Sorry if you feel I was attacking your intellect or anybody else’s, as that’s certainly not my intention. As far as ignoring my advice goes, people are certainly free to do that.

    Concerning tip #7, the point here is to minimize how much web browsing you do on your iPhone. I NEVER use it on Wi-Fi except at home occasionally for updates and the like. The times that I need to actually use it to browse when I’m away from home, I use 3G. And mind you, I travel A LOT. And even with the amount of travel I rack up every month, I’ve never gone over my data plan limit. I have several family members, friends and associates who have done the same based on my advice, and none of them have gone over their data limit either.

    Concerning your last point, do keep in mind that this is a tips article. The point is to read the article, implement the things you are able to based on your “acceptable risk” factor, then ignore the things you can’t. It’s as simple as that. Isn’t that what most of us do with any advice?

    Also, I don’t think calling my points idiotic because you don’t agree with them serves any real purpose as far as helping people. Since helping people is pretty much why we created this portal, try to refrain from name calling and negativism in the future.

    Thanks for your comments!

  5. Red Talon, basically I say connect to even home Wi-Fi sparingly because honestly there’s really no way to secure wireless to the point of its being “Wired Equivalent Privacy”, which is what we were promised with WEP back in the day. In addition to my iPhone, I use my wireless at home sparingly even when it comes to my laptops. I’m not saying don’t ever. Just make it less frequent. Think of it this way: if you’re at home with your computers, other than updates and app stuff, why would you use your iPhone for browsing?

    Remember, when you implement a wireless network, it’s the same as taking a cable, plugging it into your switch or router, running that cable outside, setting it on the sidewalk, then plugging another switch in on that end and letting anybody who wants to have “physical” access to your network. Remember, with wireless the physical layer is the air. Your data travels in the air. For sure there’s WPA2, and all the other things we can do to make it more secure, but they’re pretty much all broken to some extent. I will add this tidbit of advice concerning wireless. I will also point you to another article I published concerning the home network and securing it. I’ve got a few things in there about locking down the wireless. Check it out at
    http://resources.infosecinstitute.com/information-security-at-home/

    Thanks for stopping by and sharing!

    Keatron

  6. Bob H says:

    Thanks for your tips Keatron.

  7. Claude says:

    The #3 really got me messed up; the instruction to change the SIM PIN is not clear enough. It just says “…then enter a code.” Code? It fails to say that the user should get it from ATT, otherwise the SIM will lock if anything else is entered. Below is the copy from ATT:
    Important: If the incorrect PUK (Pin Unlock Key) code is entered 10 times in a row, the SIM card will become permanently locked, and you must purchase a new SIM card. If your device is requesting PUK 2 please call Customer Care at 1-800-331-0500.
    All the other suggestions seem good.
    thanks

  8. Immanuel N says:

    Keatron, thanks for your most insightful and real world advice you give on how to guard our privacy (data) when using the iPhone. I have an iPhone and that’s what naturally drew me in to your article on how to secure one’s iPhone. Judging from the quality of the advice that you shared in this article, I am going to be reading your other articles as well.

    Keep it coming Keatron!

  9. Anthony G says:

    Keatron,

    Once again, you have enlightened me. I think you should do an update article or to include the iPad. I agree with most of the points but I think tip number 3 needs a bit more maturing on the application vendors’ side. As you pointed out, having a password manager app is a single point of failure, but yet people will NOT stop creating easy to guess passwords because, let’s face it, there are just too many places and too many passwords to remember. Utilizing your “passphrase” scheme is definitely the ONLY way to go in creating passwords, so I agree with you there. But people (including me) will use that same password on our MySpace, Facebook, Gmail, and Twitter accounts, thus creating a single point of failure. So I do think we need a password manager app, but it has to be one which offers 2 factor authentication, or 3 factor authentication. Will hackers still be able to crack it? Yes, but it will surely give them a very good fight.

    On the Wi-Fi issue, I rarely use Wi-Fi because, well, it’s just not secure enough for my liking. It’s sad that the Wi-Fi vendors for years have touted having wireless as equating to “worry less”, and that is not the case. I won’t say any more about that issue.

    Finally, I just want to say your tips are very useful and it will help keep people more secure. I understand there will be some who think you are completely off base, but they won’t try to do a comprehensive comparison article to stick their neck out to have it critiqued by the masses. Keep up the good work!

