The iPhone is one of the most popular mobile devices on the market with an array of downloadable apps that enable users to do any number of things. Its popularity and the users’ habit of downloading apps make it a popular target for malware developers and data thieves.
There is an abundance of personal information stored on this device such as:
- Browsing history.
- Map and browser queries.
- Even stored GPS data on newer iPhones.
And these are the risks if you don’t use your phone to manage your finances or make purchases online or use various apps that let you pay for things in person with your phone.
Setting up your phone to run as securely as possible is critical. To help you do that, follow these steps:
1. This is a no brainer, but turn on the auto-lock feature. First tap the settings icon. Then select General. In the resulting menu, select the Auto-lock button and set it to five minutes. Also make sure the Passcode Lock option is enabled. While you’re here, make sure the Location Services option is turned off. While I’m sure you can think of 100 reasons to use it, I can tell you 101 reasons not to. For one, this geo-location information will be tagged to every photograph you take with your iPhone. Then depending on how you post these great photos to Facebook, and other locations on the Web, someone could easily pull the pictures down and track your every move historically.
2. This one is from Apple directly. Re-assign your home button. By default it goes to your favorite contacts. To do this, tap the settings icon again. Then select General. Now select Home. Change it from Phone Favorites to iPod. It is worth noting that if you have an iPhone 4 this is not necessary.
3. This one is important. Change your SIM PIN. This is not the same as the PIN you enter when the phone auto-locks. To get to the SIM PIN setting, do the following. Tap the settings icon. Next tap Phone. Then scroll down and select SIM PIN. Tap the option for ON. Then enter a code. This ensures that an individual can’t just take your SIM out of your iPhone and use it in another iPhone.
4. You will find other tutorials elsewhere that instruct you to use a password storage app. Since I’m not a fan of single point of failure, I’m going to advise against using a password app. The concept sounds great; store all your passwords in this app and you don’t have to worry about remembering a bunch of different passwords. A compromise of the iPhone could not only give up credentials to your iPhone, but also other passwords you’ll inevitably start to store there. I say remember your passwords! It’s amazing how much our expectations, as far as intellect goes, have declined in the last 20 years.
5. Stay up to date with security updates and iOS updates.
6. Now I know I’m going to probably get some arguments on this one. But please read it entirely before chiming in; DO NOT Jailbreak your iPhone. Here’s why; What if someone told you to download a piece of software to your computer. You have no idea who the “real” person is responsible for writing this software. In addition to that, you probably have never looked at the source code or don’t have the capabilities to look at the source code. Also it’s very likely that this software has a backdoor. By installing this software you give the software complete control of your computer. And you just blindly trust that the unknown author hasn’t backdoored you. If you’re that trusting, then go for it. Otherwise read on. Essentially, the Digital Millennium Copyright Act (DMCA) pretty much made jailbreaking illegal before the technique even existed. However as of July 2010 it was deemed an “exemption.” To read more about the Electronic Frontier Foundation’s battle with The Librarian of Congress and the Copyright Office go here. In addition to not opening yourself up to potential ownage, you’ll keep yourself out of the Apple software update/jailbreak update merry-go-round. In other words, every time there’s a new release or major update to iOS, you won’t be able to get them without first un-jailbreaking your iPhone (restoring to factory), then installing the updates, then re-jailbreaking it again. Do you really want to go through all that? Repeatedly? Seriously? I didn’t think so.
7. I’ll start this one with a simple question; Why do you use your iPhone for Web browsing? You can actually enjoy your browsing with that tiny screen? No? Great! So don’t bother connecting your iPhone to a Wi-Fi network other than your own. And even then, do it sparingly. For you pentesting folk, here’s a test you can perform. If you want to see if any iPhones are connected to your wireless network (or any you may be connected to), scan for TCP port 62078. If you find it open on any IP address, it’s most likely an iPhone (or iPad). Since this is not a hacking article, we won’t get into to dumping the address book via tunneling etc. Maybe in another article. Also, turn the Wi-Fi off when you’re not using it. For people who travel a lot like me, imagine if I were to go near an airport and set up a rogue access point named Boingo. You know how many iPhones I’d get because of that freaking auto connect to remembered access points feature? Tons.
8. Here’s a basic, often overlooked tip. I know it’s tempting to download bank apps to be able to see your bank account balance and even do transfers and other transactions in real time. Considering all the other advice I’ve given in this article it should now be apparent why doing these types of things on the phone might not be the best idea. So I don’t recommend banking on your phone. We don’t even know how to truly secure our PCs and bank “securely” online, and already people can’t live without having the ability to do money transfers and manage their bank accounts from their iPhone? If you’re reading this, you’re most likely already security conscious, so stay that way. There’s plenty of more thoroughly tested ways to spend our money. Let’s wait a bit on using iPhone apps for that. At least until we (the security community as a whole) has had time to truly test the security of these apps and processes.
9. Try and stay away from transparent or automatic data transfer apps. An example would be Bump. Basically Bump allows you to just literally “bump” your iPhone against somebody else’s iPhone and start transferring things like contact lists or individual contacts. What do you think the chances are of that app having a hiccup which causes it to send more than you intended? And what if it doesn’t inform you that it screwed up and did this? Just use your imagination on how bad this could turn out. Copy?
10. This one is really a two for one. First, BACK UP your iPhone to your Mac or PC. Secondly, encrypt your backups. You don’t need any special software to do this. You can do it from iTunes by following these steps.
- Once you’ve connected your iPhone to your computer, and it shows up in iTunes.
- Click the iPhone name located in the Devices section of iTunes.
- Next click the Summary tab in the preferences window.
- Now click the empty box next to “Encrypt iPhone backups”, and then select “Apply.”
- Go ahead and eject your iPhone from iTunes. Done.
This will make recovering the “backup” data stored on the phone really hard if you don’t have the passcode, even forensically it’ll cause some major headaches for the investigator. So just like it will be a forensic headache, it should cause some stumbling for any thief who’s stolen your phone as well.
Keatron Evans is an instructor at InfoSec Institute. InfoSec Institute is a security training company now offering mobile forensics classes.