The iPhone is the most popular smartphone in the Jaguar office. For me, the bandwagon-jumping point was the iPhone 4, with the 300+ dpi screen and the A4 CPU that made for one of the first smartphones that was sufficiently powerful (IMO) to actually run its OS and apps well.
With many of us relying more on our iPhones for Serious Business, the question of security arises. Apple has implemented some security measures into the iPhone, and continue to make small but steady improvements, as the iPhone sneaks further and further into Corporate America. While the iPhone isn’t quite at BlackBerry level of security yet, there are some important features that everyone should be taking advantage of.
The Bare Minimum Basics
1. Enable Auto-Lock and Passcode Lock
The one step you absolutely, positively must take with your iPhone is enabling the auto-lock and passcode lock functions.
Auto-Lock locks your phone (the same action as pressing the “sleep” button on the top of the phone) after X minutes of inactivity.
Passcode Lock requires users to enter a passcode in order to unlock a locked phone.
The point of these features is to try and ensure that if your phone is lost or stolen, the device will be in a locked and password-protected state by whomever took or found it. This is essential in order to protect your data.
2. Enable Find My iPhone
Find My iPhone gives you the ability to track a lost phone from a computer or from another iOS device. It can help greatly in the recovery of a stolen device.
This used to be a feature one would have to buy from Apple as part of the MobileMe service, but it is now part of the free iCloud service that replaced MobileMe.
Find My iPhone gives you the ability to remotely lock your phone, or even wipe its data. It provides a way to make the iPhone play a sound (even if it’s set to silent) in order to help you locate it when you’re close to the GPS position. And, in the event that the phone is found by an honest person, you can make a message display on the phone to tell the person how they can return the phone to you.
Tracking down a stolen phone using Find My iPhone has been known to make people feel like Batman.
3. Keep iOS Up to Date
iOS is the phone’s operating system. As a complex piece of software, it is often updated in order to fix security issues. It is important to make sure your phone’s software stays up-to-date, so any newly-discovered security holes are closed.
If your phone is running iOS 5.0 or newer, you can do these updates directly from the phone via Wifi. When a new update is available, you’ll see a number badge on the Settings app. Enter the Settings app and go to General > Software Update, and you’ll be able to update.
If you’re on a version of iOS older than 5.0, updates have to be performed by plugging the phone into a computer with iTunes. I highly recommend updating such a phone right away, in order to get current with iOS 5, if for no other reason than to make future security updates easier to install.
4. Backup Your Phone
One of the most important features of the iPhone is the ability to generate backups of the phone’s data, which can be used at a later time to restore the phone.
Some of the security features here involve wiping the phone’s data to prevent data theft in the event of a lost or stolen phone. If you recover the phone, however, how do you get the data back?
The answer is in backups. Before iOS 5, backups were performed entirely by connecting the phone over USB to a computer, and creating the backup via iTunes. Now, users have the option of backing up their phones to iCloud for free, removing the need to tether the phone to a computer. This is a great feature for the large percentage of iPhone users that never plug their phone into their computers.
iCloud gives you 5GB of free backup space. If this isn’t enough for your phone, you can either buy more space, or selectively exclude applications from your backup (the important stuff – your accounts, settings, etc, are always included, and take up a rather trivial amount of space themselves).
Short of that, one can still connect to their personal computer and iTunes to perform backups. Since iOS 5.0, these backups can be performed over Wifi instead of USB, making it much more convenient.
At any rate, backups are essential, whether it’s through iCloud or your computer’s iTunes installation.
A Step Further
1. Disable “Simple Passcode” on Passcode Lock
By default, Passcode Lock enables the “Simple Passcode” feature, which makes passcodes a 4-digit PIN-number style code.
By disabling this, you can use the full iOS keyboard to define a true password. This is much more secure than a 4-digit code.
2. Set Auto-Lock and Passcode Lock’s “Require Passcode” Times As Short As You Can Stand
It’s important that a would-be thief never get their hands on your phone in an unlocked state. By having the phone auto-lock and require a passcode, you can help ensure that anyone besides you who gets your phone will find it in a locked and passcode-protected state.
However, there is a trade-off between security and usability here. Many people don’t want to have to enter their passcode again when they were just using their phone 30 seconds earlier. At the same time, having the phone wait an hour before requiring a password is too large of a window for someone to steal and begin using the phone.
One thing to understand is how the two timers work. Auto Lock’s timer begins from the moment you stop using your phone. Passcode Lock’s timer begins from the moment the phone locks. So, if your Auto Lock is set to 3 minutes, and Passcode Lock’s “Require Password” timer is set to 5 minutes, it will take a total of 8 minutes from the moment you stop using your phone for the phone to be in a locked & passcode protected state.
As of iOS 5, Auto Lock’s timers options are each minute from 1 to 5 minutes, while Passcode Lock’s are immediate, 1 minute, 5 minutes, 15 minutes, and 1 hour. In the past, there were much longer timers available, but Apple is nudging users towards more secure options.
In my opinion, it should take less than 10 minutes of inactivity for your phone to be passcode locked. So, combining a 5 minute Passcode Lock timer with anywhere from a 1-5 minute timer for Auto Lock will get you there. For the more security conscious, Passcode Lock can be set to 1 minute or Immediately, along with a sufficiently short Auto Lock time.
3. Disable Siri on Lock Screen
This only applies to phones with Siri (as of this writing, the iPhone 4S only, but undoubtably all iPhones to follow). If your phone has Siri, by default it can be used even if the phone is locked. This is a convenience, but it allows a thief to make use of the phone even while it’s locked.
To disable this, flip Siri to “Off” in the Passcode Lock menu:
This will prevent anyone from being able to use Siri without unlocking the phone.
4. Get a Smudge-Resistent Screen Protector
Security researchers have noticed that one can often deduce a lot about a phone’s most recent use based on the finger smudges left behind on screens (see paper: Smudge Attacks on Smartphone Touch Screens).
This is particularly true with simple passcode unlocks (another reason to disable “Simple Passcode” and use a keyboard-types password instead). But in general, smudges are information left behind that an attacker could use to aid in an attack on the phone’s security.
Certain screen protectors are smudge resistent, reducing the information left behind by finger smudges.
5. Get a Protective Case
Buying a good protective case is an important safety measure for keeping your iPhone intact. In a situation where you are trying to track down a lost or stolen phone, it also is a benefit in that the relative uniqueness of your case would make the phone more instantly recognizable from all the bare naked iPhones out there.
A thief could always remove the phone from the case, but in the event that the case is left intact, it makes for an easier positive ID. And certain cases, like the OtterBox Defender, take some effort to get off, if you’ve never dealt with them before.
1. Enable “Erase My Data” to Wipe Phone After Too Many Failed Login Attempts
A Passcode Lock will help keep thieves from being able to get into a stolen phone, but given sufficient time, a passcode (especially a Simple Passcode) can be broken. The “Erase My Data” feature defends against this, by automatically wiping the phone’s data after 10 failed passcode attempts.
It’s important to note that one cannot make 10 failed attempts all at once. After a few failed attempts, the phone will lock you out from making another attempt for a set “cool-down” period of time. This cool-down period increases in length as you get closer and closer to 10 attempts. So, it is not the case that a prankster can just grab your phone, bang out 10 wrong passcodes, and make it wipe. The only way anyone is getting to 10 failed attempts is if you lose control of your phone for hours.
As mentioned above in the “Backup Your Phone” section, if your phone is wiped clean, you can restore your data from a backup, provided you’ve set up backups either through iCloud or with your computer’s iTunes installation.
2. Disable SMS Preview
By default, the partial text of SMS messages appear in previews on a locked phone. This would allow a thief to read your incoming text messages even if he is unable to unlock the phone.
In iOS 5, this can be disabled in Settings > Notifications > Messages > Show Preview.
If you want to go a step further, and even prevent the message notification (which includes the sender’s name) from appearing entirely, you can turn off “View in Lock Screen” in that same menu.
3. Jailbreak Your Phone for Additional Security Measures
Jailbreaking (the act of modifying your phone’s software to run software other than what has been authorized by Apple) is often spoken of as a security risk. To an extent, this is true, as users who jailbreak give up the safety of having the iPhone refuse to run any unsigned code (programs which have not been approved and digitally signed by Apple).
The flip side of this, however, is that jailbreaking allows users to take advantage of security features that don’t exist for non-jailbroken phones.
The first example of this is exploit fixes. When a new security hole is discovered in iOS, it often takes some time before Apple releases an iOS update that fixes the problem. Often, the jailbreak community fixes the hole themselves, releasing a patch for all jailbreak users to take advantage of much more immediately.
The other big “win” for jailbreakers is the ability to run security applications that aren’t allowed in the traditional iPhone app model. There’s RecognizeMe, which adds facial recognition to the standard Passcode Lock. There are apps like Firewall iP, which add a software firewall, and Lockdown Pro, which allows users to define passwords required to open certain applications, and iProtect, which will lock your SIM card and notify you if a new SIM card is inserted into that phone. Jailbreaking also adds the ability to use VPNs, such as OpenVPN, that aren’t among the standard VPNs supported by iOS natively.
There are a lot of security features that are only possible by breaking out of Apple’s “walled garden” model. Jailbreaking is not for everyone – it’s definitely for the diligent and the technically inclined – but for those of the right mindset, there are some clear security benefits to doing so.
Things NOT To Do
1. DON’T Buy An iPhone “Anti-Virus” Application
Anti-virus applications for smartphones are ineffective at best, outright scams at worst. Although there have been instances of phone-based malware, and there will be more in the future, anti-virus apps have so far proven to be fairly useless at defending against them.
2. DON’T Use A Weak Passcode
If using a Simple Passcode, your passcode shouldn’t be your birth year, or “0000”, or anything overly obvious like that.
Common advice is to use four different digits for your code. However, it may be the case where using 3 digits, with 1 repeat, actually produces a stronger passcode.
3. DON’T Sell or Give Away Your iPhone Without Wiping Your Data First
Too many people get rid of their devices without thinking about what’s left on them. The iPhone provides an easy way to wipe all of your settings and data, so that you can safely sell or give the phone to a new owner.
The menu is in Settings > General > Reset, then “Erase All Content and Settings”
It will ask you if you’re REALLY sure. If you’re no longer keeping the phone, you are.
By taking the steps above, you can significantly improve your iPhone security. Keep your eyes peeled for new security features with each iOS update, as Apple is being pushed for stronger security, thanks in no small part to ever-growing corporate and government use. Personally, I have my fingers crossed for GPG support in Mail, and native OpenVPN support.