Three free tips to better protect your iPhone

Filed Under: Apple, Apple Safari, Data loss, Featured, iOS, Malware, Mobile, Privacy, Vulnerability

iPhoneSmartphone security expert Graham Lee offers some simple advice on how better to protect your iPhone or iPad.

The iPhone - along with the rest of Apple's iOS product family - seems to me to be the TARDIS of the computing world.

There's a full-featured UNIX computer with almost permanent network access, and it fits in my pocket: surely it must be bigger on the inside. Apparently you can even use them to make phone calls, too.

It certainly puts my first portable to shame.

Of course, such a powerful computer must be protected, particularly when you use it for sensitive tasks like email and editing work documents on the move. So here's a short list of iOS tips to help you stay secure using your iPhones and iPads.

1. Set the passcode

Passcode screenAll of Apple's products that run iOS allow the user to configure a passcode. The passcode controls access to the apps and data installed on the device. No passcode, no data - and there's no way to get around that, because content including saved passwords and mail attachments is encrypted so that without the passcode, iOS can't read the content at all.

To enable the passcode, first launch the Settings app. In the "General" section, look for the "Passcode Lock" setting. Tap that, and you'll see a screen that allows you to turn the passcode on, and to define when it's required and whether to use a "simple passcode" (a four-digit PIN) or a longer password.

Even though iOS is designed to slow down "brute force" attacks (where the attacker enters multiple guesses at the passcode until he finds the correct value), guessing one of the 10,000 simple combinations is very quick.

Particularly if you use one of the most common PINs.

It's best to turn simple passcode off and use a stronger password, following Graham Cluley's advice.

2. Don't jailbreak

JailbreakMeBy default, Apple limit the software that will run on your iPhone or iPad to their own apps, and anything that you download through their app store. They do this to restrict the chance that malware gets onto the devices, and so far it seems to work: iOS has not seen the same malware problems that have plagued Android.

Google are more permissive about the software allowed in their marketplace, and allow installation of non-marketplace apps: both good avenues for getting malware onto a mobile phone or tablet.

Of course, some people (including regular Naked Security contributor Duck, who discussed the issue in a recent Chet Chat podcast) see this as an unwelcome limitation on what they can do with the phones that they paid for.

Such people may turn to jailbreaking to remove Apple's limitations, so that they can install unapproved software or reconfigure the operating system.

Down that path lies iPhone malware and an easy route for attackers to install remote access tools, keyloggers (well, taploggers I suppose...) and other nasty things.

"Grange Hill" stalwart Zammo would probably agree with me here: when it comes to jailbreaking, just say no.

3. Be careful of where you surf

Phishing, and other scams like the recent iTunes giftcard ruse, do not depend on your technology choices: they're designed to fool you, not your computer.

Mobile SafariWith that said, it's perhaps easier to be taken in when surfing with Mobile Safari: user interface hints including the location bar and the SSL padlock are smaller, and in scrolling to read a page's content you'll push them off the top of the page and perhaps forget to check that you're on the correct site.

Especially if you've just snuck your phone out during that boring meeting, and are still half-listening to the Q3 sales projections.

Personally, I reserve sensitive tasks including online shopping and banking for either native apps released by the banks and stores, or for the desktop browser where it's easier to see whether I'm on the right website.

I hope you found those tips useful. For more chat about mobile security and privacy, please follow me on Twitter.

, , , , , ,

You might like

13 Responses to Three free tips to better protect your iPhone

  1. what a pathetic apple ass licking comment about jailbreaking...there would be no jailbreaking if apple allowed users to access whatever they want on the operating system...just as you can on os x !!!!!!

    • Hi @simonothen, indeed there would be no jailbreaking. However, the risk of unwanted software including malware being installed would be higher: notice that the MacDefender problem does not exist on iOS.

    • Deramin · 1501 days ago

      You can have security or you can have freedom. You can't have both. Apple chose security, Google choose freedom. By choosing one OS over the other, you have also made your choice.

      Apple decided that its users couldn't or didn't want to make informed, well researched decisions about whether an app was safe to install. They believed their users wanted to install apps easily, quickly and safely. Safe being Apple's own definition (which includes "doesn't threaten our business model"). Obviously this annoys some users and hurts some innovation.

      Google decided their users would rather do research and make their own decisions rather than having a company, which may or may not have their best interest in mind, make those decisions for them. They believed potential innovation trumps potential security risks. Obviously some users are not making very good decisions about what they install, or go mad with the power.

      Both camps have merit. Both camps have flaws. Pick the poison that's more palatable to you and accept the consequences.

      • Macldoo · 1495 days ago

        Deramin, it is that simple the choice is always mine I choose an IPhone my son prefers an Android based phone, my little brain doesn't need to waste anymore of it's braincells decideing which is better, my son raves about Android until I ask him relevant questions about Android then the tune changes. I like to live in a world where someone is looking out for me and has some form of ethics to prevent the unlearned from becoming victims to the sick minds of scammers and such.

        "Both camps have merit. Both camps have flaws. Pick the poison that's more palatable to you and accept the consequences." Deramin

  2. Anthony · 1501 days ago

    What about using a VPN provider to protect your mobile data by encrypting the traffice being sent?

  3. Joseph · 1500 days ago

    This is a pretty poor article. All common sense.

    • In my experience (particularly in regards to computer security), the problem with common sense is that it isn't that common.

      We can all be guilty sometimes of assuming that just because *we* know something, everyone else will too.

      • I agree. I've never done a scientific count, but anecdotally a majority of the iPhones that I've seen other people using don't have a passcode enabled. I've also talked to people who have been told to jailbreak their phones "because it means I can run more software", including people who then don't actually run more software.

        In other words, understanding the security impact of things like pass codes and jail breaking is not "common": and indeed it seems naive to assume that it would be. Most people aren't security specialists (and we shouldn't expect them to be).

      • Alan G · 1499 days ago

        That IS the big problem with "common" sense, isn't it? If it really were common, those of us who play Tier 0 tech support to our friends, family and business associates would have a lot more free time. :-)

  4. André · 1499 days ago

    I chuckled when I read your intro paragraph. When I bought my iPhone, I immediately named it "The TARDIS". :)

  5. Matt · 1495 days ago

    Actually, jailbreaking your iphone gives you the option to change your default system password, which is set to "alpine" on every single stock standard iPhone. Knowledge of this password can allow hackers into the device and so if you change it you are instantly making your iPhone more secure than most. You need to jailbreak to change it though.

    Jailbreaking gets such a bad name when it actually completely improves the phone and adds so much more (otherwise blocked) functionality.

    • guatemaleco · 1485 days ago

      If you haven't jailbroken your device, the system password doesn't matterr because there's no avenue for attackers to use it. I challenge you to find one instance where a non-jailbroken iPhone was hacked by use of a default root password.
      Tje reason jailbreaking gets a bad racket is that it's often used by people without the expertise toknow what it really means and how it should change your behavior when using the device.

  6. pixelrogue · 490 days ago

    Curious on the following, essentially want to ensure the smartphone is protected regardless of operator, network etc. Simple in theory.

    Main question: Is a jailbroken iOS device (say iPhone) (where the ssh password is changed, default port changed) safer than than a non-jailbroken iphone?

    On a jailbroken phone, there are firewall apps where you can block outgoing port calls, disable the location log etc. Though keeping the iPHone on the latest iOS may keep the phone a bit more secure to the public, it comes at the cost of the tracking and unknown network activites. Then, depending on the tools of the operator, a standard stock iOS (even the latest version) may not stand a chance of privacy ~ where a jailbroken phone w/a few ports/passwords changed, logs disabled etc may offer less in the way of content to the operator? May make the operator job accessing the data more challenging?

    I'm not a techie... so any insight would be appreciated. Just a person who believes in privacy in a world (at the moment) that thinks privacy is not a reasonable expectation nor right.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Lee's business card says he's a "smartphone security boffin", so it must be true. He owns Fuzzy Aliens Limited, a security consultancy service for mobile app developers, has written a book on Mac application security and is often found speaking at iPhone developer conferences, helping developers get security right and taking the burden off the users. Graham's writes a blog about secure Mac programming. Follow him on Twitter at @iamleeg.