Kenneth van Wyk: The iPhone at 5: Keeping it secure

Some tips for good iOS hygiene

June marked the five-year anniversary of the iPhone. Without a doubt, the world has changed substantially since the iPhone was first introduced. But how secure are consumers as they trust more and more of their sensitive data to modern smartphones?

Last month, I described a few things that an IT security manager who is responsible for a fleet of iOS devices can do. After that column, though, several people asked me if there are things that security-minded consumers can do to secure their iPhones and iPads. There are several. Let's take a look.

Good iOS hygiene includes:

Don't jailbreak. From the standpoint of device security, jailbreaking is the single worst thing you can do on your iOS device. The entire iOS system, from its boot code through all of its application software, is essentially one big hierarchical chain of digital signatures on every entity. Software introduced to the system is required to be signed before it is allowed to run. When you jailbreak your iOS device, you turn all of that off. Of course, I have no doubt that many of you reading this are saying that there's a whole world of useful software available only in the jailbroken world -- and you'd be correct. Unequivocally, there is. But you're giving up security safeguards when you go that root route.

Use long passwords. All iOS devices encrypt many of your sensitive files on their file systems. Your email, photos, etc., are kept encrypted using a hardware AES-256 module, keyed with two things: a unique, per-device, random 256-bit key, and your device's passcode. The device key and encryption hardware can be used by an attacker with physical access to the device, so it essentially comes down to your passcode. And most consumers stick with the default four-digit PIN. That list of ingredients spells disaster for your personal data on your device, should the device be lost or stolen. You simply cannot count on a four-digit PIN to protect your sensitive data. The good news, though, is that iOS gives you the ability to disable "Simple Passcodes" in the built-in Settings app (Settings --> General --> Passcode Lock). Yeah, I know it's a hassle to type in a password every time you unlock your device, but if the information on your device is of any real value to you or your employer, this is one of the few direct actions you can take to protect that data. Do it right now.

Use the security features. Speaking of passcodes and such, there are several other security settings that you can control from the Settings app. Take a few minutes to explore them, and enable the ones that make sense for you. Even some basic things like tweaking each app's notification settings can make a difference (e.g., enabling an app's notifications to be viewed even if the device is locked may well expose some sensitive data to someone who has access to your locked device).

Enable "find my iPhone." One of the nice features that Apple's iCloud gives us for free is the ability to "find my iPhone," should your device become lost or stolen. Assuming the person who has your device hasn't removed the SIM, powered the system down, put it into "airplane mode", etc., you may well be able to locate the device and remove your sensitive data before the thief can get to it. Speed is vital, though. If you notice you've been robbed of your iPhone, log into iCloud as soon as possible and locate your device. You can even send the thief a message asking nicely that it be returned to you, its rightful owner. (Good luck with that.)

Use Apple's iPhone Configuration Utility. Particularly if you own more than one iOS device, consider creating a "configuration profile" using Apple's free iPhone Configuration Utility. You can quickly configure all the security settings I've described here, and many others, using the iPCU. Once you've done that, you can copy your customized configuration profile onto all of your iOS devices, so that you don't have to tweak all the settings one at a time on each device. (If you have many devices to configure, also consider a Mobile Device Management (MDM) tool, such as the one that comes with Apple's Lion Server.)

Couple with a VPN when using open networks. As mobile device users, we're presented with many opportunities for using open Wi-Fi networks: coffee shops, hotels, airports, friends' homes, etc. When you're on anyone else's network, you must consider it to be potentially hostile. The best way to protect your data as it transits that bad neighborhood is to use a virtual private network (VPN). VPNs are common nowadays, and users have a multitude of options. Apple's Lion Server software includes a VPN server, which can easily be enabled on your home LAN, for example. Alternatively, there are many VPN services available for just a few dollars, which will at least protect your sensitive data on those open Wi-Fi networks. (There's still the issue of whether to trust the VPN service provider, of course.)

Read app reviews. Before you dive in and install the latest, coolest-sounding app, take a few minutes to read through the reviews to see if there's anything you really should be aware of, security-wise. Certainly, that's no guarantee, but it's still worth doing. (Heck, you might even save yourself a few pennies and grief if the app really isn't what the description claims. Gasp!)

The above is a short list of good hygiene practices to consider, in addition to the things I described last month.
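To make the long-passcode and configuration-profile tips concrete, here is an added example (not from the original column or from Apple's tooling) that builds a profile containing a passcode-policy payload and audits it for weak settings. The identifiers, display names and the 8-character threshold are assumptions; in the profile format, `minLength` and `requireAlphanumeric` are what rule out a four-digit PIN, while `allowSimple` controls repeated or sequential characters.

```python
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def _ids(suffix):
    # Placeholder reverse-DNS identifier (assumption) plus a fresh UUID.
    return {"PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": "com.example.hygiene" + suffix}

def passcode_payload(allow_simple, min_length, alphanumeric, lock_minutes, max_failed):
    """Build one passcode-policy payload for a configuration profile."""
    return {**_ids(".passcode"), "PayloadType": PASSCODE_TYPE,
            "PayloadDisplayName": "Passcode",
            "forcePIN": True,                     # a passcode must be set
            "allowSimple": allow_simple,          # repeated/sequential chars allowed?
            "minLength": min_length,
            "requireAlphanumeric": alphanumeric,  # letters required, not just digits
            "maxInactivity": lock_minutes,        # auto-lock timeout, in minutes
            "maxFailedAttempts": max_failed}      # wrong guesses before the device wipes

def build_profile(payload):
    """Wrap a payload in a top-level profile and serialize it as an XML plist."""
    profile = {**_ids(""), "PayloadType": "Configuration",
               "PayloadDisplayName": "Personal iOS hygiene",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def audit_profile(data, min_len=8):
    """Return findings for passcode settings weaker than the column recommends."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    policies = [p for p in payloads if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        return ["no passcode policy payload"]
    findings = []
    for p in policies:
        if p.get("allowSimple", True):            # allowed unless explicitly disabled
            findings.append("simple passcodes allowed")
        if p.get("minLength", 0) < min_len:
            findings.append(f"minLength {p.get('minLength', 0)} below {min_len}")
        if not p.get("requireAlphanumeric", False):
            findings.append("digits-only passcode allowed")
    return findings

# Constructed samples: a four-digit-PIN style policy beside a hardened one.
WEAK = build_profile(passcode_payload(True, 4, False, 15, 11))
HARDENED = build_profile(passcode_payload(False, 10, True, 2, 10))

if __name__ == "__main__":
    print("weak:", audit_profile(WEAK))
    print("hardened:", audit_profile(HARDENED))
```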

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Copyright © 2012 IDG Communications, Inc.
