A talk with a few friends the other day, and a recent blog post on OSXDaily, both reminded me that I wanted to write a blog entry where I share how I approach security on my Apple devices, specifically iOS.
I hope this article helps you think about how you approach security on your mobile devices, which are easy to forget, lose, or have stolen. But that’s not all: you also share your device with a new friend in a bar to show a picture you just took, or leave it over the weekend with a parent who wants to discover new technologies or go through your media and content. There are all sorts of situations where others are handling your devices, even cops conducting unwarranted searches. That means you have to realize what you have in your pocket, and how you are going to protect yourself.
Remember, you have your pictures, videos, e-mail, text messages, instant messages, social network conversations, or even bank account and other personal details on the device. Hopefully you have programs like Google Authenticator, 1Password, and Dropbox on your device. And I hope you’re using a unique PIN or code for each one.
If iOS is a full-fledged operating system based on OSX, how come the iPad doesn’t support profiles? At the very least I would love to see a guest login option.
Abuse comes in different forms: incidental, as a prank, on purpose, or malicious. A few examples: others might not know how to use the iPad and are trying things out, making the icons wiggle after holding down too long and clicking the (x) on an icon, only to find out that this deletes the program. Heck, your cat won’t be the first to rebel against you. Or a friend tries to prank you by removing certain apps, thinking it’s funny. Or someone who found your phone uses your auto-login to apps to post as you on social networks. Perhaps a cop thinks it’s their right to go through your phone for whatever reason. Anyway, an iOS device is personal, it has access to my personal media and data, and while I love showing off apps, features, technology, media, etc., it’s nobody else’s business to configure, manage, or sneak around. And since the current iOS version has no means of setting up a limited guest account, I recommend you take security into consideration.
Compromise a little bit of personal convenience to gain peace of mind and prevent potential (malicious) abuse.
Here’s a bit of info some of you reading this might not be aware of. If you don’t use a PIN code to lock your iOS device, the system isn’t using hardware encryption. So, at the very least: use a unique PIN code to lock your device. Pro tip: that also means you should encrypt your iOS device backups by setting a password in iTunes for the backups. And finally: set a reasonable value for Auto-lock, so if you leave your device alone it will be locked automatically, requiring a PIN the next time someone tries to use it.
System Settings app > General: here you can find Auto-lock, Require Passcode lock, and other settings.
Optional security steps here are to erase all the data after 10 failed attempts, and personally I don’t use a simple password (PIN); I use a stronger and longer personal code. This is to hopefully make a brute-force attempt more useless.
It’s not a matter of being paranoid, it’s a preventive measure. I’d rather have the bother now, and protect my personal data.
Using a passcode on the device is a great first step. Next, check out the settings and features of the applications that hold sensitive data. Some, such as 1Password and Dropbox, have an option to set a code, and for apps like on-line banking I strongly recommend using a unique code. You don’t want someone who gets into the phone to use the same code to get into the password manager program or, worse, your banking account.
Which leads to my next suggestion: use 1Password, and make sure you use a unique and strong login for everything, be it a web site or an app. An example: if your login is the same everywhere and someone gets into your phone, they can install the Apple Store app and order a new iMac on your iTunes ID. Or transfer money from your bank account to somewhere else. Or abuse your PayPal account to buy things on-line. Not that this always happens, and sure, in case of abuse you might be insured, or the companies involved have anti-fraud policies in place to help you out. But in my opinion it’s a hassle, and you’re still out of your money until you get it back. And personally I’d rather not go through that.
Every web site lets you change your password, security questions, and your e-mail account. Review your accounts!
Every iOS app might have settings within the app. A small tool icon or an info icon usually indicates this. Also check the System Settings app, where application-specific settings can be found.
That’s the passcode part, and a few examples of potential abuse. I did not mean to scare you. My goal is just to have you think a little bit about how you want to balance out ‘caring about my privacy and data’ vs ‘I will just be ignorant and stupid and call people like Floris later when I am in trouble, assuming they can help me fix all this horror’. Yeah: I find it a bit annoying when I always give tips and they’re blatantly ignored, only to be ‘the computer guy’ that feels guilted into helping out again. *zen*
Still and all, an additional step you can take to prevent abuse and increase your security is to think about the built-in features that you can use to your advantage, such as blocking in-app purchases, preventing the installing and deleting of applications, and using basic restrictions on features, such as turning off 3G or even taking the SIM card out when you loan the device out to others.
iOS has Restrictions settings, also under General, where you can turn off installing and deleting applications, and in-app purchases. If you are giving an iOS device to a child, you can also go through the other settings and review those related to parental controls (location services, use of the camera, which media ratings apply, etc.).
If you are handling a batch of iOS devices in a home, work or education situation, you can consider the Apple Configurator app for the Mac to deploy profiles, allowing you to restrict network usage, app usage, restrictions, etc.
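When you manage devices through profiles, the passcode and Restrictions advice above can be checked mechanically. The following is an added example, not code from this post or from Apple: it audits a configuration profile's passcode-policy and restrictions payloads against the settings recommended here. The payload keys are Apple's documented profile keys; the minimum length of 6, the 5-minute auto-lock limit and the sample profile (a minimal structure for the audit, not an installable profile) are assumptions constructed for illustration.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"  # passcode policy payload
RESTRICT = "com.apple.applicationaccess"            # restrictions payload
MIN_LENGTH = 6    # assumption: the post only says "stronger and longer"
MAX_AUTOLOCK = 5  # minutes; assumption for a "reasonable" Auto-lock value

def is_int(value, low, high):
    """True for a real integer (not a bool) within [low, high]."""
    return type(value) is int and low <= value <= high

# (payload type, key, passes?, finding). A missing key means the profile
# does not enforce that setting, so it is reported as a finding too.
CHECKS = [
    (PASSCODE, "forcePIN", lambda v: v is True, "passcode is not required"),
    (PASSCODE, "allowSimple", lambda v: v is False, "simple passcodes are allowed"),
    (PASSCODE, "minLength", lambda v: is_int(v, MIN_LENGTH, 16), "passcode may be too short"),
    (PASSCODE, "maxFailedAttempts", lambda v: is_int(v, 2, 10), "no erase within 10 failed attempts"),
    (PASSCODE, "maxInactivity", lambda v: is_int(v, 1, MAX_AUTOLOCK), "auto-lock is unset or too long"),
    (RESTRICT, "allowAppInstallation", lambda v: v is False, "apps can be installed"),
    (RESTRICT, "allowInAppPurchases", lambda v: v is False, "in-app purchases are enabled"),
]

def build_profile(passcode: dict, restrictions: dict) -> bytes:
    """Serialize a minimal profile as an XML plist (sample data only)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Constructed sample",
        "PayloadContent": [{"PayloadType": PASSCODE, **passcode},
                           {"PayloadType": RESTRICT, **restrictions}],
    })

def audit_profile(data: bytes) -> list:
    """Return one 'key: finding' string per recommendation the profile misses."""
    profile = plistlib.loads(data)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []
    for payload_type, key, passes, message in CHECKS:
        payload = payloads.get(payload_type)
        if payload is None or not passes(payload.get(key)):
            findings.append(f"{key}: {message}")
    return findings

# Constructed sample: 4-digit simple PIN, 15-minute auto-lock, installs allowed.
WEAK = build_profile(
    {"forcePIN": True, "allowSimple": True, "minLength": 4, "maxInactivity": 15},
    {"allowAppInstallation": True, "allowInAppPurchases": False})

if __name__ == "__main__":
    for finding in audit_profile(WEAK):
        print("FINDING", finding)
```
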
iOS 6 is set for release later this year and will come with a new feature to lock down parts of a screen, the home button, etc. in an attempt to lock a user into a single application. Great for showcasing, kiosks, schools, etc. Something to look forward to.
As you can see, there are a few options for you to think about and walk through that can help you improve your security and protect your data, privacy and in extreme cases your money.