Open source software security

Tips for Protecting Your iOS 5 Device

21 November 2011
iPhones and iPads are becoming increasingly prevalent in today's office environment. Many, if not most, of these devices are personally owned, yet used to access organizational data. This can create a vulnerability where data that is otherwise tightly controlled is exposed to theft or loss when it resides on an iOS device. Most security professionals advise following "best practice" security guidelines to secure mobile devices, but what are "best practices" when it comes to your iPhone or iPad? I've collected the following tips that I consider essential for locking down your iPhone or iPad. Even if you aren't worried about losing corporate data, theft (or loss) of your own personal data can be devastating.

1. Back up your device

You can back up your device quickly and easily by selecting the appropriate option in iTunes. With your device plugged in to your iTunes computer select your device from the left hand pane and scroll to the bottom of the Summary page to see your backup settings. Encrypting your backup is a good idea if you're not backing up to an encrypted volume (such as a computer with whole disk encryption) but be warned that recovery from an encrypted backup can be problematic. Each time you sync your iTunes backs up your device. You should also back up the backup in case something happens to your host machine. To do this copy all the files found in the C:\Users\[Your_Username]\AppData\Roaming\Apple Computer\MobileSync\Backup on Windows 7 or /Library/Application Support/MobileSync/Backup on OS X to a secure backup location.

2. Apply all updates

Apple releases updates on a pretty aggressive cycle, and many of these updates address newly discovered security vulnerabilities. Be sure to apply updates as soon as possible. You should ensure that you've got good backups before attempting any update, however. Because iOS updates are monolithic, meaning you have to download an entire new copy of the operating system rather than a small patch, there is a potential for data to get lost during an update process. In iOS 5.0.1 you can do this from Settings -> General -> Software Update and get updates over the air.

3. Set a password

Having a password set on your device prevents a thief from easily accessing your data should they steal your device. Under Settings -> General -> Passcode Lock choose the 'turn Passcode On' option. A simple passcode (four digit code) is probably sufficient, but be sure to use a non-obvious code (1234 is *not* a good code). You should set the 'Require Passcode' immediately so that each time you put your display to sleep a passcode is required to unlock the device. If you find this incredibly inconvenient setting a low time out (such as 1, 5, or perhaps even 15 minutes) still affords you some protection. Be sure to set 'Voice Dial' to 'Off' when you set a passcode. This prevents someone who steals your phone from making calls, even if they can't unlock the phone. If you are truly worried about your data consider setting the 'Erase Data' option to 'On'. This will cause your device to wipe itself if someone guesses the pass code incorrectly 10 times.

4. Turn off Bluetooth

Unless you're using Bluetooth, turn it off. You can find this under Settings -> General. If you have Bluetooth turned on an attacker could attempt to pair a device to your phone, or access your data over the Bluetooth protocol. In the spirit of the common best practice security maxim of disabling unnecessary services, if you're not explicitly using Bluetooth you should set it to 'Off.' You can always re-enable Bluetooth if you need it.

5. Only use secured Wi-Fi or Cellular

You should only use secured Wi-Fi. Secured networks are indicated with a lock icon next ot the signal strength under Settings -> Wi-Fi. These networks will require authentication of some sort and encrypt data over the wireless network. Never connect to unsecured, or guest, networks. These can easily be 'sniffed' and attackers can observe data you access with your iOS device. Another reason to use secure network is that it requires credentials. If you join an insecure network and someone sets up another unsecured network with the same name your device could mistakenly connect to the second network without your knowledge. If there is no trusted, secure wi-fi you should use your carrier's cellular signal for data connection. It will be slower, and there may be charges, but it is much more secure than an unknown wi-fi signal.

6. Turn off 'Ask to Join Networks'

Setting this option to off will still allow your device to automatically connect to networks it has joined before. It won't prompt you to join new networks, or attempt to join them for you.

7. Turn off Location Services

Location services provides your location data (GPS coordinates and nearby cell towers and wi-fi signals) to many of your applications and can jeopardize your privacy. While it is nice to automatically geotag your photos, there's certainly no compelling reason to notify Facebook of your whereabouts throughout the day.

8. Only use encrypted e-mail connections

Most e-mail providers provide some sort of secured connection (such as IMAPS). Using a secure connection ensures that data passed from your e-mail provider to your device is encrypted along the way. This ensures that even if someone was able to gain access to the network you use to connect your iOS device to the internet, they wouldn't be able to read your e-mail or intercept your username and password to your e-mail service. Be sure to use SSL or TLS on both your incoming (IMAP or POP) and outgoing (SMTP) e-mail server settings.

9. Safari settings

Safari, the web browser on your iOS device, has a number of settings that can help protect your security and privacy. Under Settings -> Safari you can turn 'Private Browsing' to 'On'. This feature removes web pages from your history, and forgets your search history as well. You should set 'Accept Cookies' to 'Never' to prevent your browsing behavior from being tracked (cookies are sent to domains every time your browser makes a request, so every page you see a little Facebook 'Like' button on actually lets Facebook know you've visited the page). Turn 'AutoFill' to 'Off' so that your passwords and form data aren't saved on your device. If you want to be extra secure you can turn 'JavaScript' to 'Off' but this will only have limited effectiveness in protecting your device and will greatly deteriorate your web browsing experience. Be sure the 'Fraud Warning' is set to 'On'. This feature uses Googles Safe Browsing API to determine if a site is hosting malware or is fraudulent.

10. Physical security

It goes without saying that the easiest way to lose the data on your iOS device is to lose the iPhone or iPad itself. Be mindful of where you leave your device. Your phone has a lot of intrinsic value for a thief or criminal. Keep your device out of sight but on your person. Consider using headphones other the ones that come with your device. Those shiny white cords are a dead giveaway that there is an expensive phone in your pocket. Keep your phone or iPad on your person or lock it up when you're away, even a cheap desk drawer lock will deter casual theft.