Last Updated: 5/18/2018
Matthew Green, a well respected cryptographer and professor at Johns Hopkins, has a great article discussing Secure Computing – Desktops vs Smartphones, iOS vs Android and more.
Most iPhone users do not think very much about security. The iPhone is part of Apple’s closed ecosystem, which helps prevent viruses and malware from wreaking havoc. As the iPhone has grown in popularity, the smartphone has become more of a target for hackers and criminals. It is important that iPhone users immediately become more vigilant about smartphone security. Our tutorial covers the iPhone through iPhone 7 Plus and iOS through iOS 11.
0. Obsolete Hardware
If you have an iPhone or iPad that no longer gets updates, we would recycle it and buy a new one RIGHT away. Keep in mind that iOS 10.3.3 is the first version that fixed a serious Broadcom Wi-Fi bug. Without that fix, you can get hacked just by having an attacker within Wi-Fi range.
1. iPhone Software Updates
Apple upgrades the iOS software for the iPhone from time to time. Updates include additional functionality as well as security bug fixes. It is important that users apply updates immediately. Before iOS 5, users needed to connect their iPhones to a computer in order to update the smartphone’s software. Needless to say, this was inconvenient and led to many iPhones running obsolete software.
Always update to the latest iOS software available as soon as possible.
If you jailbreak your iPhone, you need to be extra careful with regards to security, as iOS updates are much more difficult for you. Be careful where you obtain your jailbroken apps, as malware is much more prevalent there.
2. iPhone App Security
Apple’s App Store reviews all submissions before adding them. All iPhone apps must be authenticated and signed, which helps to ensure they haven’t been tampered with or altered. This helps prevent malicious apps from infecting the App Store. (This is not 100% foolproof.)
Apps are prone to security vulnerabilities that are fixed by updates. Keep apps updated regularly and remove apps that you do not use. Regularly use the App Store app and select Updates. iOS 7 added the capability to auto-update your apps. Be sure to use this function. Apple has the ability to remotely remove malicious apps from your iPhone.
When installing new Apps, we suggest you install well known Apps with positive reviews, and avoid brand new Apps from unfamiliar companies. Give new Apps time to build trust and to allow others to help test the App for malware and security risks.
3. Suggested iPhone Settings for Security
Below are several suggestions for iPhone settings to increase security on the smartphone. One in three robberies nationwide involves a cell phone, with a ratio estimated as high as one in two within the San Francisco area. Users need to protect their smartphones to prevent a complete disaster.
A passcode is required before you perform these tasks:
- Turn on or restart your device
- Slide to unlock your screen (you can change this)
- Update your software
- Erase your device
Enable a passcode and erase iPhone data after ten failed attempts. Starting with iOS 9, the default passcode length is 6 digits instead of 4.
- Open Settings
- Select Touch ID & Passcode Lock
- Select Turn Passcode On
- Enter a Passcode – Do not select an obvious passcode like 1234 or 1111
- Use the Touch ID Fingerprint sensor
- For older versions of iOS:
- Turn Simple Passcode off
- Enter a passcode – Do not select an obvious passcode
- Turn Erase Data on – Erases all data after ten failed passcode attempts
- Turn Siri off – Prevents Siri access when locked
- Turn Passbook or Wallet off – Prevents Passbook or Wallet access when locked
- Turn Reply with Message off – Prevents Reply with Message access when locked (iOS 6)
Encryption prevents the data stored on your iPhone from being read by anyone who does not have the passcode. The passcode provides entropy for certain encryption keys. A 256-bit AES key is used to encrypt every new file created.
Thankfully, starting with iOS 8, encryption is turned on by default. If you have an older version, do the following:
Ensure Encryption is Turned On. After you enable a passcode in iOS version 4 or newer on an iPhone 3GS or newer, the phone can use hardware encryption to encrypt the data stored on the phone. Text messages, photos, emails, contacts, and call history are all encrypted.
- Open Settings
- Select General
- Select Passcode Lock
After setting up a passcode, scroll down to the bottom of the Passcode Lock screen and verify that the text “Data protection is enabled” is shown.
If this phrase is not shown, do the following:
- Connect your iPhone to your Computer
- Backup your iPhone in iTunes
- Restore your iPhone in iTunes
- Check the Passcode screen again for the phrase “Data protection is enabled“
As of March 2016, iCloud, the Internet cloud syncing and storage service, currently gives Apple the capability to unlock key data like backups, documents, contacts, and calendar information. Someday this will change.
Turn iCloud OFF if you value security.
Prevent cookies from being accepted in Safari. Clear old cookies.
- Open Settings
- Select Privacy
- Select Safari
- Click Accept Cookies
- Check Never
- Click Clear cookies and data
If you are not using any Bluetooth devices, disable Bluetooth to increase battery life and prevent security risks.
- Open Settings
- Select Bluetooth
- Set Bluetooth to Off
Backing up your iPhone regularly is an important task. With iOS 4, you need to connect your iPhone to your computer in order to perform backups. With iOS 5, you can easily back up using iCloud. Enable iCloud backup by doing the following:
- Open Settings
- Select iCloud
- Select the items that you would like iCloud to back up
4. iPhone Email Security
It is important that email accounts accessed from a smartphone are set up to use encryption when available. Many email providers, including Google’s Gmail, Microsoft Exchange, MobileMe, AOL Mail and Yahoo Mail, support SSL (secure sockets layer) when accessing their mail servers. If SSL is not used, your emails as well as your password can be read by hackers.
To check a Mail Account for secure SSL access, do the following:
- Open Settings
- Select Mail, Contacts, Calendars
- Select a Mail Account
- Click on an Email Account
- Click on Account
- Verify Use SSL is set to On
If Use SSL is set to off, check with your email provider to verify their SSL support and enable it if possible.
Also, make sure your email account is protected by a good spam filter. This is a basic requirement of any solid email provider. If your email vendor needs spam filtering assistance, consider accessing the email account via POP inside a Gmail account.
5. Find a Lost iPhone, Erase a Lost iPhone
Apple has an app that helps you find a lost iPhone by showing it on a map, and optionally erase it or make it play a sound. This free service is a life saver and should be one of the first items installed. To enable Find My iPhone, follow these iOS 5 & 6 instructions.
Also consider creating a special graphics file with your emergency contact information that can be used as your lock screen. If you are having a life threatening emergency, people could still access this information. If your iPhone is lost and password protected, people could still contact you.
Make a Contact entry for yourself with a phone number other than your iPhone’s. You might also put in the Notes field – Reward for returning lost iPhone.
Set it as the default contact entry: Settings – Mail, Contacts, Calendars – My Info – Choose your contact entry.
This way, anyone can bring up Siri and ask “Who owns this phone?” to see your contact info.
If you do lose your iPhone, watch out for phishing messages trying to get your iCloud Username and password.
6. Using WiFi securely
When accessing a wireless network outside the home, exercise caution. Any information sent over an external wireless network may be subject to eavesdropping. Unless you know the WiFi network is secure, we would recommend against connecting to it.
If you really want to use an unfamiliar wireless connection, limit usage to non-critical apps, email, and web. Do not e-mail, shop, bank, or trade online from public WiFi hot spots or cyber cafes. Many of these locations provide little to no security and are prone to snooping or malware.
The iPhone can remember wireless networks by name and automatically log into them. This convenience function turns into a security problem because the iPhone will automatically send the same password to any wireless network with the same name. So if your wireless router is named Linksys and you encounter another wireless router with the same name, the iPhone will automatically send the stored password. A hacker could exploit this to obtain your wireless router’s password. We suggest you do not enable any automatic joining of wireless networks. The iPhone is very good at transparently switching from a cellular data network to a WiFi wireless network.
When accessing the Internet on a smartphone or tablet, using the built in 3G/4G connection is a lot safer than connecting via a local wireless internet hotspot. This warning applies to both apps and mobile internet browsers.
The safest way to use a public wireless network is by employing a VPN (virtual private network) which securely tunnels all of your iPhone’s traffic through a secure server. There are many paid services that sell VPN access.
iOS 8 includes an “Always-on VPN” feature, which eliminates the need for users to turn on VPN to enable protection when connecting to Wi-Fi networks. The iPhone’s MAC address now changes when it’s not connected to a Wi-Fi network, so it can’t be used to persistently track a device by passive observers of Wi-Fi traffic.
Disable WiFi when you are not accessing wireless networks. This will extend your battery life and increase security.
7. Secure Browsing with Safari
Force websites to use secure connections – It is important to utilize secure connections (HTTPS) whenever possible. Several large websites have configuration options to force these secure connections. Here is more information on configuring HTTPS with: Gmail, Facebook, Twitter, Google. Google.com defaults to HTTPS if you are signed into your Google Account; if you are not, just manually add the s after http to force a secure connection, i.e. https://www.google.com
Use a password manager to create, use, and store passwords for websites. See our password manager guide for details.
8. Careful Link Clicking and Attachment Opening
As we have learned on computers, clicking on links in email can lead to viruses or malware being installed. We need to take the same precautions and more, on an Apple iPhone. Avoid clicking links in email, text messages, and websites that are unfamiliar to you.
Email attachments require the same amount of caution. Only open attachments when they are expected. Avoid opening your email provider’s spam folder and do not open any attachments in your spam folder.
Opening Attachments Safely with Gmail
Forward the email with attachment to a Gmail account. From there, you can use Google Docs to open Word Processing, Spreadsheets, etc. No need to endanger your own computer.
9. iPhone Anti Virus and Internet Security Software
iPhone anti-virus software exists but, due to the secure iOS design, cannot scan files automatically or run scheduled scans. Users have to manually tell an anti-virus or Internet security app to scan files. Intego makes the VirusBarrier iOS anti-virus app ($2.99) for the iPhone, iPad, and iPod Touch.
Kaspersky Lab makes a free app called Threatpost that quickly displays articles from their security news website.
10. iTunes Password and Payment Option
It is important to select a strong password for iTunes. Read our article How to Create, Store, and Use Secure Passwords.
If a hacker obtained your iTunes password, they could drain your credit card with purchases. We recommend you remove all payment options after having created your iTunes account. iTunes only requires a payment option when creating a new account. We prefer to add iTunes money by purchasing pre-paid iTunes gift cards.
11. Turn off Diagnostic Log Sending
Apple used Carrier IQ before iOS 5, so make sure you turn off this feature. To turn off sending of diagnostics data to Apple, do the following:
- Open Settings
- Select General
- Select About
- Select Diagnostics & Usage
- Click on Don’t Send
12. Malicious QR Codes
QR codes are appearing in print and all over the place. Be aware that malicious QR codes that lead the user to download malware have been found. Be sure to check the link a QR code points to before using it.
13. Enable Two-Step Verification for Apple ID
Apple introduced two-step verification for Apple IDs. You need 2 forms of proof to access your account.
We have covered many ways to improve your iPhone security. Utilizing our tips will help significantly improve the already good security of the Apple iPhone smartphone.
Do you have more iPhone security tips?
14. Secure Messaging
Law enforcement and probably the NSA use cell phone tower simulators called Stingrays, IMSI catchers, or dirtboxes, made by Harris. These fake cell phone towers slurp handset identification information and can snoop on data. They deploy these in small planes to net a ton of intercepts, without getting a warrant. Cell phone users have no right to privacy in public areas.
You can fight back by using secure messaging clients like Signal or TextSecure. Older Stingrays only support 2G, not 3G/4G, so turning off 2G will help here.
15. Public Charging – Video Jacking
Do not use a public phone charging cable; it could be recording HDMI video of your screen while you charge, a technique known as video jacking. Always use your own charging cable.
16. Setup Emergency Contact in Health App
The Health app was added way back in iOS 8, but few people have set up the Medical ID that emergency responders can use to reach your emergency contact. They can tap Emergency on your lock screen and bring up your Medical ID information.
In the Health app, set up a Medical ID.
Make sure it is set to be seen when your phone is locked.
Showing Text messages on your lock screen should not be allowed.
17. Enable Two Factor and Two Step authentication
Apple offers two-factor as well as two-step authentication. Enable it! If you enable it, make sure you keep the recovery code in a safe place.
18. Lock your SIM Card with a PIN code
This keeps your phone even more secure from theft. It is a pain because you need to enter it every time you start up your phone.
19. Secure your mobile phone’s account from hijacking or Port-Out Scams
Hackers have been calling wireless carriers like AT&T, Sprint, T-Mobile, and Verizon, asking them to switch control of mobile phone numbers to themselves.
They will repeatedly call, hundreds of times, and make up all kinds of sob stories to get control. Once they hijack control, they will reset the passwords of any account that uses that phone number as a security backup via SMS text or two-factor authentication, e.g. Google, Facebook, Twitter, Bitcoin accounts, etc.
How do you protect against phone hijacking?
- The FTC has details
- Do not use your cell phone number in the first place!
- Use two factor authentication that uses a physical key or Google Authenticator App, not Text
- AT&T – Enable an account passcode
- Sprint – Customers set up a PIN when first signing up
- T-Mobile – Enable a customer care password
- Verizon – Setup an account PIN
T-Mobile customers can also call in to the company’s customer support line and place a separate “SIM lock” on their account, which can only be removed if the customer shows up at a retail store with ID.
Be sure to use Google Authenticator instead of text messages for second-factor authentication when possible.
If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.
Do you have any iPhone Security tips?