Many users trust iOS with their most precious data. This includes, but is not limited to, work email, private information such as photos, and many other types of sensitive data.
Apple has made strides to ensure the apps that run on iOS devices are not only compatible, but also adhere to a certain level of quality and security. However, there are circumstances that Apple cannot protect against, especially if end users opt to not use the advanced security features that are available.
Here are five ways in which you can take control over these variables and make it decidedly more difficult to have your privacy and data pilfered by ne'er-do-wells.
1: Use common sense and due care
There is, sadly, no app for this. There are no settings or policies to protect you from yourself, and unfortunately it is also one of the leading methods used to separate you from your private information.
Social engineering attacks—more commonly referred to as phishing, whaling, link jacking, or spamming, among many other names—are created to obtain access, credentials, or information that lead to placing confidential data in the hands of a stranger claiming to be someone else or representing an organization that they are not affiliated with.
With a 91% statistical average of success, these types of attacks rely on the weakest link—the human element—to act as the portal to more devastating attacks, such as ransomware or data leaks. Take the millions of iOS devices that generate billions of dollars annually, mix in lax security, and you have the conditions necessary for attacks like these to succeed time and time again, as we see in the news.
So, what's the best way to protect yourself? Be aware of what you're accessing, what apps you're using to access this data, who is sending it to you, and where the data is located. Consider all sources questionable and handle them with care. Do not click on links sent via email, text, or social media. Copy and paste the links into a browser before submitting the address to see if they are legitimate or forged. If a website looks questionable, stop visiting it immediately! Many such sites are compromised and will pass on scripts that execute in the background to compromise your devices.
2: Choose HTTPS instead of HTTP sites
HTTP is more than just the funny letters that prefix the address to your favorite website—it stands for Hypertext Transfer Protocol, and it is the language of the internet. It's what facilitates communication on the World Wide Web (WWW), and it's how data that interacts with websites is sent and received.
HTTPS is identical to HTTP in most ways, except HTTPS encrypts the communications between endpoints so all data you send and receive is secured while it is in transit. HTTPS also provides functionality for authenticating you to establish that you're who you say you are when you enter your username and password, for example, to a banking site; it also thwarts attacks that involve an imposter passing itself off as the target server, such as a man-in-the-middle attack.
HTTP, unlike HTTPS, is not secured through encryption. This means your data is sent wirelessly in plain text and, as such, can be captured and decoded easily; any information transmitted via HTTP is unprotected.
There is an easy solution for this: Only use HTTPS-enabled sites to ensure your data is being transmitted over an encrypted connection. And if a site you like to visit and that you share personal or private data with is not encrypted, find an alternative that does support HTTPS.
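The link checks from tips 1 and 2 (is the address forged, and is it HTTPS?) can be written down as a small routine. This is an added Python example, not part of the original article; the function names, warning texts, and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

def _host_of(text):
    """Return the lowercase hostname in `text`, or None if it is not URL-like."""
    text = text.strip()
    if not text or any(c.isspace() for c in text):
        return None                      # ordinary link text such as "Click here"
    if "://" not in text:
        text = "//" + text               # let urlsplit parse a bare "example.com/x"
    try:
        host = urlsplit(text).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None

def inspect_link(href, display_text=""):
    """Return a list of warnings about a link before it is opened."""
    try:
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["malformed URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS: data would not travel over an encrypted connection")
    if parts.username is not None:
        warnings.append("text before '@' is not the site; the real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a named site")
    except ValueError:
        pass                             # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: may imitate another domain's spelling")
    shown = _host_of(display_text)
    if shown and shown != host and not host.endswith("." + shown):
        warnings.append(f"text shows {shown} but the link goes to {host}")
    return warnings

if __name__ == "__main__":
    # Constructed samples: (href, text shown to the user)
    samples = [("https://www.example.com/account", "www.example.com"),
               ("http://www.example.com/", ""),
               ("https://www.example-bank.test@203.0.113.7/login", ""),
               ("https://login.example.net/", "https://www.example.com")]
    for href, shown in samples:
        print(href, "->", inspect_link(href, shown) or "no warnings")
```

An empty result only means none of these specific signs were found; it does not prove a site is trustworthy.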
3: Enable device-based security protection(s)
All iOS devices—from the very first iPhone to the most recent iPad Pro—support passcodes as a means to protect the data stored on the device from prying eyes. The standard 4-digit PIN, while better than nothing, does not provide as much protection as it once did. In the built-in Settings app in iOS, the Touch ID & Passcode section allows you to change to a longer numeric, alphanumeric, or custom passcode that will prove exponentially more difficult to crack or randomly guess.
And speaking of Touch ID, when Apple's biometric fingerprint reader is enabled, it keeps data and credentials protected in a secure enclave until the correct fingerprint is presented. You may also combine two or more different methods of authentication that provide extra layers of security when requesting access to a web-based account or service. This provides far better protection and adds to the difficulty of unauthorized access to your devices while you're away or in the event of loss or theft.
4: Perform regular device backups and secure them
You might assume backups are difficult to perform on mobile devices, but they're not. All iOS devices can access wireless communications, and all are compatible with iCloud or SpiderOak, two cloud-based backup services that provide AES-level encryption to your data backups while they are stored on their servers as well as when this data is transferred to/from the device.
If you prefer to back up your devices locally using iTunes, it supports the creation and management of encrypted backups so your private moments are not so easily extracted from the volume bundle and stripped apart by data recovery apps that can scan unencrypted backups for data stored within the bundle—even what's stored in individual apps can be retrieved with relative ease.
5: Keep current with iOS updates = no jailbroken devices
While most OSes tend to do a fairly good job of releasing software updates regularly and of making users aware that such updates are pending installation, the benefits are still negligible if the update is not performed.
Zero-day vulnerabilities, which are so new that they still do not have a patch, are difficult enough to contend with. But a vulnerability that has existed for months or even years, and that still has not been protected against due to lack of updating, has been around long enough for malicious coders to properly weaponize the payload to inflict maximum damage.
The jailbreaking process was designed to "free your iOS device from within the confines of Apple's walled garden." While this freedom does have its pros, leaving your device in a less-than-secure state, coupled with every action taken on the device running with admin-level privilege, brings major consequences with it.
Chief among these consequences are the performance issues involved in running the device in this state. They are followed closely by the multitude of unsecured applications available from third-party sites that may (but likely do not) have your iOS device's best interests at heart and will run on your device—unchecked—with total access to the entire contents of your phone's data and full autonomy to do with it as the developer intends. This includes being able to lock you out of your own device ransomware-style until you pay up in order to have your device unlocked and/or services restored.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.