10 ways to secure the Apple iPhone

When you think about security vulnerabilities, your iPhone may not be the first thing that comes to mind. But the risks are real -- in fact, the CIS has now developed its iPhone security benchmark. Learn about the many options you can leverage to make your iPhone more secure.

The Center for Internet Security (CIS) is well-known for developing security benchmarks for operating systems, applications, network devices, and now the Apple iPhone. I've read the iPhone benchmark and felt that TechRepublic's 10 Things format would be the perfect way for me to pass along some of their advice. The complete document can be found at the CIS benchmark portal. So let's make sure your iPhone is secure.

Note: This article is available as a PDF download and as a PowerPoint presentation.

1: Make sure firmware is up to date

As with computer operating system software, keeping the iPhone's firmware up to date is important in reducing the vulnerability footprint. The latest version of firmware is 2.2.1. Select Settings | General | About to determine what version the iPhone is using. If the iPhone is using an older version, follow the steps below to update the firmware:

  1. Connect the iPhone to the computer.
  2. Open iTunes.
  3. Select iPhone under Devices in the source list.
  4. Select Check For Update.
  5. Select Download And Install.

2: Disable Wi-Fi when not in use

This is self-apparent, yet important enough to include in the list. Most people automatically disable Wi-Fi to conserve the battery. But knowing that disabling Wi-Fi eliminates an attack vector may be added incentive to turn Wi-Fi on only when needed. Use the following steps to disable Wi-Fi:

  1. Tap Settings.
  2. Tap Wi-Fi.
  3. Turn Wi-Fi off.

3: Disallow automatic association to networks

By default, the iPhone retains association settings of the Wi-Fi networks it connects to, which allows the phone to automatically reconnect when within range. Automatic association isn't recommended, as it's easy to spoof trusted networks. Still, disallowing automatic association is kind of a pain, as doing so requires you to enter the passkey each time. I'll leave this one up to you. To prevent automatic association use the following steps:

  1. Tap Settings.
  2. Select Wi-Fi (make sure Wi-Fi is on).
  3. Tap the blue arrow of the network to forget.
  4. Select Forget This Network.

4: Turn Bluetooth off when not being used

Features that make life easier for the user tend to make it easier for bad guys as well. Bluetooth is one such feature; it allows many conveniences, such as the use of wireless headsets and sharing information between phones. Yet attackers can also use it to Bluejack or Bluesnarf a phone.

For some reason, the iPhone isn't set up to just turn off discovery. So the only way to prevent unwanted discovery and associations is to use the following steps to turn Bluetooth off:

  1. Pick Settings.
  2. Tap General.
  3. Tap Bluetooth.
  4. Turn Bluetooth off.

5: Disable location services until needed

Turning location services off doesn't immediately increase security; it just prevents the user's location from being published. I personally think disabling the service is a good idea for two reasons. First, it's a significant battery drain. Second, disabling the service isn't an inconvenience. It's simple to turn the location service back on from within the application that needs positioning information. If so desired, follow the steps below to disable location services:

  1. Tap Settings.
  2. Tap General.
  3. Turn Location Services off.

6: Set a passcode

Setting a passcode definitely increases the security of the iPhone. It makes it harder for someone to gain access to the iPhone because the phone automatically locks after a user-determined amount of inactivity. Setting a passcode is also required for feature seven to work. Use the following steps to set a passcode:

  1. Select Settings.
  2. Select General.
  3. Tap Passcode Lock.
  4. Enter a four-digit passcode.
  5. Re-enter the same passcode.

7: Erase data if too many wrong passcodes are entered

After 10 wrong passcode attempts, user settings and any data stored on the iPhone will be erased if this setting is enabled. It's a valuable feature because a four-digit passcode of just numbers will eventually be discovered, and this option ensures that any sensitive information will not get into the wrong hands. Use the following steps to turn erase data on:

  1. Select Settings.
  2. Tap General.
  3. Choose Passcode Lock.
  4. Turn Erase Data on.
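
A simplified model of the erase-after-10-attempts setting described above, added here as an illustration; it is not Apple's implementation and not taken from the CIS benchmark. The class and function names, the sample passcodes, and the counter reset on a successful unlock are assumptions.

```python
# Added example: toy model of a passcode lock with an optional
# erase-after-N-failures policy (names and sample passcodes are constructed).
from itertools import product
import string

WIPE_THRESHOLD = 10  # the article's "10 wrong passcode attempts"


class PasscodeLock:
    def __init__(self, passcode, erase_data=False):
        self._passcode = passcode
        self.erase_data = erase_data  # models the "Erase Data" switch
        self.failures = 0
        self.wiped = False

    def try_unlock(self, guess):
        """Return True on unlock; wipe once the failure threshold is reached."""
        if self.wiped:
            return False
        if guess == self._passcode:
            self.failures = 0  # assumption: counter resets on success
            return True
        self.failures += 1
        if self.erase_data and self.failures >= WIPE_THRESHOLD:
            self.wiped = True
        return False


def exhaustive_guess(lock, alphabet=string.digits, length=4):
    """Try every passcode in order; return (unlocked, guesses_made)."""
    guesses = 0
    for combo in product(alphabet, repeat=length):
        if lock.wiped:
            break
        guesses += 1
        if lock.try_unlock("".join(combo)):
            return True, guesses
    return False, guesses


def chance_before_wipe(alphabet_size, length, threshold=WIPE_THRESHOLD):
    """Chance that `threshold` distinct guesses hit a uniformly random passcode."""
    return min(1.0, threshold / alphabet_size ** length)


if __name__ == "__main__":
    print(exhaustive_guess(PasscodeLock("7294")))                   # Erase Data off
    print(exhaustive_guess(PasscodeLock("7294", erase_data=True)))  # Erase Data on
    print(chance_before_wipe(10, 4))                                # four digits
```

With Erase Data off, the four-digit space is always exhausted eventually; with it on, guessing stops after ten failures unless the passcode happens to fall within the first ten tries.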

8: Erase data before returning or repairing the iPhone

To some, this may be apparent, but many people don't even think about removing sensitive data before selling or sending their phone in for repair. Use the following steps to prevent others from accessing your personal information:

  1. Select Settings.
  2. Tap General.
  3. Choose Reset.
  4. Select Erase All Contents And Settings.

9: Disable SMS preview

Even when the iPhone is locked, it's still possible to preview a recently received text message. I immediately disabled SMS preview on my iPhone, as I do not want my text messages visible when the phone is locked. If you agree, use the following steps to turn off SMS preview:

  1. Select Settings.
  2. Tap General.
  3. Choose Passcode Lock.
  4. Turn Show SMS Preview off.

10: Disable JavaScript and plug-ins in Safari

Because the iPhone uses a fully functional Web browser, it is susceptible to all the same JavaScript and plug-in exploits that plague normal computers. I recommend disabling JavaScript and plug-ins, but doing so breaks certain Web page characteristics. It's yet another balancing act between security and usability. If you want to err on the side of security, use the following steps to disable both:

  1. Select Settings.
  2. Tap Safari.
  3. Turn JavaScript off.
  4. Turn Plug-Ins off.

Final thoughts

Most of the above security enhancements are intuitive, but I've found that unless prodded, most people don't take advantage of them. I can't in good conscience say that applying all of these enhancements is the only way; that's going to be up to you. I just wanted to make sure everyone knew what was available. I also want to thank CIS again for its diligence in preparing the iPhone security benchmark.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

23 comments
david.k.patterson

You can increase the security via Passcode by turning off Simple Passcode. That allows you to use a more secure complex Passcode rather than simply four digits. Settings - General - Passcode Lock - Simple Passcode (Off)

ndoritn

I found an interesting app - PrivateTIP that enables the user to hide text inside a photo and keep it in the photo library or send it over mail.

JCitizen

and complementary devices like the iPod; I feel we can finally say Apple is just like Microsoft, in at least this phone area. This is why Michael's article is so important, as phone jacking is going to become more and more common, as crooks find use for it. Obscurity is no longer useful for this Apple product.

Deadly Ernest

damn shame you need to think about such stuff for a bleeding phone. Where, oh where, can I find a phone that's just a phone and not some idiots fool's idea of a do everything electronic tool? Whatever happened to the idea of doing one thing extremely well instead of a lot of things poorly?

darpoke

Great article, Michael - very informative, I'll be forwarding the link to my iPhone-using friends. Interesting that you compare its abilities to a full client, such as a proper web browser, along with the associated fallibilities. With great power comes great responsibility, eh? :-) Personally I've jailbroken mine, to allow third party apps. I have a SSH client on there, with full CLI access using MobileTerminal. Obviously the first thing I did was change passwords from default on both the root and mobile accounts. I also generated RSA keys and swapped public keys with the Mac I use at work to allow simple, secure comms. Since connection via USB is only of any use when using iTunes (Apple created a proprietary communications protocol that prevents any machine actually seeing the iPhone as attached storage), I use SFTP over port 22 to communicate with my phone. This allows me to swap data between it and any machine wirelessly and fairly easily, though Wi-Fi isn't the fastest medium. There is an app to allow wireless sharing via the AFP protocol - this lets the device show up in Finder. The only problem with using a GUI (as opposed to a terminal or FTP connection) to browse the device is that the filestructure, like OS X, uses symlinks at the top level, and I've experienced problems with the Users directory disappearing when I've tried to access it. This doesn't happen when using FTP or Terminal. There are some other really useful third party apps I use regularly, which fully justify the act of jailbreaking the device for me. There's a rich, if dilettante, development community out there.

desirawson

Are there antivirus programs available for these phones? I have a Sprint Instinct phone, which is basically a copy-cat of the iPhone, with all the bells and whistles, and operates as my notebook. I have asked Sprint if they have Antivirus installed on their "servers" for this reason, and they guarantee that they do "UP TO A POINT", meaning - not at all. Thank you, Desi Rawson IT Consultant

travis.duffy

Best way to secure the iPhone? Turn it off

SilverBullet

Turn off and disable all communication functions. Better yet, have the Obama administration customize your device with federal resources.

Michael Kassner

I'm constantly using my iPhone as it's capable of doing much of the work my notebook does. Which means the iPhone is vulnerable to many of the same exploits that plague computers. I've put 10 methods together that go a long way to securing the iPhone. Please check them out. If you have any more options, let me know.

Michael Kassner

Interesting, they now have stenography on the iPhone. Very cool.

Michael Kassner

I personally think the iPhone is the best phone I've ever had and I had mobiles since they were car phones. What I really like is how the iPhone has eliminated my need to constantly carry a notebook with me.

Michael Kassner

The iPhone app store and didn't come up with any anti-virus applications. I'd be suspect of any other software claiming to be AV for the iPhone.

Michael Kassner

That was one of the options that CIS offered. The iPhone has what is called Airplane Mode which shuts off all RF communications. I just didn't see the logic in that personally.

williamjones

...and that's the "Find My iPhone" tool available to Apple's MobileMe members. You can use the MobileMe web site to locate your phone if you've left it somewhere. Thankfully, the new Remote Wipe and Screen Message and Alert features in iPhone OS 3.0 work even without Location Services being turned on.

CaptainRedeye

The erase all data function could be abused by playful anti-iPhone colleagues, who pride themselves in guessing passcodes.

ratbatblue

Following your instructions in #9, I see no setting even vaguely related to SMS.

SilverBullet

about the security and network functions. I will continue to gather information from TR and members like Michael. I can still manage my day with a simple cell phone and e-mail. On a personal note, I don't like using my money on technology that needs further R&D because manufacturers are pressed to go to market before the engineers sign off on functionality. We see this more often than not with both hardware and software. Now if my boss or client want to spend the dollars, I'm in!

Appletude

.... doesn't matter. You can still go under Settings>General>Restrictions and manage a lot of stuff and control the way you want your iPhone to be managed. For e.g. in case you lost your iPhone and it gets into wrong hands, possible 2 things will happen and I must say will... 1. To have your "Find My iPhone" app to work, your MobileMe account should be activated, well that account can be deleted, hence making your "Find My iPhone" app good for nothing. Solution: You can disable deletion or addition of any accounts through restrictions 2. What if your "Find My iPhone" app is deleted, well again you can't track your iPhone. Solution: You can disable deletion or installation of apps through restrictions. So if you have a look at Restrictions, you can virtually make your iPhone very secure. Please correct me if I am wrong anywhere.

darpoke

but I think 'a55holes' describes them better.

Michael Kassner

If you notice the article is from 2009. The iOS does not have that setting.

rates1gtc

I found it under Settings > Messages on my iPhone.

darpoke

but I think there is a place for just releasing it to get it out there. Of course it should be market-ready, nobody deserves to purchase something that doesn't work. I'm just saying that all products evolve over time, and quite often the manufacturers simply aren't the people best placed to make the decision of what feature-set ought to be in the current release: the market knows what it wants best. Very often, it takes actual large-scale use of the product to determine this.