Five iPhone and iPad Security Steps to Take Right Now
By Keith J. Jones and Jason T. Briody – April 18, 2013
If you have an iPhone or iPad, you’re probably using them to email, text, and perhaps even draft briefs or mark up documents. Because these are devices created with mobility in mind, they’re easier to lose—and easier to steal—than your typical desktop computer. Here are five simple steps you should take immediately to help ensure that the sensitive information these devices contain doesn’t fall into the wrong hands.
Use Encryption and a Secure Passcode
According to the specifications from Apple, most of the recently produced iPhones (3GS and onward) and all iPads include hardware encryption that helps secure the data on the device if the device is lost or stolen. However, to employ this encryption, you must set up a passcode to protect your data.
The standard passcode—which many people use—is four digits, but longer and more complex passcodes are better: length and complexity make the passcode harder for tools to break and for people to guess. Hacking and forensic tools currently available to the public may be able to crack simple passcodes (especially ones like “1111”) in a relatively short amount of time if your phone is lost or stolen.
Not interested in changing to a more complex password? Then be sure to read below to see how you can have your device automatically erase data after 10 incorrect passcode attempts.
To use a more secure, complex passcode (more than four digits), turn off “Simple Passcode,” as shown in the figure below. You will then be prompted to enter a new passcode.
Figure 1. Turning Off Simple Passcode
Auto-Lock When Not in Use, and Require a Passcode to Unlock
What if you’re at a coffee shop and your iPad or iPhone gets swiped from your table? To reduce the chance that your device is found or stolen while “unlocked” (i.e., after you’ve entered the passcode and started to use it), go to the two settings screens for “Auto-Lock” and “Passcode Lock” (Settings > General > Passcode Lock/Auto-Lock).
Make sure the device locks (or “sleeps”) after a short amount of time (in the “Auto-Lock” option screen), as shown below. Not only does this Auto-Lock/Sleep setting increase your security, but it also provides longer battery life.
Figure 2. Auto-Lock Settings
Then, to require that a user enter his or her passcode to unlock (or “wake”) the device, choose the amount of time you want to allow between the device locking and a passcode being required to unlock it (in the “Passcode Lock” option screens, shown below).
For example (as shown below), the choice of “Immediately” will require that a passcode be entered every time a user tries to unlock a locked/sleeping device. The “After 1 minute” choice, on the other hand, will give the user a little leeway; the device can be locked/sleeping for up to a minute, and a user will still be able to unlock/wake the device without a passcode. If the device is locked/sleeping for more than a minute, though, a passcode will be required to unlock/wake the device.
Figure 3. Passcode Lock Settings
Erase Data after Ten Failed Attempts
If you believe someone might be able to determine your passcode after a number of attempts, you can have the device automatically erase itself after 10 incorrect passcode guesses in a row. Although the term “erase” has different meanings depending on which device model the consumer owns, it generally makes the information unavailable to an attacker. (Apple’s article “Understanding ‘Erase All Content and Settings’” summarizes how each device model implements the erasing procedure.)
Be sure that anyone with legitimate access to the device—a spouse, your kids, or others—knows not to try to guess your passcode too many times. Even so, wiping the device accidentally is not as easy as you might think: after six consecutive incorrect guesses, an iPhone locks temporarily for increasing intervals (1 minute, then 5 minutes, then 15 minutes, and so on) as the incorrect guesses add up, which prevents someone from running through 10 incorrect attempts accidentally or in a short period of time.
Figure 4. Erase Data after Ten Failed Passcode Attempts
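The three passcode protections described above (a longer passcode, the Auto-Lock and “Require Passcode” grace window, and the escalating lockout followed by erasure after ten wrong guesses) interact, and it helps to see them as one policy. The following Python model is an added example written for this page; it is not Apple’s code and does not describe iOS internals. The 1/5/15-minute lockout steps are the article’s; the later steps in LOCKOUT_MINUTES, the 62-character alphabet assumed for alphanumeric passcodes, and the Device class and its method names are assumptions of this illustration.

```python
"""Model of the iOS passcode protections the article describes (added
example; the escalation after 15 minutes and all names here are assumed)."""
from dataclasses import dataclass
from typing import List, Optional

# Temporary lockout, in minutes, applied from the sixth consecutive wrong
# guess onward. 1, 5, 15 come from the article; 60 is an assumed continuation.
LOCKOUT_MINUTES = [1, 5, 15, 60]
FIRST_LOCKOUT_AT = 6   # the sixth wrong guess triggers the first lockout
ERASE_AT = 10          # "Erase Data" wipes the device on the tenth wrong guess


def passcode_keyspace(length: int, digits_only: bool = True) -> int:
    """Worst-case number of passcodes to try: 10 per position for digits,
    an assumed 62 printable characters per position for alphanumeric."""
    alphabet = 10 if digits_only else 62
    return alphabet ** length


@dataclass
class Device:
    auto_lock_minutes: float = 1.0       # Settings > General > Auto-Lock
    require_after_minutes: float = 0.0   # Passcode Lock > Require Passcode (0 = Immediately)
    erase_data: bool = True              # Passcode Lock > Erase Data
    locked_at: Optional[float] = None    # clock minute at which the screen locked
    failed: int = 0                      # consecutive wrong guesses
    locked_out_until: float = 0.0        # guesses are rejected before this clock minute
    erased: bool = False

    def idle(self, now: float, last_used: float) -> None:
        """Auto-Lock: the screen locks once the device has sat idle long enough."""
        if self.locked_at is None and now - last_used >= self.auto_lock_minutes:
            self.locked_at = last_used + self.auto_lock_minutes

    def passcode_required(self, now: float) -> bool:
        """Waking the device: a passcode is needed once the grace window has passed."""
        if self.locked_at is None:
            return False
        return now - self.locked_at >= self.require_after_minutes

    def guess(self, now: float, correct: bool) -> str:
        """Enter a passcode; returns unlocked / wrong / locked_out / erased."""
        if self.erased:
            return "erased"
        if now < self.locked_out_until:
            return "locked_out"
        if correct:
            self.failed = 0
            self.locked_at = None
            return "unlocked"
        self.failed += 1
        if self.erase_data and self.failed >= ERASE_AT:
            self.erased = True
            return "erased"
        if self.failed >= FIRST_LOCKOUT_AT:
            step = min(self.failed - FIRST_LOCKOUT_AT, len(LOCKOUT_MINUTES) - 1)
            self.locked_out_until = now + LOCKOUT_MINUTES[step]
            return "locked_out"
        return "wrong"


def minimum_guess_times(n: int, erase_data: bool = True) -> List[float]:
    """Earliest clock minute at which each of n consecutive wrong guesses can
    be entered on a locked device; the list stops early if the device erases."""
    dev = Device(erase_data=erase_data)
    dev.locked_at = 0.0
    times: List[float] = []
    now = 0.0
    for _ in range(n):
        now = max(now, dev.locked_out_until)   # wait out any lockout
        times.append(now)
        if dev.guess(now, correct=False) == "erased":
            break
    return times


if __name__ == "__main__":
    print("4-digit keyspace:", passcode_keyspace(4))
    print("8-char alphanumeric keyspace:", passcode_keyspace(8, digits_only=False))
    print("minutes at which wrong guesses 1-10 can be made:", minimum_guess_times(10))
```

Running the model shows why the article’s advice compounds: the tenth wrong guess cannot be entered until the lockouts have been waited out, and with Erase Data on it is the last guess the device accepts, whatever the passcode’s length.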
Set Up Remote Locating and Wiping
Another type of protection offered by Apple is to locate and erase your phone remotely at your command. From my experience, this is an additional service that Apple provides and is usually charged monthly or yearly to the consumer as an add-on fee.
Currently (as of iOS 6), to have this feature enabled, you must first go into the settings of the mobile device, click “iCloud,” supply the correct Apple ID credentials for your device, and then turn on “Find My iPhone” or “Find My iPad,” depending on the device you are using.
For example, I have an iPad 3 and an iPhone 4S. After logging into http://www.icloud.com, I’m presented with a number of options, as shown below.
If I click “Find My Phone,” which must be set up before you lose your device, it will show me where my devices are located if the following conditions are true:
The device is on.
The device is able to communicate either by WiFi or 3G/4G communication.
The device has GPS built into it.
Figure 6 shows what will display when “Find My Phone” is pressed.
As you can see, the system located my phone and shows its location on a map. I also clicked on “Devices” in the upper left-hand corner to show other devices that are connected to this service and whether or not they are “offline,” meaning that Apple’s systems cannot locate them at this time.
If I click on “Keith J. Jones’s iPhone,” I am presented with some options. One of the options is to “Erase iPhone,” which “erases” the data on my iPhone in the manner discussed previously, depending on the model of the device selected.
There is a caveat: The Apple website needs to be able to send that “erase yourself” signal to the iPhone, so if the attacker is able to stop any communication to the iPhone (e.g., if the device is off or the signal is blocked), that command may never reach the device, and the erase will therefore not occur as expected.
Encrypt the Backups Stored on Your Computer
Every time one of your Apple mobile devices is plugged into your computer, iTunes automatically attempts to back up the information on the device to your computer’s hard drive while it synchronizes your songs, applications, and videos. iTunes performs this backup so that you can restore your information if it is accidentally erased in the future. Having access to an unencrypted copy of this backup on a computer hard drive, however, is much like having the device itself: it is the same information that was on the mobile device. By default, the backups are not encrypted, which makes the data they contain relatively easy to access for anyone who can get at your computer.
The screenshot below, which is accessible through the summary page when you plug your device into iTunes, demonstrates where a user must turn on this encryption and supply iTunes with a passcode (which can be completely different from your device’s passcode, if desired). This will help prevent attackers from easily reading the contents or placing your backup on a newly purchased device, should they gain access to your computer or the unencrypted backup files. (I have redacted my serial number in the screenshot below for security purposes; yours should appear normally on your iTunes.)
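A quick way to audit the advice in this section is to check whether the backups already sitting on a computer are encrypted. The script below is an added example written for this page, not Apple’s or iTunes’ own code. It relies on two things that are real: iTunes stores each backup in a folder under MobileSync/Backup (the macOS and Windows default paths are shown), and each folder’s Manifest.plist carries an IsEncrypted boolean. The sample backup directory the script builds for offline testing is constructed here, and the function names are this example’s own.

```python
"""Flag iTunes backup folders whose Manifest.plist reports IsEncrypted = false
(added example; the sample directory built below is constructed test data)."""
import os
import plistlib
import sys
import tempfile
from typing import Dict, List, Optional

# Default iTunes backup locations (real defaults; a custom path can be passed instead).
DEFAULT_BACKUP_ROOTS = [
    os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),              # macOS
    os.path.join(os.environ.get("APPDATA", ""), "Apple Computer", "MobileSync", "Backup"),  # Windows
]


def backup_status(root: str) -> Dict[str, Optional[bool]]:
    """Map each backup folder under root to True (encrypted), False (not encrypted)
    or None (no readable Manifest.plist). A missing root yields an empty map."""
    status: Dict[str, Optional[bool]] = {}
    if not os.path.isdir(root):
        return status
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        if not os.path.isdir(folder):
            continue
        try:
            with open(os.path.join(folder, "Manifest.plist"), "rb") as fh:
                manifest = plistlib.load(fh)
            status[name] = bool(manifest.get("IsEncrypted", False))
        except Exception:            # missing, unreadable or malformed manifest
            status[name] = None
    return status


def unencrypted_backups(root: str) -> List[str]:
    """Backup folders that would hand an attacker the device's data in the clear."""
    return [name for name, encrypted in backup_status(root).items() if encrypted is False]


def make_sample_backup_root() -> str:
    """Construct a throwaway backup directory with one encrypted and one
    unencrypted manifest so the check can be exercised without a real backup."""
    root = tempfile.mkdtemp(prefix="mobilesync-sample-")
    for folder_name, encrypted in (("sample-device-encrypted", True),
                                   ("sample-device-plain", False)):
        folder = os.path.join(root, folder_name)
        os.makedirs(folder)
        with open(os.path.join(folder, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted}, fh)   # minimal constructed manifest
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_BACKUP_ROOTS
    for root in roots:
        for name, encrypted in backup_status(root).items():
            label = {True: "encrypted", False: "NOT ENCRYPTED", None: "unknown"}[encrypted]
            print(f"{root}/{name}: {label}")
```

Run it with no arguments to scan the default locations, or pass another backup root as an argument. Any folder reported as NOT ENCRYPTED should be re-created after turning on “Encrypt iPhone backup” in iTunes, then deleted.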
Finally, Erase Your Device Before Selling It or Giving It Away
It seems self-evident, but before selling or giving your iPhone or iPad away, be sure to back it up to a computer if you want to save any data, and then erase the device so that the next user can’t access your data.
To erase your device, go to Settings and click on “General.” Under “Reset,” one of the options is “Erase All Content and Settings.” (This appears to erase the device using the same erasure methods discussed earlier, depending on the model.)
In short, we recommend you use the following security protocols on your Apple mobile devices:
Always use a secure passcode to access your device.
Make sure your device locks after a reasonable amount of time, and stipulate that the passcode be entered again when someone wants to unlock it.
Set up the “Erase after 10 attempts” policy so that an attacker doesn’t have unlimited attempts to guess your passcode.
Purchase and use the “Find My iPhone” service from Apple. The expense is likely minimal considering the potentially immeasurable value of the information saved on your Apple mobile device.
Encrypt your backups on your local computer’s hard drive through iTunes.
Last, be sure to always securely erase your device before selling it or giving it away.
Keywords: litigation, technology for the litigator, iPhone, iPad, security, smart phone, tablet, encryption, backup
Keith J. Jones is the senior partner of Computer Forensic Investigations and Expert Testimony at Jones Dykstra & Associates in Columbia, Maryland. Jason T. Briody is a digital evidence consultant at Jones Dykstra & Associates in Columbia, Maryland.