iSecured - Tips on protecting your digital life on the iPhone
Smartphones in general and the iPhone in particular were designed to make it easier to navigate and integrate your digital life. Unfortunately, technology and security threats go hand in hand. Recently the Apple’s cloud services were in the spotlight because hackers were able to access celebrities’ iCloud accounts and post private photos online.
So what are you going to do? Do you reduce your iPhone to a glorified texting and calling device (basically a 2014 version of the Nokia 5110 – at least the 5110 had changeable face plates) or do you toss caution to the wind and adapt the “do-not-let-the-terrorists(or hackers)-win” mentality?
We’re here to provide an alternative. Here are practical tips for securing your digital life on the iPhone. (Tech-savy-ness not required: If you can use an iPhone and can read this post, you’re good to go.)
Our approach will be similar to how organizations normally secure their information assets. First we will secure the repository (in this case, the iPhone) by making sure the built-in security mechanisms are configured appropriately. Then we have a look at what we put in there or where we connect to and check if the way they are accessed is reasonably secure. Simple enough right?
Let’s look at the iPhone’s security features.
Touch ID. A lot of people like the Touch ID because it’s a seemingly more secure way for protecting your phone. It’s a bit cooler/ nerdier too. If you ask me, I’m a big fan of retina scans. You can ask any infosec dude, biometrics is considered stronger than passwords. Even if you lose your phone or it gets stolen, it’ll be pretty tough to gain access to your device if you use Touch ID. You may want to check if the goblet you used for lunch suddenly disappeared or if you had your hand on a bikini-clad woman’s behind at the beach party.
Go to Settings > Touch ID & Passcode. If you enabled your Touch ID, you can also set if you want to use it for iTunes and the App Store aside from unlocking your phone.
If you chose not to use Touch ID, you can just enable the passcode.
Go to Settings > Touch ID & Passcode
Turn the Passcode On. It’s really up to your level of comfort whether you use the simple (4-number) code or a more complex alphanumeric one. An alphanumeric one is harder to guess but it may be a bit of hassle if you need to pick up your phone while driving – which you should never do. It really doesn’t matter if people know your password is always MrPogi69 or MegaBrain247 or 8888 though.
At the bottom of this menu, the Erase Data option allows you to set your iPhone to erase your data if there are 10 failed passcode attempts. I’m not sure if this procedure is US Department of Defence DoD 5220.22-M compliant but based on my experience getting phones for suspected bad guys, this is a show stopper. It will be hard to get data off a wiped iPhone if you’re not from the Department of Homeland Security or have access to a scanning electron microscope.
Now that we have secured your device, let’s see what you have in there.
Office or Personal? If that iPhone was provided by your company, know that in most cases, they have the right to access whatever is in that phone. If you get involved in something where you end up having to surrender your phone (and they end up with guys like me or the guys I work with) and you pretty much used the phone for a lot of things outside work, that’s probably not going to be good. You don’t want your juicy items to end up in the investigators’ “Annex A” or what I call “Other Interesting Items”. That’s where I usually put stuff like porn, “interesting” photos (why on Earth do guys take naked selfies in front of hotel bathroom mirrors??? AND WHY IS IT ALWAYS GUYS???). You may be not guilty on the incident in question but it gives your boss a reason to can you for:
A) Misuse of corporate property
B) Violation of acceptable use policies
C) Being a creepy pervert
D) ALL OF THE ABOVE.
Take your pick.
Keep your personal stuff on a corporate phone to a manageable level. Once a week, maybe check your phone and ask yourself if someone from corporate sees that, is that OK?
- Emails – Not a good idea to connect the corporate phone to your personal email. Inconvenient but get used to it. Or get your personal phone.
- Pictures – Everyday stuff like office events, what you had for breakfast/lunch/dinner which go to your FB, places where you’ve been which you post on Instaweather (ang app ng simpleng mayabang – “I was here”, “my lifestyle business is awesome”, “platinum leader incentive trip!” etc) are fine. They make me lose some of the whatever respect I have for you but yeah, that’s fine. Intimate photos and videos...uhmm probably not.
- Your passwords on the notepad app – Hell no.
Internet Banking. I personally won’t use my BPI Expressonline on my iPhone. Not happening. Maybe when they start implanting two-factor authentication methods like any first world financial institutions do. The things that are really important, you should do on a proper platform, like on your PC at home.
Privacy Settings. Security and privacy, although related are two distinct areas. Security pertains to access. Privacy deals with the level of access. Like yes you can be my friend but I’m not adding you on Facebook. Under Settings > Privacy is a bunch of settings to fine tune access to your phone.
Among the things here, the one that concerns me is the camera. We have read reports of malware which secretly takes snapshots of you. Wait, those are ANDROID apps. OK Fandroids, the one thing Apple can concede to Android being a leader to is the number of malware on Google Playstore. It’s true. Get over it. But I digress…So nothing to be concerned here right? I’d still make sure all of those apps requesting camera access are switched off.
The most high profile one of these privacy settings is Location Services. Many relationships have gone down the toilet because of this feature. Under it, you can set which Apps can look at where you are based on GPS or cell tower information the iPhone is getting. Yes, I have the Bible app on my iPhone (cue the angels singing…).
You can use the “business need level” test to set which Apps have access to your location. Do you really need to track your location for that app or does that app work better for you with location services on? Apps have different location services settings. Some have either Never or Always. Some have, like Facebook, have the third “While Using the App” option. So how to I apply this? I definitely want it my Taxi Booking app to know where I am. I only want Facebook to know when I’m using it. Isn’t allowing Facebook to track my location a lapse in privacy settings? Not really. First of all, I’m not an Internet Action Star like Ramon Bautista. Secondly, I like trolling multilevel marketing people who have gone full mental by passively showing I also have a cool lifestyle oriented job, have taken hold of my life and building my dreams and get to go places too.
If you really want to be safe, just flick the Location Services setting to off. It will warn you that some services dependent on this like Find My Iphone will not work.
There’s two more settings under Privacy that you may want to look into. Diagnostics & Usage sends passive telemetry information about your device to Apple so their engineers can look at how to “improve its products”. iSheep will probably switch this on. I’m generally comfortable switching this on as well so it’s up to you. Advertising is for how App developers can use the iOS Advertising Identifier data. I’ll not delve into the details of this but the safe way to go about it is to just set the Limit Ad Tracking to on.
iCloud. I do use cloud services. They are pretty useful for storing data which you may need to access online from anywhere like some stuff I have for work. It boils down to your level of comfort. The most conservative approach is just to put your contacts in there just in case you need to change your phone to a new one, you don’t have to manually redo your contacts list. Some people who don’t have enough space on their iPhone for music, pictures and stuff do use iCloud and it’s generally fine. Also, we just secured your device earlier right?
What I probably won’t do is put my backup on iCloud if I’m in Manila. One it will take ages to restore your phone using our “world class” network connection. Two, that file is better off sitting at your PC.
Speaking of backups…
Whenever you back up your phone, it is a good idea to encrypt the backup. You never know what will happen and if you lose your PC, there are applications available online that can view contents of unencrypted iPhone backups. The downside? It’s one more password to remember. If you forget it, your backup is lost, your life is soooo over.
Jailbreak. Who doesn’t like free apps? A lot of the top apps, especially casual games are free. There are some you need to pay for (I paid for a few add-ons to games). There are also some who think Apple is shackling them by restricting them to the App Store and basically everything they can do on the iPhone. That’s why some people Jailbreak their phones. I’m not sure about the stats but some people of the people I know who have Jailbroken phones did it because their phones were carrier-locked. Just stay away from it. It voids your warranty and exposes you to malware. What about the free apps? Be a responsible adult and do the right thing. Like I said, a lot of useful apps are free or ad-driven already. If it’s really something you need, give the developers their dues. Reasons aside from loyalty to a carrier aside, never go for a locked phone so you don’t have to Jailbreak it. It’s actually a problem we have with the lack of proper regulation and protection of consumer rights in Manila. If the governments of Hong Kong and Singapore pretty much decided carrier locking phones is baloney, why can’t we have it at home right? Then again we have petty crime, floods, hellacious traffic jams and politicians who don’t have balls or think with them…I digress.
Losing your phone. In Manila, you’re more likely to lose your phone and not find it than say Singapore. No, I don’t have the OFW-Walang-ganyan-sa [insert foreign location here] syndrome. It’s true. I used my iPhone at Lau Pa Sat to reserve my table and it didn’t get lost. My buddy also lost his phone while he was out and the lady who found his phone answered his call and agreed to meet up so he can get his phone back. Another friend lost her phone in Manila and the phone was switched off when she tried to call. Go take comfort in the fact that we have a lot of Filipinos winning singing contests all over the globe to mask the chaos of home. Feeling better now?
Back to the topic…Fortunately, Apple stole an idea from Blackberry and came up with Find My iPhone (it works for the iPad and Mac too). Just set it up on your iCloud and run the app. This will allow you to set your device to Lost Mode. Lost Mode allows the person who found your phone to call you but not do anything else. Switching the iPhone to Lost Mode also makes it unusable for the person who found it because they need access to your iTunes account to activate the phone. When all hope is lost, you can remote erase your device. If the device is somehow online, it will initiate the remote erase. If it’s off, the next time it goes online, it will initiate the erase procedure. If the device has been erased, you will be notified through the email you used for iTunes. Note that even if the device has been erased, it will still be on Lost Mode. Hopefully this is enough to foil the enterprising people at Greenhills who deal with lost or GSM (Galing Sa Magnanakaw) phones. Find My Iphone also lets you see the estimated location of your phone. A green dot says the phone is live. A gray dot means the last location where the phone was online. I won’t recommend you acting on this information without a Marine Battalion behind you though. Charge the loss to experience and move on. Or as the cops in Manila will advise you, “Mam/ser, bili ka na lang ng bago.” Good thing for you, there’s a new online store you can get your new device from. I hear they have outstanding service.
That’s it. Hopefully this guide helps you protect yourself or mitigate the risks of using an iPhone. Knowing that you’ve done your homework here should put yourself at ease and you can go about enjoying your new gizmo.
Fistbump. See you around.
About Kenny. Kenny’s day job is forensic technology specialist and APAC Solutions Manager for one of the leading providers of software used in investigations, electronic discovery, cyber security and information governance. He’s also done information security work for banks, telcos, and other organizations in the APAC region and was one of the first Filipinos to be certified in security assessments of payment infrastructures. In his free time, he plots to become a dictator. Or grinding to get to level 30 on Destiny.