iOS Security Overview
According to Apple’s iOS Security Guide, iOS security can be viewed in four layers:
- system architecture
- encryption and data protection
- network security
- device access
iOS System architecture includes the platform and hardware used to protect iOS devices, software update releases, developer/application certification, and sandbox mode for application testing. Encryption and data protection systems are also in place to safeguard user data in the event of theft or an attack. Other security features include data Protection technology, passcodes, data class policies, and the iOS keychain.
iOS Network security refers to the procedures in place to protect data as it is transmitted, like VPN capability, encrypted Wi-Fi, and Transport Layer Security. Device access prevents unauthorized parties from using the device and includes security measures such as passwords, passphrases, unlock patterns, and remote wipe tools. All of these iOS security features work together to ensure that Apple iOS devices are secured through different types of uses and from different types of attacks.
iOS Security for Users
iPhones and iPads store large amounts of private user data, including account information, website logins and passwords, emails, location, and more.1 Because of the sensitivity of this information and the risk facing users if their data is stolen, it is important that iOS users understand how to secure their devices. There are several steps users can take to significantly increase the security of their devices in just a few minutes.
Best Practices for Avoiding iOS Security Issues
A good starting place for configuring iPad and iPhone mobile iOS security is device access. All users should set a unique passcode for accessing their devices. This is the simplest gateway to information stored on devices and a strong passcode (long passcodes are better than simple passcodes) can protect users in the event of a lost or stolen device. 1 Another tip for maximizing device access security is to enable Apple’s “Erase Data” setting. This setting wipes all device data after 10 incorrect passcode entries. To ensure that this doesn’t happen unintentionally, iPhones and iPads disable passcode attempts for several minutes between entries after several incorrect entries have been made.1
Certain iPhone features can still be accessed without unlocking the phone unless they are disabled. These features include Voice Dial and SMS Preview. It is recommended that users disable these features. This can be done in the iPhone’s “Passcode Lock” and “Messages” settings screens.1
There are many measures that users should take to optimize iOS security beyond access control. For one, users should regularly delete the keyboard cache that iOS devices store for text autocorrect. Keystrokes can be stored for up to 12 months if they are not regularly cleared.1 Additionally, it is widely recommended that the Location feature is disabled for camera use, as it has been found that storing photos with location tags can leave photo libraries vulnerable to snooping.2 Managing permissions is also key to iPad and iPhone application security; users should review the permissions requested by an app before accepting them.4
Finally, there are some general best practices that users can follow to maintain iPad and iPhone security in the face of inherent flaws and iOS security vulnerabilites. Apple regularly releases firmware and software updates; it is strongly recommended that users keep their devices up to date with the most recent versions as they often contain security fixes.
Jailbreaking iPhones has become a common practice, but unless the user has a strong knowledge of iOS security it is highly unadvisable. Mobile browsers offer their own security options and it is always safe practice to configure browser settings to prevent risky activity. Recommended browser settings include pop-up blocking, disabling automated form completion tools, clearing browser data regularly, and enabling phishing/fraud notifications.1 Bluetooth and Wi-Fi should be disabled when not in use and devices should be set to prompt users before joining Wi-Fi networks.3 Finally, users should wipe all data from their devices before selling, shipping, or retiring them and should have a remote wipe tool enabled in case the device is lost or stolen.1, 4
iPhone Enterprise Security
The recent popularity of “BYOD” (Bring Your Own Device) practices amongst employees has made iOS security a concern for enterprises. Because employee devices can access company networks and data, it is very important that companies ensure these devices are secured beyond the practices already recommended. IT departments can work with employees to configure iPad and iPhone security settings for safe use with company networks. Many IT teams will also install security apps and software on company devices. Mobile antivirus software and scanning tools protect employees by detecting and removing malware on their devices and helping employees configure their iOS security settings. More sophisticated tools even include features such as download protection, anti-phishing services, and spam screening features.4
Many IT departments require use of Mobile Device Management (MDM) software as well. MDM software is used to protect all devices that connect with company networks. These tools offer company-wide iOS application and device configuration settings to ensure that all users receive the same level of protection before connecting to sensitive networks and data.4
In the event that an organization doesn’t use MDM software, IT professionals can still configure employee devices for higher iPad and iPhone enterprise security. Email encryption is highly recommended to protect sensitive company information. SIM card locks and secure credential storage settings can be set up to passcode protect connections to network-enabled applications. SIM card locks protect employees from third party attempts at making unauthorized calls or using their SIM cards in other devices, and credential storage features keep application authentication certificates safe. Finally, IT teams should always test iPad and iPhone application security before approving any apps for employee download.4
Works Cited in this iOS Security Guide
1. Shah, Kunjan. "Top 10 iPhone Security Tips." Top 10 iPhone Security Tips. McAfee, 2011. Web. 2 July 2012. http://www.mcafee.com/us/resources/white-papers/foundstone/wp-top-10-iph....
2. Bilton, Nick. "Apple Loophole Gives Developers Access to Photos." Bits. The New York Times, 28 Feb. 2012. Web. 2 July 2012. http://bits.blogs.nytimes.com/2012/02/28/tk-ios-gives-developers-access-to-photos-videos-location/.
3. Sacco, Al. "Six Essential Apple iPhone Security Tips." Business Center. PC World, 12 Oct. 2008. Web. 2 July 2012. http://www.pcworld.com/businesscenter/article/152128/six_essential_apple....
4. Veracode. "Mobile Security for the Rest of Us." 11 June 2012. PDF eBook file.
Veracode Security Solutions
Written by: Neil DuPaul