By Thomas Reed for Malwarebytes Labs
iPhones have a reputation for being notoriously secure. After all, they caused quite the kerfuffle between Apple and the FBI because they are, from the FBI’s point of view, too secure! However, don’t let that lull you into a false sense of security. Using an iPhone is not an automatic guarantee of invulnerability.
The good news is that there are easy things to do to avoid causing problems for yourself. The following seven tips will help you to make sure your iPhone is the digital fortress that it was meant to be.
1. Use a long passphrase
Most people set a four-digit PIN code, or perhaps the slightly more secure six-digit PIN, to secure their phones. And sure, this seems like perfectly acceptable protection, given that the phone will lock itself down for increasing amounts of time if a thief tries to unlock it with the wrong code too many times. Depending on your settings, it may erase itself after 10 incorrect tries.
What can possibly go wrong? Out of a possible 10,000 combinations, the attacker has to guess correctly in the first 10 attempts. The chances of doing that are quite low: one in 1,000, to be precise. Using six digits lowers the attacker’s odds still further.
However, not all attacks involve poking numbers into the screen repeatedly. There have been many devices over the years capable of retrying PINs endlessly, with no penalties, by taking advantage of vulnerabilities in the hardware or software of the iPhone. The latest of these, the GrayKey device, can crack a four-digit PIN in an hour or two, and a six-digit PIN in three days or less.
If there’s one universal truth about these passcodes, it’s that longer is better. The best thing you can do is start using a longer alphanumeric password instead of a PIN code. Each additional character of length increases the time needed exponentially, and that time gets even longer when adding letters and symbols to the mix.
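To put numbers on the "longer is better" argument, here is a small estimator added for this article (not Malwarebytes or Apple code). It assumes a guess rate derived from the article's own GrayKey figure (a six-digit PIN in three days or less) and a 32-symbol set for the "letters and symbols" case; both are assumptions, and real devices and iOS versions will differ.

```python
# Keyspace and brute-force time estimates for iPhone passcodes.
# Added illustration for this article, not Malwarebytes or Apple code.
# The guess rate is an ASSUMPTION back-calculated from the article's quoted
# figure (six-digit PIN in three days or less); the symbol count is assumed too.

SIX_DIGIT_KEYSPACE = 10 ** 6
THREE_DAYS = 3 * 24 * 60 * 60                          # seconds
GUESSES_PER_SECOND = SIX_DIGIT_KEYSPACE / THREE_DAYS   # about 3.86 guesses/s

DIGITS = 10                        # numeric PIN
ALPHANUMERIC = 26 + 26 + 10        # a-z, A-Z, 0-9
ALNUM_SYMBOLS = ALPHANUMERIC + 32  # plus 32 printable ASCII symbols (assumed)

YEAR = 365.25 * 24 * 60 * 60       # seconds


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance a blind guesser succeeds within `attempts` tries (lockout intact)."""
    return attempts / keyspace(alphabet_size, length)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace when lockouts are bypassed entirely."""
    return keyspace(alphabet_size, length) / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    odds = 1 / guess_probability(DIGITS, 4, 10)
    print(f"10 tries at a 4-digit PIN: 1 in {odds:,.0f}")
    for label, alphabet, length in (("4-digit PIN", DIGITS, 4),
                                    ("6-digit PIN", DIGITS, 6),
                                    ("8-char alphanumeric", ALPHANUMERIC, 8),
                                    ("12-char with symbols", ALNUM_SYMBOLS, 12)):
        print(f"{label:22s} {describe(worst_case_seconds(alphabet, length))}")
```

Each extra alphanumeric character multiplies the keyspace by 62, which is why an eight-character password already moves the exhaustive-search time from days into the millions of years at the same guess rate.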
To change to a longer password, open the Settings app, then tap Touch ID & Passcode. Enter your current PIN, then tap Change Passcode on the next screen. Enter your passcode again, but then instead of entering a new passcode, tap Passcode Options. This will give you the option to choose, among other things, a custom alphanumeric code.
I know what you’re thinking. Who wants to enter a lengthy password every time they unlock their phone? Fortunately, modern iPhones have convenient biometric options for accessing the device without entering the password every time. Either Touch ID or Face ID gets you into your phone fast, without needing to enter the password.
Of course, Touch ID and Face ID are convenience features, not security features. There are valid concerns about the safety of using a biometric pattern that cannot be changed as a replacement for a password. Still, if they allow you to use a longer password conveniently, that is worth far more than avoiding them and falling back to a short PIN. You can always temporarily lock the device so that Touch ID and Face ID won’t work. For more information, see Apple’s information on the security of Touch ID and Face ID.
2. Lock down your Apple ID with 2FA
With what, now? That funny abbreviation (2FA) stands for two-factor authentication, a means of authentication that requires not just something you know, like a password, but also something you have, like a temporary, one-time-only code. Without both, an attacker cannot access your account.
Your Apple ID provides the keys to the kingdom. It’s tied to every device you own. It probably has a credit card associated with it. Your Apple ID is also your iCloud account, and as such it may hold all manner of tempting goodies, including passwords.
Fortunately, Apple offers 2FA on your Apple ID, and it’s strongly recommended that you take advantage of this. Doing so means that you will always have to enter both your password and a six-digit code sent to a trusted device before logging on to your account from a new machine. This makes it very difficult for a hacker to access your Apple ID and the trove of data it can give access to.
3. Keep your iPhone up-to-date
Keeping your system and all your apps up-to-date is an important part of staying secure. iOS (the system that runs on iPhones) updates frequently to fix vulnerabilities that could be used in various scenarios to attack your device. Some of these are minor; others are major.
As an example, consider the GrayKey device discussed above. The method it uses to break into iPhones is still unknown, but one thing is for sure: It relies on one or more unknown security vulnerabilities in iOS. At some point, Apple will find and fix those vulnerabilities, making you safe from GrayKey or any other groups or individuals who may have discovered the vulnerabilities. If you don’t install iOS updates promptly when they are available, though, you remain vulnerable.
Worse, once a vulnerability is patched and Apple publishes their release notes, that gives hackers a little extra information that may help them find the vulnerability, meaning older systems are potentially in greater danger after that point.
4. Use a VPN on free Wi-Fi
Public Wi-Fi can be extremely hazardous. Anyone else on the same network can see any unencrypted network transmissions you make, and an untrustworthy network can actually perform all manner of man-in-the-middle attacks for phishing or other malicious purposes. For example, if you try to log onto your bank site on public Wi-Fi, you might not actually be logging onto your bank site. It could be a malicious look-alike site that bad actors within the Wi-Fi network are sending you to instead.
You could always use cellular data when in public, turning off Wi-Fi in settings, but that’s not always practical, especially with the data caps on most cell data plans. Fortunately, there’s a good solution: a VPN, or virtual private network. Using a good VPN means that all your network traffic is tunneled through an encrypted connection to a server located somewhere else.
Unfortunately, there are a lot of insecure or untrustworthy VPNs out there. It doesn’t help your security much if the VPN is careless with your data, or is otherwise not acting in your best interests. There are many free VPNs out there, but remember the first rule of free services on the Internet: If you’re not paying for it, you’re the product.
Finding a trustworthy, secure VPN can take a little work. Fortunately, an excellent article by Brian Krebs provides details about VPNs and how to select a good one. Make sure that the VPN you choose has good support for iOS; anything that requires you to download an app, but doesn’t offer an iOS app, is off the table from the start.
5. Use additional encryption
The encryption on the iPhone is one of its finest features, but it’s not perfect. As long as there’s any chance of cracking your iPhone’s passcode, or gaining access to unencrypted backups, your data isn’t safe. For your particularly sensitive data, such as passwords, social security numbers, credit card numbers and the like, you need additional encryption.
Using a password manager with its own strong encryption, and a strong password different from any other password you use, can be extremely helpful. A utility like 1Password can store a vault in iCloud that is encrypted independently, meaning an attacker looking for your passwords would need to first crack your phone or iCloud account to access the vault, then crack the vault itself.
Similarly, Apple’s own Notes app now allows creation of encrypted notes, which can be secured with a password of your choice. Use of a strong, unique password means that the data such a note contains is also quite secure.
When it comes to your iPhone backups, consider backing up to your computer using iTunes, and set iTunes to encrypt those backups. Such encryption will use a separate password that you set, so be sure to use a strong, unique password for that.
6. Audit privacy settings periodically
There are many permissions that can be granted to apps, such as access to the camera, the microphone, your contacts, and your location. It’s a good idea to keep track of which permissions you’ve given to which apps, and to revoke any permissions that are not strictly needed. For example, if you posted a photo to Twitter once, but you aren’t likely to do it again, it would be a good idea to remove the right to look at your photos from the Twitter app.
In Settings, tap on Privacy. Here resides the master list of all permissions and which apps you’ve granted them to. Go through all of them periodically, and revoke any permissions that you don’t think a particular app needs.
7. Beware of scams
Use of an iPhone doesn’t do a thing to protect you against scam phone calls or scam text messages. Always be wary of calls or messages from unknown senders. Treat any links received in text messages with extreme suspicion, even if they come from someone you know, since the sender could be spoofed or their phone could have been stolen.
If you tap a link in a message and the site wants you to log in or provide other personal information, verify with the sender that it’s legitimate. If it appears to be a site you’re familiar with, consider visiting the site via a bookmark instead of the link.
You can also consider using security software that can screen and block scam calls and texts, such as Malwarebytes for iOS (coming soon).
The most secure phone
It’s okay to feel safe as an iPhone owner. Currently, iPhones are the safest smartphones on the planet. However, as demonstrated here, there are still plenty of ways that you can become a victim. So don’t just assume you’re safe automatically by virtue of owning an iPhone.
Doing the right things to keep yourself safe can often be more important than having the most secure phone.