There has been a lot of controversy in the media regarding the security of Apple iPhone and iPad devices. Whilst both ship with a natively secure operating system, the majority (~60%) of iPhone and iPad users have jail broken their devices which makes them blatantly insecure!
Jailbreaking is a process that allows iPad, iPhone and iPod Touch users to install homebrew applications on their devices by unlocking the operating system and allowing the user root access. Once jailbroken, iDevice users are able to download many extensions and themes previously unavailable through the App Store via unofficial installers such as Cydia. A jailbroken iPad, iPhone or iPod Touch is still able to use the App Store and iTunes.
Jailbreaking is different from SIM unlocking, which, once completed, means that the mobile phone will accept any SIM without restriction on, for example, the country or network operator of origin. Jailbreaking, according to Apple, can void Apple’s warranty on the device,[1] although this is quickly remedied by restoring the device in iTunes.
This article will address some of the security issues with jailbroken iPhone and iPad devices and how you can secure your unit.
1. SSH Passwords
By default, jailbroken devices are vulnerable to being hacked into using SSH. If you have jailbroken your device and installed Cydia it is vital that you change your phones mobile and root account passwords. The default password is ‘alpine’ which means that if you connect to a wireless access point using your device, rogue individuals can gain un-authorized access to your device. This would allow them to steal your contacts, modify your units configuration and install malicious software. To change your SSH passwords follow the instructions available here.
2. Install PrivAcy
iDevices include location tracking capabilities which are used by applications like Photos, Facebook and various news applications in order to provide location orient content. PrivAcy allows you to selectively opt-out of sending anonymous usage statistics to some app developers. PrivAcy is free and can be installed using Cydia. You can find out more about PrivAcy here.
3. Install Firewall IP
iDevices do not ship with a ingress/egress firewall application. This means that there is nothing stopping software installed on your iDevice from sending information (out) and from receiving information (in). Firewall IP allows you to block outgoing connections (TCP and UDP). It hooks into applications from App Store and Cydia. Firewall IP will warn you if the app wants to establish a connection to a host and shows you the hostname and connection information. You then have the options to allow/deny all connections for the application. Firewall IP costs $2.99 USD. Find out more about Firewall IP here.
4. SBSettings
SBSettings allows you to quickly enable and disable functions on your iDevice such as a SSH, Wireless, 3G, EDGE and disable running applications. SBSettings is available free via Cydia. You can find out more here.
5. Disable Locations
If you would prefer that your iPhone or iPad not keep track of everywhere you go and notify 3rd party software vendors then you should disable “Locations.” To disable locations open ‘Settings’ then ‘General’ then ‘Location Services’ and set it to “Off”. Note that this will affect some applications such as Maps and Google Earth. You can selectively turn on locations for these applications, as needed.
6. Use a PIN code
You should secure your iDevice with a PIN code and a 1 minute time out. This protects you against an un-authorized individual picking up your phone and gaining access to your information. Detailed instructions on how to set a PIN code are available here. In addition to setting a PIN code (‘Settings’ > ‘Passcode Lock’) we recommend you enable “Erase Data”. This option will automatically wipe your iPhone in the event that the password is entered incorrectly more than 10 times. If someone steals your iPhone and attempts to brute force or guess your password, this will destory the contents of your phone automatically.
Warning: Please make sure you backup your iPhone using iTunes (with encrypted backup enabled) regularly. If your phone is wiped and then found or recovered later, you can simply restore all of your data to it.
7. Enable encryption for your backups in iTunes
When you sync your iPhone with iTunes, iTunes automatically makes a backup of your phone including all of your settings, applications, contact information and stored documents to the computer iTunes is installed on. These backups can be accessed by anyone else who uses the computer. We recommend encrypting your iTunes backups (a simple option available in iTunes) so that this does not occur. Detailed instructions on how to enable encryption are available here.
8. Don’t leave wifi turned on
When your not using your wireless, don’t leave it turned on. Aside from draining your iDevice’s battery, it also opens up your device to probing and potential un-authorized access in the event the other recommendations in this article are not being followed. Wireless can be disabled under ‘General > Settings’ or using SBSettings mentioned earlier in this article.
9. Don’t leave Bluetooth turned on
When your not using your bluetooth, don’t leave it turned on. Aside from draining your iDevice’s battery, it also opens up your device to probing and potential un-authorized access in the event the other recommendations in this article are not being followed. Bluetooth can be disabled under ‘General > Settings’ or using SBSettings mentioned earlier in this article.
10. Use secure email accounts (e.g. POP3-SSL, IMAP-SSL)
Realtime access to email is one of the major benefits of iDevices but also opens you up to a number of security risks including email man in the middle attacks and password snatching. Most email providers (for example Yahoo, Hotmail, MSN, Verizon) send passwords in clear text over the air. This means that a rouge hacker can easily log your email account passwords and gain un-authorized access to your mail box. We recommend using secure email accounts which encrypt email traffic using transport layer security (TLS). Commercial secure email providers such as a Aorta provide secure access to email using POP3 or IMAP.
11. Use a secure password storage application
Keeping track of all of your passwords for online banking, email accounts, chat software, websites, forums and memberships can be difficult. Many users make the mistake of storing such information in text files which they sync between their iDevice and their desktop or laptop computer. This is insecure! We recommend KeePass which is free for Windows and Linux users and has a iPhone / iPad version called MyKeePass available in the App Store for $0.99. You can easily sync your secure password safe file between your desktop, laptop and iDevice!
12. Use a VPN
If you regularly access the Internet via public wireless hotspots using your iPhone or iPad, we recommend using a VPN. A Virtual Private Network (VPN) connection will secure your wireless Internet use making sure others cannot “sniff” your activity over to air. Many secure VPN providers including Aorta provide support for iPhone’s and iPad’s using GuizmoVPN which costs around $7.00 USD.
13. Password your SIM card
We recommend you set a password on your SIM card. This protects your SIM from being used by someone else in the event your phone is lost or stolen. When used in conjunction with a phone PIN code, your phone cannot be used by anyone else. To set a SIM card password on your iPhone or iPad open ‘Settings’ then ‘Phone’ then ‘ SIM PIN’. Be careful to record the PIN you set as if the PIN is lost you will have to contact your phone provider to replace it.
14. Update your devices firmware (iOS)
Many iPhone and iPad users continue to use old (~9 months) firmware on their phones. Whilst firmware upgrades generally include new feature additions and stability enhancements, they also include important security updates and patches to protect your device against new attacks. You should regularly upgrade your devices firmware.
WARNING: If your iPhone is jail broken please be sure to research the impact of upgrading your phones firmware as some new firmware versions cannot be jail broken or unlocked.
15. Jailbreak Security Patches
If your phone is jail broken and you are using a older firmware then its important to install any available security patches in Cydia. For exampleif you are currently using iPhone OS 4.01 and cannot upgrade to iPhone OS 4.0.2 (as it cannot be jail broken yet), then you should install the PDF patch available in Cydia to protect you against the security vunerability patched in firmware 4.0.2.
FEEDBACK!
Do you have other ideas on how to secure your iPhone or iPad device? Please comment below!
Danka! This is a great outline. There are many items to address but this covers the big ones.
In Para 8 & 9.. you state authorized.. should it be unauthorized traffic?
I enjoyed the article.. you reference a lot of software that can only be installed on jailbroken iDevices.. maybe this is a market to write some apps for the iTunes Apps store… securing my iPad is important to me, but I’m not interested in jailbreaking it to do so… any thoughts?
Mike,
Thanks for the feedback, I have corrected the “authorized” lines.
I wouldn’t be able to utilize my iPhone 4 and iPad the way I do without them being jail broken. I run several custom firewall scripts, MyKeePass for password management and utilize GuizoVPN for OpenVPN connectivity. These can only be used on a jail broken device as Apple just won’t approve these sorts of APP’s in the iTunes store.
As outlined in the article, with jail breaking comes several security concerns although the majority of Apple vulnerabilities, to date, affect non-jailbroken devices as well. To jail break or not is a toss up between productivity/utilization vs. being bound to what Apple deems “acceptable” for our iDevices.