How secure is your iPhone?

Since I bought my first smartphone – the Nokia 7650 – it has become my key digital device. I store absolutely everything I can on it – who I know, all the details about them, and all the other information that enables me to run my life. This dependency has increased alongside the expanding capacities of the iPhone, supplanting even my computer. So it’s fair to say that my phone contains a lot of information that I consider quite sensitive.

But what happens if someone steals my iPhone? How easy is it for that person to get access to the phone? And even if they do, how can I prevent them finding out the most sensitive information?

Firstly, what do I need to secure?

I’ve been thinking about the information that’s currently on my phone. It includes:

  • Everyone I know (Contacts, Facebook), when I’m in contact with them (SMS, Email, Recent calls), and who’s most important (Favorites*)
  • Everything I’m doing (my to-do list, Things) and when (Calendar)
  • Places I’ve been (to a certain extent, within Maps)
  • Photos I’ve taken, including scans of membership cards
  • Websites I visit (Safari) and things I buy (eBay, confirmations stored in Email)
  • Certain bank account details, and passwords (within Contact entries and Notes)

That’s a lot of information about my life. Using only the built-in functions, how can I secure my iPhone?

The first step is to stop people accessing that data

  • Use a Passcode
  • Auto-lock after a short delay
  • Set the phone to Erase Data – this will happen after 10 failed passcode attempts

You may also set a stronger alphanumeric passcode by following this article at MacOSXHints.com.

This is straightforward enough, and should be sufficient to stop a snooper (if you leave your phone lying around), or if it’s lost or stolen opportunistically. But what if the person who now has your phone has a little more technical know-how? What if it was stolen on purpose in order to get all that personal information?

The bad news: your iPhone is wide open

What’s true for the iPhone is true for all computers: if you have physical access, you own the device. Jonathan Zdziarski has pointed out how easy it still is under firmware 2.2 to bypass the passcode lock. His book, iPhone Forensics, demonstrates how easy it is to:

  • Break v1.x and v2.x passcode-protected iPhones (including 3G) to gain access to the device
  • Interrupt the iPhone 3G’s “secure wipe” process
  • Conduct data recovery of a v1.x and v2.x iPhone/iPhone 3G user disk partition, and preserve and recover the entire raw disk image
  • Recover deleted voicemail, images, email, and other personal data, using data carving techniques specialized for the iPhone
  • Perform e-discovery of Google map lookups, typing cache, GPS fixes, geotags, and other data stored on the live file system
  • Extract contact information and extended call history from the iPhone’s database

So if you lose your phone to someone who knows what they’re doing, they can get an awful lot of private information. This is not good.

Protect what you can

You can still secure additional information using applications that encrypt data. This doesn’t secure everything, but can be used to ensure bank account details etc. remain secret. If you do keep this sort of sensitive information on your phone, and you’re concerned about others having access to that data, here are some reviews comparing apps that will provide security:

http://the-gadgeteer.com/2008/10/07/secure_information_keeper_software_for_the_iphone_and_ipod_touch/

http://www.macworld.com/article/134942/iphonesecretkeepers.html

Also, don’t store sensitive data in plain sight in Contact fields or in Notes. Yes, I’m deleting all of that now…

How likely are you to lose your data, really?

Auto-lock and a passcode will deter casual snoopers, and are sufficient if you regularly leave your phone lying around. But even if your phone is stolen, a technically-aware thief is far more likely to just wipe your phone and replace the firmware ready for resale, rather than take the time to create a custom RAM disk and start stealing your identity. Yet if someone does really want access to your data, you can only protect some of that data (which you consider especially sensitive**) through encryption.

Ideally, Apple should:

  • Move the passcode preference out of an easily-accessible file, so that it cannot be removed by an attacker
  • Stop defaulting to an unlocked phone – require a passcode. They mandate a password on your Mac, so why not on your most personal computer of all?
  • Enable remote wipe for consumers, not just enterprise customers. If they rolled that into MobileMe, that would be enough for me to sign up.

Notes:

I haven’t spoken about previously discovered holes in iPhone OS, and I haven’t gone into email and web browsing security either. For those, I’ll leave you to read these Tidbits and Maclife articles.

Infoworld has an “8 easy steps to iPhone security” guide. Number 5 is “don’t jailbreak”. Contrary to what they think, jailbreaking could make your iPhone more secure, if you know what you’re doing. Zdziarski has noticed that iPhone OS takes lots of screenshots to enable the zooming effect whenever you push the Home button. These screenshots are stored, and may contain personal information you thought was deleted. On a jailbroken iPhone, you can disable these screenshots. Jailbreaking also allows you to install Cylay, an app that will track a stolen phone, although it won’t prevent a firmware restore.

Apple has some iPhone configuration advice for enterprise customers, which is worth reading for its security considerations.
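An added example (not from the original post or from Apple): on managed phones, the passcode, auto-lock and erase settings listed earlier are enforced through a configuration profile, and this Python script audits such a profile's passcode policy payload for them. The sample profile, the function name and the thresholds (5 minutes, 10 attempts) are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not from the original page): it requires a
# passcode but has a long auto-lock delay and no erase-on-failure setting.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>maxInactivity</key><integer>15</integer>
  </dict></array>
</dict></plist>"""

POLICY_TYPE = "com.apple.mobiledevice.passwordpolicy"


def audit_passcode_policy(profile_bytes, max_autolock_minutes=5, max_attempts=10):
    """Return a list of findings; an empty list means every check passed."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == POLICY_TYPE]
    if not payloads:
        return ["no passcode policy payload: passcode is optional"]
    policy, findings = payloads[0], []
    if not policy.get("forcePIN", False):
        findings.append("forcePIN is off: passcode is optional")
    # maxInactivity is the auto-lock delay in minutes; absent means no cap.
    inactivity = policy.get("maxInactivity")
    if inactivity is None or inactivity > max_autolock_minutes:
        findings.append(f"auto-lock delay not capped at {max_autolock_minutes} min")
    # maxFailedAttempts triggers the erase; absent means data is never erased.
    attempts = policy.get("maxFailedAttempts")
    if attempts is None or attempts > max_attempts:
        findings.append(f"erase not enforced within {max_attempts} failed attempts")
    # A stronger passcode needs simple values refused and letters required.
    if policy.get("allowSimple", True) or not policy.get("requireAlphanumeric", False):
        findings.append("simple or numeric-only passcodes allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print("FINDING:", finding)
```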

* British English localisation only goes so far
** Although it is entirely arguable that your contact list (probably including your banks) and calendar are the most sensitive items of all.

  • http://m-strat.org Jose HC

    Thanks for the post… it really makes you think twice if you have data you don’t want others to see. I will try and do a follow-up post to this sometime this week or next, because even though the iPhone is still not enterprise ready, it is in the enterprise and we need to know how to secure it.