An old trick for new dogs? Easy ways to enhance your iPhone security
Imagine this: You’re the most valued tech company in the world, and you may have just been hacked. This was Apple’s dilemma in 2014 as it prepared to launch the iPhone 6. Celebrities had their personal information leaked online — including sensitive photos — in what was initially called a breach of Apple’s iCloud service.
Upon further investigation, Apple security teams found the service itself wasn’t breached, but certain individuals had fallen prey to a phishing scam to collect usernames and passwords for their accounts. This prompted Apple to significantly beef-up its security surrounding iCloud and Apple IDs.
The problem is that many Apple users still haven’t turned on these enhanced security features even today. The result? An alleged ransom of Apple user data and hackers are trying to hold Apple accountable for paying.
Motherboard (A Vice news affiliate) recently reported that Apple may be attempting to deal with a breach of user data through the iCloud service. This data is allegedly being held ransom for $75k in Bitcoin for these hackers to delete the stolen data. The group is threatening to remotely wipe all the devices under its control by April 7 if the ransom is not paid.
Motherboard has confirmed back-and-forth communication between the hackers and Apple security teams, but the group has yet to provide solid proof of how and what information they have outside of a YouTube video (which apparently shows them logging into an elderly women’s iCloud account). This, on the heels of a mid-March 2017 celebrity photo dump, which also purports to be data stolen from iCloud. The current group is even reporting access to almost 300 million iCloud accounts, but even the hackers can’t agree on this number, with some saying this it is as high as 559 million.
Data breaches are now making weekly headlines. With this constant barrage of privacy hacking, why aren’t users scrambling to enhance their security? More importantly, why aren’t we reporting on how to protect ourselves, rather than headlining what was breached? Let’s look at how the iPhone enhances security, and why it’s important for you to do this right now, regardless of the long process.
Security-for-the-masses is difficult
Apple is world-renowned for its meticulous detail to intuitive user experience, or how easy it is to use its products. Yet, security seems to still be difficult to get user traction, and even harder to implement. Because of this difficulty, ease of use is essential. Three things make a good security solution: easy to implement, easy to operate and completely secure. Let’s look at how Apple does this with the Apple ID on the iPhone.
Easy to implement? Apple iPhone physical and cloud security
For Apple, its growth into security has yielded innovative hardware. Here’s a list of some of the most common security features on the iPhone today, and a guide on how to quickly set these up, if available:
- Touch ID (Biometric fingerprint recognition; iPhone 5S and higher)
- Whole-Phone Encryption (Requires a passcode)
- Enhanced Passcodes (6 digits)
- Restricted Apps
- Privacy Settings
How many of these have you configured or turned on? And this doesn’t include the Apple ID settings, which are even more critical, yet typically ignored.
As we’ve seen, most of the data iPhone breaches have been due to poor/unconfigured account security settings. The real issue here is the ease of implementation. Do you know the difference between an Apple ID, an iCloud ID and an iTunes /AppStore ID? Trick question: There isn’t one! These all rely on one master account: The Apple ID. Moreover, if you own multiple Apple devices on multiple OSes (MacOS and iOS), this could be even trickier.
Many users also aren’t aware that two-factor authentication is available for the iPhone, and even if they are, many don’t have them turned on. It’s difficult to implement, and even more difficult to manage.
Regardless, this sort of security is necessary. Here’s a good guide on how to set this up for your Apple ID. It ties into your Touch ID (if available), which makes it infinitely easier.
The following configuration steps are based on Apple iOS 10.3:
1. Tap Settings from your home screen:
2. Tap the account name and email address (typically yours) at the top of Settings (may require you to type in your password; this is typically the password you use to download apps from the App Store):
3. Tap Password and Security:
4. Now tap, Turn-On Two-Factor Authentication:
5. Tap Continue to begin the two-factor setup process:
6. Ensure your phone number is correct, then tap continue:
7. Ensure your devices are up-to-date with iOS 10 or later. If they aren’t, you’ll receive a warning where you can tap OK:
8. Enter your password for your Apple ID (Again, typically your App Store password):
9. Now enter your passcode for your device (Could be the 4 or 6-digit code to get into your locked device):
10. You can now confirm Two-Factor Authentication is now on:
While Apple’s made strides to ease implementation, its approach can be confusing where obvious next steps are anything but. Overall, this ties into the next point: ease of operation.
Easy to operate? Apple iPhone physical and cloud security
Once set up, Apple absolutely shines in overall day-to-day security operations; just so long as you have Touch ID. Many companies are moving to mobile device management solutions in which to get email or have convenient access to corporate resources, you need to either give up device ‘freedom’ and have company policies enforced (like passwords and remote wipe capabilities), or carry a separate device altogether. Yikes.
Once past that, operating the iPhone’s security footprint is easy. Touch ID ensures a seamless experience from opening the phone to downloading an app. If you’re running the latest version of iOS (10) and Touch ID, there’s one setting you must enable — Rest Finger to Open — which can be done with the following:
- Open the Settings app
- Tap on General
- Tap on Accessibility
- Tap on Home Button
- Tap the Rest Finger to Open switch to the on position
iOS 10 removes the famous ‘slide-to-swipe ‘operation and forces you to not only unlock your phone via a password or Touch ID, but you also must press the Home button after. This setting removes that option if you have Touch ID.
From the standpoint of dealing with verifying your Apple ID account, again ensure that you have your two-factor authentication setup and a backup phone number(s) in place to make life easier. The lesson here: Get an iPhone with Touch ID.
Completely Secure? Apple iPhone physical and cloud security
This is where things get murky. It’s human nature to assume when someone says something is 100 percent of anything, you may have some doubts. Even more on the security side of things, and Apple is no exception.
To quickly list everything that has pushed Apple to a better security posture would be nothing short of a dissertation. All of Apple’s CVEs (found security holes) for 2017 alone is no light reading — 152 to be exact.
Here’s a quick-list of things to disable/change on top of what’s listed above:
- Disable Siri (It’s currently a worthless AI assistant, and huge security hole)
- Enabling a strong multi-character password
- Require passcode immediately to avoid any adverse methods for capturing iPhones
- Pay for and run a VPN client when attached to any wifi hotspot
- Settings > Privacy > Location Services > Frequent Locations OFF
On top of these, regardless of the safeguards in place, governments are now becoming increasingly aware of security features, and rather than find backdoors, they’ll force you to unlock your phone. While a gray area now, advocacy to protect privacy while enabling security is becoming increasing blurred. The answer to the security question is many times, “I have nothing to hide.” A rebuttal to that would be: Don't fear the surveillance state because you might have something illegal; fear the surveillance state because it is a tremendous institutional barrier to meaningful societal progress.
The borders of the United States have also started to encroach on this area between security and privacy. This is where the Touch ID feature becomes a real risk. Experts say that “your PIN or password is information you have memorized in your mind, which courts have repeatedly affirmed you cannot be forced into giving up. Your body, however, is not so free — so federal agents can force you to unlock your phone using your fingerprint.” Food for thought.
Complete security only comes at the cost of complete freedom. Regardless of the device, technology or circumstances, it becomes everyone’s responsibility to find the balance for themselves.
Make the easy changes, right now
As creatures of habit, use this guide to become more aware and make some changes now. At a minimum if you have Touch ID, turn on two-factor authentication for your Apple ID, then turn it off Touch ID if you frequently cross borders. Save your passwords somewhere secure and accessible, and take your digital security seriously. The viability of your online persona is critical to secure just like your home, vehicle or wallet. Because in the end, the line between being safe and being hacked is that thin.
About Mike Barmonde
Mike Barmonde is a senior engineer at Ivanti. As an end-user advocate and cloud-technologist for over a decade, his passion is equipping enterprise IT with solutions to make them a leader in business development and strategy.