10 ways to secure the Apple iPhone

Guest post: TechRepublic's Michael Kassner highlights 10 ways to secure an iPhone. For more posts like this see TechRepublic's 10 Things blog.

The Center for Internet Security (CIS) is well -known for developing security benchmarks for operating systems, applications, network devices, and now the Apple iPhone. I’ve read the iPhone benchmark and felt that TechRepublic’s 10 Things format would be the perfect way for me to pass along some of their advice. The complete document can be found at the CIS benchmark portal. So let’s make sure your iPhone is secure.

Note: This article is available as a PDF download and as a PowerPoint presentation.

1: Make sure firmware is up to date

Like computer operating system software, keeping the iPhone’s firmware up to date is important in reducing the vulnerability footprint. The latest version of firmware is 2.2.1. Select Settings | General | About to determine what version the iPhone is using. If the iPhone is using an older version, follow the steps below to update the firmware:

1. Connect the iPhone to the computer.
2. Open iTunes.
3. Select iPhone under Devices in the source list.
4. Select Check For Update.
5. Select Download And Install.

2: Disable Wi-Fi when not in use

This is self-apparent, yet important enough to include in the list. Most people automatically disable Wi-Fi to conserve the battery. But knowing that disabling Wi-Fi eliminates an attack vector may be added incentive to turn Wi-Fi on only when needed. Use the following steps to disable Wi-Fi:

1. Tap Settings.
2. Tap Wi-Fi.
3. Turn Wi-Fi off.

3: Disallow automatic association to networks

By default, the iPhone retains association settings of the Wi-Fi networks it connects to, which allows the phone to automatically reconnect when within range. Automatic association isn’t recommended, as it’s easy to spoof trusted networks. Still, disallowing automatic association is kind of a pain, as doing so requires you to enter the passkey each time. I’ll leave this one up to you. To prevent automatic association use the following steps:

1. Tap Settings.
2. Select Wi-Fi (make sure Wi-Fi is on).
3. Tap the blue arrow of the network to forget.
4. Select Forget This Network.

4: Turn Bluetooth off when not being used

Features that make life easier for the user tend to make it easier for bad guys as well. Bluetooth is one such feature; it allows many conveniences, such as the use of wireless headsets and sharing information between phones. Yet attackers can also use it to Bluejack or Bluesnarf a phone.

For some reason, the iPhone isn’t set up to just turn off discovery. So the only way to prevent unwanted discovery and associations is to use the following steps to turn Bluetooth off:

1. Pick Settings.
2. Tap General.
3. Tap Bluetooth.
4. Turn Bluetooth off.

5: Disable location services until needed

Turning location services off doesn’t immediately increase security; it just prevents the user’s location from being published. I personally think disabling the service is a good idea for two reasons. First, it’s a significant battery drain. Second, disabling the service isn’t an inconvenience. It’s simple to turn the location service back on from within the application that needs positioning information. If so desired, follow the steps below to disable location services:

1. Tap Settings.
2. Tap General.
3. Turn Location Services off.

6: Set a passcode

Setting a passcode definitely increases the security of the iPhone. It makes it harder for someone to gain access to the iPhone because the phone automatically locks after a user-determined amount of inactivity. Setting a passcode is also required for feature seven to work. Use the following steps to set a passcode:

1. Select Settings.
2. Select General.
3. Tap Passcode Lock.
4. Enter a four-digit passcode.
5. Re-enter the same passcode.

7: Erase data if too many wrong passcodes are entered

After 10 wrong passcode attempts, user settings and any data stored on the iPhone will be erased if this setting is enabled. It’s a valuable feature because a four-digit passcode of just numbers will eventually be discovered, and this option ensures that any sensitive information will not get into the wrong hands. Use the following steps to turn erase data on:

1. Select Settings.
2. Tap General.
3. Choose Passcode Lock.
4. Turn Erase Data on.

8: Erase data before returning or repairing the iPhone

To some, this may be apparent, but many people don’t even think about removing sensitive data before selling or sending their phone in for repair. Use the following steps to prevent others from accessing your personal information:

1. Select Settings.
2. Tap General.
3. Choose Reset.
4. Select Erase All Contents And Settings.

9: Disable SMS preview

Even when the iPhone is locked, it’s still possible to preview a recently received text message. I immediately disabled SMS preview on my iPhone, as I do not want my text messages visible when the phone is locked. If you agree, use the following steps to turn off SMS preview:

1. Select Settings.
2. Tap General.
3. Choose Passcode Lock.
4. Turn Show SMS Preview off.

10: Disable JavaScript and plug-ins in Safari

Because the iPhone uses a fully functional Web browser, it is susceptible to all the same JavaScript and plug-in exploits that plague normal computers. I recommend disabling JavaScript and plug-ins, but doing so breaks certain Web page characteristics. It’s yet another balancing act between security and usability. If you want to err on the side of security, use the following steps to disable both:

1. Select Settings.
2. Tap Safari.
3. Turn JavaScript off.
4. Turn Plug-Ins off.

Final thoughts

Most of the above security enhancements are intuitive, but I’ve found that unless prodded, most people don’t take advantage of them. I can’t in good conscious say that applying all of these enhancements is the only way; that’s going to be up to you. I just wanted to make sure everyone knew what was available. I also want to thank CIS again for its diligence in preparing the iPhone security benchmark.