Privacy, Signal, Technology, Tutorials

Guide To Hardening Your iPhone’s Security And Protect It From Hackers

September 12, 2017

Introduction

This article will show you how to harden your iPhone’s security and protect it from hackers, thieves, and other adversaries. By following the tips, you’ll also increase your own privacy as well.

A lot of the iPhone tips in this article are not obvious to the average iPhone user. Nevertheless, the tips in the article will significantly increase your iPhone’s security, making it difficult and time-consuming for all sorts of adversaries that are interested in gaining unauthorized access to your personal information and data stored on your mobile device.

This guide is designed to be understood and grasped easily by the casual everyday iOS user who is primarily concerned with adversary surveillance and privacy. Instructions are both easy to apply and effective.

The tutorial will help make it more difficult for adversaries ranging from basic to sophisticated state-sponsored adversaries to break into your iOS device.

Below are my essential guidelines for securing your iPhone, data, and increasing your overall privacy in the age of government surveillance:

Make Sure To Always Download The Latest iOS Update For Your iPhone When It Is Available

Always ensure that you are running the latest version of iOS.

Go To Settings > General > Software Update.

The software update patches any vulnerabilities that may have been found in the current Apple mobile operating system.

To check if there are any exploits that have been discovered for the latest iOS, I conducted a search for “iOS 10.3.3 jailbreak.” (The latest version at the time of writing this article.) When people decide to jailbreak a phone, they remove a lot of the security belongings that Apple has initially supplied.

If an adversary was attempting to extract information from you or if they desired to infect your phone so they could steal information, intercept your mobile calls, look at your emails, then the circumstance where there is a jailbreak available for the device indicates that there is an exploit readily available.

Hence, it is exceptionally critical to spend a couple of minutes to power down and update your iPhone when a new version of iOS is released and made available to the general public.

Always Remember To Enable Two-Factor Authentication (2FA)

Many people are too lazy to enable two-factor authentication despite being constantly told by other individuals. The truth is that these people are making themselves vulnerable by not adhering to valuable security protocols like enabling 2FA.

Most popular applications and accounts like Facebook and Twitter offer two-factor authentication, providing you an extra layer of security. You’ll need to provide a phone number. For instance, an adversary has your Gmail password and is attempting to reset it in order to acquire control of your account. If you have 2FA enabled, you’ll receive a text message to verify this reset. Unless the hacker has physical control of your iPhone too, they’ll experience difficulty achieving their objective.

Of course, 2FA can be bypassed via methods like social engineering the phone provider, but this is not easy to achieve. If you have an adversary that goes to great lengths like that, then you have bigger problems on your hands like the risk of getting your device exploited by a 0-day which is extremely expensive for the attacker. Nonetheless, enabling two-factor authentication is important in securing anything in our modern days.

Disable Lock Screen Notifications

If you happen to have your iPhone stolen and you have lock screen notifications enabled, the thief has access to all two-factor authentication text messages that you receive. That is a drastic security issue that people tend not to notice or care about.

I always recommend people to disable lock screen notifications. You don’t need text messages showing up in your lock screen notification area. It merely takes little time to look at the text message.

To turn off lock screen notifications, go to Settings > Notifications.

You have to go app by app to disable lock screen notifications for each app. The price of inconvenience is worth it since it helps you in securing your device and enhancing your privacy.

Set A Custom Numeric Alphanumeric Passcode

Go To Settings > Touch ID & Passcode.

Tap on “Turn Passcode On” if you don’t already have Passcode enabled or Tap on “Change Passcode.”

Tap on “Passcode Options.”

Tap On “Custom Alphanumeric Code.”

Enter your new alphanumeric passcode and tap “Next” in the top-right corner.

Enter the new passcode again to confirm then tap on “Done” from top-right corner.

After setting a passcode, scroll down to the bottom of the Touch ID & Passcode settings page. You will see a message that states “Data protection is enabled.” This illustrates that the iPhone’s encryption is now linked to your passcode and that the majority of the data on your device will require that passcode to unlock it. Also, make sure that the “Require Passcode” field is set to “Immediately.” Shorter times are considered more secure.

When data protection is enabled on your iOS device, you possess the ability to erase the data on your iPhone securely and expeditiously.

Do not add a fingerprint and therefore refrain from using Touch ID. An adversary in some cases can force you to place your finger on the home button to unlock your device. A passcode is always going to be more secure.

You’re all set with a more secure and more brute force-resistant cryptographic key than the default 4 numeric passcode typically used by the average iPhone user.

Why Setting A Passcode Is Useful For iPhone Security

iPhones support disk encryption which illustrates that clear-cut forensic methods to analyze the iPhone’s storage cannot be deployed by themselves. For example, physically removing the memory device to analyze it precisely.

The data of interest that is on the disk cannot be decrypted by hackers and other adversaries without knowing the proper cryptographic key. This key is produced by mixing the user’s passcode with a key integrated to the hardware in a manner that is intended to be hard to extract.

Apple cannot carry out iOS data extractions from the pressure of state search warrants since the files of interest are safeguarded by an encryption key that is fixed to the user’s passcode which Apple lacks. This knowledge applies to only iOS devices that are running iOS 8 and later.

The only destined technique to access the iPhone’s memory is through the phone itself: by using the correct passcode that was initially created by the user.

Set iOS To Erase Its Cryptographic Keys After 10 Incorrect Passcode Guesses By The Attacker

By instructing your iPhone’s software and enabling the erase of the iOS device’s keys after 10 incorrect passcode guesses in Settings > Touch ID & Passcode, an adversary cannot just attempt to guess and enter passcodes into the target’s iPhone. Doing so runs the major risk of completely erasing the iPhone’s keys which make the data on it possibly never able to be recovered. This honestly makes passcode-guessing drastically more difficult and slower for any level of an adversary.

To bypass this security feature would require the software developer like Apple to create and digitally sign a distinctive version of iOS that is modified to disable this security feature enabled by the iPhone user.

Remember Rate Limiting Is Your Friend

iOS enforces progressively long delays after successive incorrect passcode guesses to bog down guessing which is usually called rate limiting. Again, bypassing this security feature would require Apple to create and digitally sign a distinctive version of iOS that disables rate limiting. This is very unlikely ever to happen.

Disable Swiping Left Of Lock Screen To Prevent Widget Access

It’s important to prevent potential adversaries from accessing your device’s lock screen widget which would let them view information like dates in the calendar and possibly abuse the widget itself to their own advantage.

Therefore, go to Settings > Touch ID & Passcode, disable “Today View” / “Notifications View” / “Reply With Message” / “Home Control” / “Wallet

Applying these settings will stop people that have physical access to your phone from swiping left to view the lock screen widget, limiting the information they can initially discover and obtain from your device.

Use A Long Passphrase If You Use Device Back Up To iCloud

If you ever backup your device to Apple’s iCloud, it’s a good idea to use a long passphrase to protect your own data. You must remember to keep that passphrase away from the public eye and safeguard it.

As Apple encrypts most data in the backups, it could be possible for Apple to acquire access and hand it to an adversary like law enforcement since Apple handles the keys utilized for iCloud encryption.

Hence, Apple cannot extract data directly off the phone, but if the device is set to sync with iCloud, or backup to a computer, the majority of the data will be inevitably made available to law enforcement.

Enable Restrictions, Disable Camera And Siri, And Use A VPN

Go to Settings > General > Restrictions

Disabling Camera means you won’t have access to it and disabling Siri means the function is gone when you attempt to use Siri such as holding down the home button. If your camera is enabled, an adversary may possess an advantage. Enabling Siri means putting your data at risk of being stored. Hence, it is a good idea to disable both.

Use Signal When Transmitting Anything Sensitive

Avoid transmitting sensitive information via regular text messages or emails since they lack encryption.

I prefer Signal which is a free secure messaging application that has complete end-to-end encryption. Not only can you have a complete end-to-end encrypted chat, but also a video chat. No one is able to intercept the communications. An adversary could perceive traffic on the network like being able to see that you are transmitting a text message, but the adversary is unable to know the contents of the message.

The thing to remember is that the other person you are communicating with also needs to have Signal installed.

Fully Power Off The Device If You Are Not Planning To Use It For A While Or If You Suspect An Adversary’s Presence Nearby Or Lingering

Do keep in mind that in nearly all circumstances, iOS encryption is merely potent when a device has been fully powered off or just rebooted without being unlocked. Thus, if you don’t use the device for a while, it’s best just to turn it off completely. Suddenly, the attack surface is reduced extensively.

Some adversaries may possess the capabilities of extracting valuable data from your iPhone’s memory when it’s just been turned off. Do remember this and ensure that your phone is completely powered off if you think it has been confiscated or stolen.

The chances of extracting data from some adversaries are higher when the device is turned on.

Conclusion

Applying the instructions provided here will effectively enhance the privacy and security of your iOS device and data from adversaries such as hackers, thieves, spies, and law enforcement.

For a more in-depth and advanced hardening iOS configuration guide, check out one written by the Australian Signals Directorate (ASD) that is provided to Australian government organizations here.

You Might Also Like

Back to top
%d bloggers like this: