Saturday, January 26, 2013

Securing iOS 6

Remember the first iPhone ever released?  It didn't have a lot of features we see in the iPhone 4S and 5.  One day we'll say the same about the iPhone 5.  Until then let's review the settings you should immediately configure on your iPhone 4S.  The following information also applies to iOS 6 devices.

Right out of the box, no computer, network appliance, switch, router (wired or wireless), software or hardware is configured to be locked down or hardened.  I call this Security to the Core.  It may be one of the easiest things you can do to protect your privacy.  It's not the only thing you should do - keep that in mind.

1.  The number one thing you should never do - jailbreak (root) your iPhone.  It's not wise and opens your device up to a number of exposures, namely unsupported code and configurations.  Apple maintains an advantage over all those Android phones - software control for all those cool apps.  Remember Android apps are open source which can leave your device exposed.  Android malware outnumbers code exposures found on Apple products by a whopping 76% according to this article.

2.  The next thing you should do - always get your apps from the App Store.  Apple maintains a certain level of security and integrity of the code released as Apps in the App Store.  This software control is so important and so much better than what you get with Android apps.  Sorry Android developers!  It only takes one bad app to spoil the reputation of all Android developers.  Do your best to write secure code.  I know this often adds much more time and you are limited in the size of your app.  The world is a much better place if we all play an active role in providing secure and stable products.

3.  Settings.  Go to Settings on your iPhone and update the following items.

Safari General:

Disable AutoFill by turning it off.  If you use your Contact Info a lot you might enable that item in AutoFill.  It's recommended to keep it off.  Also turn off Names & Passwords.  If you absolutely must use AutoFill for Names & Passwords then use Clear All to wipe those from web forms.  Related to Names & Passwords: enable Private Browsing in Safari and clear History and Cache often.

Safari Privacy:

This is one area you MUST visit in Settings.  Always turn on Private Browsing.  I know this will affect some functionality of your web browsing experience but it's a much needed feature and a big improvement over previous versions.  You still have the additional option to clear History and Cache.

Safari Security:

Always enable Fraud Warning and Block Pop-ups by turning them on.

Safari Reading List:

Unless you read a LOT of items from iCloud offline, turn this option OFF.

Wi-Fi:

Always enable Ask to Join Network by turning this feature ON.  I noticed older versions of iOS didn't always enforce this rule.  Once while at an International Airport I noticed my older iPhone automatically joined a wireless access point from a cafe when I explicitly had this feature turned ON.

Bluetooth:

Unless you use Bluetooth - turn this OFF.

Settings General:

Cellular Data should be turned OFF for two reasons.  One, to protect your data plan from overages (unless you have unlimited data this can be expensive).  Two, to restrict your activities to better wireless security by joining a known and secure wireless network (using WPA2, AES, TKIP, etc.).

Also turn OFF Data Roaming for obvious reasons.  Avoid using your iOS device as a Hotspot.  As a general rule wired connections provide better physical security than wireless.  A well-configured Wireless Access Point (WAP) will provide better security than Cellular Data.

I'm a big fan of VPN connections.  Use them whenever you can.  Of course you need to have a VPN to connect to.

Always set Auto-Lock to a reasonable time frame (1-5 minutes idle).

Always turn on Passcode Lock with the Nuclear option - after 10 failed attempts your iOS device is wiped clean back to factory defaults.  If you have Small Children beware!  They can accidentally wipe your mobile device - or change your Passcode!   I'm sure you know someone this has happened to - or maybe it happened to you!

If you have a wild teenager then you'll love the Restrictions you can set to Allow certain apps, Allow certain levels of Content and set Privacy settings like Location Services and Bluetooth Sharing.

Settings Privacy:

Privacy settings can be set for Apps, Calendars, Location Services, Contacts and Bluetooth Sharing.  It's highly recommended to comb through your Location Services for every App you have.  Turn OFF Location Services for Apps you rarely use.  Consider turning OFF all Location Services and only turn them on when you use them.  I know it's a pain but this is your Privacy.  You should be in control of your privacy.  Which brings me to my next point that you can apply to any computing device.

Randomness.  Even though it's a pain and hopefully developers will code this function in as a feature in future releases - when you're not using your device then disconnect from your wireless/map/location services, etc.  We often leave things on rather than turn things on and off each time, for convenience.  However, by manually turning features like our wireless connection on and off we introduce randomness.  When we put our computers to sleep they should automatically disconnect from the network.  When we wake our devices they should reconnect.  Randomness is one of the very best security techniques we can program into our devices/apps.  Even chaos shows a pattern over time.  Randomness isn't the only security tactic we should employ, but it's one of the best.

You have to balance your Privacy with Convenience.  Remember these mobile devices we carry all the time are very convenient.  Convenience usually wins over Privacy.  Convenience is the enemy of secure systems.  Convenience sells products so security administrators need to discover and walk the fine line between convenience and security.  iOS 6 has System Services you can manage for Location Services. These include Cell Network Search, Location-Based iAds, Traffic, etc. 

