The Protect IU Blog
Mobile Device Security Shakedown PT.1 iPhone
The Apple iPhone is, arguably, the most popular and recognizable icon of the smartphone industry. If you’ve never owned one, chances are you have seen one or dreamt of the care-free life depicted in every iPhone commercial. While smartphones have put the vast knowledge contained in the Universe (and video of your buddy’s newest kittens in costumes) at our fingertips, these devices are also a repository for some of our most valuable information. We use them daily to contact the most important people in our lives, send messages to colleagues, and check our bank balances. We are transitioning away from desktop and laptop computing to phone- and tablet-based information consumption. This change in culture brings with it all the risks of traditional desktop computing and adds one more: the information now lives on a device that is far easier to lose, steal, or tamper with than your home desktop. In the following article I will describe some security best practices for using your iPhone and offer some insight into how cybercriminals may try to get at the information on your smartphone.
Let’s start with the simplest form of protection: the lock and key. Many of us already understand the importance of passwords on our electronic devices. Some of us are probably using the same password for multiple devices, or even the same password we use on websites. It is important to know the risks of weak passwords and password reuse. Because the iPhone ships with no passcode set, the first step I suggest is to enable one (Settings > General > Passcode Lock). It might seem time-consuming or annoying to have to enter that passcode every time you want to take a picture or check Facebook, but it is far more annoying, and potentially dangerous, to have your device stolen and your information used to access your bank account, email, social media, or sensitive personal or professional information. Apple has recognized this and now lets iPhone owners open the camera directly from the lock screen, which removes one of the largest complaints users had about setting a passcode. Score one for the little guy! To me the few seconds it takes to enter the passcode are worth the protection from potential disaster. You wouldn’t leave your car unlocked in a strange place; why would you leave your phone unlocked?
Password uniqueness is just as important as having a password at all. Everyone is busy, and our minds are full of information that we need to remember and regurgitate on demand multiple times per day, so it is tough to come up with a unique password for every computer or device we use. It is important, though, to avoid using the same password for multiple accounts and computing devices. Here are a couple of good practices that might help you avoid the “one password to rule them all” pitfall:
- Pick a sentence or phrase that you are familiar with, for example: My son Harrison loves bugs! If the password is derived from something that has personal meaning, it will be easier to remember. This example is long for an unlock passcode (you must turn off Simple Passcode under Passcode Lock to use anything other than four digits), so you may want to choose something shorter for the lock screen.
- Another option is to take the same sentence, “My Son Harrison is 5 years old,” and use the first letter of each word to create a password: “msHi5yo.” This method isn’t as strong as a full passphrase with spaces, numbers, and symbols substituted for some characters, but it will be tough for an intruder to guess. Combined with intrusion protection (discussed below), it will help protect your device from prying eyes.
The most important thing to remember is that if you use a single password for everything, you are going to be in a world of hurt if that password is compromised: you will have to change it on every account that uses it, rather than on the one compromised account. Choose your passphrases wisely, and choose many of them.
See the following:
- Passwords & Passphrases | UITS Knowledge Base
- Passphrase Vaults
- IU policy IT-12.1: Mobile Device Security Standard
Indiana University policy IT-12.1 states the following regarding required passcode strength for handheld mobile devices (e.g. smartphones, tablets):
- Minimum 4-character passcode using at least 2 unique characters
- Auto lock after a maximum of 15 minutes of inactivity
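The two handheld requirements above, together with the 10-attempt erase described in the next section, can be enforced on a device rather than left to the user by installing an iOS configuration profile. The following Python script is an added example written for this post; it is not IU’s GetConnected app or anything Apple ships. It uses Apple’s documented `com.apple.mobiledevice.passwordpolicy` payload; the `edu.example` identifiers and organization name are placeholders, and the `profile_meets_standard()` function is a hypothetical audit check for a profile you were handed.

```python
"""Build an iOS configuration profile that enforces a passcode policy.

Added example (not IU's GetConnected app or Apple code).  The payload type
and keys come from Apple's Configuration Profile Reference; the edu.example
identifiers and the organization name are placeholders.
"""
import plistlib
import uuid

# Values that satisfy the handheld requirements quoted above and turn on the
# 10-attempt erase discussed in the next section.
DEFAULT_POLICY = {
    "minLength": 4,           # passcode of at least 4 characters
    "maxInactivity": 15,      # auto-lock after at most 15 minutes of inactivity
    "maxFailedAttempts": 10,  # wipe the device after 10 wrong passcodes
    "allowSimple": False,     # reject repeated or sequential codes such as 1111 or 1234
    "forcePIN": True,         # a passcode must be set at all
}


def passcode_payload(policy=DEFAULT_POLICY, identifier="edu.example.passcode") -> dict:
    """One com.apple.mobiledevice.passwordpolicy payload dictionary."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "PayloadDescription": "Requires a device passcode meeting the mobile device standard.",
        **policy,
    }


def build_profile(policy=DEFAULT_POLICY, identifier="edu.example.mobile",
                  organization="Example University") -> bytes:
    """Wrap the payload in a top-level Configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile Device Passcode Policy",
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [passcode_payload(policy, identifier + ".passcode")],
    }
    return plistlib.dumps(profile)


def profile_meets_standard(profile_bytes: bytes) -> bool:
    """Audit a profile against the 4-character / 15-minute / erase-after-10 requirements."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mobiledevice.passwordpolicy":
            continue
        # A missing key is treated as "not enforced", so the profile fails the check.
        return bool(
            payload.get("forcePIN", False)
            and payload.get("minLength", 0) >= 4
            and 0 < payload.get("maxInactivity", 0) <= 15
            and 0 < payload.get("maxFailedAttempts", 0) <= 10
        )
    return False


if __name__ == "__main__":
    data = build_profile()
    with open("passcode-policy.mobileconfig", "wb") as fh:
        fh.write(data)
    print(data.decode())
    print("meets standard:", profile_meets_standard(data))
```

Opening the resulting `.mobileconfig` on the device (for example by e-mailing it to yourself) prompts the user to install it; once installed, Settings will not allow a passcode weaker than the policy, and `Erase Data` is forced on.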
Device Encryption and Intrusion Protection
Two other safeguards available to iPhone users can greatly improve your phone’s security posture against the dark arts of information burglary: encryption and intrusion protection.
Encryption prevents digital pilfering of your information if the device is lost or stolen. The iPhone (3GS and later) encrypts its storage in hardware using the Advanced Encryption Standard (AES). One caveat: without a passcode, the device decrypts everything for whoever holds it; with a passcode set, iOS ties the keys protecting your data to that passcode, so passcode strength matters for the encryption as well.
iPhone intrusion protection (the Erase Data setting under Passcode Lock) will erase the data on your iPhone after 10 incorrect passcode attempts. This makes it nearly impossible for a thief to recover the data by guessing the passcode through trial and error.
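“Nearly impossible” can be put in numbers. The script below is an added example written for this post, not code from the original article; it scores the first-letter acronym method from the passphrase tips above and a plain four-digit code against the 10-attempt erase limit. It assumes every passcode in a character class is equally likely (the best case for the owner; real users favour predictable PINs and English initials are far from uniform) and that the thief never repeats a guess, and it ignores the timed delays iOS adds after repeated failures.

```python
"""Quantify what the 10-attempt erase limit buys for different passcode styles.

Added example written for this post, not from the original article.
Assumptions: uniform choice within a character class (an upper bound on real
strength) and a thief who never repeats a guess.  The escalating delays iOS
imposes after repeated failures are ignored.
"""
import math
import string

ERASE_AFTER = 10  # iOS "Erase Data": wipe after this many wrong passcodes

# Character classes from smallest to largest; a passcode is scored against the
# smallest class that contains all of its characters.
CHARACTER_CLASSES = [
    string.digits,                                                    # 10: numeric PIN
    string.ascii_lowercase,                                           # 26
    string.ascii_letters,                                             # 52
    string.ascii_letters + string.digits,                             # 62: e.g. MSHi5yo
    string.ascii_letters + string.digits + string.punctuation + " ",  # 95: full passphrase
]


def acronym_passcode(sentence: str) -> str:
    """First character of each word: "My Son Harrison is 5 years old" -> "MSHi5yo"."""
    return "".join(word[0] for word in sentence.split())


def keyspace(passcode: str) -> int:
    """Number of passcodes of the same length drawn from the same character class."""
    for alphabet in CHARACTER_CLASSES:
        if all(ch in alphabet for ch in passcode):
            return len(alphabet) ** len(passcode)
    raise ValueError("passcode contains characters outside printable ASCII")


def bits(passcode: str) -> float:
    """Best-case entropy in bits, assuming a uniformly random choice from the class."""
    return math.log2(keyspace(passcode))


def guess_success_probability(passcode: str, attempts: int = ERASE_AFTER) -> float:
    """Chance a thief gets in before the wipe, guessing uniformly without repeats."""
    return min(1.0, attempts / keyspace(passcode))


def compare(passcodes):
    """Tabulate (passcode, bits, probability of success within ERASE_AFTER guesses)."""
    return [(p, round(bits(p), 1), guess_success_probability(p)) for p in passcodes]


if __name__ == "__main__":
    samples = [
        "1234",                                              # 4-digit simple passcode
        acronym_passcode("My Son Harrison is 5 years old"),  # acronym method
        "My son Harrison loves bugs!",                       # full passphrase
    ]
    for code, entropy, p in compare(samples):
        print(f"{code!r:32} {entropy:6.1f} bits  P(success in {ERASE_AFTER} tries) = {p:.2e}")
```

Even a four-digit code gives a random guesser only a 0.1% chance before the wipe, which is why the erase limit is worth more than a few extra characters; the acronym and passphrase rows show how quickly the odds drop once letters are involved. The real weakness of short PINs is not the math but the fact that people pick the same few codes.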
Indiana University policy IT-12.1 states the following regarding mobile device encryption and intrusion prevention:
- Recommended in all cases if supported by the device
- Required for all intended use involving critical information
If you have children who have access to your device, you should probably warn them that typing the passcode incorrectly may result in your iPhone being completely wiped.
Backing Up Your Data
Say Junior does get his tiny paws on your iPhone and manages to type the passcode incorrectly 10 times. Your data is wiped, including your contacts, applications, photos, and all the other important information we need to make it through the day. I’ve lost data on my mobile device, and not just through botching the password: if the device is dropped in water, lost, or stolen, you may not be able to recreate that perfect picture or find that important phone number. The iPhone offers a couple of ways to back up your data, and it is highly recommended that you do.
The first method is to use the Apple iTunes software (available for Mac and PC). The iTunes backup process is pretty straightforward: plug the iPhone into your Mac or Windows PC, and iTunes recognizes it automatically and lists it as a manageable device in the upper right-hand corner. This Apple support article explains the process: http://support.apple.com/kb/HT1766 If you store any kind of critical data, such as patient health information or some types of student records, IU policy IT-12.1 requires that you encrypt your iPhone backup (the encrypt-backup checkbox on the device’s Summary tab in iTunes). A list of data types and their classifications can be found here: http://datamgmt.iu.edu/classifications.shtml
The benefit of the backup is self-evident. If your device is wiped, stolen, or lost, you can restore this information to the original device or to your replacement iPhone. Note: these backups can only be restored to an iOS device, not to other types of devices.
The second option, iCloud, is a free, cloud-based Apple service. iCloud can also be used to store other non-sensitive documents that you want to share between devices. This service requires you to set up your account before performing a backup. iCloud backups are encrypted by default and meet IU’s requirements for sensitive data (but see the ePHI exception below). http://support.apple.com/kb/HT4865 The benefit of iCloud backups is that your data is backed up regularly and available to you from almost anywhere with a data connection. If you travel often for work or pleasure and your iPhone is lost or stolen, you can restore your data without having your computer handy. Remember, it is important to choose a strong password for your iCloud account, because that password is what stands between the backup and anyone else.
The UITS Knowledge Base says the following regarding backing up critical information stored on mobile devices:
- When backing up your device data to a computer, use the encrypt-local backup option in iTunes. UITS recommends setting a password that uses a combination of letters and numbers, and saving it in your Keychain.
- If you use iCloud to back up your device data, make sure to use a strong iCloud password.
Important: At IU, if you use your device to access or store electronic protected health information (ePHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA), do not use iCloud to back up your device data (regardless of the strength of your iCloud password). For more on data classifications at IU, see At IU, where can I find information about IRB requirements for ePHI or HIPAA-protected data?
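Whether a local backup was actually made with the encrypt option on is recorded in the backup itself: iTunes writes one folder per device under `MobileSync/Backup/`, and each folder’s `Manifest.plist` carries an `IsEncrypted` flag. The script below is an added example written for this post (not code from the original article or from Apple) that walks the default backup locations on a Mac or Windows PC and flags any backup that is not encrypted; the sample manifests embedded at the bottom are constructed so the check can be exercised offline.

```python
"""Report whether each local iTunes backup on this computer is encrypted.

Added example written for this post, not from the original article or Apple.
iTunes stores one folder per device under MobileSync/Backup/; each holds a
Manifest.plist whose IsEncrypted key records whether the encrypt-backup
option was on when the backup was made.
"""
import os
import plistlib
from pathlib import Path

# Default backup roots: Mac OS X first, then Windows (Vista/7) via %APPDATA%.
BACKUP_ROOTS = [Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"]
if os.environ.get("APPDATA"):
    BACKUP_ROOTS.append(Path(os.environ["APPDATA"]) / "Apple Computer" / "MobileSync" / "Backup")


def backup_status(manifest_bytes: bytes) -> dict:
    """Parse a Manifest.plist (XML or binary plist) and pull out the fields we care about."""
    manifest = plistlib.loads(manifest_bytes)
    lockdown = manifest.get("Lockdown", {})
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "device": lockdown.get("DeviceName", "unknown"),
        "ios_version": lockdown.get("ProductVersion", "unknown"),
    }


def scan_backups(roots=None) -> list:
    """Return one status entry per backup folder found under the given roots."""
    results = []
    for root in roots if roots is not None else BACKUP_ROOTS:
        if not root.is_dir():
            continue
        for folder in sorted(root.iterdir()):
            manifest = folder / "Manifest.plist"
            if manifest.is_file():
                status = backup_status(manifest.read_bytes())
                status["path"] = str(folder)
                results.append(status)
    return results


def unencrypted_backups(roots=None) -> list:
    """Just the backups whose contents anyone who copies the folder can read."""
    return [b for b in scan_backups(roots) if not b["encrypted"]]


# Constructed sample manifests (not taken from a real device) for offline testing.
SAMPLE_ENCRYPTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>IsEncrypted</key><true/>
  <key>Lockdown</key>
  <dict>
    <key>DeviceName</key><string>Work iPhone</string>
    <key>ProductVersion</key><string>5.0.1</string>
  </dict>
</dict>
</plist>
"""

SAMPLE_PLAIN = SAMPLE_ENCRYPTED.replace(b"<true/>", b"<false/>").replace(b"Work iPhone", b"Family iPad")

if __name__ == "__main__":
    found = scan_backups()
    if not found:
        print("No iTunes backups found under", ", ".join(str(r) for r in BACKUP_ROOTS))
    for entry in found:
        verdict = "encrypted" if entry["encrypted"] else "NOT ENCRYPTED"
        print(f"{entry['device']} (iOS {entry['ios_version']}): {verdict}  {entry['path']}")
```

An unencrypted backup folder is readable by anything running as your user, and it survives on the computer long after you have locked and encrypted the phone itself, so this is worth running once after turning the option on.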
How Do Mobile Devices Get Hacked
Now that we have talked about ways of protecting your device, I’m going to talk about some of the ways hackers try to gain access to your mobile information. Robert Siciliano, a McAfee consultant and identity theft expert, recently stated that social engineering is the most prevalent way for a would-be hacker to attempt to access your device. They may call and claim to be with your provider and ask you for your information, or send an email in which they attempt to “phish” it from you. Never give your username, password, or account information to anyone claiming to be from your service provider. Your real provider already has your account information on file and should never need to ask for your password. http://protect.iu.edu/cybersecurity/safeonline/phishing
Smartphones are also susceptible to monitoring software disguised as normal apps. iPhone owners are less likely to download these apps because of the control Apple maintains over applications available via the App Store. Unless you have jailbroken your device and installed apps from outside the App Store, you are most likely safe. Android users are far more vulnerable, as the Android Market does not vet applications before publishing them the way the App Store does. In March, hackers added malicious code to 58 Android apps, resulting in the infection of 250,000 phones.
Public charging stations offer another way for savvy hackers to gain access to your device. “Juice-jacking” is a method in which hackers prey on those who are running low on battery power. They set up kiosks in hotel lobbies and other public places, usually consisting of several types of charging cords laid out with the promise of free power. What users don’t know is that, behind the scenes, these stations are trying either to download your personal information or to upload malicious code to your mobile device. Some airports and malls provide legitimate charging kiosks that are safe to use; still, be careful about where you charge your device. My personal preference is to carry a small battery pack in my laptop bag or buy a case for your iPhone that provides an external battery. Examples are the Mophie Juice Pack, Power Glider, and Boost Case.
To sum it up, the iPhone and other smartphones are more vulnerable than your desktop or laptop, if only because they are so much easier to lose or have stolen. It is important to take steps to protect yourself and your data from those who would seek to do you harm. Next time we will take a look at Android devices and implementing the same practices to protect your Android device.
A reader wrote me and asked why I hadn't included any information about IU's GetConnected app for the iPhone. I have no good answer. I'm including a link to the IU iPhone GetConnected application. The GetConnected app will help you configure a device passcode and a Wi-Fi profile and set up your IU email.
UITS instruction page: http://uits.iu.edu/page/basx
Link to the IU iPhone GetConnected App: http://gc.iu.edu
Thanks to John G. for bringing this to my attention.
Ian Washburn is a Lead Security Analyst for Indiana University's Information Security Office