Category Archives: IPhone Security

Is Jailbreaking your iphone or ipad bad for security?

Jailbreaking is the terminology used to describe the situation where the native protection of an iPhone or and iPad is defeated (hacked) to allow developers access to the file system’s root directory. These files would normally be hidden and not accessible but when a device is jailbroken developer’s are then able to modify them and create new offerings outside the control of the Apple store. Now that you know what jailbreaking is you may be asking yourself why would someone want to jailbreak their device and how is it done?

Why would someone want to jailbreak and iphone or ipad?

Jailbreaking is typically done by digital rebels who like to tinker with their devices and not be bounded by the laws imposed by others. People that believe devices should be open to exploration and that once they purchase it they are free to modify and improve. Many people jailbreak to utilize advanced short cut features, use apps only available on jailbroken devices, and open up their data options beyond the restricted carrier models that are available normally (also known as unlocking vs. jailbreaking).

How is jailbreaking done?

There are numerous free utilities available including Spirit and Absinthe that allow you to jailbreak your iphone, ipad, or other iOS based device. If you decide you should choose your utility wisely because picking the wrong one could lead to an inoperable device or security problems. I have chosen not to jailbreak my device but if I did jailbreak it I would make sure follow these jailbreaking risk mitigation steps.

Jailbreaking security risk mitigation steps

  1. Perform a full system backup prior to attempting the jailbreak
  2. Choose a jailbreaking utility that is validated as compliant with your version of iOS running on your ipad or iphone to minimize the likelihood of problems
  3. Choose a jailbreaking utility that is highly rated by other users with a large install base
  4. Choose a jailbreaking utility that has a track record for supporting new iOS levels and is covered by respected
  5. Skim the documentation of your jailbreaking utility to make sure you are changing any default passwords that are created as part of the process. Many of the utilities leave a default account that could be a future security or malware thorn in your side if you do not assign a unique password when prompted.

Why jailbreaking is not a good idea for enterprise use?
#1. Jailbreaking a device violates the Apple terms of service and likely violates your Apple care warranty. Many companies rely on Apple for hardware support so violating the terms of service puts this arrangement in jeopardy.

#2. Jailbreaking a device increases the risks of device instability since Apple does not validate the effectiveness of a jailbroken device. This is more theory vs. any working examples to highlight at the moment but it is very logical that increasing complexity can lead to increase problems.

#3. Jailbreaking a device increases the likelihood of iOS upgrade issues when new updates are rolled out. Apple iOS constantly changes so you have to ask yourself how much time you have to troubleshoot and deal with problems if the jailbroken device does not tolerate a routine iOS update.

#4. Jailbreaking an iPhone or iPad can increase the probability of data security issues since you are installing unreviewed software from vendors of unknown quality. In my opinion this is the biggest reason not to do this at the corporate level there is just too much downside risk that is hard to quantify.

#5. Jailbreaking a device has been known to increase battery consumption rates. Batteries drain quick enough and adding extra app or utility overhead only increases the drain.

Jailbreaking a personal iphone or ipad is a personal decision with limited risk but the same action is a drastically different equation in a corporate setting.

How long until Apple iOS needs its own patch Super Tuesday?

Are you Apple fans ready for some digital heresy? Apple iOS is as vulnerable to security problems as any other software, even as vulnerable as gasp Microsoft. We have witnessed this evolve from occasional updates to regular iOS updates and news of active attacks in the wild. If there was any doubt it is official Apple devices need the same security measures as any other device.

None of this should come as surprise to anyone. One of the unpleasant realities of being the big dog in town is that you become an attractive target to hackers. Apple devices started as a consumer hit but that success has led to a clamor for equivalent devices in the enterprise. Top level executives love these devices and have adopted them in masses along with the regular rank in file company employee. Would be attackers now realize that Apple devices are the future and compromising them can lead to a treasure trove of corporate intellectual property.

So will Apple adopt the equivalent of a regular monthly patching window the equivalent of Microsoft’s infamous “Super Tuesday” patch window? I would bet big money on it and the reason is enterprise adoption. Most enterprise IT departments have not been on the forefront of bringing Apple mobile devices into the fold and are now quickly playing catch up.

Playing security catchup for them with Apple devices means:

  • Refining policies to enable Apple mobility devices
  • Educating users on security requirements on Apple devices such as patching and safe device usage tips
  • Reminding users that physical security and safe browsing security measures apply on mobile devices
  • Evaluating and implementing iOS enterprise security tools to help control devices that contain sensitive corporate information

Enterprise IT will also pressure Apple to release iOS updates at a consistent time of the month because it helps with planning and user education. It is a lot easier to schedule, implement and communicate security updates when a fixed release date is established and can be planned around. Then again Apple has never had a reputation of pandering to corporate IT departments so the call for consistent patch release dates may go unanswered.

Bold and not so bold predictions:

Within next 6 months a major security incident will involve the iOS and be responsible for a big intellectual property loss.

Within one year Apple will establish a fixed monthly patch window date

iPhone 4s security accessories

 

 

 

 

 

 

 

Orders for the iPhone 4s are smoking hot and the volume is only going to ramp up between now and the Christmas season. With a new phone comes the need for new accessories to make your phone more attractive and keep it in good working order. Protective security cases and screen films are essential to help keep your iPhone 4s from suffering damage due to an accident.

iPhone 4s Cases – By choosing a case for your iPhone 4s you can help protect your smart phone from drops, scratches and other wear and tear related issues. Cases are must have accessories to help secure your iPhones and avoid costly repairs.

Boost Protective Case – Attractive black protective case is comfortable to the hand and lightweight which are important features to ensure you will continue to use it day in and day out. This case also provides extended battery benefits so it is one of the higher end cases available for your iPhone 4s.

splash VAPOR Slim-Fit Flex Case – This case is made of soft silicone which helps offer protection while keeping the weight in check. Fits nice and has been noted as high quality in the reviews and lists at a nice price of $14.95.

QuickFlipCase for iPhone 4/4S – Case is highly rated on Amazon.com and noted as a good value for the money. Has a useful belt clip that will give you the look of an Old Western gunfighter if you draw your iPhone 4s quickly from your belt. I’m your huckleberry..

OtterBox Commuter Series Hybrid Case – The normal OtterBox cases were noted as being a bit bulky but the Commuter Series is free from that problem and comes in a variety of colors unlike some of the other cases. I am partial to the white/black model which is linked.

Elago slim fit case – This case is priced at the very low end of the spectrum but offers solid value and extra protection for the price. Many of the reviewers were impressed with the slimness of the case and how it felt natural in their pockets.

Tuneband for iPhone 4/4s -Offers front and back device protection and the unique feature of an arm strap for runners and other people who want to take the iPhone 4s on the extreme go. Available in black, pink, purple, red, and glow in the dark.

iPhone 4s Screen films/protection – To help reduce glare, smudging and lower risk of scratch for your iPhone 4s display.

Halo Screen Protector Film – High quality low cost films are a good option to protect your phone screen and keep the smudging/glare problems to a minimum.  $5.95 for 6 films is not a bad deal at all.

splash Masque Clear Screen Protector – 5 pack of films is very affordable and has had mainly good reviews noting its easy bubble free installation and good fit.

AcaseView Screen Protector Film – Another quality film option this one comes in a pack of 6 for $7.25.

iPhone 4s car mounts – Helps securely mount your device in your car to function as a gps or for other hands free use (please be safe and obey local laws). Remember phones can become projectiles in sudden stops or accidents so it is important to securely mount them and keep them off your seats.

Kensington SoundWave Sound Amplifying Mount – Higher end then the one recommended below and my top choice for a reasonably cost mount.

Kensington Quick release car mount – Kensington is a trusted name in the security lock/mounting industry and this mount is highly rated from those who have purchased it.

Black Ultra Durable Compact Car Mount – Not yet rated due to newness

Motorcycle Handlebar Mount – For motorcycle enthusiasts this product is relatively knew but an intriguing option (be safe on the bikes please)

Happy and secure iPhone 4s’ing!

 

iPhone 4S Security

The release of the iPhone 4S caused quite a stir because it was not what everyone was expecting. Many of the pundits were boldly pontificating about advanced new features that would be introduced via “iPhone 5”. Instead they got the iPhone 4S which didn’t match expectations but it has been a pre-order bonanza anyway. It seems Apple can literally do no wrong right now. I decided to order an iPhone 4S (32GB memory black model) and hope to get it towards the end of the month.

When it comes to securing your iPhone 4S not a lot has changed at this point. The iOS 5 update is expected very soon which will likely introduce some security changes worth mentioning so I will provide an update when that hits the street.

Basics of iPhone 4S Security steps:

Set a private pass code to prevent others from accessing your iPhone 4S. If you do not set up a password you are at a bigger risk of having someone snoop or send prank texts/emails from your phone. Remember your code because if you forget you must do a restore.

Select General > Passcode Lock and enter your 4 digit passcode

Set password expiration parameter (which defines how long iPhone 4S will remain unused before pass code needs to be entered). A setting of 30-60 is a good idea.

Select General > Passcode Lock> Require Passcode then select the value you want

Disable Bluetooth if you do not use it. Bluetooth related vulnerabilities have gone from theoretical to actual problems being exploited so if you are not using it definitely turn it off.

Select General > Network and turn Bluetooth off

Set a voice mail password to prevent busy bodies or sleazy European tabloids from accessing your voice messages. Select a pin that will be easy for you to remember but not easily guessable by others (same concept as your debit card pin)

Select phone > Change Voicemail Password

Lock your SIM card to secure your sensitive information located in memory.

Select phone > SIM PIN and turn it on. The manual mentions the default iPhone SIM PIN is 1111 unless the carrier has changed it.

Backup your phone data every few months so that you will not lose your phone lists, pictures and other customized settings. This will be useful if an update goes wrong and your phone requires a total restore.

Install iOS firmware updates when they become available. iOS 5.0 is expected very soon and will contain new functionality and security fixesThe recent passcode bypass vulnerability will be updated in a November update and in general when hardware or software is updated by a vendor it is often is due to security vulnerabilities so it is best to stay current with these important updates.

Only join WiFi networks that you trust or you risk having your information intercepted and possible identity theft.

Use Find My iPhoneFind My iPhone is Apple’s free app that helps recover or remotely wipe your iPhone 4S if you lose it or it gets stolen.

You also have the option for installing additional security applications to provide anti-virus and password related functions. If you are interested in additional security applications for your iPhone 4S be sure to review the best of itunes security store post.

iTunes Security Applications – What’s available for the iPad2, iPad, and iPhone

Apple devices such as the iPad 2, original iPad, or iPhone are not vulnerable to traditional information security threats such as viruses and other web based malware. This statement is untrue wishful thinking and is a dangerous message that is being communicated by many forum “experts” who think just because it is not happening now it will not in the very near future.

Apple products are at the top end of the usability scale but are vulnerable to the same information security threats as any other devices. In the past Apple devices were not often targeted because the user footprint was small and not the high value targets that hackers seek. The times have changed and now Apple has the highest market cap of all technology stocks and everyone from CEOs to soccer moms are seen sporting iPads and iPhones. Apple devices are now among the hottest targets for hackers and financial criminals who seek to compromise your information and cause other all other sorts of information headaches. Click here if you are here to learn about physical security products for your iPad/iPad 2 (cases/locks/mounts/etc) to prevent theft otherwise read on for our top itunes security application recommendations.

Do you need more security protection for your iPad(1/2) or iPhone?

  • Are you a business user? – These devices could end up being a pathway into the corporate network and require the same type of endpoint protection as any other device
  • Do you perform online banking or manage other sensitive financial accounts with an apple device? Online banking increases your potential for financial loss if your credentials are compromised so additional controls are recommended.
  • Do you frequently web surf to many sites of unknown quality?
  • Do you have kids and desire advanced security or child protection features?
  • Have you opened up your device otherwise known as  “jailbreaking”?

Here is a rundown of the top security applications/utilities available in the iTunes store to protect you iPad2, iPad, or iPhone.

Mobility Management/Device Locators – Tools that help identify a lost device or simplify the management/cleanup process to minimize the risk when a device is lost or stolen.

Find My iPhone – Apple’s free app is a must use security device to help locate or remotely wipe your device should it become lost or stolen.  iOS 4.2 is required to take advantage of this functionality.

McAfee Enterprise Mobility Management (MEMM) – Tool to allow company’s to administer iPhones and iPads in an efficient and more secure manner. This is done through registering of devices and allowing rapid configuration to an allowed email/VPN system. Features Active Directory compatibility for enterprises that use that functionality. MEMM is listed as a free app in the iTunes store. Compatible with: iPhone 4, iPad, iPad2, 4th generation iPod touch

Anti Virus & Web Surfing Security Apps – Tools that provide additional security from viruses and other web based malware.

McAfee Family Protection – Designed for parents to allow their children to safely browse the Internet and avoid inappropriate content. Allows reporting of blocked URLs and easy modifications to the inappropriate content list. It works by providings a browsing sandbox that takes the place of the native Safari browser. Cost is $19.99 and is compatible with iPhone, iPod touch, and iPad(1/2). Requires iOS 3.0 or later

Virus Scan of Suspicious Website – Free app queries existing database archives that have labeled a site as clean or infected. This would be used prior to visiting a site but should only be considered a small mitigating control as these data sources could be quickly out of date. Otherwise an ok tool to view known problem sites before visiting them. Compatible with iPhone, iPod touch, and iPad. Requires iOS 4.0 or later

Intego’s VirusBarrier X6 – Software is installed on a Mac computer not an iPad or iPhone itself. Software scans an iPad or iPhone when it is connected to the machine with this installs and helps to validate it is free from malware. This should not be considered real time protection but is an option if a device does become infected and needs to be cleansed.

Symantec VeriSign Identity Protection – Coming Soon (recently announced but not yet available in iTunes store)

Password Managers – Tools that help securely manage passwords for the Apple device itself and more important the assortment of websites you visit.

Roboform – Award winning password manager for other platforms has an offering that is available for free download in the iTunes store. It appears it is not entirely a free app as it requires an annual fee. One other item to note is there is more negative feedback on the iTunes comments vs. what I would expect from what is a normally high quality name brand tool. Compatible with iPhone, iPod touch, and iPad. Requires iOS 3.0 or later

Splash ID Password Manager – Top rated software costs $9.99 and is my top choice of programs available to securely create lock and store sensitive information. Had the most positive reviews of any security software in the store and also offers password generation and anti-phishing url awareness options. Compatible with iPhone, iPod touch, and iPad. Requires iOS 3.0 or later

1Password Pro – Password management tool to auto fill password to all the web sites you visit in a secure manner. This type of tool is essential to avoid reusing passwords which puts all of your accounts at risk if any one of the sites you frequent is compromised. If you decide to use this tool remember to back up the data to your iTunes account if you this is your sole method of keeping track of your passwords.The Pro version costs $14.99 and is compatible with: iPhone, iPad, iPad2, iPod touch  iOS 3.1.3 or newer

SyCrypt Safe – Provides additional security around passwords/PINs and contacts using a 256 bit key based on the TwoFish algorithm. Costs $1.99 and is compatible with: iPhone, iPod touch, and iPad. Requires iOS 4.1 or later.

mPassword – Maintains passwords to provide additional security over the standard device passcode locks available in most apple devices. App cost $.99 and appears to have a relatively small user install base. Compatible with iPhone, iPod touch, and iPad. Requires iOS 4.2 or later.

Mnemosyne Password Manager $.99 download that does password management based on a secret pass phrase/username.

Keeper Password & Data Vault – All user feedback suggest the free version with ads is sufficiently bothersome to avoid this application. Compatible with: iPhone and iPad iOS 3.0 or newer

This is just a sample of the security solutions available via iTunes app store and many more are on the way.

For most users I recommend the following setup:

  1. Use Splash ID Password Manager
  2. Use Find My iPhone
  3. McAfee Family Protection (optional if you desire these features)

Other useful resources:

iPad and iPad 2 screen privacy recommendations

iPad2/iPad physical security products (cases/locks/mounts/etc)

iPad2 Security Tips

iPad Security Recommendations

iPhone Security Tips



 

Apple iOS4.2 – What are the security benefits?

Apple released iOS4.2 in late November and it is applicable for the iPad, iPhone, and iPod Touch. From a functionality perspective the upgrade provides a lot including the ability to create folders and multitask on the iPad (features previously lacking) plus the AirPlay feature for all three devices that enables streaming of content to the Apple Tv or Airplay enabled features.

These features are intriguing but since this site specializes in information security my primary focus is to discuss the security implications of the iOS4.2 upgrade.

What is the most significant security benefit of iOS4.2?

The Find My iPhone, iPad, or iPod touch application is now available as a free application and this is an important breakthrough because these services typically were subscription only in previous iOS’s via the Mobile Me service. Once the Find My app is installed an owner of one of the devices mentioned above can perform the following security functions:

  • Find the location of a lost device on a map
  • Display a remote message on the device screen (with hope it will be returned to you if found so perhaps offer a reward as incentive)
  • Remotely set a passcode lock so your device and data can not be accessed inappropriately
  • Wipe the device remotely if it is stolen or lost for good and you are not likely to recover it.

These security features are significant and go a long way to help prevent loss of data confidentiality on a loss or stolen device and possibly may even with the recovery of your device itself.

How do you upgrade your iPad or iPhone to iOS4.2?

First back up your data and then connect your iPhone or iPad or Ipod Touch to your computer and load up iTunes and click check for updates. Download and install the upgrade.

How do I activate Find My (iPad/iPhone)?

Here is a nice Apple instruction video showing how to configure your device on Me.Com

* Be sure to set this up right away if you wait until you need the features it will be too late.

What security vulnerabilities are corrected by iOS4.2?

In addition, to the Find My functionality there is a big list of other security vulnerabilities fixed in the iOS upgrade. In scanning the list several of the vulnerabilities mention arbitrary code execution that could lead to a lack of security integrity of the device. If you have not already done so an upgrade to i0S4.2 is highly recommended to close these vulnerabilities and take advantage of the new Find My capabilities. Install it and configure your device on Me.com as soon as possible.

Smartphones and Online Banking Apps – New security vulnerabilities and tips to stay protected

The recent InformationWeek article exposing new bugs in online banking applications that are utilized by various Smartphones really peaked my interest. Two of my biggest focus areas have been to highlight the risks of online banking along with some recent advice on how to keep your iPhones secure. The primary issues highlighted in the InformationWeek article include improperly configured security certificates, lack of encryption, and improper saving of sensitive credentials without user approval.

As a result of the findings many banks and other payment companies like Paypal are issuing new versions of their applications that are or will soon be available. This is an important reminder that helps reinforce a few important security principles we have already covered recently.

Smartphone Security Tips

#1 – Online Banking is risky enough when performed on a machine that is physically secure from theft. Performing online banking on mobile devices adds an additional element of risk that is not recommended. If you lose your device or it is stolen you are at an increased risk of having your credentials compromised.

#2  – Application updates occur regularly and are often issued as a result of security vulnerabilities. You must regularly check for updates for any installed applications on your Smartphone device and ensure that you have the most recent version of software. Failing to do so will put you at an increased risk for compromise and financial loss.

#3 – Be discreet about which applications you choose to install on your Smartphone. By installing new applications you potentially expose yourself to additional security vulnerabilities so your security is only as trustworthy as the vendor providing the application.

iPhone Security – Tips for keeping your iPhone Secure

The iPhone has been easily winning the battle vs. Google Android and other mobile devices for market share but is it leading the pack in security? Out of the box the iPhone has some security gaps but if you follow these iPhone security tips you will be ahead of the game in protecting your device.

iPhone Security Settings

1. Set up a pass code to help prevent unauthorized use of your iPhone. By default no password is required but that kind of setup greatly increases the chances of someone snooping on your phone (the most probable scenario) if you leave it unattended or if it gets lost. If you forget your pass code you must do a restore so be sure to remember it.

Select General > Passcode Lock and enter your 4 digit passcode

2. Set how long before passcode is required (how long iPhone can be locked before passcode needs to be entered). A setting of 30 minutes should be good here.

Select General > Passcode Lock> Require Passcode then select the value you desire

3. Disable Bluetooth if you do not plan to utilize it. If Bluetooth is active it is another potential vulnerability source so if you are not using it shut it off.

Select General > Network and turn Bluetooth off

4. Set your voicemail password to prevent others from accessing your voice messages. Select a pin that will be easy for you to remember but not easily guessable by others (much like your ATM pin)

Select phone > Change Voicemail Password

5. Lock your SIM card to help provide additional security around your sensitive information.

Select phone > SIM PIN and turn it on. The manual mentions the default iPhone SIM PIN is 1111 unless the carrier has changed it.

6. Turn Pop Up Blocker On to enhance security and browsing experience (note that this stops only entry/exit induced pop ups not click through pop ups)

Change security settings: Choose Safari, then turn pop up blocker on

7. Backup your phone data periodically so that you will not lose your phone lists and other customized settings. This will come in handy if a firmware update ever goes haywire.

8. Install iPhone firmware updates when they become available. The recent passcode bypass vulnerability will be updated in a November update and in general when hardware or software is updated by a vendor it is often is due to security vulnerabilities so it is best to stay current with these important updates.

9. Only join WiFi networks that you trust to lower your chances of having passwords and other sensitive data intercepted by those seeking to steal your credentials.