iPhone Security Thoughts

IOS & Macintosh.

Use more than a 4 digit pin.
Use Two Factor Authentication.
Use HTTPS.
Use a proper email setup. Like ProtonMail

Corrections.

06/20/2014 - Use of letters in longer passphrase.
05/01/2019 - touch up.


Background.

Unlike Android, IOS is designed with security foremost. The boot process is secure, data at rest is encrypted, apps are vetted, approved, signed, sandboxed, and the ability to jailbreak has become extraordinary difficult. 

Android has a model that anyone can do anything, including replacing the operating system. Just like Windows versus Mac, 100% of the virus and exploits exist on Android and near zero on iOS. Android apologists can complain that that the Mac or IOS have had incidents but when rounding to a whole number the numbers are 100% to 0% which is a rather radical comparison. If you care about privacy and security don’t buy or trust Android based devices.

Apple has some gritty details about what they do at:

https://www.apple.com/it/business/site/docs/iOS_Security_Guide.pdf

That said basic security measures do not help against government level agencies. Still, you aren't usually a target for that level of espionage, rather the common or extraordinary criminal, or a friend wanting a bit of fun at your behalf is who you have to protect yourself from.

In a sense device security can be broken into three areas of exposure, data security from friends and criminals, data security from warrant based searches, and finally security from government actors.  We’ll just touch on the issues for the first part, and a bit of discussion about warrant based searches.

 In some respects you could argue that in the post NSA era it’s apparent that some of the default choices made favoured certain governments, versus the individual. So there are changes that should be made to the out of the box device configuration to improve your security situation.

 

Data

Some data in the device is accessible if you can jail break or disrupt the boot process. This usually is hyped as something critical by the media but over time Apple has fixed any exposure of customer data, remember at some point some of the file system has to be accessible to the operating system in order to load the signed operating system.  Given this issue another layer an application should use is file level protection so that files are encrypted by your passcode until the device is unlocked, or the app is in the foreground, or has been launched. The degree of file encryption features are set by the application developer. For apps which store sensitive data you should ask the developer what they do to protect your data on the device, especially if they copy that data into the cloud.

Understanding who can access that cloud data is especially important and frankly is the weak point in your security.

Apple has disclosed what data on the device or in their cloud is accessible without knowing the passcode (or by breaking into the device); check their disclosure documents for details. http://www.apple.com/legal/more-resources/law-enforcement

Obviously SMS message belong to the telco and are accessible to most anyone… Pushing private message there isn’t private.
https://ssd.eff.org/wire/protect/sms

iMessage on the other hand is claimed to be secure, as Apple doesn’t hold the keys on their server (perhaps excluding China), rather those are properly exchanged between devices for the individuals involved in the conversation, 

You should check with the developers of other messaging apps you use to understand their security/privacy promises. Unfortunately a developer might misrepresent their security model, as the encryption playground is ripe with snake oil solutions, or their solution is basically flawed as security is hard to do.  

 

Passcode

Your common passcode/pin is the first line of defense, but by default a four digit pin with the right tools can be defeated in about 9 minutes. 

So some changes are required

A) In Apple Settings turn simple passcode off and use a long phrase of 8 or more digits/characters (some letters! not pure digits)

B) Ensure Erase IOS device after 10 attempts is on

C) Ensure Find my iPhone is on

D) Ensure Require passcode immediately is on

E) Review the privacy settings and understand why listed apps need access to certain services, also consider disabling ad tracking which is also found in this sub-panel.

F) Ensure settings>auto-lock is set to a reasonable amount of minutes

G) Consider a VPN when using public networks, hosting your own VPN is not difficult, see https://johnmcintosh.pro/vpn---virtual-private-netwo/ , and it reduces your dependency on a third party.

ProtonVPN is great, part of your ProtonMail subscription. Otherwise consider https://www.wireguard.com

With these changes a lost device isn’t accessible to the person who finds it, you might be able to get it back. It’s harder to attack, and a few minutes of cross checking might make you wonder why the app Frogger needs access to your address book?

As earlier mentioned Apple offers a service to law enforcement to discover passcodes in their crime lab, but the attack rate is limited by the device hardware to about 50ms an attempt, so a ten character pass phrase would take years or decades to defeat.

* This Is a hard Problem To Solve ?*  *TIahPTS?*   Dictionary based attack algorithms can solve the problem in far less tries than 50% of the key space. *TIahPTS?* as your password defeats that, so don’t use any english words (sigh) or ‘obvious’ keyboard key patterns


Fingerprint & FaceID.

Good stuff use it, secured on the device by paranoid brits working on the ARM CPU security in the 90’s. However in the USA the forced use of your fingerprint by officials might be allowable so remember to power off the device before surrendering to officials.

https://www.eff.org/wp/digital-privacy-us-border-2017

 

Paranoid?

Power off the phone and stick it in the fridge, or set it into DFU mode and stick it into the fridge. On some android devices you can remove the battery but are you sure that powers off the device? Frankly tossing it in a fridge is less hassle and quite secure, besides ‘they’ would have the room bugged anyway…

 

HTTP versus HTTPS.

It is your right to use encrypted transportation. 

HTTPS please, check to see if your favourite sites use HTTPS, some might require further setup in their account settings (FaceBook & LinkedIn . Ensure the browser shows the proper padlock symbol, don’t ignore credential failures message or any HTTPS failure messages. Those speak to man in the middle attacks, forgeries and other nasty bits. Check the cloud service you are using security settings preference panels, you might be surprised to find they offer more security but default to ‘less security’. Again a oddity “less secure by default”, more secure if you adjust the settings.

If you use Windows you can be lied to by the administrator of the machine as a company can setup fake certificates for outside services so that they can spy or cache SSL traffic. Employees in the USA have no rights to privacy. You might encounter this when using an internal corporate network as Safari will complain the certificate is improperly signed or fails validation. Time then to switch to 3G or LTE, or use a VPN (if possible).

After the SSL HeartBleed bug http://en.wikipedia.org/wiki/Heartbleed take ANY warnings about certificate failure seriously. HTTPS is your friend, don’t cripple it. 

Ensure you have the  HTTPS: feature turned on for Facebook & LinkedIn. Check other services you use to see if it is an option you can set or use instead of http:// For the macintosh you can even use a different browser and the plugin https://www.eff.org/https-everywhere

This leaps into the whole TOR network conversation: https://www.torproject.org  But I’m not going to cover anonymous browsing in this article, so more reading on your part is require to understand how to achieve anonymous internet browsing (hard to do), which is different from secure internet browsing.

The advice below should protect you from the default of flashing your data about, and having zero privacy and security, but in all things security related there are or can be ways for sophisticated attacks to defeat these suggestions.

 

Two factor authentication

The use of two pieces of information to validate a login or passcode etc.

This is done either by supplying a SMS pin code to your phone from the service, or the use of a psuedo-random number generator supplied by hardware (token device) or in software via Google authenticator. https://itunes.apple.com/ca/app/google-authenticator/id388497605?mt=8

In IOS 8 Apple will allow apps to request your fingerprint, no doubt you’ll see this feature added to IOS app as one more level of security for accessing app data.

If you use Gmail turn on two factor authentication  http://www.google.com/landing/2step/

The same applies for iCloud based mail, Facebook, twitter etc.

http://support.apple.com/kb/ht5570

https://www.facebook.com/note.php?note_id=10150172618258920

https://blog.twitter.com/2013/getting-started-with-login-verification

http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification/

Also see

http://twofactorauth.org


Some services (banking) you use might offer a RSA hardware token, but possibly now offer software tokens via the Google authentication app, or other app. Basically any service where you use and supply a login id/password you should check to see if they offer a two factor authentication protocol.

I have mixed opinions on using LinkedIn or Facebook to authorize third party websites & apps. Mmm just don’t, linking all your accounts to your FaceBook authorization just seems to scream for one compromise causing all to fail..

For GMail and other services, you can generate emergency passcodes on paper or interface back to a SMS or voice telephone number for backup if you lose you IOS device, and hence your access to the authentication software. Both Gmail and FaceBook they will tell you which devices currently are authorized to login, perhaps it’s time to wipe that list and rebuild it?

Review your list of challenge questions, having the same ones everywhere is dangerous. Possibility you could create a crib sheet of fake answers to avoid having people close to you guess the correct answers. However see ‘run over by a NYC taxi’ later in the paper if you actually want people close to you to reset your password.

Sounds all good but in fact two factor authentication can be broken by man in the middle attacks or SMS intercept or spoofing. Still it can prevent a friend who knows your password via social engineering gaining access to your account, as he isn’t likely have the level of sophistication required to do spoofing or man in the middle attacks.

Remember watch those HTTPS links and certificates, and is the URL what you think it is?

 

Email

In general if you use email services from Google, Apple, or Yahoo your data lives in the USA, and you have no privacy right, even less if you are not an American, and it appears no legal process is followed in order for officials to read all your email anyway.

 As of June 12th 2014 the American courts were arguing if they could search Microsoft hosted email in Ireland based on a warrant issue in New York courts. https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_States

Remember it is your privacy and why would you surrender it to the USA for a bit of free Email? If this is of a concern you should consider a Swiss hosted supplier such as: https://protonmail.com That won’t defeat a valid legal warrant. Hosting your own email server outside of the USA is possible, but this is a nontrivial and time consuming task requiring weekly if not daily maintainer chores.

After settling the email question, consider getting an email certificate so you can sign or encrypt email.

http://www.comodo.com/home/email-security/free-email-certificate.php

or 

http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

This offering exists with other SSL providers, check around, but wonder who holds the primary keys.

For Comodo you might need to load the "comodo client authentication and secure email ca" certificate on your IOS device for this all to work as the chain of certificates is not stored in the default iOS 7 setup and Comodo is blind to this non-Windows centric issue. http://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl

 

Setup Mail properly

 (a) SSL  (Secure Socket Level encryption).

 Settings>Mail/Account/Account/Advanced/ “Use SSL”

This is to use encrypted socket support for sending/receiving mail, you SHOULD ALWAYS enable this. Just like HTTPS don’t transmit data in an unencrypted form.


(b) S/MIME ON

and sign and encrypt is ON.

This will sign all email using your email signing certificate (like the one from Comodo), and encrypt the email if the receiver has given you his public email encryption key.

In order to actually exchange encrypted email I’m afraid you must first send the other party a signed email, then they have to tap on the (>) in the FROM line to show the certificate, confirm the certificate is what they and you expect and install it. That action installs the your public key, which then allows the receiver to encrypt email using your public key. Now ask for email from the other party to repeat the process on your device to get their public encryption key so you can both send/receive encrypted email.

Post the NSA debacle it is thought there was a conspiracy to make encrypted email between parties very difficult to setup. There is no one click setup, time will tell if that assumption was correct. BTW individuals in the encryption community have reported receiving bogus spoofed email with certificates pretending to be a friend yet the email isn’t from their friend. So be wise when setting up S/MIME. 

Sadly it’s unknown if various governments own the base encryption keys or get copies of the created private keys. Still S/MIME encrypted email will defeat any other player. Mind email address, date/time, and subject are exposed and just that meta-data can be so informative you don’t need the body of the email.

 

Another choice is to use GNU PGP via https://gpgtools.org Look in the store for PGP related email apps like

https://itunes.apple.com/us/app/opengp/id414003727?mt=8

and

https://itunes.apple.com/en/app/ipgmail/id430780873?mt=8

 

Pushing files:

In IOS 8 Apple will provide a ‘secure’ way to push large MB or GB files in mail by either embedding the data, or a link to the encrypted data in iCloud.

Other choices are Dropbox, Google Drive, or MS offerings. Wonder then who else holds the encryption keys, and or who they would give them to. Don’t use other large file service offerings, who are they really? Is your data secure?

 Data files or documents you want to protect should be pre-encrypted on your device, and sent with the assumption someone will make a copy of the file at some point between your computer and your friend’s computer.

 

Tracking.

Your iOS device is a tracking device because emergency services need to know where you are, either within 10m by the phone GPS or 100m by cell tower triangulation.

Another pre ios 8 problem is use of the MAC address on the WIFI radio interface via BIG DATA to correlate your device and you to any wifi networks you handshake with as you pass within signal range. Just strolling thru a mall in America will let hundreds of merchants know you are in the mall shopping and which stores you visit etc. This is because your IOS device reaches out to all the Wifi networks reachable to auto-login or to see about access rights. In iOS 8 this becomes more difficult for the adversary as a random MAC address will be generated for each network it chats to, thus defeating the ability to correlate the data keyed by the MAC address and shared by data services between multiple merchants.

Although this applies to merchants it seems at border sites between Canada and the USA the governments have used WIFI MAC tracking to record entry and exit of devices between the countries and tagged that to individuals.

 

Dangers

Your Apple ID

 A compromised Apple ID will allow someone to remote wipe your mac or iOS device, so ensure the challenge questions are unique, and turn on the two factor identification.

 

See http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/


Two Factor authentication can fail

https://www.schneier.com/blog/archives/2005/03/the_failure_of.html

&

http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication

&

http://blogs.sophos.com/2014/02/05/sophoslabs-android-malware-intercepts-sms-messages-to-steal-banking-info

 

Macintosh

(a) Turn the File Vault feature on and setup encryption on external drives.  When you turn file vault on, Apple will ask to store the decoding key with Apple.  This I believe would allow the police or your estate access to decrypt your drive. Your choice, but remember if you forget the password the data isn’t accessible as far as we know.

(b) Under user & groups don’t allow guest user.

(c) Ensure your mac will sleep and lock the screen, or need the password when awoken.

(d) Under Security & Privacy

Ensure allow apps is set to mac app store and identified developers. If you require “Anywhere” consider why?  This feature prevents unsigned apps from running, any apps today you need should be from the store, or from known developers who have a signing certificate from Apple. Gone are the days of just running any old app on your macintosh.

(e) Set the FireWall ON, and review the list of exceptions. This is a bit difficult to setup but a bit of Googling will inform you why each app needs to open tcp/ip/udp ports for use.

(f) Privacy, review why apps should have access to your data

(g) Keychain

Remember all the passwords with possible safari suggested passcodes in the keychain or with a password app. This reduces exposure to key loggers as the auto-insert of login credentials in Safari should be secure.

(h) In Mavericks and IOS 7 turn on the iCloud keychain. You will need to approve it from an existing device or via a system wide passcode. In general access to the data from a new device requires a password, or approval from one of your other Apple devices. This is a nice feature to ensure you can auto-enter login & password data from all your devices, along with that two factor identification data from SMS or Google’s Authenticator app.

(i) Ensure you have a legal warning if this is a business related computer. Some countries require such warnings to lay foundations for prosecutions.

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText ”Warning Text”

 

"This is a private computer system owned by Company and is for authorised use only. If found contacting us at #### , or email at XXX@YYY.com"

 

Backups

Backups to iCloud is great, but who can see the data? A weak point is the backup of your device in iTunes.  I recommend a backup with password to an encrypted disk. This is because the private encryption keys for your iOS device are stored in the backup, which opens up an easier attack vector for someone trying to decrypt the contents of your iOS device.

Yearly you might consider buying a hard disk and doing a full backup of your iOS devices via iTunes, then a full time machine backup of your Macintosh, and storing that encrypted hard disk somewhere other than your home, so that after a robbery or fire you might be able to at least restore things back to a point a year back or so.

Still because address, calendar and email live in the cloud that information wouldn’t be lost. More complex solutions as time machine backups over VPN, or backups to Amazon Glacier etc can be done if your backup and restore needs are more critical than the average consumer.

 

Loose thoughts:

 The NSA provides a Macintosh/IOS security document, worth reading:

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

&

https://ssl.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf

 

Run over by a NYC taxi

Having a paper list of passcodes/passwords in your personal papers would be acceptable if you want any heirs or your estate to have access to any of your data, email or Internet accounts etc. The law is murky for online services do anything for estates or heirs, so best to have the passwords/passcodes accessible in a controlled manner if you want anything digitally to survive your death.


© John M McIntosh 2013-2019