10 iOS Security Tips to Lock Down Your iPhone
Mobile security experts share their go-to advice for protecting iPhones from hackers, thieves, and fraudsters.
Now more than ever, we depend on smartphones to keep us connected to each other, to our employers, to our finances and healthcare providers. We use our phones to shop, bank, and access corporate applications and information. But are our iPhones as secure as they could be?
"iPhone owners tend to feel more confident in the security of their phones than Android owners, and for good reason," says Randy Pargman, former FBI computer scientist and senior director of threat hunting and counterintelligence at Binary Defense.
But that doesn't mean iOS is immune to security issues. Back in April, we learned attackers had been exploiting two unpatched iOS vulnerabilities since at least January 2018. Last year, researchers discovered more than 20,000 iOS apps were published without App Transport Security (ATS), a set of rules and app extensions Apple built as part of the Swift development platform. ATS is turned on by default; without it, critical information was being transported without encryption.
"It's true that iPhones and the whole Apple ecosystem keep customers safer from malicious apps, but that doesn't mean that all the data stored in the apps is safe from theft," Pargman continues. "Many apps store sensitive information on servers operated by the app developer or transfer the information unencrypted over the Internet. As soon as your information leaves your iPhone, it is outside of your control to protect it."
The security of iOS doesn't mean users can ignore basic threats to data security. Most people don't have to worry about advanced targeted attacks or zero-day exploits; however, they are still exposed to phishing attacks, device theft, and malware that could put their information at risk. If you're using Safari or another browser to navigate the Web, share data, or order goods, you're just as vulnerable on your iPhone as you would be on Windows or Android. Those who store financial, health, and other sensitive data on their iPhones should take extra precautions.
These precautions are even more essential at a time when people are relying on their iPhones to work remotely. Wandera research shows collaboration software adoption jumped nearly 190% between early February and the end of April, says Michael Covington, vice president of product strategy at Wandera.
"Though mobile devices have been broadly adopted within the workforce, COVID-19 has forced many businesses to finally put those devices to use, with more enterprise applications being opened up to mobile devices and remote access finally being allowed," he says.
Many businesses have changed data access policies to enable access for remote users.
"From work files to health records and banking data, the pandemic has forced more frequent use of the mobile device as people try to stay productive and connected, while balancing the needs of entire families now forced to work with a limited set of shared resources," Covington says.
Many people who have been isolated at home have started to let their guard down when it comes to practicing strong security, Covington says. Phishing attacks are taking advantage of the pandemic, preying on global fear and uncertainty, which increases people's chances of getting hit.
Now is a good time to take a closer look at your iPhone security posture. More than 20 mobile security experts weighed in to share their go-to tips to strengthen privacy and security of your mobile device. Here, we share their most popular suggestions and tips you may not think of.
What did we miss? Feel free to share your favorite iPhone security advice in the Comments section, below.
Chances are good you have an app or two that hasn't been used in a while. These apps are not only taking up space, they could be a security risk. Apps no longer maintained by developers don't receive updates and security fixes. They should be updated or deleted if not in use.
When browsing the Apple App Store -- the only place where you should be downloading apps -- experts advise smart shopping. Take time to read reviews for each app to learn whether it's legitimate or whether users had a bad experience. "Do a little research before you download apps," advises Jack Gold, founder and principal analyst at Jack Gold Associated. "The Internet is pretty good at letting you know if an app is bad or doing things it shouldn't be doing."
Wandera's Covington advises only using official apps for sensitive data like banking and health records. Get into the habit of only using these interfaces so that you're less likely to fall victim to a phishing scheme targeting your personal information.
That's the most popular piece of advice experts offered, followed by downloading the updates as soon as they're available. Even if an update doesn't mention patches, these regularly come with fixes for security holes discovered since the previous update. If left unpatched, these app and iOS vulnerabilities could put devices and data at risk.
"One of the most common mistakes people can make is not updating their devices to the latest release of the mobile operating system," says Rick Holland, CISO and vice president of strategy at Digital Shadows. "If there isn't a launch event talking about the latest new features, these updates are critical ... [they] often fix critical vulnerabilities with exploits in the wild."
Apple makes the iOS update process simple. When an operating system update is available, you will see a notification on your Settings icon. "Automatic Updates" also can be enabled so you don't have to worry about manually updating every time a new version of iOS is available.
It doesn't. Third-party apps often request permission to access iPhone features and data they don't truly need -- for example, your location, camera, contacts, and microphone. Experts advise going through your apps to ensure they only have access to the things they need and only use your location when necessary.
By going to Settings > Privacy, you can view which apps have access to your contacts, calendar, photos, Bluetooth, microphone, camera, and health data. You can drill down further in Location Services, where you can disable location-sharing and change location access for each app.
"Apps will often request permissions to access areas and functions of your iPhone that they have no business accessing and that have no bearing whatsoever on the functionality of the app in the first place," says digital privacy expert Attila Tomaschek. "For example, flashlight apps have been notorious for such practices, asking for access to users' camera, microphones, photos, messages, contact lists, location data, and more."
There is "no fathomable reason" why an app like this should have such broad access to your iPhone, Tomaschek says, which is why it's important you limit permissions of each app to only what is needed.
We may be used to unlocking our iPhones with biometric data, but a secure passcode remains important.
"Even if you can solve a lot with facial recognition and fingerprints, the code lock is still a central component in the access control of the iPhone," says Ahmed Mohamed, systems engineer and security researcher at Metron Pvt. "If you still use a four-digit code here, you are taking an unnecessary risk because these codes are relatively easy to crack." He and other experts suggest creating an alphanumeric password containing both letters and numbers.
To do this, access Settings > Touch ID & Passcode (or Face ID & Passcode). Go to Change Passcode and tap Passcode Options to view the option for Custom Alphanumeric Code. Don't share this passcode with anyone else, and don't add another person's biometric data so they can unlock your device without your permission.
Experts urge iPhone owners to enable multifactor authentication (MFA) where possible and to create strong, unique passwords for each of the applications they use.
"Some people also think biometrics -- fingerprints, facial recognition, etc. -- are a replacement for passwords, but they should really think of them more as a replacement for usernames," says Ken Underhill, master instructor at Cybrary. "It's good to remember that a strong, complex password and/or code is still beneficial." He echoes what security pros recommend: creating strong and unique passwords across all accounts, not just for the iPhone itself.
A key area of concern is iCloud, where accounts could grant intruders access to files, services, photos, and data if they're able to log in. Here, MFA is essential, and like all applications, iCloud should be secured with a password different from any other passwords stored on your device.
"Even though the threat of spyware being installed on your iPhone is scary, the way that I've seen most attacks against iOS carried out by criminal groups is not by hacking the phone itself, but by guessing or stealing the victim's iCloud account password and simply logging in as them." If someone can get to your iCloud backup, they can access the same data that's on your device without having to steal or break into the phone itself.
"Have lots of passwords on your phone, too," says Chris Hazelton, director of security solutions at Lookout. "Use a mobile password aggregator to create unique passwords for all your mobile apps. The latest mobile OS have integrations with password aggregators that make them easy to use and even speed up signing into apps."
If you're worried about your device falling into the wrong hands, you can prevent an attacker from brute-forcing authentication with the "erase data" option. This automatically deletes all data on your phone after 10 consecutive incorrect login attempts. Access Settings > Touch ID & Passcode and scroll to the bottom to toggle Erase Data to the On position.
"Be warned, though, that this could be an extremely risky proposition if you're prone to forgetting your passcode or if you have young children that like to play with your iPhone, because once that data's gone, it's really gone if you don't regularly back it up," digital privacy expert Tomaschek says.
Some websites use cross-site tracking to monitor your online activity so content providers can advertise products and services tailored to your interests. Apple gives the option to turn this off, which can be managed in Settings > Safari. Scroll down until you see "Prevent Cross-Site Tracking" under Privacy & Security and turn it on. This doesn't mean you'll see fewer ads, but it does mean advertisers won't be able to collect your browsing data to deliver targeted ads. In this section of the Settings app, you can also block pop-ups or enable fake website warnings.
You can also opt out of interest-based ads in the App Store and Apple News by going to Settings > Privacy > Advertising. Further, you can turn off location-based ads provided by iPhone, iPad, and Mac by accessing Settings > Privacy > Location Services > System Services. Here, you can switch off Location-based Apple Ads to limit the number of targeted ads you see.
Safari uses Google as its search engine by default, but users can opt to swap it for the more privacy-focused DuckDuckGo if they prefer. Access Settings > Safari > Google to view and change your default search engine.
Experts urge iPhone owners to avoid clicking any links that appear suspicious or come from unknown sources. Modern phishing attacks don't only target desktops and laptops. They also arrive via SMS or email, and many use shortened URLs or QR codes to hide the Web address. Unsuspecting users can surrender access to their device by tapping a malicious link in an email or text or by accidentally accessing a fraudulent website.
Mobile phishing is the most common mobile threat, Lookout Security's Hazelton says. More than 45% of Lookout's users encountered mobile phishing in the past three months, up from 32.5% in the middle of 2019. "Understand that any link, across any app on your smartphone, can take you to a site that will try to capture your credentials for work or play," he says. Many "tells" can indicate a phishing attack: Poor writing or grammar, complex or misspelled URLs, and poor layout are a few.
Some of these attacks might try to snatch iCloud credentials. "Do not respond to emails or texts claiming your Apple ID is locked and requires a reset, as these almost certainly are phishing attempts," says Patrick Wardle, principal security researcher at Jamf. "If there is an issue with your Apple ID, go directly to Apple's official website to resolve."
We've all received marketing email packed with images. These pictures often contain hidden tracking code that tells companies whether an email was opened. It's a privacy issue, yes, but it could be a potential security issue if an attacker used the same tools for nefarious purposes. Concerned users can adjust email settings so these images aren't automatically downloaded.
"One of the tips I recommend for iPhone users is to disable download images in the email setting as this can leak sensitive information about your device, browser, and location," says Joseph Carson, chief security scientist and advisory CISO at Thycotic. "It is enabled by default, and disabling it puts you back in control of that by choosing which images you want to download."
It's not enough to be cautious about the emails you receive; you should be careful with those you send as well. Photos shared via the iOS Photos app include location data by default if your camera has location access enabled. This is handy if you're grouping photos by location or uploading to a shared library; it's less so if the photo ends up in the hands of someone who could exploit this data.
You can turn off the location in photos before sharing them. In the Share process, tap Options and switch off Location.
Security pros advise against connecting to public Wi-Fi networks, especially for activities like shopping, online banking, or anything that would require transmitting personal information.
"While most public Wi-Fi access points are perfectly safe, that's not always true," says Renee Tarun, deputy CISO at Fortinet. "Criminals will often broadcast their device as a public access point, and then when a user connects to the Internet through them, the criminal is able to intercept all the data moving between the victim and their online shopping site, bank, or wherever else they browse to." She advises disabling both Wi-Fi and Bluetooth unless needed.
If you must connect to public Wi-Fi, it's recommended you do so with a VPN so your activity is encrypted and not accessible to any criminals who may be lurking on the network.