Internet privacy and security course
About translation
Previous Next

Chapter 43

iOS. First steps to protect your iPhone and iPad.

For many people iPhones and iPads have become an integral part of the image and indispensable work tools. As part of our course we will try to make your gadget more secure. This chapter is introductory, it will focus on the first steps to setting up security for devices running the iOS operating system. These are simple and basic steps, maybe a bit banal and obvious, but I can't skip them.

Disable iCloud

You have probably noticed that when you get a new device from Apple and enter data of your Apple ID, contacts, documents and saved passwords are immediately downloaded to the device. I do not argue, as it is very convenient. But imagine if your account data falls into the hands of a malefactor? They also just get access to all your information, I wrote about it in the course.

All stored information is hosted on Apple servers, which Edward Snowden did not recommend doing. That was the reason for the cooperation of Apple with NSA USA. If earlier these were unsubstantiated convictions, then after the arrest of the “king of spam” Peter Levashov in Barcelona and his extradition to the USA, the threat of surveillance via iCloud was confirmed. It was thanks to iCloud that the US special agencies in collaboration with Apple tracked down and de-anonymized the famous hacker.

Do you really need this option to sacrifice the security of your data for it? The first step you can take to secure your iPhone or iPad is to use settings, select “iCloud” and disable synchronization (Settings> Passwords and Accounts> iCloud).

 

Tip

Disable iCloud if you have valuable data stored on your phone.

Turn off Siri

The second serious threat is Siri. As in the case of OK Google, this system is able to capture sounds near the phone and react in a certain way to the word beacons. In theory this is a great espionage tool for special services and I can’t believe that they will not make effort to gain access to this tool.

Siri is recommended to be disabled, especially if you are not using it (Settings> General> Siri). To understand how dangerous this function is, read the privacy policy, which can be found in the Siri settings. Here I will give a small excerpt:

When you request a voice assistant, Siri sends certain information about you to Apple in order to better understand and recognize your words.

When using Siri and Dictation, spoken and dictated words are recorded and sent to Apple to process your requests. Your device also sends Apple other information like:
• Your name and nickname.
• Names, nicknames and relations to you of your contacts (for example, “my dad”).
• Music you are listening to.
• Information about devices that support HomeKit in your home (for example, “a lamp in the living room”), as well as the names of your devices and the devices of your family members for whom Family Access is configured.
• The names of your photo albums, the names of the programs installed on your device, as well as quick commands added using Siri.

All this data (your “User Data”) helps Siri and Dictation on your iOS device and any Apple devices paired with it, such as the Apple Watch and HomePod, to better understand and recognize your words. They do not link to other data that Apple may receive as a result of your use of other Apple services.

If you have geolocation services enabled, Apple will also send information about the location of your device at the time of sending the request so that Siri and Dictation could respond to your requests more accurately.

 

Tip

Turn off Siri.

Voice assistants are not only a great tool for spying: using them, experts regularly find ways to bypass the blocking of an iOS device. When this article was being written, the experts found another way to hack iPhone, as you may guess again, not without Siri.

In this case the result of the attack was not full access to the device, but only access to the contacts of the locked phone. To receive it, it was enough to turn on VoiceOver via Siri on a locked device, then call the phone and put up the call with a message. After that on the locked device access to contacts and all related data was opened.

Here is a video demonstration of the attack:

And here is a demonstration of the attack using Siri, which allowed access not only to contacts, but also to photos on the device.

As we are talking about ways to hack the iPhone, for security reasons it would be useful to disable FaceTime if you are not using this program (Settings> FaceTime).

 

Tip

Disable FaceTime.

And be sure to limit the list of applications in the "Face ID and passcode" with the ability to access when you lock the screen to the required minimum. This is very important, since it is an eternal source of vulnerabilities for access to a locked device.

 

Tip

Limit the list of applications that can be accessed by locking the screen to the required minimum.

Turn off geolocation

So you turned off Siri, turned off synchronization, now let's consider the issue of determining geolocation. After reading the information about geolocation and privacy in the settings, you can understand how your location is determined and how Apple manages the data obtained.

Geolocation services use GPS and Bluetooth (where available) along with data on the location of Wi-Fi access points and cell phone towers to determine the approximate location of your device.

Therefore, my advice to go to Settings> Privacy> Geolocation Services and disable the geolocation service and the "Share Position" option. If you need them, it is better to turn them on temporarily, but the constant inclusion of the geolocation function is not the best solution.

Disable fingerprint and retina authorization

Unfortunately, bringing your phone to your finger or eye is not the most difficult task, you understand this well. If the security of your device is important to you, you should use only a password (Settings> Face ID and password-code> Unlock iPhone should be disabled).

 

Tip

Refuse to authorize by fingerprint or retina identifier.

And create a good habit to cover the entered password with your second hand. It's easy, just remember and start doing it regularly. This habit will protect your password from strangers’ eyes and surveillance cameras.

 

Tip

Cover the password entered on the phone with your free hand.

Audit application rights

What I always liked about iOS was the ability to see which applications have access to a particular resource and limit them if you don’t trust the one. Go to Settings> Privacy and, for example, select Microphone. Here will be shown the programs that have access to your microphone, I have two of them: Telegram and iHealth.

Do not forget the password

The phone must be password protected. It can be 4 digits, it is no use complicating your life, but numbers that are difficult to select. This should not be your date of birth or your mother’s date of birth, I’ll explain why.

IOS has such a great feature “Data Protection”, when after 10 incorrect attempts to enter a password, all information from the phone is erased. It turns on like this: Settings> Face ID and password code> Erase data. The main task is to make your password impossible to pick up in 10 attempts. With a four-digit numeric password this is 10 000 variants, of which in 10 attempts you have to guess one. 

Despite publications in the media and the FBI scandal with Apple, special services are guaranteed to have tools for hacking the iPhone with the activated option to delete data after 10 errors. Do not overestimate this option, erasing data is a fairly good protection, but not against all types of threats. Valuable data should not be stored on the phone, store them on your computer in cryptocontainers. This is an incomparably safer place.

Conclusion

Edward Snowden himself refused the iPhone. From his revelations we learned that Apple and NSA have remote access to every mobile device with iOS. Apple injects programs into its devices that can track all aspects of user activity, then this information is collected and processed.

It is worth noting that Apple denies all accusations of remote access to each device and secret cooperation with the special services and besides the words of Edward Snowden we have no other evidence of this. At the same time we have an example of Peter Levashov, when the security services had access to iCloud data, but we have no evidence of remote access to the device itself.

My acquaintances, related to the development of software for state structures of Russia, said that the solutions available in the arsenal allow remote control of the iPhone, but this information dates from the end of 2013 and it is difficult to assess its relevance in 2018.

As part of the course, we will be setting up comprehensive, complex iPhone and iPad protection, but the first steps should be aimed at basic protection from physical access, restricting interception perimeter via Siri and collecting location data. If you can’t completely get rid of GPS, try to limit the number of applications that have access to this data as much as possible.

Accept the idea that an increase in the level of protection of a device will negatively affect its convenience. You must weigh everything up and find for yourself the best balance of convenience and safety.

Previous
3832
Next