How To Secure Your iPhone: 12 Experts Reveal 26 Essential Security Tips

The ultimate iPhone security guide: 26 tips from 12 experts

Just because you've invested in a smartphone that isn't exposed to quite the same degree of malware and exploit issues as an Android device, that doesn't mean you can safely ignore good practice when it comes to iPhone security. This is why I've asked 12 security experts to share their knowledge as far as keeping your iPhone secure is concerned. Here are their 26 tips to help you do just that.

The iPhone threat landscape

If you are an iPhone user, then you probably already know that you've got a smartphone that runs a pretty tight ship as far as operating system security is concerned. There are the odd few hiccups every now and then, such as when the new iPhone 11 launched with a confirmed security vulnerability right out of the box. Or how about the mobile threat report from July 2019 that revealed how malware developers were producing variants aimed directly at iOS despite the barriers to successful deployment?

However, the truth of the matter is that Apple has a pretty secure operating system in iOS; but that doesn't mean that you can, or should, ignore the myriad threats to your data security. When exploit acquisition platforms have offered as much as $2 million (£1.5 million) to anyone with a zero-click iPhone jailbreak exploit, you can bet there are plenty of people trying to get access to, and control of, your iPhone.

Sure, most users, most of the time, aren't going to have to worry about these kinds of highly-targeted, very advanced attack scenarios. Most of the time it's conventional threats such as phishing, malware and physical access to your smartphone data that you need to be concerned about. Let the tips commence!

1. Go truly random with your PIN

"One of the easiest ways to secure your iPhone is picking a truly random PIN code," Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says, "do not use your date of birth, phone number, or ID number."

2. One iPhone, different passwords

"Lots of people use the same password across all of their accounts," Oz Alashe, CEO at CybSafe, says, "the obvious problem with this is that once someone has your password for one account, they have them all." From iOS 12, the iPhone password manager comes with a useful feature called password auditing. "This checks all of your stored passwords and informs you if you have any duplicates," Alashe says, "to find the password audit, navigate through Settings | Passwords & Accounts | Website & App Passwords, and then input your password." Alongside every account that has a reused password, you'll find a warning symbol. "Tap the 'Change Password on Website' button to resolve this," Alashe says.
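Apple's audit works on the stored list; the same check, written out here as an added example (not code from the page or from Apple), shows what "duplicate" ought to mean in practice. It runs over a constructed vault of made-up credentials and flags both exact reuse and the year-bump variants (Summer2019!, Summer2020!) that a plain duplicate check misses:

```python
import re
from collections import defaultdict

# Constructed vault entries: made-up sites, users and passwords.
SAMPLE_VAULT = [
    {"site": "bank.example", "user": "alice", "password": "Tr0ub4dor&3"},
    {"site": "shop.example", "user": "alice", "password": "Tr0ub4dor&3"},
    {"site": "forum.example", "user": "alice99", "password": "Summer2019!"},
    {"site": "mail.example", "user": "alice", "password": "Summer2020!"},
    {"site": "work.example", "user": "a.smith", "password": "c8#Qp2!vLm9zR4wX"},
]


def stem(password):
    """Strip the trailing digits/punctuation people bump when forced to 'change' a password."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def audit_reuse(entries):
    """Exact reuse: {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit_variants(entries):
    """Near reuse: {stem: [sites]} where *different* passwords share the same stem."""
    by_stem = defaultdict(lambda: {"passwords": set(), "sites": set()})
    for e in entries:
        s = stem(e["password"])
        by_stem[s]["passwords"].add(e["password"])
        by_stem[s]["sites"].add(e["site"])
    return {s: sorted(v["sites"]) for s, v in by_stem.items() if len(v["passwords"]) > 1}


if __name__ == "__main__":
    # Report sites, never the passwords themselves.
    for _pw, sites in audit_reuse(SAMPLE_VAULT).items():
        print(f"reused on {', '.join(sites)}: change it on every site but one")
    for s, sites in audit_variants(SAMPLE_VAULT).items():
        print(f"variants of '{s}' on {', '.join(sites)}: an attacker will guess the bump")
```

The variant check matters because credential-stuffing tools try exactly these bumps (append the next year, increment the last digit) against every site where the stem was leaked.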

3. Watch for fake apps

"We have seen a rapid growth in mobile threats, including fake apps masquerading as legitimate ones on app stores," Raj Samani, chief scientist at McAfee says, "people need to be aware that this is a method used by criminals to trick them into entering personal information such as credit card information, contact details and passwords, as well as tricking consumers into downloading malware." To avoid falling victim to scams like this, "stop and take the time to double-check the legitimacy of the app before downloading," Samani says, "go to the retailer’s website on your mobile browser and look for a link to the app from an official website."

4. Use a Password Manager

"A password manager is one of the best and easiest things you can set up to generate and store strong passwords," a Palo Alto Networks spokesperson says. This can help you to avoid using common and weak passwords that are traded on the dark web and make account takeovers easy pickings for cybercriminals. "Preferably, find a password manager that requires two-factor authentication for extra protection," the spokesperson says.

5. Enable two-factor authentication (2FA)

"2FA, such as your phone’s fingerprint reader, adds a second layer of security to your accounts," Emmanuel Schalit, CEO at Dashlane, says, "this simple step significantly decreases the risk of someone maliciously accessing your device or accounts." It's a simple tip and, with an ever-increasing number of sites and apps offering 2FA, a great way to protect your accounts and the data within.

6. Don't use SMS for two-factor authentication (2FA)

Avoid using SMS text messaging for those two-factor authentication codes that add an extra layer of security to your logins. Where a service offers it, an authenticator app or a hardware security key gives you the second factor without routing it through the phone network at all. This is especially true when it comes to cryptocurrency accounts. "Theft of cryptocurrency is currently a key driver for SIM swap attacks," Sam Bakken, senior product marketing manager at OneSpan, says, "due to the large sums that can be quickly stolen, and the low chance that stolen funds can ever be recovered."

7. Protect your SIM

"Put a PIN in your iPhone SIM," Cesar Cerrudo, CTO at IOActive, says, "so if your phone gets stolen, the thieves won’t be able to use it. If you don't do this, thieves can change the iPhone SIM and put it in another unlocked phone." Once they have your SIM in another phone they can request an SMS code for resetting the password to all your accounts, including iCloud, Facebook, Instagram, Twitter and so on. "Even if you have two-factor authentication enabled," Cerrudo says, "they can use this method to get the code and access your accounts." On an iPhone the SIM PIN is set under Settings | Cellular (Mobile Data in the UK) | SIM PIN; the card ships with a carrier default PIN that you must enter before choosing your own, and three wrong entries lock the SIM until you supply the PUK from your carrier, so look the default up rather than guessing. Note that a SIM PIN protects the physical card only: it does nothing against a SIM swap carried out at the carrier (see tip 6), for which you need a port-out PIN or account lock with your carrier.

8. Don't get juice-jacked

"Don’t fall victim to juice-jacking," Pascal Geenens, security evangelist (EMEA) at Radware says, "use USB data blockers and safely charge your phone in public places." USB outlets at train stations, airports and coffee shops are iPhone magnets; but can you be sure the outlet is not hiding a hacking device that installs malware or copies data from your phone as soon as you plug it in? "A data blocker is a simple USB dongle that sits between the USB socket and your USB charging cable," Geenens says, "it only connects the power lanes of the USB and will block the data pins. It is cheap, low tech, yet very effective and very much recommended when traveling."

9. Be wary of permissions

"It’s time for all of us to be more scrupulous when it comes to the apps that we install and the permissions we grant them," says Sam Bakken, senior product marketing manager at OneSpan. Permissions are powerful: an app granted access to your contacts, photos, location, camera or microphone can abuse that access on your behalf, and the grant persists long after you have forgotten why you gave it. "We need to think hard about whether there’s actually good reason to grant an app the permissions it asks for," Bakken says, "and to be safe, we should default to not granting those permissions even if it means you can’t use that particular app." If in doubt, it’s better to ask the developer for more information than just allowing it anyway. Settings | Privacy lists every app holding each permission, so you can revoke grants you no longer recognise without reinstalling anything.

10. Don't auto-join Wi-Fi networks

An iPhone that automatically re-joins a saved Wi-Fi network is an easy target for a man-in-the-middle attack: an attacker only has to broadcast a rogue access point using a network name the phone already trusts. "For iPhone users, it is recommended that for every saved, open Wi-Fi hotspot, they should turn off the auto-join function," says Morey Haber, CISO at BeyondTrust. "This prevents a hacker from using the same service set identifier (SSID), like for your favorite coffee shop, as a rogue access point to trick traffic through their device to capture your data," he concludes. On iOS the switch is per network: Settings | Wi-Fi, tap the (i) next to the network, and turn off Auto-Join, or forget the network entirely once you have left.
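iOS does not expose its Wi-Fi scan data, so the following is a model, added here as an example and not code from the page or from BeyondTrust. It takes a constructed table of remembered networks and a constructed scan, flags copies of a saved SSID that come from an unknown access point, and shows why Auto-Join on an open network picks the rogue: the phone simply takes the strongest signal carrying a name it trusts.

```python
# Constructed data, not real captures: networks the phone remembers, and a scan taken now.
SAVED_NETWORKS = {
    "CoffeeShop_Free": {"bssid": "3c:22:fb:11:22:33", "security": "open"},
    "HomeNet": {"bssid": "a4:2b:8c:44:55:66", "security": "WPA2"},
}

SCAN_RESULTS = [
    {"ssid": "CoffeeShop_Free", "bssid": "3c:22:fb:11:22:33", "security": "open", "rssi": -70},
    {"ssid": "CoffeeShop_Free", "bssid": "02:00:de:ad:be:ef", "security": "open", "rssi": -40},
    {"ssid": "HomeNet", "bssid": "02:00:00:00:00:01", "security": "open", "rssi": -55},
    {"ssid": "Neighbour", "bssid": "dc:a6:32:77:88:99", "security": "WPA2", "rssi": -80},
]


def locally_administered(bssid):
    """Bit 1 of the first octet set: a MAC made up in software rather than burned in."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def find_evil_twins(saved, scan):
    """Flag scan entries that carry a saved SSID but are not the access point it was saved from."""
    findings = []
    for ap in scan:
        known = saved.get(ap["ssid"])
        if known is None:
            continue
        reasons = []
        if ap["bssid"].lower() != known["bssid"].lower():
            reasons.append("unknown BSSID for a saved SSID")
        if known["security"] != "open" and ap["security"] == "open":
            reasons.append("saved network was encrypted, this copy is open")
        if locally_administered(ap["bssid"]):
            reasons.append("locally administered MAC (typical of a software access point)")
        if reasons:
            findings.append({"ssid": ap["ssid"], "bssid": ap["bssid"], "reasons": reasons})
    return findings


def auto_join_choice(saved, scan, auto_join_open=True):
    """Model of Auto-Join: join the strongest visible network whose SSID and security type
    match a saved entry. The BSSID is never consulted, which is what the rogue relies on."""
    candidates = [
        ap for ap in scan
        if ap["ssid"] in saved
        and ap["security"] == saved[ap["ssid"]]["security"]
        and (auto_join_open or ap["security"] != "open")
    ]
    return max(candidates, key=lambda ap: ap["rssi"]) if candidates else None


if __name__ == "__main__":
    for f in find_evil_twins(SAVED_NETWORKS, SCAN_RESULTS):
        print(f"{f['ssid']} from {f['bssid']}: {'; '.join(f['reasons'])}")
    print("auto-join on :", auto_join_choice(SAVED_NETWORKS, SCAN_RESULTS))
    print("auto-join off:", auto_join_choice(SAVED_NETWORKS, SCAN_RESULTS, auto_join_open=False))
```

With Auto-Join on, the phone lands on the louder copy of CoffeeShop_Free, which is the rogue; with Auto-Join off for open networks it joins nothing until you choose. The checks above are the ones a laptop or monitoring access point can make, since a phone will not show you them.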

11. Wipe clean before selling

Liviu Arsene, a senior e-threat analyst with Bitdefender, says users should "remove their iPhone from their Apple account," before selling or even passing it on to a family member, "otherwise the device will continue to sync to your account." The official Apple advice also recommends unpairing from your Apple Watch, backing up the iPhone, signing out of iCloud and your other Apple accounts, and then using the "Erase All Content and Settings" option under Settings | General | Reset. Signing out of iCloud also turns off Find My iPhone, so the next owner isn't blocked by Activation Lock.

12. Don't jailbreak your iPhone or sideload apps

"As a rule, do not jailbreak your phone and also avoid sideloading, which means downloading apps from outside of the App Store," says Tom Lysemose Hansen, CTO at Promon. It is quite common for users to install gaming emulators, for example, but you never know what you will get when sideloading apps that don't come directly from Apple. "They are unlikely to conform to the required levels of security and may have even been designed with malicious intent," Lysemose Hansen says, "this means that you may unknowingly download malware onto your device, allowing for the remote extraction of usernames, passwords, credit card details, and other personally identifiable information."

13. Check for unknown configuration profiles

Check for any unknown or suspicious profiles under Settings | General | Profiles (the entry only appears once at least one profile is installed, so not seeing it at all is the good outcome), and delete anything you did not knowingly install for work or school. "Profiles are more dangerous than malware on iOS since they give attackers access to more of the device than just one app," JT Keating, vice-president of product strategy at Zimperium, says, "and they are not vetted to the same extent as apps entering the App Store." A profile can install a trusted root certificate, point every connection at a proxy or VPN, or enrol the phone in remote management, which is why "free VPN" and "watch free TV" profiles are a favourite lure.

14. Use fewer apps

It may seem perverse to buy an iPhone with ever more storage capacity and then install fewer apps, but that's what Joseph Carson, chief security scientist and advisory CISO at Thycotic, says you should do to stay more secure. "When you no longer need to use an app, delete it," Carson says, "and when you need it again then you can download it again." Carson decided some while ago to remove most social media apps from his phones, "due to the continuous invasive features they have and only now use a browser to access social media," Carson says, "and remove cookies often. This makes it harder for social media companies to collect information and consistently track you." Remember that every additional application on your iPhone increases its attack surface. "The attack surface of your iPhone is the sum of iOS vulnerabilities and the vulnerabilities in every single installed application," Pascal Geenens, security evangelist (EMEA) at Radware says.

15. Use airplane mode

Use Airplane mode, or turn off your iPhone, when you are not using it. "Take some downtime to get balance and security," Joseph Carson, chief security scientist and advisory CISO at Thycotic says, "your phone cannot be hacked when you completely power it off and when you want some quiet time switch it into airplane mode or enable do not disturb."

16. Use biometric authentication

Although there have been some security issues with iPhone biometrics getting fooled by hackers, for the most part, and for most people, they remain the recommended user authentication method. "Use biometric authentication such as fingerprint, voice, or facial recognition," Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says, "to add an extra layer of protection."

17. Read app reviews

"Before you download an app, make sure you’re taking the time to read reviews," Sam Bakken, senior product marketing manager at OneSpan says, "especially the negative ones as miscreants are known to create fake positive reviews of their apps to hook more victims."

18. Go stealthy

"If you are concerned about curious eyes, then use a privacy screen protector, so that people next to you can’t see what your iPhone is displaying," Cesar Cerrudo, CTO at IOActive says, "I would also advise updating your notification settings to show previews only when unlocked." Otherwise, if you leave your iPhone locked but unattended, or it’s stolen, then someone will be able to read the notifications. "This is important," Cerrudo says, "as if your phone has been stolen and requests to reset your password arrive by SMS code." If that code appears as a preview on the lock screen, the thief has it without ever unlocking the phone. The setting is Settings | Notifications | Show Previews | When Unlocked, and it can also be set per app.

19. Roll your sleeves up

"Some users might want to go the extra mile and manually configure some iOS features such as disabling location data from photos, revoking apps from accessing various sensors such as location, camera, microphone, or even setting up the phone for a complete wipe if 10 wrong passcode attempts have been entered," Liviu Arsene, senior e-threat analyst with Bitdefender says.

20. Businesses should look to their MAM for help

"Use a mobile application management (MAM) platform to distribute your company's private apps and keep them off the public app store," Winston Bond, senior technical director (EMEA) at Arxan says, "you will reduce the risk of hackers finding back doors and avoid confusing all those consumers who install your stock checking app by accident."

21. Prevent losing your iPhone turning into a security disaster

"These days, our iPhones often have greater access to more sensitive information than our Macs do," a Palo Alto Networks spokesperson says, "whether it’s mobile banking apps, wallet apps or stored credit cards, you definitely wouldn’t want these to fall into the wrong hands unprotected." Make sure these settings, therefore, are enabled before taking your brand new iPhone outside:

A passcode to lock the iPhone (Settings | Face ID & Passcode, or Touch ID & Passcode on older models; choose six digits or an alphanumeric passcode via Passcode Options rather than four digits).

Encryption of the information on the device (iOS turns data protection on automatically once a passcode is set; the bottom of the Passcode settings screen confirms "Data protection is enabled").

A lost device tracker (Find My iPhone, under Settings | your name | Find My).

Deleting or wiping the data if too many bad passcodes are tried (the Erase Data toggle in the Passcode settings wipes the phone after 10 failed attempts) or if you trigger an erase remotely from Find My.

22. Keep your apps updated

"It can be all too easy to avoid that little notification reminding you to update your apps or phone software," Sam Bakken, senior product marketing manager at OneSpan, says, "but repeatedly hitting 'remind me later' can unknowingly expose you to security threats." Developers are constantly fixing security flaws in their software, so the latest version is almost always the most secure one; it's not rocket science.

23. Patch, patch and patch again

"By patching, we refer to the security updates you’re constantly reminded of when they come through, requiring you to be without your iPhone for 5 minutes as it updates the current system," a Palo Alto Networks spokesperson says, "this is essential for device security as a new patch could include new information and software to deal with current cyber threats."

24. Disable "Load Remote Images" in email settings

"You are consistently being tracked for everything you read and do in email," Joseph Carson, chief security scientist and advisory CISO at Thycotic says, "one way to get back in control is to disable the 'Load Remote Images' option in your iPhone email settings." Carson explains that cybercriminals want to know as much as possible about your device, so they need to find ways for you to share details with them. "A technique to do this is to include hidden remote images within emails," Carson says, "which means when you click on an email it makes a request to an online server to download that image (even a single pixel) which then shares details about your device with the server such as browser version, OS and sometimes location." 
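What a tracking pixel actually looks like, as an added example that is not from the page: a parser over a constructed HTML email that lists the images Mail would fetch with "Load Remote Images" on, and explains why each is or is not a beacon. The hosts and token values are made up.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed email body; none of these hosts are real services.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Your statement is ready.</p>
<img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example/o.gif?u=7f3a9c&amp;m=5521" width="1" height="1" style="display:none">
<img src="cid:inline-image-1" width="300" alt="embedded in the message, no network request">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def remote_images(html):
    """Images fetched over the network when 'Load Remote Images' is on; cid:/data: are local."""
    parser = _ImgCollector()
    parser.feed(html)
    return [img for img in parser.images
            if img.get("src", "").lower().startswith(("http://", "https://"))]


def _tiny(value):
    try:
        return int(value.rstrip("px")) <= 1
    except ValueError:
        return False


def tracking_reasons(img):
    """Why a remote image looks like a beacon rather than content."""
    reasons = []
    if _tiny(img.get("width", "")) and _tiny(img.get("height", "")):
        reasons.append("1x1 pixel")
    if "display:none" in img.get("style", "").replace(" ", "").lower():
        reasons.append("hidden via CSS")
    query = parse_qs(urlsplit(img["src"]).query)
    if query:
        reasons.append("per-recipient token in URL: " + ",".join(sorted(query)))
    return reasons


def classify(html):
    return [{"src": img["src"], "reasons": tracking_reasons(img)} for img in remote_images(html)]


if __name__ == "__main__":
    for item in classify(SAMPLE_EMAIL_HTML):
        label = "BEACON " if item["reasons"] else "content"
        print(label, item["src"], "; ".join(item["reasons"]))
```

Even the logo is a disclosure (the fetch reveals your IP address, client and the moment you opened the mail); the pixel adds a per-recipient token so the sender learns exactly which address opened it. Turning off Settings | Mail | Load Remote Images stops both requests until you tap to load.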

25. Enable USB restricted mode

"Enable USB restricted mode in the Passcode settings by turning off the option 'USB Accessories'," Paul Bischoff, privacy advocate at Comparitech.com, says, "so that USB accessories are not permitted on the lock screen. This will prevent malware from being installed on your iPhone through the USB charging port." The toggle lives under Settings | Face ID & Passcode (or Touch ID & Passcode) | Allow Access When Locked. One caveat: with the option off, the data connection over the Lightning port is only refused once the phone has been locked for more than an hour, so the setting complements the data blocker from tip 8 rather than replacing it.

26. Learn to spot the warning signs of phishing

"Phishing or smishing, a phishing attack that happens via text message, can compromise your iPhone in seconds," Richard Archdeacon, advisory CISO at Duo Security says, "so it’s important to be able to spot the tell-tale signs to avoid falling victim to one of these scams." So, watch out for typos or other signs that the message may not be legitimate, especially if you weren't expecting to receive it. "Before clicking any links," Archdeacon says, "validate suspicious texts or emails by going to the company's official website and contacting them directly to see if the message was legitimate."
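The manual check Archdeacon describes can be partly automated. This added example (not code from the page or from Duo) pulls the links out of a constructed smishing text and scores each against a short allow-list of genuine Apple domains: an unrelated registrable domain with the brand name stuffed into a subdomain, a one-character typosquat, and a plain-HTTP link all get flagged. The allow-list and the message are assumptions, and the two-label rule for the registrable domain is a simplification that mishandles suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list for the brand being impersonated.
KNOWN_DOMAINS = {"apple.com", "icloud.com"}
BRAND_WORDS = ("apple", "icloud")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed smishing text; every host is made up except the genuine support link.
SAMPLE_SMS = (
    "Apple ID locked. Verify now: https://apple.com.verify-account.example/login "
    "or use http://app1e.com/id?x=1. Genuine help: https://support.apple.com/"
)


def registrable_domain(host):
    """Two rightmost labels. Simplification: wrong for multi-part suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return {"url": url, "verdict": "known", "reasons": []}
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("plain HTTP")
    if any(brand in host for brand in BRAND_WORDS):
        reasons.append(f"brand name inside an unrelated domain ({domain})")
    for known in KNOWN_DOMAINS:
        d = edit_distance(domain.split(".")[0], known.split(".")[0])
        if 0 < d <= 2:
            reasons.append(f"'{domain}' is {d} edit(s) away from '{known}'")
    return {"url": url, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


def assess_message(text):
    """Every link in a text, with trailing sentence punctuation trimmed."""
    return [assess_link(u.rstrip(".,;)")) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for r in assess_message(SAMPLE_SMS):
        print(r["verdict"].upper(), r["url"], *r["reasons"], sep="\n  ")
```

The key idea is the third link: only the registrable domain (the part just before the public suffix) says who you are really talking to, and anything to the left of it is free text the attacker chose. "Unknown" is not "safe"; it just means the heuristics found nothing, which is when you fall back to typing the company's address yourself.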

I'm a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Sec

...