Kenneth van Wyk: Shutting down security gotchas in iOS 6

What to do if you have data on your iPhone or other iOS device that you want to protect

I and many of my fellow iOS users spent some time last week upgrading our iPhones, iPads and/or iPod Touches. If you are among those people, or even if you're one of the cautious souls who decided to wait before downloading iOS 6, you probably want to know what security gotchas await and what you can do to keep from getting burned.

First off -- and admittedly this is true of all iOS devices, not just those upgraded to iOS 6 -- the single most important thing you as a consumer can do to protect your data on your iOS device is to use a strong passcode. (Go to Settings --> General --> Passcode Lock, then "Turn Passcode On" and turn OFF the "Simple Password" toggle.)

While you're on that Passcode Lock screen, you might also want to tweak the Require Passcode setting by selecting a brief period of time before the device locks itself. "Brief" can be as short as "immediate." The downside is that you have to enter your passcode every time you let your device rest a bit. It's a trade-off between convenience and security. I suggest going with as short a time period as you can stand. Start short, then turn it up a bit if it really annoys you.

Why does this matter? Why isn't a four-digit PIN adequate? Because a lost or stolen device with a weak passcode puts all the data stored on the device at risk, as well as anything on iCloud or other network services you use.

And the passcode isn't just for locking and unlocking the device. It is used as part of the encryption key for data on the device (such as your email and app data that has "full protection"). If you use a simple PIN, an attacker won't have a hard time breaking that encryption and getting to your most sensitive stuff.
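To put numbers on why a four-digit PIN is weak, here is an added example (not from the article) that estimates the worst-case time to exhaust a passcode's keyspace. It assumes Apple's published calibration for the iOS passcode key derivation of roughly 80 milliseconds per guess, run on the device itself because the key is tangled with the device UID; the character classes and the helper names are mine.

```python
"""Worst-case exhaustive-search time for an iOS passcode (added example).

Assumption: each guess costs ~80 ms, Apple's published calibration for the
passcode key derivation, and guesses must run on the device under attack.
The numbers below are for a full sweep of the keyspace; on average an
attacker would need about half that.
"""
import string

GUESS_MS = 80  # assumed per-attempt cost of the passcode KDF (Apple's figure)

# Character classes available on the iOS passcode keyboard. A "simple"
# passcode is a 4-digit PIN; a full passcode may mix any of these.
CLASSES = (
    ("digits", frozenset(string.digits)),
    ("lowercase", frozenset(string.ascii_lowercase)),
    ("uppercase", frozenset(string.ascii_uppercase)),
    ("symbols", frozenset(string.punctuation + " ")),
)


def alphabet_size(passcode: str) -> int:
    """Size of the union of every character class the passcode touches."""
    if not passcode:
        raise ValueError("empty passcode")
    used = [chars for _name, chars in CLASSES if any(c in chars for c in passcode)]
    covered = frozenset().union(*used)
    if any(c not in covered for c in passcode):
        raise ValueError("passcode uses characters outside the modelled classes")
    return sum(len(chars) for chars in used)


def keyspace(passcode: str) -> int:
    """Number of candidates an attacker must consider in the worst case."""
    return alphabet_size(passcode) ** len(passcode)


def exhaustive_search_ms(passcode: str) -> int:
    return keyspace(passcode) * GUESS_MS


def report(passcode: str) -> dict:
    ms = exhaustive_search_ms(passcode)
    return {
        "simple_pin": passcode.isdigit() and len(passcode) == 4,
        "keyspace": keyspace(passcode),
        "worst_case_years": ms / (1000 * 60 * 60 * 24 * 365),
    }


if __name__ == "__main__":
    for pc in ("1234", "abc123", "Tr0ub4dor!"):  # constructed sample passcodes
        print(pc, report(pc))
```

A four-digit PIN falls in under fifteen minutes at this rate, while a six-character lowercase-plus-digits passcode already pushes the full sweep past five years.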

Of course, using a real passcode can be massively annoying. I use passcodes on my own iOS devices, and I'm not going to pretend it's never annoying. But that annoyance is nothing compared to the pain of having your data compromised. If the data on your device matters to you, there is no better single thing you can do as a consumer to protect it (other than not having the data on the device in the first place).

I also recommend turning off access to Siri and Passbook when your device is locked. This will prevent an attacker from getting into a lot of your data; if Siri can be accessed from a locked device, then an attacker could just say, "Siri, what appointments do I have today?" for example. I write more about Passbook below, but if you're using it for anything important (such as payments or boarding passes), this setting will prevent an attacker from getting access to that data when the device is locked. Note that these are not the default settings, so you need to change them if you want to lock attackers out in this way. (Both of these things can be done on the Passcode Lock screen of General Settings.)

Now, how about all those whiz-bang new features in iOS 6? What are the security pitfalls for a consumer to avoid there? I'm glad you asked.

Let's start with Passbook. You can store movie tickets, boarding passes, payment credentials and a slew of other types of data in Passbook, provided that your vendor's app supports it. Passbook promises to be a convenient, single place to store things like that so that you can quickly access the bar-code data when you're at a movie theater, supermarket, airport and so on.

So how secure is Passbook? Well, it's brand new, so the jury is still out. Any application that touches our finances needs the highest levels of security. Encryption of the user data is a minimum requirement. Does Passbook adequately encrypt that data so your passes are protected on a lost or stolen device? Apple hasn't said. It needs to; with Passbook, it can't afford to display the cavalier attitude toward security that it sometimes has demonstrated.

In any event, the fact that a Passbook pass can be displayed on a device's lock screen means that Passbook isn't (at least by default) using the strongest built-in encryption supported by the platform. This reinforces my recommendations to use a strong passcode and to turn off access to passes on a locked device.

Until Apple is more forthcoming and the security community has done deep analysis on Passbook, it's probably best to use it only for things that you don't consider real money. I'll be testing it that way. And I would strongly suggest that you steer clear of Passbook if you aren't going to use a strong passcode on your device.

There's another hidden consumer security issue in iOS 6. Prior to this release, your apps had access to your device's Unique Device Identifier (UDID). Apps could, and frequently did, use the UDID to track users and sessions, as well as to collect marketing data about your usage. Apple wisely deprecated access to UDIDs recently, and the App Store review process now keeps apps from accessing them at all.

That's all to the good, but UDIDs have been replaced by a new identifier, internally called "identifierForVendor." This identifier, which is unique per vendor, can be used much as UDIDs were for tracking your activities, sessions and so on.

How is that an improvement? For one thing, each vendor identifier gets wiped when the device is wiped, so if you decide to sell your device, the new owner won't inherit your ID.

The nice part for consumers: You have the ability to restrict access to vendor identifiers. (Go to Settings --> General --> About --> Advertising and turn ON the "Limit Ad Tracking" toggle.)

Security-minded users will also like the new privacy settings in iOS 6, which go well beyond location data. You can now enforce privacy settings for access to your contacts, calendar data, reminders and other things. Any time an app requests access to these items, you will be prompted to allow or deny that access. The privacy settings are reached through Settings.

These are just a few things that we can do as consumers to make our iOS 6 devices a bit more secure. It's also worth spending some time stepping through all the system settings as well as settings for each app (including its notifications), of course.

Then dive into iOS 6 and enjoy the many enhancements that we now have to play with.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
