Securing your iPhone

NICK'S STIG:

Settings –> Wi-Fi Networks –> Ask to Join Networks

Enable this so your phone doesn't automatically join whatever network has the strongest signal. Joining unknown networks automatically would leave you open to Man-in-the-Middle attacks.

Settings –> Wallpaper –> Image with Warning

Use a wallpaper that shows contact information and return information for anyone who finds the phone.

Settings –> General –> Date & Time –> Set Automatically

This is two-fold for security. An accurate date and time ensures true logging timestamps in the event that forensic information needs to be gathered from your phone. The phone will also periodically check in for time syncs, giving a better chance of tracking it in the event of a loss.

Settings –> General –> Auto-Lock

Change the setting to 1 minute so the phone locks quickly. While this is annoying, it means your phone will be secure if you leave it unattended.

Settings –> General –> Passcode Lock –> Turn Passcode On

Settings –> General –> Passcode Lock –> Require Passcode Immediately

Settings –> General –> Passcode Lock –> Show SMS Preview Off

If this is left on, an SMS preview comes up while the phone is locked, revealing information despite the locked state.

Settings –> General –> Network –> VPN On

The iPhone expands your surfing habits by giving you always-on access. What we forget is that you are broadcasting unencrypted traffic all over. You are given the option to use L2TP or PPTP. L2TP is considerably more secure than PPTP. Try running a DD-WRT Linksys router at home for your own network, or sign up for a VPN service online.

Settings –> General –> Bluetooth

The iPhone gives very little control over Bluetooth, which is unfortunate. The device is discoverable while the Bluetooth menu is open. Because of recent Bluesnarfing hacks, be careful to exit the menu so you are no longer discoverable. Leave Bluetooth off if you aren't using it; this saves battery and protects your privacy.

Settings –> Mail

Ensure that you are using mail hosts that allow for SSL encryption. One option is to forward your mail to a host like Dreamhost that allows for SSL IMAP/SMTP. This is also helpful for converting Gmail to IMAP rather than POP3.

Settings –> Mail –> Preview

Change preview to None. You never know who is looking over your shoulder while your email comes in.

Settings –> Safari –> JavaScript Off

Safari and the iPhone have already had vulnerabilities. This is a trade-off: most websites need JavaScript, and Safari offers no whitelist of acceptable sites.

Settings –> Safari –> Plug-Ins Off

QuickTime and other plug-ins in the Safari browser expose you to their security risks.

Settings –> Safari –> Block Pop-ups On

No need to explain: not only are they annoying, but they can initiate cross-site scripting hacks.

Settings –> Safari –> Accept Cookies Never

The From visited option allows for casual surfing, but you never know what a cookie contains when it is saved, and stored cookies are an audit trail of your activity. Never may interrupt surfing on some sites, so From visited may be a better real-world setting.

Settings –> Phone –> Show My Caller ID Off

Why should my number show up on the screen of everyone I call? Some people won't answer if the caller is unknown. Those who know me and want to talk do.

That should do it! A good start to securing your new sudo-smartphone.
