Security through Intelligence

Adam Vincent

Subscribe to Adam Vincent: eMailAlertsEmail Alerts
Get Adam Vincent via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Blog Feed Post

Protect your iDevice

This holiday season many will be unwrapping a new iDevice. For some, an iPhone or an iPad is a slightly newer version of an old favorite, but for others the world of Apple mobile computing is uncharted territory. By applying a few simple security techniques, you can extend sound computer security practices to your iPhone/iPad/iPod, and operate with the confidence that you are protecting your device and your data.

All devices that connect to the Internet are susceptible to malicious software (malware).  Some operating systems or devices may be targeted more frequently than Apple’s, but none are truly infallible.

The techniques outlined below provide simple tips to protect your iDevices.  While some of the recommendations will seem to be common sense, they are often overlooked and put your favorite gadget at risk.  You may not have considered others.  So, apply the list below, and protect your iDevice and more importantly your data.

Use a passcode

Who hasn’t lost or misplaced their device?  If it happens in a public place, and your device isn’t passcode/password protected, a stranger can pick up your iPhone, browse through your email, make unauthorized calls, send text messages to your contacts, and make unauthorized purchases or downloads.  They have direct access to your personal information too.  Setting a passcode offers a lot of protection.

  • Click on Phone Settings
  • Click General
  • Hit the Passcode Lock
  • Important – use a random passcode. Do not use 0000, 2580, 1111, or 1234 as these combinations are the most common and easily guessed passcodes in use today.

Update/Upgrade your device
This may be common sense to those who work in the IT industry, but who makes upgrading their personal device a priority? Out of date “apps”, operating systems and firmware present a risk of a malware infection through web browsing and opening email attachments. Keep your iPhone/iPad/iPod up to date with the latest software, operating systems and firmware. Apple attempts to close security holes, fix battery longevity issues and stop users from “jail breaking” their devices through updates. You can expect incremental updates in between significant upgrades of the Apple iOS, Apple’s mobile operating system.  Staying current is a simple way to stay secure.

Name your device

Something you probably didn’t consider during set-up was how to name your new device. Very often a real name is given to the device (e.g. John Appleseed’s iPhone).  While this doesn’t seem like a big deal, using a real name for a device can expose the owner to malicious activity.  When you utilize the device on a public Wi-Fi hotspot, like Starbucks or a hotel, you inadvertently broadcast a lot of information to those “listening”. One protocol that is particularly “noisy” is the “Apple Filing Protocol” or afp. When afp “talks”, it is searching for iTunes or another OS X device to respond. If someone is “sniffing” this traffic, they will be able to see who is broadcasted over the public Wi-Fi. If you name device after yourself, your name is exposed and you can be easily identified.

When using your device on a public network, strangers can see your device name. If you don’t want to expose your personal identify in a public place, don’t use a personal name for your device.

Handle Email Attachments with Care

Again, this may seem obvious.  Due to the large number of attachments that Apple iOS is able to natively open, Apple devices have been targeted via email with malicious attachments.  To date, Apple has been able to respond quickly to any issues, however I imagine that this issue will get worse before better.  Be cautious opening email attachments.  As a general rule, if you do not know the sender and are not expecting the email, don’t open it. If you know the sender, but we’re not expecting an attachment, contact the sender to make sure they actually sent you the email. Unlike a PC, most Apple products do not run virus scanner software, and they are still vulnerable to viruses.

Cyber Squared will continue to provide updates on mobile device AV products and other important mobile security information. Mobile devices are a target, and although the frequency of attacks has not become critical, it is only a matter of time.

Beware of Public WiFi

Public Wi-Fi continues to increase in availability and popularity.  Know where you are connected.  In some cases, the free Wi-Fi you thought you connected to is not what/where you think it is, and you connect to an unexpected network, down the road, run by a person whom is collecting information.  Be vigilant.  Always be aware of which network you are actually connecting to.  Your iPhone comes with a handy feature establishes your network connection preferences.

  • Click the Phone Settings
  • Click Wi-Fi
  • Click Ask to Join Wi-Fi

Browse Safely
It’s pretty well established that browsing unfamiliar web sites, especially those hosting wares and mp3′s, expose your device to infection. Mobile devices are just as susceptible as a computer.  Since many of these sites offer “mobile” versions of their primary site to better facilitate content viewing on the smaller Apple devices, attackers can actually tailor their attacks to Apple iOS. Once you’ve hit a compromised website with your Apple device, delivering an exploit to the device is trivial and often very difficult to detect.  Here are a few tips to make web browsing safer.

  • Ensure Pop-ups are blocked
    • Click on iDevice settings
    • Scroll down and click on Safari
    • Make sure pop-ups blocked is on
  • Disable Cookies
    • Click on iDevice settings
    • Scroll down and click on Safari
    • Click Accept Cookies and say Never
  • Clear Cookies (in case there are any)
    • Click on iDevice settings
    • Scroll down and click on Safari
    • Click Clear Cookies

“Jailbreak” or Installing 3rd Party Software

This section is aimed at the more adventurous iDevice user, who isn’t satisfied with the constraints Apple places on their devices and apps, and deliberately chooses to “unlock” or “jailbreak” their device. (The actual process of jail breaking your Apple device is out of the scope of this article.)

It’s important to understand that what actually occurs when you jailbreak your Apple device. Utilizing 3rd party software on your Mac or PC, “jailbreaking” involves installing a controlled exploit of vulnerability into your Apple iOS. This allows for the install of a custom operating system with access to the underlying file system, and the ability to install software from a 3rd party.

There are benefits to unlocking your device, but can be serious consequences as well.  If the process fails, you risk the device’s warranty being voided thus rendering your device a very expensive paper weight.

If you do choose to open your device to 3rd party software installation, not approved by Apple, your iDevices’s capabilities can be enhanced.  Beware though, 3rd party software can provide an avenue for malware delivery, and app developers face little or no restrictions when creating apps. While malicious developers have a community of unhappy users to help keep them in-check, it’s not the same as dealing with the rigorous development rules that Apple imposes. When an app developer chooses to include a “back door” into your device or force the phone to do something that you have not approved, the chances of detection are slim.

If you unlock your device, change the root password, “alpine”, as soon as possible. The default password for the “root” account is the same on all unlocked devices. If you do not know how to do this, reconsider unlocking your device.

Keep these tips in mind, and safeguard your Apple devices.  By doing so, you can avoid a number of threats that target the Apple iOS.

Read the original blog entry...

More Stories By Adam Vincent

Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect™, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, two children, and dog.