If you’re a REALTOR® and use an iPhone, losing it or having it stolen is a possibility none of us like to think about. Storing private or sensitive client information on your device can put that information in danger in the event that your device falls into someone else’s hands, either physically or as part of a hacking attack over the Internet. Here are some tips for using iPhones and iPads that can reduce your information security risk.
1. Stay Up To Date
It is important to keep the “firmware” on your device up to date, because only the latest version fixes all outstanding security issues. Look at the current version you have installed by going to “Settings”, then “General”, then “About”. You can see if you don’t have the current version by visiting http://support.apple.com/downloads/ (official) or http://ios.e-lite.org/ (unofficial but easier to use) and looking for your device. If your device is out of date and is hooked up to a computer online running iTunes, iTunes should prompt you to upgrade the firmware, which you should do immediately. If your device is too old (i.e., iOS versions 3 or 4) and cannot be upgraded, the vulnerabilities cannot be patched, and it may be time to buy a later-model device. There are unofficial techniques, such as “jailbreaking,” that allow you to receive later updates on an older model, but they are not recommended.
A note for the technical: well-known iOS vulnerabilities – patched and unpatched – are tracked here: http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/
Many of the tips and illustrations below apply only to newer versions of iOS – you may have to search to find these features on older versions.
2. Enable the Auto-Lock Feature and Require a Passcode
To enable the auto-lock feature, from the main settings icon tap “General” and “Auto-Lock”. Then set the desired time; 1 minute is ideal. To require the passcode, tap on “Passcode Lock” from the “Settings” menu, tap “Turn Passcode On”, and enter a delay period – anywhere from “Immediately” to 5 minutes. (The longer the period, the weaker the security.) Then enter your four-digit passcode and confirm as prompted. While on the “Passcode Lock” screen, you may want to also disable access to Siri while the device is locked. If you want even stronger security, on that same screen slide “Simple Passcode” to “Off” and enter a complex password longer than 4 characters.
3. Change the SIM PIN
There’s a special card in most cellular devices called a SIM card, which you don’t want to fall into the wrong hands. It is your device’s way of letting your cell phone company know that it is you who are making calls and using the Internet, and it contains personal data stored on your device. In Apple cellular devices this card can have its own passcode/PIN, which is separate from the passcode you use to unlock your phone. The SIM PIN makes it harder for someone to take your SIM card and put it in a different phone to access what’s on it. To set this PIN, from the main settings icon, tap on “Phone”, and choose “SIM PIN”. Change the option to “On” and enter a new PIN that you will remember.
4. Disable Bluetooth When Not in Use
Bluetooth can be used by hackers in a variety of ways (e.g., BlueJacking), so for high-security devices keep it turned off, and for other devices keep it turned off when not in use. To turn Bluetooth off, go to “Settings”, then “Bluetooth” and slide it to “Off”.
5. Take Care When Downloading Apps
Even though Apple is supposed to be vetting their App Store carefully, always look carefully at the app’s publisher. Also, when you are installing an app, it will list the permissions it requires. Always read through this list to see if it makes sense. For example, an app that says it will provide weather forecasts should not need to access your contacts, read your text messages, or access your camera. An app requiring excessive privileges should be suspect. The best security practice when it comes to apps is to install as few as possible. The more apps you install, the more chance you’ll run across a malicious one.
6. Secure Your Network
Is there a “bad guy” watching what you do over the network? To reduce that risk, do not use unencrypted Wi-Fi networks (look for the “lock” symbol next to the network name), networks run by people you don’t know, or networks that may allow fellow users that you don’t know and trust. You should be aware that there are various ways of intercepting cellular traffic, and you cannot be assured of the security of your data or voice transmissions. Though some forms of cellular communications are encrypted between your device and the base station (cell tower), hackers have tricked mobile devices into using their bogus base stations instead of the cellular provider’s and intercepted both communications and data. The only way to protect data if you choose to use an insecure network is to use a “Virtual Private Network” (VPN). This is something that may be available via your office’s firewall, and you will likely need a technical person to help set it up. There are also third parties offering an encrypted VPN-like connection through their app, though one must be careful in choosing such an app, since the provider may be able to see your sensitive data.
7. Secure Email and Web Browsing
Another layer of protection against someone seeing what you are doing online and accessing your accounts is to use encryption in your web browser and email software. In the case of web browsing, the website must support secure browsing via “https” (TLS protocol, replacing SSL) and in the case of email, the email server must support similar encryption – something to coordinate with your email provider.
If you use Safari as the web browser on your device there are several settings to address. Under “Settings” and “Safari”, make sure “Block Pop-ups” is set to “On”. Set both “AutoFill” settings to “Off”. Set “Fraud Warning” to “On”. After visiting websites where you have accessed sensitive information, re-visit this screen to delete stored history, cookies, and cache. Some sites may store additional information on your phone without your knowledge. Under “Settings”, “Safari” and “Databases” you can delete these databases.
8. Clear the Keyboard Cache Occasionally
Apple’s mobile devices capture and store all keystrokes (other than password fields) for a year, and someone accessing your device can recover and read this file. If you want to occasionally delete what is stored in the file, go to “Settings”, “General”, “Reset”, and then select “Reset Keyboard Dictionary”. If you are okay with the ramifications on the warning screen, confirm that you want to delete this cache.
9. Be Careful About Automatic Screen Captures
Every time you click “Home”, your device takes a screenshot of your application before sending you Home. Sometimes these screenshots contain sensitive information. Make sure that sensitive information is never on the screen before clicking “Home”.
10. Back Up Your Information
If the worst should happen and you lose or damage your device, ideally you can restore your data from backup. Just connect your device to a computer with iTunes running. Your device should show up in the iTunes menu. Your device should automatically synchronize and be backed up. If not, right-click (or control-click) the device under “Devices” and select “Back Up” – or, in the “File” menu, select “Devices”, then “Back Up”. Also, if you click on your device you will be able to reach the “Summary” tab in “Preferences”. Select “Encrypt iPhone backups” and apply the settings. Always validate that the files are backed up to your computer and are accessible without your mobile device, and be sure to back up your computer in turn, using iCloud and/or other means. You can now also back up your iPhone directly to iCloud, by going to the iCloud button in Settings, going to Storage and Backup, and then turning iCloud backup on. Your first 5 Gb of information is free; the next 10 Gb is $20/year. iCloud will back up photos and videos, device settings, app data, home screen and app organization, messages (iMessage, MMS, and SMS), ringtones, and Visual Voicemail.
11. Discarding Your iPhone or iPad
Assuming you don’t want the next person who picks up your device to have access to all your saved settings and content, you’ll want to eliminate that information from the device. Some people even do this before sending it in for repair. To do this, go to “Settings”, then “General”, then “Reset” and select “Erase All Content and Settings”. After doing this, a forensics specialist may still be able to recover information from the device. If you want to prevent that, you can purchase and run “iErase” by Jonathan Zdziarski from the Apple App Store.
Some Parting Words
There are many possible settings and practices that will lessen the likelihood that your iPhone or iPad will be compromised. This article is just a starting point for individuals and the small business audience. Nonetheless, if you follow at least the steps above, you will have substantially decreased your risk and improved your chances for recovering quickly from an incident.