Security Hardening of iOS (iPad & iPhone)

ISO Guideline: 1.3
Effective Date: 5/18/2011
Responsible Office: BU Information Security

Background

Computing devices like the iPad of iPhone provide ever-expanding capabilities to store, handle and display information.  These devices provide very good security features and are capable of protecting information classified by BU as Confidential or Restricted Use data.

Confidential data includes such things as student grades and other FERPA records, research results, sensitive information regarding faculty, staff, alumni, etc. while Restricted Use includes things like financial account numbers, SSNs, driver’s license numbers, HIPAA data, etc.  See the BU Data Protection Standards for more information.

But in order to provide the proper protection, these devices must be properly configured.  This document provides the steps require to properly secure an iPad or iPhone.

Checklist

These are the things that need to be done.  Details on how to do each one are in the Procedures section below.

Standard Security Settings

You should do these steps for all iOS devices.  These steps are required for any device that may contain Confidential or Restricted Use information.  (For examples of these kinds of data, see Background above)

  1. Update firmware to the latest version
  2. Require a passcode
  3. Set auto-lock timeout
  4. Disable grace period for lock
  5. Erase data upon excessive passcode failures
  6. Enable Data Protection
  7. Enable Fraud Warning in Safari

Extended Security Settings

These steps are required for any device that may contain Restricted Use information

  1. Encrypt device backups through iTunes
  2. Turn off “Ask to Join Networks”
  3. Forget unused Wi-Fi networks to prevent automatic rejoin
  4. Enable remote wipe functionality – Optional, but recommended
  5. Erase all data before return, repair, or recycle

Procedures

Standard Security Settings

You should do these steps for all iOS devices.

These steps are required for any device that may contain Confidential or Restricted Use information.

1. Update firmware to the latest version

Apple iOS devices ship with the most current version of the firmware available when the device was manufactured, but new updates often address security vulnerabilities in addition to bug fixes and new features.

2. Require a passcode

One of the easiest ways to secure your iOS device is to require a simple passcode.

1)      Tap Settings

2)      Tap General

3)      Tap Passcode Lock

4)      Type in a passcode.  The passcode will be 4 numbers in length.

5)      Type in the same passcode

This is the guideline for the default 4-digit pin passcode.  For even more security, you can opt for a longer numeric passcode or an alphanumeric passcode by going to Settings > General > Passcode Lock > Slide Simple Passcode to off. You will now be prompted to enter a passcode of your choice.

If you enter only a numeric passcode, a numeric keypad will still be displayed at the lock screen. A longer numeric passcode may be easier to enter than a shorter alphanumeric passcode, while providing similar security.

3. Set auto-lock timeout

1)      Tap Settings

2)      Tap General

3)      Tap Auto-Lock

4)      Tap “5 Minutes” or one of the other values.  Lower values are more secure.

4. Disable grace period for lock

The grace period allows the device to be unlocked after auto-locking without providing an unlock code.  A value of “Immediately” will fix this by requiring the passcode to be entered regardless of when the device was last locked. 

1)      Tap Settings

2)      Tap General

3)      Tap Passcode Lock

4)      Tap Require Passcode

5)      Tap Immediately

5. Erase data upon excessive passcode failures

Devices can be configured to automatically erase user settings and data after ten passcode failures.  As excessive passcode failures typically indicate the device is out of physical control of its owner, enabling this may protect the confidentiality of information stored on the device.

Remediation: 

1)      Tap Settings

2)      Tap General

3)      Tap Passcode Lock

4)      Turn on Erase Data

6. Enable Data Protection

With devices that support hardware encryption (iPhone 3GS and later, iPod Touch 3rd gen and later, and all iPads), iOS 4  and up allows applications to use an encryption key derived from a user’s passcode to protect application data.  Enabling this feature is as simple as setting a passcode on the device.

To verify that data protection is enabled: 

1)      Tap Settings

2)      Tap General

3)      Tap Passcode

4)      “Data protection is enabled” should be displayed at the bottom of the screen

Note: If the device originally shipped with iOS 3 (e.g. the iPhone 3GS, iPad, and iPod Touch), this feature will not be available until the device is restored after upgrading to iOS 4+.  This feature is not available on older devices, such as the iPhone 3G and earlier models, at all, as they do not support hardware encryption.

Data protection, if used properly, will protect files by always requiring your passcode, even if your iOS device is jailbroken or compromised by other hacking methods.  If data protection is not used, jailbreaking and these hacking methods will allow free access to all of your files.

It is important to understand that applications must be specifically designed to utilize data protection. Do not store or use sensitive data with applications that do not make use of data protection. More information regarding this feature is available on Apple’s site at iOS: Understanding data protection

The iOS mail app built into all iOS devices automatically uses data protection and is secure.  Other notable apps that use the data protection feature are GoodReader (file reader), PriorityMatrix (productivity/organization), SharePlus (a file management system), and USB Disk Pro (file transfer system).

7. Enable Fraud Warning in Safari

Fraud warning in Safari helps protect users from visiting potentially fraudulent Internet sites.  If a user navigates to a known fraudulent site covered by this service, Safari will not load the site and instead display a warning to the user about its suspect nature.

Remediation: 

1)      Tap Settings

2)      Tap Safari

3)      Turn on Fraud Warning

Extended Security Settings

These steps are required for any device that may contain Restricted Use information.

1. Encrypt device backups through iTunes

In iTunes, with the device connected, check “Encrypt [device type] backup” under Options and select a strong password.

2. Turn off “Ask to Join Networks”

Requiring the user to manually configure and join a Wi-Fi network reduces the risk of inadvertently joining a similarly named yet untrusted network (e.g. “default” instead of “default”).

Once you have configured your device to connect in all the usual place you will want to connect (BU, home, etc.), turn off “Ask to Join Networks” to mitigate this risk

1)      Tap Settings

2)      Tap Wi-Fi

3)      Turn off “Ask to Join Networks”

3. Forget unused Wi-Fi networks to prevent automatic rejoin

By default, an iOS device will remember and automatically rejoin networks that it has previously associated with.  The problem with this is a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined.  Additionally, if previously joined network has a common SSID, such as “default” or “linksys”, it is very probable that the iPhone will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.

It is fine to store and remember your normal networks (BU, Home, etc.), but other networks should be removed and not saved in the future.

To do this: 

1)      Tap Settings

2)      Tap Wi-Fi

3)      Tap the Wi-Fi network to forget

4)      Tap “Forget this network.”

Note: the Wi-Fi network must be in range for it to appear in the list of available networks to forget; if the Wi-Fi network is no longer in range, the user must reset all network settings, which will forget all Wi-Fi networks.

Enable remote wipe functionality – Optional, but recommended

The intent with this is to ensure that if the device is lost, the data can be erased remotely.  There are number of ways to accomplish this with iOS:

Remote wiping can be initiated by MDM (Mobile Device Management, for enterprise users), Exchange, or iCloud.

In iCloud, users can use “Find my iPhone” to either locate a missing iOS device or remotely wipe all of their data. This can be found at www.iCloud.com

Note: You must have an Apple ID connected to your iOS device and iCloud to use this feature.

Erase all data before return, repair, or recycle

In order to prevent an unauthorized user from being able to recover sensitive information from the device, the disk should be overwritten via the “Erase All Content and Settings” setting before it is out of the user’s physical control.

To securely erase a device: 

1)      Tap Settings

2)      Tap General

3)      Tap Reset

4)      Tap Erase All Contents and Settings

References

History

Date Action By Supersedes
5/18/2010 Original Quinn Shamblin, BU Information Security –Original–
6/12/2012 Modifications