{"id":100930,"date":"2016-08-19T14:56:22","date_gmt":"2016-08-19T18:56:22","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=100930"},"modified":"2017-05-30T17:11:42","modified_gmt":"2017-05-30T21:11:42","slug":"security-hardening-of-ios","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/about\/policies\/security-hardening-of-ios\/","title":{"rendered":"Security Hardening of iOS (iPad & iPhone)"},"content":{"rendered":"\n\n\n\n\n
ISO Guideline:<\/strong> 1.3<\/td>\n<\/td>\n<\/tr>\n
Effective Date:<\/strong> 5\/18\/2011<\/td>\n <\/strong><\/td>\n<\/tr>\n
Responsible Office:<\/strong> BU Information Security<\/td>\n <\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/a>Background<\/h2>\n

Computing devices like the iPad of iPhone provide ever-expanding capabilities to store, handle and display information.\u00a0 These devices provide very good security features and are capable of protecting information classified by BU as Confidential<\/em> or Restricted Use<\/em> data.<\/p>\n

Confidential<\/em> data includes such things as student grades and other FERPA records, research results, sensitive information regarding faculty, staff, alumni, etc. while Restricted Use<\/em> includes things like financial account numbers, SSNs, driver\u2019s license numbers, HIPAA data, etc.\u00a0 See the BU Data Protection Standards<\/a> for more information.<\/p>\n

But in order to provide the proper protection, these devices must be properly configured.\u00a0 This document provides the steps require to properly secure an iPad or iPhone.<\/p>\n

\n

Checklist<\/h1>\n<\/div>\n

These are the things that need to be done.\u00a0 Details on how to do each one are in the Procedures<\/a> section below.<\/p>\n

Standard Security Settings<\/strong><\/p>\n

You should do these steps for all iOS devices.\u00a0 These steps are required<\/em> for any device that may contain Confidential<\/em> or Restricted Use<\/em> information.\u00a0 (For examples of these kinds of data, see Background<\/a> above)<\/p>\n

    \n
  1. Update firmware to the latest version<\/li>\n
  2. Require a passcode<\/li>\n
  3. Set auto-lock timeout<\/li>\n
  4. Disable grace period for lock<\/li>\n
  5. Erase data upon excessive passcode failures<\/li>\n
  6. Enable Data Protection<\/li>\n
  7. Enable Fraud Warning in Safari<\/li>\n<\/ol>\n

    Extended Security Settings<\/strong><\/p>\n

    These steps are required for any device that may contain Restricted Use<\/em> information<\/p>\n

      \n
    1. Encrypt device backups through iTunes<\/li>\n
    2. Turn off \u201cAsk to Join Networks\u201d<\/li>\n
    3. Forget unused Wi-Fi networks to prevent automatic rejoin<\/li>\n
    4. Enable remote wipe functionality \u2013 Optional, but recommended<\/strong><\/li>\n
    5. Erase all data before return, repair, or recycle<\/li>\n<\/ol>\n
      \n

      <\/a>Procedures<\/h1>\n<\/div>\n

      Standard Security Settings<\/h2>\n

      You should do these steps for all iOS devices.<\/p>\n

      These steps are required<\/em> for any device that may contain Confidential<\/em> or Restricted Use<\/em> information.<\/p>\n

      1. Update firmware to the latest version<\/strong><\/p>\n

      Apple iOS devices ship with the most current version of the firmware available when the device was manufactured, but new updates often address security vulnerabilities in addition to bug fixes and new features.<\/p>\n

      2. Require a passcode<\/strong><\/p>\n

      One of the easiest ways to secure your iOS device is to require a simple passcode.<\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap General<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Passcode Lock<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 Type in a passcode.\u00a0 The passcode will be 4 numbers in length.<\/p>\n

      5)\u00a0\u00a0\u00a0\u00a0\u00a0 Type in the same passcode<\/p>\n

      This is the guideline for the default 4-digit pin passcode.\u00a0 For even more security, you can opt for a longer numeric passcode or an alphanumeric passcode by going to Settings > General > Passcode Lock > Slide<\/em> Simple Passcode to off. <\/em>You will now be prompted to enter a passcode of your choice.<\/p>\n

      If you enter only a numeric passcode, a numeric keypad will still be displayed at the lock screen. A longer numeric passcode may be easier to enter than a shorter alphanumeric passcode, while providing similar security.<\/p>\n

      3. Set auto-lock timeout<\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap General<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Auto-Lock<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap \u201c5 Minutes\u201d or one of the other values.\u00a0 Lower values are more secure.<\/p>\n

      4. Disable grace period for lock<\/strong><\/p>\n

      The grace period allows the device to be unlocked after auto-locking without providing an unlock code.\u00a0 A value of “Immediately” will fix this by requiring the passcode to be entered regardless of when the device was last locked.\u00a0 <\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap General<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Passcode Lock<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Require Passcode<\/p>\n

      5)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Immediately<\/p>\n

      5. Erase data upon excessive passcode failures<\/strong><\/p>\n

      Devices can be configured to automatically erase user settings and data after ten passcode failures.\u00a0 As excessive passcode failures typically indicate the device is out of physical control of its owner, enabling this may protect the confidentiality of information stored on the device.<\/p>\n

      Remediation:\u00a0 <\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap General<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Passcode Lock<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 Turn on Erase Data<\/p>\n

      6. Enable Data Protection<\/strong><\/p>\n

      With devices that support hardware encryption (iPhone 3GS and later, iPod Touch 3rd gen and later, and all iPads), iOS 4 \u00a0and up allows applications to use an encryption key derived from a user’s passcode to protect application data.\u00a0 Enabling this feature is as simple as setting a passcode on the device.<\/p>\n

      To verify that data protection is enabled:\u00a0 <\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap General<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Passcode<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 “Data protection is enabled” should be displayed at the bottom of the screen<\/p>\n

      Note: If the device originally shipped with iOS 3 (e.g. the iPhone 3GS, iPad, and iPod Touch), this feature will not be available until the device is restored after upgrading to iOS 4+.\u00a0 This feature is not available on older devices, such as the iPhone 3G and earlier models, at all, as they do not support hardware encryption.<\/p>\n

      Data protection, if used properly, will protect files by always requiring your passcode, even if your iOS device is jailbroken or compromised by other hacking methods.\u00a0 If data protection is not used, jailbreaking and these hacking methods will allow free access to all of your files.<\/p>\n

      It is important to understand that applications must be specifically designed to utilize data protection. Do not store or use sensitive data with applications that do not make use of data protection. More information regarding this feature is available on Apple’s site at\u00a0iOS: Understanding data protection<\/a><\/p>\n

      The iOS mail app built into all iOS devices automatically uses data protection and is secure.\u00a0 Other notable apps that use the data protection feature are GoodReader (file reader), PriorityMatrix (productivity\/organization), SharePlus (a file management system), and USB Disk Pro (file transfer system).<\/p>\n

      7. Enable Fraud Warning in Safari<\/strong><\/p>\n

      Fraud warning in Safari helps protect users from visiting potentially fraudulent Internet sites.\u00a0 If a user navigates to a known fraudulent site covered by this service, Safari will not load the site and instead display a warning to the user about its suspect nature.<\/p>\n

      Remediation:\u00a0 <\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Safari<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Turn on Fraud Warning<\/p>\n

      Extended Security Settings<\/h2>\n

      These steps are required<\/em> for any device that may contain Restricted Use<\/em> information.<\/p>\n

      1. Encrypt device backups through iTunes<\/strong><\/p>\n

      In iTunes, with the device connected, check “Encrypt\u00a0[device type] backup” under Options and select a strong password.<\/p>\n

      2. Turn off \u201cAsk to Join Networks\u201d<\/strong><\/p>\n

      Requiring the user to manually configure and join a Wi-Fi network reduces the risk of inadvertently joining a similarly named yet untrusted network (e.g. \u201cdefault\u201d instead of \u201cdefault\u201d).<\/p>\n

      Once you have configured your device to connect in all the usual place you will want to connect (BU, home, etc.), turn off \u201cAsk to Join Networks\u201d to mitigate this risk<\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Wi-Fi<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Turn off \u201cAsk to Join Networks\u201d<\/p>\n

      3. Forget unused Wi-Fi networks to prevent automatic rejoin<\/strong><\/p>\n

      By default, an iOS device will remember and automatically rejoin networks that it has previously associated with.\u00a0 The problem with this is a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined.\u00a0 Additionally, if previously joined network has a common SSID, such as \u201cdefault\u201d or \u201clinksys\u201d, it is very probable that the iPhone will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.<\/p>\n

      It is fine to store and remember your normal networks (BU, Home, etc.), but other networks should be removed and not saved in the future.<\/strong><\/p>\n

      To do this:\u00a0 <\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Wi-Fi<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap the Wi-Fi network to forget<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap \u201cForget this network.\u201d<\/p>\n

      Note: the Wi-Fi network must be in range for it to appear in the list of available networks to forget; if the Wi-Fi network is no longer in range, the user must reset all network settings, which will forget all Wi-Fi networks.<\/p>\n

      Enable remote wipe functionality \u2013 Optional, but recommended<\/strong><\/p>\n

      The intent with this is to ensure that if the device is lost, the data can be erased remotely.\u00a0 There are number of ways to accomplish this with iOS:<\/p>\n

      Remote wiping can be initiated by MDM (Mobile Device Management, for enterprise users), Exchange, or iCloud.<\/p>\n

      In iCloud, users can use \u201cFind my iPhone\u201d to either locate a missing iOS device or remotely wipe all of their data. This can be found at www.iCloud.com<\/a><\/p>\n

      Note: You must have an Apple ID connected to your iOS device and iCloud to use this feature.<\/p>\n

      Erase all data before return, repair, or recycle<\/strong><\/p>\n

      In order to prevent an unauthorized user from being able to recover sensitive information from the device, the disk should be overwritten via the “Erase All Content and Settings” setting before it is out of the user’s physical control.<\/p>\n

      To securely erase a device:\u00a0 <\/strong><\/p>\n

      1)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Settings<\/p>\n

      2)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap General<\/p>\n

      3)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Reset<\/p>\n

      4)\u00a0\u00a0\u00a0\u00a0\u00a0 Tap Erase All Contents and Settings<\/p>\n

      \n

      References<\/h1>\n<\/div>\n