Learning iOS Security

Chapter 1. iOS Security Overview

Out of the box, iOS is one of the most secure operating systems available. There are a number of factors that contribute to the elevated security level. These include the fact that users cannot access the underlying operating system. Apps also have data in a silo (sandbox), so instead of accessing the system's internals they can access the silo. App developers choose whether to store settings such as passwords in the app or on iCloud Keychain, which is a secure location for such data on a device. Finally, Apple has a number of controls in place on devices to help protect users while providing an elegant user experience.

However, devices can be made even more secure than they are now. In this chapter, we're going to get some basic security tasks under our belt in order to get some basic best practices of security. Where we feel more explanation is needed about what we did on devices, we'll explore the technology itself either in this chapter, or others.

This chapter will cover the following topics:

Pairing
Backing up your device
Initial security checklist
Safari and built-in app protection
Predictive search and spotlight

To kick off the overview of iOS security, we'll quickly secure our systems by initially providing a simple checklist of tasks, where we'll configure a few device protections that we feel everyone should use. Then, we'll look at how to take a backup of our devices and finally, at how to use a built-in web browser and protections around a browser.

Pairing

When you connect a device to a computer that runs iTunes for the first time, you are prompted to enter a password. Doing so allows you to synchronize the device to a computer. Applications that can communicate over this channel include iTunes, iPhoto, Xcode, and others.

To pair a device to a Mac, simply plug the device in (if you have a passcode, you'll need to enter that in order to pair the device.) When the device is plugged in, you'll be prompted on both the device and the computer to establish a trust. Simply tap on Trust on the iOS device, as shown in the following screenshot:

Trusting a computer

For the computer to communicate with the iOS device, you'll also need to accept the pairing on your computer (although, when you use libimobiledevice, which is the command to pair, does not require doing so, because you use the command line to accept. This command is covered in Chapter 6, Debugging and Conclusion). When prompted, click on Continue to establish the pairing, as seen in the following screenshot (the screenshot is the same in Windows):

Trusting a device

When a device is paired, a file is created in /var/db/lockdown, which is the UDID of the device with a property list (plist) extension. A property list is an Apple XML file that stores a variety of attributes. In Windows, iOS data is stored in the MobileSync folder, which you can access by navigating to \Users\(username)\AppData\Roaming\Apple Computer\MobileSync. The information in this file sets up a trust between the computers and includes the following attributes:

DeviceCertificate: This certificate is unique to each device.
EscrowBag: The keybag of EscrowBag contains class keys used to decrypt the device.
HostCertificate: This certificate is for the host who's paired with iOS devices (usually, the same for all files that you've paired devices with, on your computer).
HostID: This is a generated ID for the host.
HostPrivateKey: This is the private key for your Mac (should be the same in all files on a given computer).
RootCertificate: This is the certificate used to generate keys (should be the same in all files on a given computer).
RootPrivateKey: This is the private key of the computer that runs iTunes for that device.
SystemBUID: This refers to the ID of the computer that runs iTunes.
WiFiMACAddress: This is the Mac address of the Wi-Fi interface of the device that is paired to the computer. If you do not have an active Wi-Fi interface, MAC is still used while pairing.

Why does this matter? It's important to know how a device interfaces with a computer. These files can be moved between computers and contain a variety of information about a device, including private keys.

Having keys isn't all that is required for a computer to communicate with a device. When the devices are interfacing with a computer over USB, if you have a passcode enabled on the device, you will be required to enter that passcode in order to unlock the device.

Once a computer is able to communicate with a device, you need to be careful as the backups of a device, apps that get synchronized to a device, and other data that gets exchanged with a device can be exposed while at rest on devices.

Backing up your device

What do most people do to maximize the security of iOS devices? Before we do anything, we need to take a backup of our devices. This protects the device from us by providing a restore point. This also secures the data from the possibility of losing it through a silly mistake. There are two ways, which are most commonly used to take backups: iCloud and iTunes. As the names imply, the first makes backups for the data on Apple's cloud service and the second on desktop computers.

We'll cover how to take a backup on iCloud first.

iCloud backups

An iCloud account comes with free storage, to back up your Apple devices. An iOS device takes a backup to Apple servers and can be restored when a new device is set up from those same servers (it's a screen that appears during the activation process of a new device. Also, it appears as an option in iTunes if you back up to iTunes over USB—covered later in this chapter).

Setting up and checking the status of iCloud backups is a straightforward process. From the Settings app, tap on iCloud and then Backup. As you can see from the Backup screen, you have two options, iCloud Backup, which enables automatic backups of the device to your iCloud account, and Back Up Now, which runs an immediate backup of the device.

iCloud backups

Allowing iCloud to take backups on devices is optional. As you'll see in Chapter 5, Mobile Device Management, and Chapter 6, Debugging and Conclusion, you can disable access to iCloud and iCloud backups. However, doing so is rarely a good idea as you are limiting the functionality of the device and putting the data on your device at risk, if that data isn't backed up another way such as through iTunes. Many people have reservations about storing data on public clouds; especially, data as private as phone data (texts, phone call history, and so on). For more information on Apple's security and privacy around iCloud, refer to http://support.apple.com/en-us/HT202303. If you do not trust Apple or its cloud, then you can also take a backup of your device using iTunes, described in the next section.

Taking backups using iTunes

Originally, iTunes was used to take backups for iOS devices. You can still use iTunes and it's likely you will have a second backup even if you are using iCloud, simply for a quick restore if nothing else.

Backups are usually pretty small. The reason is that the operating system is not part of backups, since users can't edit any of those files. Therefore, you can use an ipsw file (the operating system) to restore a device.

These are accessed through Apple Configurator (which is covered further in Chapter 4, Organizational Controls), or through iTunes if you have a restore file waiting to be installed. These can be seen in ~/Library/iTunes, and the name of the device and its software updates, as can be seen in the following screenshot:

IPSW files

Backups are stored in the ~/Library/Application Support/MobileSync/Backup directory. Here, you'll see a number of directories that are associated with the UDID of the devices, and within those, you'll see a number of files that make up the modular incremental backups beyond the initial backup. It's a pretty smart system and allows you to restore a device at different points in time without taking too long to perform each backup.

Backups are stored in the \Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup\ directory on Windows XP and in the \Users\USERNAME\AppData\Roaming\Apple Computer\MobileSync\Backup\ directory for newer operating systems.

To enable an iTunes back up, plug a device into a computer, and then open iTunes. Click on the device for it to show the device details screen. The top section of the screen is for Backups (in the following screenshot, you can set a back up to This computer, which takes a backup on the computer you are on).

Tip

I would recommend you to always choose the Encrypt iPhone backup option as it forces you to save a password in order to restore the back up.

Additionally, you can use the Back Up Now button to kick off the first back up, as shown in the following screenshot:

iTunes

Viewing iOS data in iTunes

To show why it's important to encrypt backups, let's look at what can be pulled out of those backups. There are a few tools that can extract backups, provided you have a password. Here, we'll look at iBackup Extractor to view the backup of your browsing history, calendars, call history, contacts, iMessages, notes, photos, and voicemails.

To get started, download iBackup Extractor from http://www.wideanglesoftware.com/ibackupextractor. When you open iBackup Extractor for the first time, simply choose the device backup you wish to extract in iBackup Extractor. As you can see in following screenshot, you will be prompted for a password in order to unlock the Backup keybag. Enter the password to unlock the system.

Unlock the backups

Note that the file tree in the following screenshot gives away some information on the structure of the iOS filesystem, or at least, the data stored in the backups of the iOS device, which we'll cover in detail in Chapter 6, Debugging and Conclusion. For now, simply click on Browser to see a list of files that can be extracted from the backup, as you can see in the next screenshot:

View device contents using iBackup Extractor

Note the prevalence of SQL databases in the files. Most apps use these types of databases to store data on devices. Also, check out the other options such as extracting notes (many that were possibly deleted), texts (some that have been deleted from devices), and other types of data from devices.

Now that we've exhausted backups and proven that you should really put a password in place for your back ups, let's finally get to some basic security tasks to be performed on these devices!

Initial security checklist

Apple has built iOS to be one of the most secure operating systems in the world. This has been made possible by restricting access to much of the operating system by end users, unless you jailbreak a device. In this book, we don't cover jail-breaking devices much due to the fact that securing the devices then becomes a whole new topic. Instead, we have focused on what you need to do, how you can do those tasks, what the impacts are, and, how to manage security settings based on a policy.

The basic steps required to secure an iOS device start with encrypting devices, which is done by assigning a passcode to a device. We will then configure how much inactive time before a device requires a PIN and accordingly manage the privacy settings. These settings allow us to get some very basic security features under our belt, and set the stage to explain what some of the features actually do, and how we can set them via a policy in subsequent chapters of this book.

Configuring a passcode

The first thing most of us need to do on an iOS device is configure a passcode for the device. Several things happen when a passcode is enabled, as shown in the following steps:

The device is encrypted.
The device then requires a passcode to wake up.
An idle timeout is automatically set that puts the device to sleep after a few minutes of inactivity.

This means that three of the most important things you can do to secure a device are enabled when you set up a passcode.

Best of all, Apple recommends setting up a passcode during the initial set up of new devices. You can manage passcode settings using policies (or profiles as Apple likes to call them in iOS), which we will cover in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.

Best of all—you can set a passcode and then use your fingerprint on the Home button instead of that passcode. We have found that by the time our phone is out of our pocket and if our finger is on the home button, the device is unlocked by the time we check it. With iPhone 6 and higher versions, you can now use that same fingerprint to secure payment information, which is covered in Chapter 2, Introducing App Security.

Check whether a passcode has been configured, and if needed, configure a passcode using the Settings app. The Settings app is by default on the Home screen where many settings on the device, including Wi-Fi networks the device has been joined to, app preferences, mail accounts, and other settings are configured.

To set a passcode, open the Settings app and tap on Touch ID & Passcode
If a passcode has been set, you will see the Turn Passcode Off (as seen in the following screenshot) option
If a passcode has not been set, then you can do so at this screen as well
Additionally, you can change a passcode that has been set using the Change Passcode button and define a fingerprint or additional fingerprints that can be used with a touch ID

There are two options in the USE TOUCH ID FOR section of the screen. You can choose whether, or not, you need to enter the passcode in order to unlock a phone, which you should use unless the device is also used by small children or as a kiosk. In these cases, you don't need to encrypt or take a backup of the device anyway. The second option is to force the entering of a passcode while using the App Store and iTunes. This can cost you money if someone else is using your device, so let the default value remain, which requires you to enter a passcode to unlock the options.

Configure a Passcode

The passcode settings are very easy to configure; so, they should be configured when possible. Scroll down on this screen and you'll see several other features, as shown in the next screenshot. The first option on the screen is Simple Passcode. Most users want to use a simple pin with an iOS device. Trying to use alphanumeric and long passcodes simply causes most users to try to circumvent the requirement. To add a fingerprint as a passcode, simply tap on Add a Fingerprint…, which you can see in the preceding screenshot, and follow the onscreen instructions.

Additionally, the following can be accessed when the device is locked, and you can choose to turn them off:

Today: This shows an overview of upcoming calendar items
Notifications View: This shows you the recent push notifications (apps that have updates on the device)
Siri: This represents the voice control of the device
Passbook: This tool is used to make payments and display tickets for concert venues and meetups
Reply with Message: This tool allows you to send a text reply to an incoming call (useful if you're on the treadmill)

Each organization can decide whether it considers these options to be a security risk and direct users how to deal with them, or they can implement a policy around these options.

Passcode Settings

There aren't a lot of security options around passcodes and encryption because by and large, Apple secures the device by giving you fewer options than you'll actually use. Under the hood, (for example through Apple Configurator and Mobile Device Management, covered in Chapter 4, Organizational Controls and Chapter 5, Mobile Device Management, respectively) there are a lot of other options, but these aren't exposed to end users of devices. For the most part, a simple four-character passcode will suffice for most environments. When you complicate passcodes, devices become much more difficult to unlock, and users tend to look for ways around passcode enforcement policies. The passcode is only used on the device, so complicating the passcode will only reduce the likelihood that a passcode would be guessed before swiping open a device, which typically occurs within 10 tries.

Finally, to disable a passcode and therefore encryption, simply go to the Touch ID & Passcode option in the Settings app and tap on Turn Passcode Off.

Configuring privacy settings

Once a passcode is set and the device is encrypted, it's time to configure the privacy settings. Third-party apps cannot communicate with one another by default in iOS. Therefore, you must enable communication between them (also between third-party apps and built-in iOS apps that have APIs). This is a fundamental concept when it comes to securing iOS devices.

To configure privacy options, open the Settings app and tap on the entry for Privacy. On the Privacy screen, you'll see a list of each app that can be communicated with by other apps, as shown in the following screenshot:

Privacy Options

As an example, tap on the Location Services entry, as shown in the next screenshot. Here, you can set which apps can communicate with Location Services and when. If an app is set to While Using, the app can communicate with Location Services when the app is open. If an app is set to Always, then the app can only communicate with Location Services when the app is open and not when it runs in the background.

Configure Location Services

On the Privacy screen, tap on Photos. Here, you have fewer options because unlike the location of a device, you can't access photos when the app is running in the background. Here, you can enable or disable an app by communicating with the photo library on a device, as seen in the next screenshot:

Configure what Apps can access your Camera Roll

Each app should be configured in such a way that it can communicate with the features of iOS or other apps that are absolutely necessary.

Other privacy options which you can consider disabling include Siri and Handoff. Siri has the voice controls of an iOS. Because Siri can be used even when your phone is locked, consider to disable it by opening the Settings app, tapping on General and then on Siri, and you will be able disable the voice controls. To disable Handoff, you should use the General System Preference pane in any OS X computer paired to an iOS device. There, uncheck the Allow Handoff between this Mac and your iCloud devices option.

Safari and built-in App protections

Web browsers have access to a lot of data. One of the most popular targets on other platforms has been web browsers. The default browser on an iOS device is Safari.

Open the Settings app and then tap on Safari. The Safari preferences to secure iOS devices include the following:

Passwords & AutoFill: This is a screen that includes contact information, a list of saved passwords and credit cards used in web browsers. This data is stored in an iCloud Keychain if iCloud Keychain has been enabled in your phone.
Favorites: This performs the function of bookmark management. This shows bookmarks in iOS.
Open Links: This configures how links are managed.
Block Pop-ups: This enables a pop-up blocker.

Scroll down and you'll see the Privacy & Security options (as seen in the next screenshot). Here, you can do the following:

Do Not Track: By this, you can block the tracking of browsing activity by websites.
Block Cookies: A cookie is a small piece of data sent from a website to a visitor's browser. Many sites will send cookies to third-party sites, so the management of cookies becomes an obstacle to the privacy of many. By default, Safari only allows cookies from websites that you visit (Allow from Websites I Visit). Set the Cookies option to Always Block in order to disable its ability to accept any cookies; set the option to Always Allow to accept cookies from any source; and set the option to Allow from Current Website Only to only allow cookies from certain websites.
Fraudulent Website Warning: This blocks phishing attacks (sites that only exist to steal personal information).
Clear History and Website Data: This clears any cached history, web files, and passwords from the Safari browser.
Use Cellular Data: When this option is turned off, it disables web traffic over cellular connections (so web traffic will only work when the phone is connected to a Wi-Fi network).

Configure Privacy Settings for Safari

There are also a number of advanced options that can be accessed by clicking on the Advanced button, as shown in the following screenshot:

Configure the Advanced Safari Options

These advanced options include the following:

Website Data: This option (as you can see in the next screenshot) shows the amount of data stored from each site that caches files on the device, and allows you to swipe left on these entries to access any files saved for the site. Tap on Remove All Website Data to remove data for all the sites at once.
JavaScript: This allows you to disable any JavaScripts from running on sites the device browses.
Web Inspector: This shows the device in the Develop menu on a computer connected to the device. If the Web Inspector option has been disabled, use Advanced Preferences in the Safari Preferences option of Safari.