Smartphones are an integral part of almost every aspect of our lives. We use them for an endless number of personal and professional tasks. But with cybercrime on the rise, consumers and businesses alike need to be aware of iOS security risks.
Apple’s iOS is Australia’s most popular mobile operating system. It holds just over 55% of the market share. Due to this popularity, iOS security is vital for protecting your data and identity information.
This guide will examine and assess the security risks involved with using iOS devices. It will cover big topics like:
- identity security
- sensitive data storage and transfer
- operating system updates
- viruses and hackability
- third party app use, including custom-built software.
iOS security overview
You can break iOS security up into three main sections.
Any device relies on a mix of software and firmware to operate. Hackers and malicious actors can modify or subvert this code and take over the device.
Practising good iOS security involves ensuring the bootloaders and operating systems haven’t been compromised.
Data at rest
Data at rest refers to any information stored on your device.
Proper iOS security protects this data with encryption, passcodes, Touch ID, and other functions.
Data in transit
Data in transit refers to any data that is being sent to or from your device.
Good iOS security involves encrypting this data, so it’s unreadable to any party that intercepts it.
These three areas provide an overview of what individuals and businesses need to consider when securing their devices and data.
Vulnerability in any of these areas can lead to identity theft, data breaches, and various other types of cybercrime.
In summary, all devices, stored data and sent data need to be secure.
Taking care of your data starts with configuring your device/s. For businesses that use Apple devices as part of their core operations, this is essential for business continuity, reputation, and in some cases, regulatory compliance.
iOS security updates
One of the best ways to keep on top of your iOS security is to update your devices frequently. Apple releases new versions of iOS each year. However, it doesn’t require mandatory updates.
New software is tested, but often, it’s not until it’s out in the wild that vulnerabilities emerge. This situation can lead to security gaps. For example, in March 2022, Apple released the iOS 15.4.1 update. They also included a call for everyone to update to the new version due to severe security concerns.
Modern software development is complex. These “zero-day flaws” are to be expected with new releases. In the cases of the 15.4.1 fixes, hackers could have been able to control devices, steal passwords, and obtain digital verification signatures and sensitive data.
In light of this, our advice is to:
Turn on automatic updates
Use the latest version of each piece of software. Apple gives its users the option to do updates manually or automatically. However, downloading and installing updates takes a little time. As a result, some users put off updates.
But this procrastination could be costly when it comes to iOS security updates. The latest versions, patches, and fixes address iOS security issues.
Setting automatic updates for businesses that use iOS devices as part of their company fleet is wise. You can’t always know or trust that operatives will do this themselves, so configure your devices so that iOS security updates are automated — or performed remotely.
Test beta versions of iOS
iOS beta versions are available before the full release. It’s essential to stay ahead of the curve and test the beta version.
For businesses, AppleSeed for IT provides a way to evaluate beta and prerelease versions within your particular work environments.
For developers, you should use Developer Preview Programs to test your apps against the upcoming OS releases.
Consumers and businesses should stay in tune with cybersecurity guidance and advice. As new features and functions are released, iOS security information is generated.
Keep an eye on the Apple security updates page. Additionally, watch out for news about flaws, vulnerabilities, and any iOS security updates.
Data, identity, and financial information are all things consumers need to protect. iOS employs encryption across its products to safeguard:
- and user data
For a deep dive into Apple’s methods and practices, you can read the Apple Platform Security guide — a thorough 200+ page document that explains a variety of security concepts and processes.
Apple employs a technology called Data Protection to protect information stored on the device. This technology allows for a balance between safety and responsiveness to incoming information, like calls, emails, messages, and other data.
Data Protection is enabled by default on apps like:
- Other third-party apps
The Data Protection system is controlled on a file basis. Each file is assigned a class. These classes are:
Provides complete protection while the phone is locked
Files are protected unless the phone is unlocked
If the device is not switched on or not yet authenticated, data is inaccessible and encrypted
These files are encrypted on the device but don’t have additional layers of encryption.
You should assign any classified or sensitive information Class A. These measures should include email, file storage, and attachments.
One exception is where emails are being received while the phone is locked. In this situation, emails are assigned Class B encryption during the process, but they are re-encrypted once the phone is unlocked.
How secure is iOS?
It’s important to note that while Apple’s iOS has security risks, it’s one of the most secure systems on the market. Security and privacy are two of Apple’s biggest priorities. When iOS devices are released, the likelihood of being compromised is relatively low.
However, consumers and businesses shouldn’t be complacent. iOS devices have been attacked in the past and will be in the future.
Malware and spyware attacks are more common on other operating systems. However, insecure networks and phishing are two big iOS security concerns.
Cybersecurity is about more than just making sure devices are protected. It’s also about thinking about your online behaviour and how that can leave you vulnerable to attacks.
Another thing to consider about cybersecurity is that there is no such thing as fully safe or secure. As we become aware of and address one vulnerability, sophisticated new attacks emerge. So always try to stay up-to-date on unknown risks.
What should authorising officers do?
The Australian Cyber Security Centre (ACSC) report from the last financial year shows the sheer scale of cybercrime. Self-reported losses totalled $33 billion. Over one in four attacks involved critical infrastructure.
While individual data and finances are at risk, businesses are often targeted because they promise more significant rewards. These rewards could be financial or access to massive data sets and sensitive information.
Organisations face a big risk because of the popularity of Bring Your Own Device (BYOD). These devices can sit outside the control of security professionals. As such, they can represent a potential threat.
The ACSC recommends that organisations and cyber security professionals implement the Essential Eight.
These are a set of practices that the Australian Signals Directorate (ASD) initially developed for Microsoft machines and servers. However, they provide excellent guidance for modern-day smartphones and broader iOS security.
The Essential Eight can help organisations know how to manage:
- company-owned devices they provide their fleet
- BYOD devices used for work
- a general set of practices
Here is a high-level view of these practices:
Application control should be enforced by cryptographic signatures. Administrators should take advantage of iOS security features that allow them to approve particular versions of applications.
Administrators should ensure patches are immediately available for their devices. Additionally, administrators should be able to patch their devices and any supervised devices remotely.
Microsoft Office macros
Microsoft Office macros are a significant vulnerability. iOS doesn’t support these features, but administrators need to keep an eye on new Office for iOS products.
Microsoft disabled Excel macros in 2021. That’s positive news for organisations whose users download Word and Excel files from the internet. However, it’s still an area where organisations need to be cautious.
User application hardening
Organisations should ensure vulnerable apps, like web browsers, do not support Java. Additionally, they should employ content blockers.
Current iOS security protocols restrict admin permissions for users and apps by default. Admins should keep these settings enabled.
Patch operating systems
Just like with applications, you should update iOS patches immediately. Again, administrators should remotely patch relevant devices.
Administrators should authenticate devices and user IDs with 2FA or multi-factor logins.
Daily backups can prevent data loss. Additionally, they can ensure that the information can be retrieved if files are corrupted or devices are lost.
Security risks that come with using iOS devices
As we’ve noted earlier, iOS has many security advantages compared to alternative operating systems. That said, you need to be aware of security risks, whether you’re a business or a consumer.
Here are some areas you should consider and some of the risks associated with non-compliance.
Supervised devices can come in two categories.
a) business-owned devices
b) employee’s personal devices they use for work (BYOD)
Without enabling supervised modes, organisations can’t be sure their controls are being followed. Additionally, if a device is lost or stolen, it can’t be remotely secured.
Supervising iOS devices means organisations can:
- enforce security policies
- monitor device status
- manage Activation Lock
- enable Lost Mode
These settings are essential for devices that hold or send sensitive data. Additionally, they are necessary for devices that interact with your organisation’s systems.
Finally, supervised mode stops data from syncing or backing up on home computers.
Organisations can apply these principles to all devices used for business purposes — company or personally owned.
Cloud-based servers and remote work have increased cybersecurity risks. These days, users connect to company resources from any location and various devices. To access these resources, employees need to sign in via credentials.
During the COVID-19 pandemic, this became one of the biggest cybersecurity vulnerabilities. Many firms had to move quickly to ensure business continuity. As a result, they were unprepared.
However, there are several settings that businesses can consider. They can cover access to the devices themselves and how they interact with company servers and resources.
Stronger lock screens & other options
How consumers or employees access their devices is a big part of iOS security. Many people use a 4-digit code to unlock their smartphones.
Apple does lock the phone completely after ten incorrect attempts. While this rules out attempts to brute force the password, a 4-digit code can still be guessed or stolen. Once the hacker is inside the device, they can wreak havoc.
It’s best to choose a 6-digit or alphanumeric passcode because they are harder to guess or crack.
However, these aren’t the only options available. You can also use things like:
FaceID or TouchID: Using unique biometric data can reduce your device’s chances of exposure.
2FA: 2FA or two-factor authentication is a great way to bump security. When users sign in, they need their password, plus a second method. There are lots of ways to go here, like a temporary code being sent via text, email, or messaging. Bonus points if you can vary the second method to make it less predictable to malicious actors.
Managed opt-in is a great way for organisations to control which applications and devices can access sensitive information. Without this process, unauthorised applications can find their way onto devices. This situation can result in hacks, data theft, and financial losses.
By using managed opt-in, you can ensure that sensitive or classified info is only shared between approved applications.
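The passcode and managed opt-in advice above can be checked against the configuration profile an MDM server pushes to devices. The following Python script is an added example, not part of the original article: it assumes the page's "managed opt-in" corresponds to the Managed Open In restriction keys in Apple's configuration profile format, and the sample profile and the function name `audit_profile` are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not from a real deployment): a 4-digit simple
# passcode policy and no limit on moving documents out of managed apps.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>minLength</key><integer>4</integer>
      <key>allowSimple</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowOpenFromManagedToUnmanaged</key><true/>
    </dict>
  </array>
</dict></plist>"""

def audit_profile(raw: bytes) -> list[str]:
    """Return findings for passcode strength and managed/unmanaged data flow."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads if isinstance(p, dict)}
    findings = []

    passcode = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if passcode is None:
        findings.append("no passcode payload: passcode strength is left to the user")
    else:
        # Acceptable if the policy forces 6+ characters or an alphanumeric code.
        if passcode.get("minLength", 0) < 6 and not passcode.get("requireAlphanumeric", False):
            findings.append("passcode: shorter than 6 and not alphanumeric")
        if passcode.get("allowSimple", True):
            findings.append("passcode: simple sequences such as 1234 are allowed")

    restrictions = by_type.get("com.apple.applicationaccess", {})
    # Both keys default to true (allowed) when absent from the profile.
    for key in ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged"):
        if restrictions.get(key, True):
            findings.append(f"restrictions: {key} is not disabled")
    return findings

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print(line)
```

A profile that sets `minLength` to 6, `allowSimple` to false and both Managed Open In keys to false produces no findings.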
Organisations should perform sensitive data transfers through a VPN. A VPN will provide an extra layer of security for classified information by encrypting data sent over private networks.
These considerations are particularly important in an era of remote work. They can authenticate and authorise users’ devices and applications, alongside managing permissions.
Finally, they can be used for your internal communications and to protect your organisation’s data.
As mentioned earlier, regular backups are important. Without them, lost devices can lead to lost data. While cloud storage has eliminated some of these problems, many businesses and consumers are still losing critical information through corrupted files and device theft or loss.
Devices that store essential data can take advantage of automated backups.
Organisations should use email clients that allow protective marking. Without these settings, the risk is that they could over- or under-classify emails. Under-classified emails could be vulnerable to data theft, giving hackers important financial or sensitive information.
One alternative is to configure servers to allow users to enable protective marking manually.
Mobile device management
Mobile device management (MDM) solutions help businesses keep on top of the devices that connect with their infrastructure. The Apple Business Manager (ABM) is a cloud portal hosted by Apple that lets companies manage their:
- Device Enrollment Program (DEP)
- Apple IDs
- Volume Purchase Program (VPP)
Additionally, it allows businesses to manage how admins are created and what they can control.
This intuitive and straightforward portal can also control how applications are managed. Organisations can quickly vet or deploy the apps used on their connected devices. These policies are beneficial for BYOD situations.
Viruses & hacks
Some people believe that iOS devices can’t get viruses. But if you use Safari, Chrome, or other internet browsers, you can be vulnerable.
iOS devices are designed with protection against viruses in mind. Installing regular iOS security updates helps to stamp out potential vulnerabilities. Turning off cookies and Bluetooth and using a VPN can all protect against viruses and malware.
Hacks are possible too. But installing regular updates, using strong passwords, and practising good internet hygiene will all reduce these chances significantly.
Native apps, by design, have the best iOS security features. However, some of these apps can contain critical information that requires considered protection.
Some of these apps are:
- iOS Calendar
- iOS Camera
- iOS Books
- iOS Contacts
Information stored or transferred from devices that use these apps won’t be afforded adequate security protection. Some of these applications can automatically transfer data (and metadata) or be moved to unmanaged locations.
Organisations with sensitive or classified information should consider using custom-built apps for these functions.
Third-party apps, including custom-built software
Non-native iOS apps can pose a security risk. These apps include any software that Apple does not build.
The big risk with custom-built apps is that they:
- Won’t suitably handle classified/sensitive data
- Won’t have sufficient encryption
- Can expose or mishandle your private data
To be clear, apps are still classed as non-native if they are purchased or downloaded from the App Store.
Businesses that plan to deploy these apps need to test them carefully. These tests need to examine:
- data at rest
- data in transit
- encryption mechanisms
Ensuring these standards are met is the only way to secure your data.
These risks underline the importance of working with tested, reputable custom app developers. At DreamWalk, for example, they have an outstanding track record of designing and developing secure award-winning apps.
Their process uses the best industry practices across strategy, design, development, and maintenance. These processes include providing the best methods for data storage, transfer, and encryption.
iOS security should be a concern for consumers and businesses. While security is a big priority for Apple, iOS devices for personal and business use still carry some risk. With cybercrime becoming more common and more sophisticated, vigilance is essential.
The big takeaway here is to ensure you install iOS security updates. These new versions will fix bugs and patch other vulnerabilities as they are discovered.
Third-party software should only be used when it comes from trusted and reputable custom app developers. Using experienced and knowledgeable developers will ensure that your data storage, transfer, and encryption will be at the level you need to secure classified or sensitive information.