Security made by Apple

12 10 2013

Today smartphones are often used to save all the data you need in the digital world. Ring binders, box files, and slips of paper are out. Your device then might be more valuable than your wallet containing cash and credit cards.

Huffington Post reports that about 1.6 million iPhones were stolen in the U.S. last year. UK magazines report that over 160 iPhones and over 314 mobile phones are stolen in London every day. Law enforcement has previously criticized Apple and other mobile phone providers for not offering better mobile phone security or embedding persistent technology that renders phones inoperable once they are stolen.

Finding technical solutions that will remove the economic value of stolen smartphones is critical to ending the violent street crimes commonly known as ‘Apple Picking’.

You can count yourself lucky if a less sophisticated thief simply takes your device to make some free calls before you can report the theft and your carrier blocks the SIM card. Then he sells your device and the proud new owner begins setting it up as a new iPhone with a new Apple ID.

But there are also very bad guys behaving like terrorists and trying to destroy everything they are able to. A victim could suffer humiliation, identity theft, and lifetime suspension from services and social networks.

Losing a device with sensitive data may compromise your identity in the digital world, followed by severe problems with the law.

At WWDC 2013, Apple unveiled Activation Lock, a new feature in iOS 7 that locks stolen phones even after thieves wipe them.

Apple’s Craig Federighi (CEO Software Development) …
We think this is going to be a really powerful theft deterrent.

Apple on its website …
Losing your iPhone feels lousy. Thankfully, Find My iPhone can help you get it back. But if it looks like that’s not going to happen, new security features in iOS 7 make it harder for anyone who’s not you to use or sell your device. Now turning off Find My iPhone or erasing your device requires your Apple ID and password. Find My iPhone can also continue to display a custom message, even after your device is erased. And your Apple ID and password are required before anyone can reactivate it. Which means your iPhone is still your iPhone. No matter where it is.

First, let’s have a look at the features iOS already offers to keep your data from being compromised.

  • 1 Using a string-based complex Unlock Code
  • 2 Activating Apple’s Find My iPhone service
  • 3 Setting up Restrictions with an unlock code different from the device’s unlock code

Additionally, a secure password keeper like 1Password is an indispensable tool if you save credentials for banking accounts, e-mail accounts, and websites on your device, which is frequently done because your mobile device is always with you.

1 Using an Unlock Code …

Device Access …

iOS supports flexible security policies and configurations that are easily enforced and managed. This enables enterprises to protect corporate information and ensure that employees meet enterprise requirements, even if they are using devices they’ve provided themselves (BYOD).

Passcode Protection …

In addition to providing a cryptographic protection, passcodes prevent unauthorized access to the device’s UI.

By default, the user’s passcode can be defined as a four-digit PIN. Users can specify a longer, alphanumeric passcode by turning on Settings – General – Passcode – Complex Passcode. Longer and more complex passcodes are harder to guess or attack, and are recommended not only for enterprise use.

By setting up a device passcode, the user automatically enables Data Protection. iOS supports four-digit and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides the entropy for encryption keys, which are not stored on the device. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.
The passcode is tangled with the device’s UID (the unique identifier of your device), so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5 years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers, or 21 years for a nine-digit passcode with numbers only.
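
As an added illustration of the two properties described above (not Apple's implementation and not code from the original article): PBKDF2 from Python's standard library stands in for the hardware key derivation, a random 32-byte value stands in for the device UID, and all function names are hypothetical.

```python
import hashlib
import os
import time

TARGET_SECONDS = 0.080          # per-attempt cost quoted in the text
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(passcode: str, device_uid: bytes, iterations: int) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 salted with a per-device secret stands in
    # for tangling the passcode with the UID; the result is never stored.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid,
                               iterations, dklen=32)

def calibrate(device_uid: bytes, target: float = TARGET_SECONDS,
              probe: int = 20_000) -> int:
    # Time a probe derivation on this machine, then scale the iteration
    # count so that one attempt costs roughly `target` seconds.
    start = time.perf_counter()
    derive_key("probe", device_uid, probe)
    elapsed = time.perf_counter() - start
    return max(1, int(probe * target / elapsed))

def exhaust_seconds(alphabet_size: int, length: int,
                    per_attempt: float = TARGET_SECONDS) -> float:
    # Worst case: every passcode of this shape is tried, one after another,
    # on the device itself (no parallel or off-device guessing).
    return alphabet_size ** length * per_attempt

if __name__ == "__main__":
    uid_a, uid_b = os.urandom(32), os.urandom(32)   # constructed device secrets
    n = calibrate(uid_a)
    t0 = time.perf_counter()
    key_a = derive_key("a1b2c3", uid_a, n)
    print(f"{n} iterations -> {time.perf_counter() - t0:.3f} s per attempt")
    # Same passcode, different device secret: the keys do not match, so a
    # guess checked away from the device proves nothing.
    print("keys differ across devices:", key_a != derive_key("a1b2c3", uid_b, n))
    print(f"4-digit PIN: {exhaust_seconds(10, 4) / 60:.1f} minutes")
    print(f"6 chars, a-z and 0-9: {exhaust_seconds(36, 6) / SECONDS_PER_YEAR:.1f} years")
```

The four-digit figure shows why a longer alphanumeric passcode is the recommended setting.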

To further discourage brute-force passcode attacks, the iOS interface enforces escalating time delays after the entry of an invalid passcode at the Lock screen. Users can choose to have the device automatically wiped after 10 failed passcode attempts.


For details about passcode policies, see the iPhone Configuration Utility documentation.

For more details on further suitable settings for your device, see my blog post ‘Emergency Guide’.

The article contains download links for the related mind map visualizing all recommended settings.

2 Activating Find My iPhone service …

The first thing you will probably do is check where your mobile device actually is by using Apple’s Find My iPhone service. But if the thief is at all smart, he won’t give you a chance to find your iPhone or iPad. Instead of leaving Find My iPhone on, the thief might turn it off and/or factory reset/wipe the device himself. If the goal is to resell the device and not steal your personal information, this method is pretty handy.

You’ve never heard of Apple’s Find My iPhone feature?

Here is a short visualized description.

These settings only work after turning on iCloud.
Admittedly this feature only works if your iPhone (or iPad) is connected to the internet.
So don’t forget to activate the option ‘Notify me when found’.

3 Setup Restrictions …

You find this security feature by going to Settings – General – Restrictions. There you can prevent different settings of your device from being changed. If a thief has already hacked the device’s unlock code, he is confronted with another barrier: the 4-digit passcode for restrictions. If you use this recommended feature, enter a 4-digit passcode that is different from your device’s unlock code to improve security. See my mind map ‘Emergency Guide’ for details about the functions for which access should be restricted or, in other words, for which changes are not allowed.

There is no question that you usually will not get your iPhone back if it’s stolen. Additionally, many thieves are professionals, so your iPhone will usually be reset to factory settings and all the actions you took to secure your device are useless.

What did Apple add to iOS 7?

The new feature ‘Activation Lock’, which works alongside Find My iPhone, should make it much harder for iPhone thieves to use or even resell stolen phones. If the thief hacked your unlock code and wants to resell the iPhone, he usually goes to Settings – General – Reset and resets all settings. That means the iPhone can be easily activated with a new Apple ID.

Activation Lock in iOS 7 won’t let that happen, because your iPhone is now bound to your Apple ID and cannot be reactivated without this ID and the related password. This makes iPhones worthless to thieves (for the time being!).


It starts working the moment you turn on Find My iPhone. With Activation Lock, your Apple ID and password will be required before anyone can:

  • Turn off Find My iPhone on your device
  • Erase your device
  • Reactivate and use your device

This can help you keep your device secure, even if it is in the wrong hands, and can improve your chances of recovering it. Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.

We have to keep in mind that the efficacy of activation lock as a deterrent is directly tied to how many potential thieves know it exists. Few bad guys are going to think twice about snatching iPhones until many bad guys know that they won’t be able to sell the things afterwards.

This feature is only available for devices compatible with iOS 7. That means the iPhone 4, iPhone 4S, iPhone 5, iPad 2, iPad 3, iPad 4, the iPad Mini, and the iPod Touch 5th generation and up are all compatible. Everyone else will need to keep a better eye on their stuff.

Requirements …

Does activation lock mean that you never can resell your iPhone if you upgraded to a newer model?

No. Activation lock can be removed by going to Settings – General – … and deactivating the feature by entering your Apple ID and your password. This must be done before reselling the device!

Reselling your device …

Before you resell your device follow these steps:

Method 1
You can remove all settings and information from your iPhone, iPad, or iPod touch by going to Settings – General – Reset and tapping on Erase All Content and Settings.

If you wish to recover the data again, ensure that you have an iCloud or iTunes backup and that it’s up to date.

Newer devices running on iOS 5 and later support hardware encryption. Erasing the device means removing the encryption key that protects the data. This process takes just a few minutes.

Method 2
Use iTunes to restore your iPhone to factory settings.

Plug the phone into a computer running iTunes and wait for it to appear in the ‘Devices’ section of the iTunes sidebar. Select the iPhone from the sidebar and then make sure you’re on the ‘Summary’ tab. Under ‘Version’ select ‘Restore’. You’ll receive a pop-up dialog informing you that this step will erase your phone and reset it to factory settings. Click Restore to continue.
iTunes will now download the latest firmware for the iPhone, which may take several minutes depending on your connection speed. Once downloaded, iTunes will automatically begin the restore process during which your phone will reboot twice. After the process is completed, the phone will appear in iTunes as a new device and ask you for a device name. Before entering any information, disconnect the phone. It has now been wiped of your personal information and is ready for sale.

Reset …

Keep in mind that a reset to factory settings (with all data being erased) is different from the reset that is necessary if the device gets stuck, meaning it’s not responding or not operating as expected. This troubleshooting assistant can help you resolve these most common issues:

  • Display remains black or blank
  • Touch screen not responding
  • Application unexpectedly closes or freezes

Since it fits the context, here are the steps to reset your device without erasing data:

Press and hold the Sleep/Wake button and the Home button at the same time for at least 10 seconds, until the Apple logo appears.

To just restart the iPhone (after it gets stuck), first turn the iPhone off by pressing and holding the Sleep/Wake button until a red slider appears. Slide your finger across the slider and the iPhone will turn off after a few moments. Next, turn the iPhone on by pressing and holding the Sleep/Wake button until the Apple logo appears. Then enter your passcode and the PIN of your SIM card.

An overview …

Over the years Apple has improved its security features, and today its computer operating system OS X as well as its mobile operating system iOS are seen as the most secure approaches on the market. See this overview of security features of all components of Apple’s ecosystem.

Feel free to download this map from my Box account.

The alternative file formats have been created with iThoughts for iOS (.ITMZ file format). Compatibility to other tools is limited. The DOCX file format is suggested for those who don’t use a mind mapping tool. The file contains the image as well as a detailed outline of all topics.

Application and file format:

  • Adobe Reader: PDF
  • Apple iWork/Microsoft Word: DOCX
  • iThoughts: ITMZ
  • MindManager: MMAP
  • XMind: XMIND

Summary …

Activation Lock is a first step to reduce crime caused by smartphones. It’s another innovative step of the company and other manufacturers have to follow.

Nothing is really secure today. It’s an ongoing fight between hackers improving their knowledge and companies finding the (ultimate) next step to protect users from attacks. So it’s only a question of time until professional thieves figure out a way to circumvent Apple’s new anti-theft solution.

So even with Activation Lock, I recommend keeping a watchful eye on your device, which is the best added protection besides all the other security settings mentioned in my mind map ‘Emergency Guide’.

Related links …

The Apple ID

Every app is an island

2-Step Verification

Fingerprint Technology

Emergency Guide

Apple about iOS Security
for more technical details of the operating system.

Glad to have you here on iNotes4You.
Thanks for visiting my blog.

