How secure is the iPhone?

M.Sc. Jan Hörnemann


Apple has been focusing on maximizing privacy for years and has already introduced many new features for this purpose. Examples include the private relay, a kind of integrated VPN, as well as advanced encryption and the so-called blocking mode. But what are all these features really good for, and how secure is the iPhone from external attacks?

This is exactly the question we asked ourselves, and today we would like to take a look at how well the iPhone is actually secured with its privacy options. Which features really help to maintain data sovereignty and where is Apple possibly still cheating?

5 typical attack surfaces on the iPhone

Before we get into protective measures on the iPhone, let’s first go through possible attack surfaces. There are also a few areas on the iPhone that have experienced security problems in the past and are known to repeatedly reveal vulnerabilities.

Some are obvious, others rather inconspicuous. In fact, however, the iPhone has always had to deal with corresponding leaks, gaps, and risks in its history.

1. Calendar invitations

The calendar on the iPhone carries risks. Calendar invitations from strangers, and even calendar subscriptions, can be used to deliver phishing and spam. So, if appointments appear in your calendar that seem strange, you should unsubscribe from the corresponding calendars or ignore the appointments completely. In any case, something is wrong if dates appear in the calendar that you did not knowingly create yourself. Caution is advised.

2. Configuration profiles

With the still relatively new configuration profiles, DNS and VPN connections can be added under iOS. As long as they are trusted profiles, this is helpful and handy for not having to fiddle around with the network settings. However, a profile can also set up connections that are undesired or diverted, so that your traffic can be viewed by attackers. Configuration profiles are also used in educational institutions. There, they provide several devices with the same settings and allow an administrator to manage them.

If neither of these applies to you, you should not have a corresponding configuration profile installed on your iPhone. If there is still one in the profile management, something is wrong, and it is probably a malicious profile that has been installed via an undetermined source and without your knowledge.
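To make concrete what a profile can change, the following added example (not part of the original article) audits a configuration profile file for payloads that reroute or expose network traffic. It assumes the profile is available as an unsigned plist; a signed profile has to be unwrapped from its CMS envelope first. The function name audit_profile and the sample profile are constructed for illustration.

```python
import plistlib

# Apple payload types that change where traffic goes or who can read it.
NETWORK_PAYLOADS = {
    "com.apple.vpn.managed": "VPN",
    "com.apple.dnsSettings.managed": "DNS",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.security.root": "root certificate",
}

def audit_profile(data: bytes) -> list:
    """Return one finding per network-relevant payload in a .mobileconfig plist."""
    profile = plistlib.loads(data)  # accepts XML and binary plists
    findings = []
    for payload in profile.get("PayloadContent", []):
        kind = NETWORK_PAYLOADS.get(payload.get("PayloadType"))
        if kind is None:
            continue  # e.g. passcode policy: not a traffic redirection risk
        endpoint = None
        if kind == "DNS":
            dns = payload.get("DNSSettings", {})
            endpoint = dns.get("ServerURL") or dns.get("ServerName")
        elif kind == "VPN":
            # IKEv2 and IPSec keep the server in a dict named after VPNType;
            # other VPN types are reported without an endpoint.
            endpoint = payload.get(payload.get("VPNType", ""), {}).get("RemoteAddress")
        elif kind == "global HTTP proxy":
            endpoint = payload.get("ProxyServer")
        findings.append({"kind": kind,
                         "name": payload.get("PayloadDisplayName"),
                         "endpoint": endpoint})
    return findings

# Constructed sample profile (example.net hosts are placeholders).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Sample profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.dnsSettings.managed", "PayloadDisplayName": "DNS",
         "DNSSettings": {"DNSProtocol": "HTTPS",
                         "ServerURL": "https://dns.example.net/dns-query"}},
        {"PayloadType": "com.apple.vpn.managed", "PayloadDisplayName": "VPN",
         "VPNType": "IKEv2", "IKEv2": {"RemoteAddress": "vpn.example.net"}},
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
         "PayloadDisplayName": "Passcode"},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

Any finding for a profile you did not knowingly install is a reason to remove that profile.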

3. Security vulnerabilities

Apple is known for providing even aging iPhones with updates. This is amazing and one of the main arguments for the security of Apple devices. Unlike Android devices, where it is often unclear whether there will be any updates from the manufacturer after the purchase, Apple actively takes care of the development of iOS and then also makes the updates available for older devices.

However, if you do not install updates, you risk leaving security vulnerabilities open. These are also found on iOS from time to time, and sometimes they are publicly disclosed in iMessage or other apps. Only the appropriate security updates ensure that an iPhone remains secure. Those who forgo them inevitably put themselves in danger.

4. Sideloading

Sideloading bypasses the restrictions of the App Store. It is clear that such apps also bring potential security vulnerabilities with them. Currently, it is being discussed whether Apple will soon be forced to allow sideloading by the EU’s Digital Markets and Service Act. Sideloading bypasses Apple’s quality assurance, so apps can be made available without Apple’s control. At the same time, that control is itself a point of criticism, since Apple decides what is offered in the App Store and restricts the freedom of app developers.

5. Fake apps

It rarely happens, but every now and then fake apps are approved in the App Store. However, since the apps run in a kind of sandbox and never get full access, the damage is usually limited. Mostly it is about fake subscriptions or other scams. Especially in the area of phishing, scams and spam, however, this can be extremely unpleasant for those affected, especially if the iPhone is also used for business purposes. So don’t fall for supposed virus scanners or apps that redirect you to strange websites. You should also always question where and how you provide an email address.

4 tips for more security on the iPhone

In order to protect your own iPhone accordingly, it is recommended to use the already integrated functions for this purpose. Apple has been focusing on data protection for quite some time, as mentioned before, and has also enabled some features that are directly related to it. Among other things, this also includes the blocking mode.

1. Use blocking mode on iPhone

Roughly speaking, blocking mode on the iPhone (called Lockdown Mode in Apple’s English-language settings) disables some APIs and basic functions that could potentially be insecure, among them attachments in iMessage and FaceTime calls from unknown contacts. The blocking mode thus blocks features on the iPhone that could be exploited in a cyberattack.

2. Remove unused apps

If an app is not used, it should be removed. Every app can have a security hole or vulnerability, and some require extensive permissions. If the app is never or hardly ever used, there is no reason to keep it installed on the iPhone. At best, it is simply orphaned; at worst, this very app is a real vulnerability on your iPhone. Remove any apps that you don’t use at least once a month to be on the safe side.

3. Activate extended data protection

Recently, Apple has also added a feature called extended data protection (Advanced Data Protection in Apple’s English-language settings). Basically, this involves end-to-end encryption of iCloud. There are minor exceptions, but on the whole, Apple is finally bringing the long-awaited end-to-end encryption for iCloud to the iPhone. This means that most data can really no longer be intercepted or viewed by third parties. In the broader context, this also increases data security on the iPhone itself. The extended data protection is activated in the iCloud settings. You can find out more about this directly from Apple on the corresponding support page.

4. Do not forget browser data

Often underestimated is the data that the browser reveals. Whoever gets hold of this data knows exactly which websites you visit and, as a result, where you may be registered or with which bank you have an account. Anyone who cannot rule out the possibility of third parties gaining access should therefore regularly delete the browser data. This can be done in the settings of Safari. However, it would be even better to use a private browser like DuckDuckGo. There, the corresponding data is not stored at all or at least completely removed afterwards at the push of a button.

Knowledge creates security on all devices

With our hints, it should have become clear where you need to look for vulnerabilities and where to find them, should they exist. This keeps the risk areas in view, and with the extended privacy settings and the blocking mode, the iPhone is already appropriately sealed off anyway. The blocking mode in particular is worth its weight in gold when it comes to increased security.


M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001).