- 1Application restriction
- 2Screen lock
- 3Anti-malware tool
- 4Software update
- 5Device encryption
- 6Wi-Fi connection
- 7Location services
- 8Application permissions
- 9Device backup
- 10Remove information
Restrict Installation of Applications from Unknown Sources
Mobile applications distributed from unknown sources have higher risk to contain malicious codes.
iOS users can protect their mobile device from unknown source software by not "jailbreaking" the device. iOS only allows installation of mobile application via the official Apple App Store or the Apple's code signing mechanism.
Function: Detect jailbroken iOS device.
- iTools (Detect jailbroken iOS device, but originally designed for file management in iOS)
Note: You can also identify jailbroken iOS device by manual check
- Search for common apps, such as "Cydia" and "Icy" that are installed after jailbreaking.
- Verify whether any default iOS apps are missing because default apps can be uninstalled on jailbroken iOS device only.
- Recover jailbroken device by making reference to the official Apple website on Use iTunes to Restore Your iOS Device to Factory Settings.
Set Strong Password and Screen Lock
Unauthorised person can access information in an unlocked mobile device without the owner's knowledge.
Purpose: Enable alphanumeric password protection and screen lock -
Step 1: Go to Settings -> Tap Touch ID & Passcode and enter the current passcode if configured -> and enter your old passcode when prompted -> Tap Passcode Options and Choose Custom Alphanumeric Code -> Enter a strong password and tap Next -> Re-enter the password and tap Done
Step 2: Go to Settings and tap Display & Brightness -> Tap Auto-Lock -> Tap 1 Minute -> Back to Settings -> Tap Touch ID & Passcode and enter the password -> Tap Require Passcode -> Tap Immediately
- Set strong password instead of 4 digit passcode for better security, as simple passcode could be easier to guess and trivially peeked by someone around you.
- Create passwords that are easy for you to remember but difficult for others to guess, with assistance of free online tools to learn and practice.
- Don't leave your mobile device unattended.
Use Up-to-date Anti-malware Security Software
Mobile applications and files that look innocent can contain malicious codes and may not be easily noticed by user before it causes significant damages.
iOS users can protect their mobile device from malware attack by not "jailbreaking" the device. iOS only allows installation of mobile application that has been approved by Apple. Apple reviews all applications in the official Apple App Store to filter out malicious software, so the risk of encountering malware on iOS device would be low.
Note: In general, no security tool can perform full anti-malware scan on all files in an iOS device because Apple has enforced a process called sandboxing to prevent third party applications from accessing other application files or making changes to the device.
- Stay alert to symptoms that might indicate a malware infection, such as battery drain, performance clogging, unusual large data usage, etc.
- Be aware that fake anti-malware software and rogue pop-up security alerts are popular ways for tricking users to download malware onto their devices.
Update Operating Systems, Mobile Applications and Browsers
Mobile devices with known security weaknesses are more susceptible to malware infection and other cyber attacks.
Function: Detect outdated iOS, browser and program in mobile device.
- Check and Secure website (Detect outdated Internet browser and plug-in)
- iTunes / Over-the-air (Check for iOS updates)
Purpose: Enable automatic update of mobile application.
Tap Settings and then tap iTunes & App Store -> Turn on Updates in the Automatic Downloads configuration list
- Uninstall end-of-support software products or upgrade to another software product that has security updates.
- Avoid performing sensitive operations, such as online banking, from a mobile device without security updates, as not all iOS devices will support the most recent version of iOS.
- Do not visit suspicious websites or follow the links provided in those websites, as they may force a browser to download files without user's knowledge.
Encrypt Your Mobile Device
Data in a mobile device can be leaked out, if it is lost or stolen.
By default, data encryption is already enabled for iPhone 3GS and later, and for all iPad models. However, you are advised to further secure your iOS device by protecting the encryption key with a strong password.
- Use Find My iPhone feature that allows you to remotely track, lock or erase your iOS device in case it is lost or stolen.
Remove Insecure and Unnecessary Wi-Fi Connection Profile
Mobile devices with insecure Wi-Fi connection profile have higher risks to join untrusted or spoofed Wi-Fi networks automatically.
Purpose: Remove Wi-Fi network profile and disallow iOS device to rejoin remembered Wi-Fi network automatically.
Step 1: Tap Settings and then tap Wi-Fi -> Turn off Ask to Join Networks
Step 2: Locate the Wi-Fi network to forget and tap the Detail Disclosure button -> Tap Forget this network -> Tap Forget
Note: The Wi-Fi network must be in range for it to appear in the list of available networks to forget. If the Wi-Fi network is no longer in range, the user must reset all network settings, which will forget all Wi-Fi networks.
- Avoid handling personal or sensitive information when using public Wi-Fi
- Disable wireless connection after use.
Disable GPS and Location Services
Mobile device allow installed applications and visited websites the ability to know and track user location without users’ knowledge.
- Remove applications required location tracking, if no operational needs.
- Disable GPS function and location services after use.
Remove Mobile Applications that Abuse Sensitive Permissions
Mobile applications, obtained sensitive permissions can perform high risk actions without user knowledge, such as enable camera and send SMS.
iOS users can protect their mobile device from risky mobile applications by not “jailbreaking” the device and only downloading mobile applications from official Apple App Store. iOS has enforced a process called sandboxing to prevent third party applications from accessing other application files or making system changes. Moreover, Apple reviews all mobile applications in the official Apple App Store to filter out malicious software, so the risk of encountering high risk applications on iOS device would be low.
- Before installation, research for whether the mobile application is reputable by researching via public search engine using the application name with other keywords for example "review", "complaints", "compare", etc.
Perform Device Backup
Data cannot be recovered in case of malware infection, hardware failure and device loss.
- Backup regularly and protect your backup data securely.
- Test the restore procedures to ensure the backup data can be restored.
- Assess security risks before synchronising data to cloud services and avoid automatic backup of sensitive data to them.
- Protect your online user account with a strong password and enhanced authentication mechanism such as 2-factor authentication if available, in particular those for cloud backup. Please visit InfoSec website for more good practices on Handling User Account and Passwords.
Remove Personal Information before Giving Away or Selling Your iOS Device
Your personal information can be accessed if the data was not removed properly.
Purpose: Backup the device, logout the cloud service, and erase the content and settings.
- Steps on how to remove your personal information from an iOS device
- You may make reference to the vendor's webpage for transferring content from a current iOS device to a new iOS device.
Disclaimer: The health check settings here are proactive in nature and intended for improving mobile device security, as they may change the user experience and interfere with the functionality and utility of some applications. The exact process for applying the security features during the health check will vary between different products. It is recommended to follow the instructions contained in the user manual provided at the official website of the manufacturer where possible.
Users are also recommended to observe the Important Notices of CSIP and read the user agreements and privacy policies of the security software and tools before download and use them.