in Business, private, secure, Tech

Ask HN: How to make iOS more private and secure ?, Hacker News

1.9k Views


            

            

                  

Change the name of your iPhone. The default name may include your actual name, which can be seen in more places than you’d think.

Wipe / reset your iPhone every now and then. There is residual data left on the phone from app / data deletion (left over databases even). A factory reset will clear this, OS updates can help as well. The “Other” section of your iPhone storage is dangerous.

Make sure the emergency feature to disable TouchID / FaceID is enabled. When turned on it kills biometrics until you put in your (hopefully unique and complex) password. Otherwise, biometrics is safer.

Don’t add any mail accounts to the native iOS mail app.

Ensure that access to USB accessories while the phone is locked is turned off.

Work only on LTE and your own private Wi-Fi (your job will have very complex monitoring tools like FireEye). Disable cellular data on any apps that you won’t actively be using.

Backup your iPhone to a secure location when traveling, wipe your phone and then re-build your phone using the backup upon arrival. Destroy the backup after.

Don’t open any shady URLs and make sure you always update iOS. Turn on auto-update.

Security is critical on iOS as some apps have the ability to log you in or restore a session without any sort of credential check. This is despite the fact that unique device identifiers are not supposed to be used by devs.

Protect yourselves!
            

                  

>Security is critical on iOS as some apps have the ability to log you in or restore a session without any sort of credential check. This is despite the fact that unique device identifiers are not supposed to be used by devs.

I’ve noticed this before. How is that possible?
            

                  

Some apps with persistent “anonymous” logins save an identifier to the keychain and sync it with iCloud so that it persists between installations and across devices.
            
            
            

                  

I think the GP means even after uninstalling / reinstalling the app, which should wipe all data from the phone
            

                  

>>Backup your iPhone to a secure location when traveling, wipe your phone and then re-build your phone using the backup upon arrival. Destroy the backup after.

Do you think better it’s is better to have an interim account after reset the phone and before rebuild the phone with the backup?
            

                  

>Don’t add any mail accounts to the native iOS mail app.

Woah, I haven ‘t heard this advice before — is the argument that the native mail app is less sandboxed than an App Store app? If so that makes a lot of sense (especially given P0’s recent exploit chain involving an IMAP client vulnerability), sigh.
            
            

                  

MDM related APIs change so often I just tell people to assume that all the native apps are less sandboxed.

Another thing you can do is to download apps using one Apple ID, then login again to the App Store with a different Apple ID.

The tricky thing about iOS is things are always changing, so precautions that might seem fruitless today may be critical tomorrow.
            
            

                  

Off the top of my head:

– Change your DNS resolver to something you trust

– Use a paid VPN service (bonus points if it disables your internet when it’s not connected to the VPN)

– Enable erasing data after several failed password attempts

– Disable notification previews on the lockscreen / when locked

– Disable Siri, control center, widgets, etc. on the lockscreen / when locked

– Disable Touch / Face ID when entering a risky location (airport, etc.)

– Disable location services, camera, microphone, etc. for every app you can

– Disable sending analytics to Apple and app developers

– Use a privacy conscious search engine (DuckDuckGo, StartPage)

– Install a good content blocker (1Blocker)

– Don’t use apps like Facebook that violate your privacy

That’s all I can think of for now.

                  

Disabling iMessage and JavaScript in Safari would also help, given the recent Project Zero exploits we’ve seen.
            

                  

Disabling iMessage means texts go unencrypted. I’d say that for 99 .9% of threat models, keeping it on is the right move.
            

                  

>(bonus points if it disables your internet when it’s not connected to the VPN)

I believe that, unless the VPN specifically disables it, you can go to any VPN in settings->VPN and enable “connect on demand” – the system will only send data if the VPN reports it’s active. Apps can also request connect-on-demand themselves.
            

 (

                  

I tried using many content blockers (free ones) but not even a single one of them was able to prevent YouTube ads from playing.

Have you any suggestions here?
            

                  

1Blocker X is brilliant. Use the YouTube website, not the app; content blocking only works inside Safari afaict (for instance, Firefox on iOS doesn’t seem to benefit from the content blocker).
            

                  

None of them are going to stop YouTube ads, that’s just not how the built in content blocker works. You might be able to with pinhole but setting that up on mobile is a world of fun …
            

                  

>- Disable Touch / Face ID when entering a risky location (airport, etc.)

Is it going to be a manual disable?
            

                  

You can trigger Emergency SOS (aka “cop mode” – either to call them or to avoid them, tbh) by pressing the power button five times on iPhone 7 and below or holding side button a volume button on iPhone 8 and up. Dismiss the prompt to call 911, and then your phone will be in a state where Touch ID / Face ID is disabled until you successfully use your passcode again.

It appears Wallet still works so you should still be able to get to boarding passes without unlocking the device.
            

                  

VPNs are debatable. While it’s true they’re a better solution for open WiFi networks, remember you’re simply changing who has access to your connection data

It’s not so clear VPN providers , even paid ones have your best interests in mind

For higher levels of security, it would be better the VPN was controlled by yourself
                         

                  

– Change your DNS resolver to something you trust

Does that mean setting up your own DNS server that resolves directly to the root servers?
                         

                  

If you have a Mac, use Apple Configurator to set iOS device-wide MDM / security policies, some of which cannot be set using the on-device Settings app.
                         

                  

I am not sure I fully understand your question. Perhaps restate some of your goals more concretely?

Or link to a longer form post?

For me, I can’t tell if you are looking for some architectural patterns you hope apple will adopt?

Or for a discussion about DuckDuckGo, DNS over https, and VPN usage, Firefox focus, etc?
            

                  

I think it’s fairly clear auslegung is asking about the second. Mentioning “my iPhone” and “Any suggestion is appreciated, I’m willing to at least try it.” doesn’t indicate that auslegung wants to make changes to how iOS is architected.
            

Brave Browser

Payeer

Read More

What do you think?

0 Points
Upvote Downvote

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Broad excited to have front row seat for Archer and Smith battle

Broad excited to have front row seat for Archer and Smith battle

Hong Kong protesters messing with the characters, part 2, Hacker News