What could happen to your personal data if you lose your mobile device? It depends on what security you have in place.
Defense in depth is a security concept whereby an attacker must clear multiple hurdles before reaching a target. With that in mind, let’s walk through the hurdles someone must overcome to reach your data if your iOS device is lost or stolen. Even if you don’t own an iOS product, compare the following protections with what your own mobile platform offers.
Image: High security! (chris whitehouse) / CC BY-SA 2.0
The first hurdle is the passcode required to unlock the device. Make sure you have one set, that it is strong, and that it is not one of the commonly used PINs (1234, 0000, 1111, and the like).
For a stronger passcode, go to Settings > General > Passcode Lock and turn off the Simple Passcode option (on later iOS versions the same control is under Settings > Touch ID & Passcode or Face ID & Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code). Simple Passcode limits you to a 4-digit number, which gives only 10,000 possible combinations. Create a passcode of at least 8 characters using upper- and lowercase letters, numbers, and symbols. With an English keyboard on iOS you have 52 letters, 10 digits, and 23 symbols, so 85 choices per position and 85^8, roughly 2.7 × 10^15 (about 2,724 trillion), possible combinations.
The practical difference is even larger than the raw counts suggest. The iOS Security whitepaper describes the passcode being tangled with a key held in the device’s hardware, with the derivation calibrated to take about 80 ms per attempt, so guesses have to be made on the device itself and cannot be offloaded to faster hardware. At that rate all 10,000 four-digit PINs can be tried in about 13 minutes, while 85^8 guesses would take millions of years.
Enabling the Erase Data option on the Passcode Lock screen wipes the device after 10 failed attempts, which shuts down passcode guessing at the lock screen altogether (iOS already imposes increasing delays after repeated failures). Your own mistyped attempts count too, so keep a current backup.
None of this protection will help if you are using a common PIN or have not set your passcode.
Many apps provide an app passcode that restricts access to the app itself; Evernote is one example. The same rules as above apply, and be sure to use a passcode different from your device passcode. This is a genuine additional obstacle only if the app uses the passcode to protect its data (for example by deriving the encryption key from it); an app passcode that merely gates the user interface does nothing against someone reading the filesystem directly, as the next section describes.
File System Access
You have set strong passcodes, so can the attacker still get at your data? Yes. Unless the device has been erased, the filesystem is still there, and with jailbreak techniques and third-party tools run from a desktop computer it is possible to read it directly without unlocking the device. The data itself must therefore be secured.
App data that has been encrypted properly cannot be understood without the right key. Many apps secure their data directly with industry standard techniques such as AES and public key cryptography, so filesystem access alone yields ciphertext that can only be turned back into readable text with the proper key. The catch is key management: if the key is hard-coded in the app binary or written to the filesystem next to the data, the same filesystem access recovers it and the encryption buys nothing. The key should instead be derived from the app passcode (with a random salt and an iterated derivation such as PBKDF2) or held in the iOS Keychain under a protection class that keeps it unavailable while the device is locked. This is what makes strong app passcodes matter. Make sure that any application you use to store personal data such as bank accounts, medical information, or other Personally Identifiable Information (PII) uses strong encryption and can tell you where its key comes from.
Apple requires any app that uses strong mass-market encryption (any industry standard algorithm with more than 64-bit symmetric keys, such as AES-256, or more than 1024-bit asymmetric keys) to confirm that it has been registered with the U.S. Department of Commerce Bureau of Industry and Security before it is approved for sale in the App Store. Be careful what you read into this. It is an export-control requirement, not a security review: it tells you the publisher has declared that the app uses such algorithms, and nothing about whether keys are derived properly, stored safely, or used in a sound mode. Treat it as one more question to ask the publisher, not as evidence that your data is secure.
Another option for securing app data is Apple’s Data Protection API, available since iOS 4. It protects app data at the file level without any custom encryption code from the publisher: the app sets a protection class on each file (for example the NSFileProtectionComplete attribute), and iOS encrypts the file with a per-file key that is itself wrapped by a key derived from the device passcode. Data protection must be enabled by the app and only works if a device passcode is set. Two caveats: in iOS 4 through 6 the default class for third-party app files was NSFileProtectionNone, so an app had to opt in explicitly (from iOS 7 the default became NSFileProtectionCompleteUntilFirstUserAuthentication, which protects files only until the first unlock after boot); and under NSFileProtectionComplete the file is unreadable while the device is locked, so the app must be written to cope with that, which is also what makes it the right class for data you want to stay encrypted if the device is lost while locked.
Is it safe?
Consider the obstacles above the next time you enter data into your mobile device. How safe is that information? Think about which apps store which data and how well each one protects it. If you are not sure what encryption an app publisher uses, if any, ask them: you are the customer and you have a right to know, and “we use AES” is only half an answer until they say where the key lives. Use strong, different passcodes for your device and your apps. Finally, think twice about the apps you install to make sure they are not misusing your personal or device data.
iOS Security Whitepaper
AQ Toolkit CommonCrypto – provides crypto functions for iOS developers
Protecting Data Using On-Disk Encryption – iOS App Programming Guide