Six ways they can still hack your iPhone
Originally published on the Rubica blog and MSP Insights.
You’ve heard someone say “But I have an iPhone. I know I’m secure.” When choosing devices, security-forward tech pros tend to choose Apple products because of Apple’s control over the entire supply chain, including the App Store. It’s one of the many reasons people think it’s easier to secure an iPhone than an Android device. Last year, however, there were about as many attacks targeting iPhone as Android, and any exploited vulnerabilities are likely to affect all iOS users because of that single supply chain. Android has different manufacturers sharing the same platform, so it’s harder to find a vulnerability that will work across the entire ecosystem.
All the more reason you should be protecting iPhones with an extra layer of security. At Rubica we specialize in plugging security holes for customers and companies so that they can work from anywhere. Having a hardened iPhone makes that possible, so here’s what we tell our IT staff to watch.
Six Steps to secure an iPhone
1. Only download the apps you really need
Choose apps carefully.
- Last year the App Store had to purge apps that contained malware on several occasions; any of these could take down a business that isn’t running security on each employee device.
Do a moment of research.
- Does it look legit? Are there enough good reviews? Is it free? Be especially cautious with apps that request access to sensitive content like your device camera, microphone, and location data. Ensure you’re only giving apps the permissions they need to function.
2. Beware public wifi on an iPhone
- Use a secure VPN like Rubica to encrypt your traffic. That way attackers can’t see data (such as passwords and other sensitive information) flowing between your device and the hotspot. Without it, free or public wifi is by far the greatest security risk to employees and businesses. All of the security controls in iOS can be perfectly functional (and sadly useless) if you connect to a compromised wifi hotspot, where attackers love to launch man-in-the-middle attacks.
3. Use strong iCloud password security
- Always use strong passwords or you leave iCloud accounts vulnerable. You don’t want cybercriminals (or your competition, should corporate data go up for post-ransomware auction) to have access to the company’s photos, files, email, browsing history, calendar and messages.
- Consider a password manager like LastPass or Myki. Strong passwords and multi-factor authentication make it very difficult to hack your account, and they prevent follow-on hacks that use it to gain access to your other accounts and any services or identities joined to them.
4. Fresh software updates
Don’t defer the update.
- I hear your pain. The more you update, the more people have to install and manage that process (with an extra layer of complication for people working from home). But it’s the best protection against the constant cyberattacks looking for holes in a security strategy. Even though Apple continuously releases security updates to their operating systems, there is still a possibility of zero-day exploits. A zero-day attack happens once a software flaw gets exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability—hence “zero-day.”
- As soon as you see it, install it, and teach your team to do the same.
5. Ditch the malicious links
Tap carefully.
- Especially after the coronavirus pandemic, SMS messages, emails, and social media direct messages are ever-more laden with evil links. No matter how many security controls are built into iOS, you can’t prevent a human from getting fooled and tapping something tricky.
- Use an anti-malware app because even smart people use their phones when they’re sleepy, and no one is alert 100% of the time. An anti-malware app like Rubica protects against known phishing links and other constantly-evolving malware.
6. Protect your phone number
Reserve phone numbers for people only.
- A phone number is all cybercriminals need to spy on messages and calls, track locations, and even intercept MFA codes sent through text messages.
Get a burner phone number.
- Consider strategic use of Google Voice or other burner phone numbers for things like company billing and loyalty programs, reserving your real phone number for trusted contacts and need-to-know business associates only.
The next time you hear someone say they don’t need security because they have an iPhone, you’ve got six ways to help them out.
3 years ago: Thank you for sharing, Marco. 6 excellent and simple tips for anyone to keep their iPhone secure.