Binarycse Blog

Once the iPhone connects online through Wi-Fi or the mobile network, it has all of the same vulnerabilities as any networked device; unencrypted data could be intercepted by casual hackers or proactive identity thieves. At press time, the iPhone hadn’t received any large-scale attacks or viruses, but you should still protect your data as a precaution.

Many iPhone features and Internet services offer ways to encrypt your data, but you have to turn them on (or make sure they’re already on) to stay safe. We’ll explain how to protect email, passwords, and other sensitive details no matter where you connect.

Use Email Securely

Internet email began as a trusted service, with both sides of a conversation expecting the recipient to be who he or she claimed to be. Encryption came as an add-on, and while common now, certain mail hosts offer different ways of enabling the feature.

When your iPhone (or any other device) checks your email, it can encrypt your login information as well as messages sent and received to prevent any snoopers from reading your email or intercepting your password. Use encryption, which the iPhone calls SSL (secure sockets layer), as long as your email provider supports it. The iPhone switches this on by default.

Some providers call SSL by its current, formal name, TLS, which stands for “transport layer security.” Check with your email provider to be sure it uses this protection, whatever name it goes by.

Of the preset account types recognized by the iPhone—Microsoft Exchange, apple’s MobileMe, Gmail, Yahoo Mail, and AOL— almost all offer SSL support to varying degrees. Exchange servers require complete SSL; MobileMe supports SSL for receiving and requires it for sending; Gmail requires it for both; and AOL requires it for sending but makes it optional for receiving. SSL doesn’t yet work with Yahoo Mail on the iPhone. The only reason not to use SSL would be because your email provider doesn’t support it; otherwise, verify that it’s on. From the home screen, tap Settings > Mail Contacts, Calendars, then tap the name of the account you want to check. To make sure you are receiving email securely, scroll down and tap Advanced. Under Incoming Settings, make sure that Use SSL is switched on.

To make sure you’re sending email securely, tap the account name to return to the previous screen, then scroll down to the Outgoing Mail Server, and tap on the server name (in case there are more than one). Make sure that Use SSL is switched on.

You can’t miss that SSL slider. Leave it on unless your mail provider doesn’t support it.

Yahoo Mail uses a proprietary login method called XYMPKI. In July 2007, security researcher Dave Cridland discovered that part of that method involved sending login name and password without encrypting them, which could enable a hacker to access your email by “sniffing” (recording) the login sequence, then replaying it later. Until SSL is enabled on the iPhone, avoid checking 
Yahoo Mail on an open (that is, unencrypted) network until Apple and Yahoo announce an update.

Use Webmail to Retrieve Messages Securely 

Look for the lock on the icon to verify security.

Occasionally, you might find that a Wi-Fi access point firewall won’t allow you to contact your mail server. Try using your email provider’s webmail interface in Safari, but keep the transmission secure with SSL. Two indicators that SSL is working in Safari are that the website’s URL begins with “https://” instead of “http://” and a lock icon appears to the right of the URL.

Not every webmail provider offers secure webmail. Of the main iPhone options—MobileMe, Gmail, Yahoo, and AOL—only Gmail offers a secure web connection athttps://mail.google.com/mail/. (However, if you use Exchange or a different ISP, contact your administrator to see whether a secure webmail solution exists for you.)

Some websites, such as www.mail2web.com allow you to check another provider’s email with an SSL-encrypted connection. This can be secure as long as the website offering the service is also secure itself. Mail2web connects to all of the services we tried besides Yahoo, which doesn’t allow you to check your email with other programs unless you pay for to its Yahoo Mail Plus service ($19.99 a year, mailplus.mail.yahoo.com).

Encrypt Email 

If you’re close enough to friends that you have a secret language, they can retrieve an encrypted mail by answering a question only they know.

Security experts like to say that sending email is like using a postcard. Anyone can read it in transit. However, using encryption on an email message is like putting a letter into an envelope. It’s not totally unbreakable (otherwise, how would your recipient read it?), but very strong encryption provides good enough security for people who prefer their communications to be private. With well-encrypted email, even if someone intercepts a message, it could take years to decrypt the contents,  if they’re successful at all. OpenPGP is the de facto standard for encrypted email, although most people call it PGP (Pretty Good Privacy for short).

Right now there’s no way to encrypt your email using PGP on the iPhone through the Mail program. Instead, consider using Hushmail, which supports PGP encryption. It’s a webmail service, so you can access it from Safari.

With PGP, a public key is used only to encrypt mail; it has no function for unlocking messages. Only the recipient’s private key can open the data. That way, anyone can protect a message sent to you, but only you can read it. Ordinarily, to send email to a PGP user, you tell your mail program about this person’s public key. Hushmail works a little differently, by keeping the encryption transparent to users.

Hushmail users can send encrypted messages to other Hushmail users or to people who have uploaded their public keys to Hushmail. A slightly less secure option hides encrypted messages on the Hushmail server and emails the recipient with instructions on how to retrieve the message by answering a security question correctly. After five incorrect guesses, access is denied.

There are some catches to using Hushmail on the iPhone’s version of Safari. Before starting, be sure to close all other open Safari pages. When composing a message, once you tap the Send button, you’re not done; tap the pages icon in the lower-right and switch to the main Hushmail page. If you don’t, the message won’t send.

Hushmail is free, but it also offers subscription services, enabling 250MB of storage, access to customer support, and assurance that your account won’t be deleted due to inactivity. Hushmail is also working on a mobile Web client, but nothing yet for the App Store.

When you connect to Wi-Fi, if no password is required to join the network, anyone can sniff your packets. This means that an eavesdropper within physical range of your network can listen in on anything that’s sent or received. If your iPhone is set to check email automatically, you might reveal sensitive data by joining such an open network, especially if you don’t use SSL. (If you do use SSL, intercepted communications will be garbled by that encryption.)

Under Settings > Wi-Fi, there’s an option called Ask to Join Networks. However, this option only does what it says the first time you connect; whether you have this option on or off, the iPhone will never ask before rejoining a network with the same name.
So, if you visit a network with a common name, like “linksys,” your iPhone will automatically join every network it discovers with that name. In a single cab ride, you could unintentionally expose your iPhone to dozens of networks with the same name.

If you use Wi-Fi at home, make sure your network has a unique name, so when you’re away from home, you don’t have to worry about someone else having the same name for their Wi-Fi network.

You can also tell the iPhone to stop automatically joining a nearby network by tapping Settings > Wi-Fi > The network’s name, then tapping Forget this Network.

If you plan to join an open network and aren’t using SSL in email, turn off automatic email checks by tapping Settings > Fetch New Data > Manually. Then join the network, and don’t check your email. Restrict your activity to things that don’t reveal sensitive data, like reading websites or playing Hold’Em.
Enable Show SMS Preview to see the beginning of an incoming text message before you’ve entered your passcode.

If you lose your iPhone, or if a thief manages to slip it out of your pocket, all of your email and data are in someone else’s hands. Stop them from peeking by locking your phone with a passcode.

It’s really easy to set up. Tap Settings > General > Passcode Lock, and set a 4-digit passcode by entering it twice. Just be sure to pick a different PIN than the one you use for your bank card.

Tap Require Passcode to change the duration of idle time before the iPhone asks for the passcode again, saving yourself from annoyance. As Apple suggests, a shorter time period is more secure. Chances are, you’ll be the one entering the code most frequently, so try to strike a balance between convenience and the need for security.

Keep in mind, however, that if someone wants to return your lost phone or contact your family in an emergency, they’ll be stuck at that input screen. To fix this, on your computer, use an image editor to create a picture containing your contact info. Email the graphic to your phone, and set it as wallpaper. Those details will appear behind the passcode prompt.

Use A VPN 

If VPN setup gets too complicated, talk to your job’s IT administrator or VPN provider for help.

Suppose you’ve found Wi-Fi access that you don’t trust, but you really need to check your email. As with a computer, you can encrypt your traffic by using a Virtual Private Network. The VPN sends all incoming and outgoing data to a server on another network, all while using encryption. Most people use this to pretend that they are on a network that they’re otherwise not connected to, such as reaching an internal office file server while away. But it has the added benefit of encrypting the connection, making it useful for people that use lots of open Wi-Fi networks.

The iPhone supports three VPN protocols (each of which are good): Cisco IPSec, L2TP over IPSec, and PPTP. If you are already running one of these at home—great! But, if like most people, you’re not, you may want to consider renting a VPN. Some iPhone-friendly VPN providers are listed in VPN Providers Love the iPhone.

Securely Erase the iPhone 

On the reset screen, only tap Erase All Content and Settings if you really mean it.

One of the features Apple touted about the iPhone 2.0 firmware update was the ability to remotely wipe all of the data from a missing or otherwise compromised iPhone, at least for corporate users. As we went to press, the only way to remotely wipe the iPhone was from a Microsoft Exchange server, and then only by an administrator on that server. For residential customers in the united States, there’s no way to remotely erase an iPhone by asking AT&T to do it.

If you decide to sell or give away your iPhone, it’s smart to erase it manually first. Tap General > Reset > Erase All Content and Settings. Connect your iPhone to a power supply first, because the process will eat up a lot of battery power as it overwrites the data. Apple says it takes about an hour per 8GB of space on the iPhone, so plan accordingly.

VPN Providers Love the iPhone 

The iPhone’s built-in VPN client supports common VPN standards. Here are some VPN providers that cater specifically to iPhone users. Renting a VPN is not the same as getting Internet access. Rather, it provides a secure connection from your iPhone (or any other networked computer) to a VPN server somewhere else on the Internet, confounding any snoopers on an unsecured Wi-Fi network.