iOS Security: Strengths, Weaknesses, and How to Improve It

This article takes a different approach than usual. Instead of focusing on vulnerabilities and hacking methods, we’ll look at how iOS device owners can protect their data. We’ll examine the techniques used by law enforcement to break into iPhones, how your data can be extracted, and what you can do to defend yourself. The main topic: how to safeguard your data if your iPhone’s passcode becomes known to an attacker.

iOS Is Quite Secure

Modern versions of iOS (as of this writing, the iOS 11.4 official release, iOS 11.4.1 public beta 3, and the iOS 12.0 developer beta) have an exemplary data encryption implementation and excellent cryptographic key protection. The key is dynamically generated during boot based on your passcode and is securely protected by the Secure Enclave coprocessor. The keychain, which stores all Safari account passwords, authentication tokens, and cryptographic keys, adds another layer of protection. If you set a six-digit passcode or a stronger alphanumeric password, decrypting anything from a powered-off phone is impossible—even if the memory chip is extracted.

Backups: Even More Secure

iOS’s backup system is a model of security. Local backup encryption in iOS 10.2 and later is so strong that even a top-end Nvidia GTX 1080 can only try about a hundred passwords per second. A simple seven-character password would take a single computer thousands of years to crack. Before iOS 11, you could set a long, random backup password that would keep all the world’s computers busy for eternity.

…But That Might Not Matter

With such secure iOS and backups, what’s left to worry about? Just set a six-digit passcode and enjoy your security, right? Unfortunately, a single weak point can ruin everything: the passcode itself. If someone learns your passcode, here’s what they can do:

  • Disable Find My iPhone and Activation Lock
  • Enable two-factor authentication (if not already enabled)
  • Change your Apple ID/iCloud password and access cloud backups, synced data, and iCloud Keychain passwords from all linked devices
  • Download photos from iCloud Photo Library
  • Lock or erase data from other devices linked to your Apple ID
  • Reset the local backup password, connect the phone to a computer, and extract all data
  • View or extract all passwords from the keychain on the device

From Multi-Layered Security to Passcode Defense

It’s surprising how much can be done in iOS 11 (and iOS 12 beta) just by knowing the device passcode. On Android, even with the lock code, you can’t easily change the Google account password. Still, Apple has shifted its focus to protecting the passcode above all else. How effective is this?

Currently, there are at least two independent solutions—Cellebrite and GrayKey—used by law enforcement to brute-force iPhone and iPad passcodes. These tools exploit vulnerabilities that, once discovered, could eventually fall into the wrong hands.

GrayKey, for example, works on all devices running iOS 11.3.1 and earlier, provided the phone was unlocked at least once after boot. Four-digit passcodes can be cracked in a week. Six-digit passcodes are much harder due to hardware limitations, and after 300,000 combinations, brute-forcing slows to one attempt every ten minutes. With iOS 11.4 and later, this “slow mode” is the only option, making a four-digit code take over two months to crack, and a six-digit code nearly nineteen years.

USB Restricted Mode

To counter brute-force attacks, Apple introduced USB Restricted Mode. This mode disables all data transfer through the Lightning port after one hour of inactivity, leaving only charging available. If the phone hasn’t been unlocked in an hour, tools like Cellebrite or GrayKey can’t access the device. Even after rebooting or restoring the device, USB Restricted Mode remains active until the device is unlocked.

Apple is working hard to protect your passcode from being cracked. But what if someone sees you enter it or forces you to reveal it? Even then, all is not lost.

Parental Controls: An Extra Layer of Protection

If your phone is stolen or seized, it’s often too late to do much besides locking it via iCloud. However, you can partially protect yourself using parental controls (Restrictions).

Originally designed for parents to limit children’s device usage, Restrictions can also help if your passcode is compromised. To enable Restrictions, go to Settings > General > Restrictions, turn them on, and set a four-digit PIN (different from your device passcode and not easily guessable). Store this PIN securely, as you’ll rarely need it.

When Restrictions are enabled, resetting the backup password via “Reset all settings” will require both the device passcode and the Restrictions PIN. Since the Restrictions PIN is rarely used, it’s much harder for an attacker to guess.

No Protection for Keychain Password Access

Unfortunately, Restrictions do not limit access to passwords stored in the keychain. These often include Google, Apple, and Microsoft account passwords, allowing an attacker to change your iCloud password and unlink your iPhone, even without the Restrictions PIN. For example, your Apple ID password can be viewed in Settings > Accounts & Passwords > App & Website Passwords, after authenticating with Touch ID or Face ID—or, after several failed attempts, with the device passcode.

There’s currently no way to restrict access to keychain passwords without external security policies. At the very least, make sure your Apple ID/iCloud password is not saved in your keychain.

Restricting iCloud Lock and Apple ID Password Changes

Once you’ve ensured your Apple ID/iCloud password isn’t in the keychain, you can further protect your account by restricting changes to account settings. This prevents anyone from accessing your account without first disabling Restrictions. However, access to keychain passwords remains open—a clear oversight by Apple.

How to Protect Against Jailbreak?

Previously, we discussed how to jailbreak an iPhone for full data access. But how do you protect your phone from being jailbroken? The only way is to restrict app installations. Unfortunately, this is inconvenient for daily use, and most users will end up turning it off sooner or later. Unlike Android, iOS has no separate restriction for installing apps from outside the App Store. Therefore, we can't recommend this method for most users.

How Secure Are Restrictions?

The Restrictions PIN is only four digits—10,000 combinations. However, iOS limits brute-force attempts with increasing delays: 1, 5, 15, and 60 minutes after several failed tries. After ten failed attempts, each new attempt is allowed only once per hour. At this rate, it would take about 416 days to try all combinations, which is reasonably secure for most users. Still, the ability to reset the backup password after 416 days means iOS isn’t as secure as, for example, BlackBerry 10 devices, whose backups were encrypted with a binary key stored on BlackBerry’s servers and couldn’t be reset on the device.
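The timing figures quoted in the GrayKey section and in the paragraph above can be reproduced with a small worst-case model of attempt throttling. This is an added example, not code from the article or from any of the tools it mentions; the attempt numbers at which iOS escalates its delays are not stated on the page and are assumptions built from the prose, as is the 62-symbol character set used for the backup-password estimate.

```python
"""Worst-case brute-force time under the throttling the article describes.

Added example, not code from the article: it models the rate-limited
scenarios quoted in the text so the stated figures can be reproduced.
The attempt counts at which iOS escalates its delays are not given on the
page; the thresholds below are assumptions built from the prose.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60
SECONDS_PER_YEAR = 365.25 * 24 * 3600

@dataclass(frozen=True)
class ThrottleStep:
    from_attempt: int  # 1-based attempt number at which this delay starts
    delay_min: float   # minutes the device waits before each such attempt

def worst_case_minutes(space: int, schedule: list) -> float:
    """Minutes to try all `space` codes; attempts before the first step are free,
    and each step's delay applies until the next step begins."""
    steps = sorted(schedule, key=lambda s: s.from_attempt)
    total = 0.0
    for i, step in enumerate(steps):
        last = space if i + 1 == len(steps) else steps[i + 1].from_attempt - 1
        last = min(last, space)
        if last >= step.from_attempt:
            total += (last - step.from_attempt + 1) * step.delay_min
    return total

def unthrottled_years(space: int, guesses_per_second: float) -> float:
    """Years to exhaust `space` at a fixed offline guessing rate (no lockout)."""
    return space / guesses_per_second / SECONDS_PER_YEAR

# iOS 11.4+ "slow mode": one attempt every ten minutes from the first try.
SLOW_MODE = [ThrottleStep(1, 10)]
# Restrictions PIN: 1, 5, 15 and 60 minute delays after several failures, then
# one attempt per hour from the eleventh attempt on (thresholds assumed).
RESTRICTIONS_PIN = [ThrottleStep(7, 1), ThrottleStep(8, 5),
                    ThrottleStep(9, 15), ThrottleStep(10, 60)]

def slow_mode_days(digits: int) -> float:
    """Days for slow mode to exhaust every `digits`-digit passcode."""
    return worst_case_minutes(10 ** digits, SLOW_MODE) / MINUTES_PER_DAY

def restrictions_pin_days() -> float:
    """Days to exhaust the four-digit Restrictions PIN under its lockout."""
    return worst_case_minutes(10 ** 4, RESTRICTIONS_PIN) / MINUTES_PER_DAY

def backup_password_years(length: int, alphabet_size: int = 62) -> float:
    """Years at ~100 guesses/s (the GTX 1080 rate quoted above); 62-symbol set assumed."""
    return unthrottled_years(alphabet_size ** length, 100)
```

`slow_mode_days(4)` gives about 69 days and `slow_mode_days(6)` about 19 years, matching the article; `restrictions_pin_days()` lands at roughly 416 days, and a seven-character backup password at the quoted GPU rate comes out at over a thousand years even with a modest 62-symbol alphabet.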

What to Do at Border Crossings?

Border agents in many countries, especially the US, are increasingly demanding access to travelers’ devices. In 2017, US border agents made about 30,000 such requests. Resistance is often futile: you have the right to refuse, but they can deny you entry or detain you until you comply.

To protect your data, set a long, random backup password (you don’t need to memorize it; you can reset it later) and enable Restrictions to prevent backup password resets. Border agents won’t have 416 days to brute-force the Restrictions PIN, so they’ll be limited to what’s accessible on the device screen (note: Restrictions do not block keychain password access). You can have a family member set the Restrictions PIN and keep it at home.

Conclusion

iOS development is a zigzag path. Apple tries to compensate for the ability to reset backup passwords with the device passcode by making passcode cracking harder, but leaves keychain password access open. For regular users, the only option is to use “child” Restrictions, which are clearly not meant for serious data protection.

On the plus side, iOS has no secret backdoors or obvious encryption flaws. Apple doesn’t ship bootloaders with naive vulnerabilities (unlike OnePlus), leak digital signatures (unlike Microsoft and Secure Boot keys), or distribute engineering bootloaders (unlike Samsung). The vulnerabilities that do exist are found by professional teams and are not trivial to exploit.
