With Apple’s release of iOS 5 and iCloud, there are now several ways to get data easily into and out of your iOS device. However, the additional methods that make it easier to access your data when and where you need it also bring the danger of unauthorized access. This how-to helps you understand when, where, and how data is sent and stored with iOS and iCloud. With Apple products it is not always clear whether a feature increases or lessens security, so the article also points out some caveats.
iCloud is partly Apple’s rebranding of its poorly received MobileMe service, and partly new features that take advantage of iTunes 10.5 and iOS 5. At first look, many iOS friends I spoke to were not overly impressed with the features. Many commented, “I’ve been syncing for years with Google on my iPhone.” Even customers who don’t plan to use the core syncing services in iCloud should review and understand its new features, as there is something available for almost everyone. Features such as Wi-Fi sync, cloud backup, etc., are not easily done, or not possible at all, with third party applications or utilities.
iCloud can be turned off completely; however, it can also be configured to act only as an easy method to find your iPhone. Simply activate your iCloud account using your Apple ID, and then turn off everything except “Find My iPhone” as shown in the following two screen shots. The settings shown can be found under Settings–iCloud.
Tap Settings-iCloud to get to the Find my iPhone settings
Turn on Find my iPhone and you’ll be able to locate your iPhone, regardless of location, should you lose it
The only data that gets shared with Apple is your location. The GPS location, along with the Track my iPhone website, will help you locate your iPhone if you accidentally lose it.
iCloud – Apps
Apple’s rebranding of MobileMe is most obvious in its Mail syncing: it is usable only with Apple’s MobileMe addresses. Despite this weakness, the MobileMe mail service does keep your data secure, both when sending and when receiving email, using the industry-standard Secure Sockets Layer (SSL). Apple is also using authorization through your MobileMe account to send email, which will cut down on the amount of spam that is sent through Apple’s mail servers. (You can also point other mail applications to your @me address using the settings here: http://support.apple.com/kb/HT4864).
To activate iCloud email, you can either point your browser to http://www.iCloud.com or create an @me.com account through the iOS device by selecting Settings–iCloud, and then sliding the Mail button to On. You will then be prompted to create one as shown in the Figure Create @me.com account.
Since the email is for an @me.com account, any email to you will be sent through Apple’s servers.
You can create your iCloud Mail account right on your device with a @me.com mail address
Once your account is created, data is stored on both your iOS device and on Apple’s email servers. If you are also using iCloud (or manual configuration of applications to access iCloud) on other computers and devices, then the data will be stored on these additional computers and devices as well.
Generally speaking, most business users will not be interested in the @me email accounts, as businesses prefer to use their own domain names for marketing and identification. However, separate accounts can be set up under email, and the iOS device will not sync any of the other accounts with iCloud. If by chance you are using the @me accounts for business, then check your company policy as to whether you are allowed to sync the email back down to other computers you own or control.
The Contacts, Calendar, Reminders, Bookmarks, and Notes are treated much the same way, keeping the iOS device in sync with the iCloud and any configured computers. However, the major difference with these apps is the support of offline syncing through iTunes. This means that if your corporate policy prohibits or discourages using third parties to store or sync your calendar and contacts, you can still sync them with your computer through iTunes, meaning the information never leaves your computer or phone. These apps also have the advantage of not needing an @me email address from Apple.
Configuration for these apps is not shown, as they are simply click and activate.
Unlike the core applications, Photo Stream and Documents and Data work differently—these are not syncing services as with the other apps.
Photo Stream takes all of your pictures and places them in your iCloud. This means pictures from multiple devices will also be pushed to the cloud. Photos from other devices are also downloaded. Unlike contacts, there is currently no easy way to manage pictures from the phone. This means deletions on the phone do not translate to removed pictures on the stream.
The Documents and Data setting allows individual applications to place data in the cloud. This will in theory allow third party applications to share data through the iCloud. This could provide additional backups of your data, or it could also be used for services to identify where you were on a particular document or task.
iOS 5 provides basic security functions to protect both your private and company data in the case of loss or theft.
As with any good security measure, security starts with the physical control of the device. iOS provides “screen saver” functionality in its Auto-Lock feature under Settings–General, which is configurable in 1-5 minute increments (see Figure Auto-Lock). This setting defines the number of inactive minutes the device will wait before locking.
You can configure your iPhone to auto lock after a set period of inactivity
The Auto-Lock setting is not enough in itself to keep your iOS device secure. Auto-Lock needs to be combined with Passcode Lock (also under Settings–General). To activate Passcode, select the top option "Turn Passcode on" in the Passcode Options screen:
You can further secure the device with a passcode. Select Settings—General—Passcode Lock
Once you select the option, you will be prompted to enter a 4-digit passcode (see Passcode Screen), and then prompted to re-enter the code.
Configure your 4 digit passcode
A 4-digit passcode is relatively insecure if someone is allowed to guess indefinitely, so if you are using this method, you should also enable the “Erase Data” option on this same screen. Whenever you activate the “Erase Data” option, you will be prompted with a warning that the iPhone will be erased after 10 wrong guesses, as shown here:
Your phone can be set to wipe itself if too many attempts to access it are made
An even more secure method is to not use 4-digit codes, but instead a combination of letters and numbers, which can be activated using the “Simple Passcodes” option. To use this feature, move the slider next to “Simple Passcodes” to OFF. Longer passwords are cumbersome on phones though, so I prefer the shorter numbers and setting the phone to erase my data if there are too many guesses made.
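The trade-off between a short passcode with “Erase Data” and a longer letters-and-numbers passcode can be put in numbers. The following is an added example, not part of the original article; it assumes the passcode is chosen uniformly at random, that letters and numbers means 62 symbols, and a 6-character length for the comparison, and all function names are hypothetical.

```python
from fractions import Fraction

DIGITS = 10      # symbols in a numeric passcode
ALNUM = 62       # assumption: a-z, A-Z and 0-9 for "letters and numbers"
WIPE_LIMIT = 10  # "Erase Data" wipes the device after 10 wrong guesses


def keyspace(alphabet: int, length: int) -> int:
    """Number of possible passcodes of exactly this length."""
    return alphabet ** length


def chance_before_wipe(space: int, max_failed: int = WIPE_LIMIT) -> Fraction:
    """Probability that distinct guesses hit a uniformly random passcode
    before the wipe triggers (the max_failed-th guess can still be right)."""
    return Fraction(min(max_failed, space), space)


def expected_guesses_unlimited(space: int) -> Fraction:
    """Average number of guesses to success when guessing is never stopped."""
    return Fraction(space + 1, 2)


def min_length_for_risk(alphabet: int, target: Fraction,
                        max_failed: int = WIPE_LIMIT) -> int:
    """Shortest passcode length whose pre-wipe guess chance is <= target."""
    length = 1
    while chance_before_wipe(keyspace(alphabet, length), max_failed) > target:
        length += 1
    return length


def summary() -> list[tuple[str, int, Fraction]]:
    """(label, keyspace, chance of a correct guess before the wipe)."""
    rows = []
    # The 6-character length is an assumed value for comparison only.
    for label, alphabet, length in [("4-digit", DIGITS, 4),
                                    ("6-char letters+numbers", ALNUM, 6)]:
        space = keyspace(alphabet, length)
        rows.append((label, space, chance_before_wipe(space)))
    return rows


if __name__ == "__main__":
    for label, space, chance in summary():
        avg = float(expected_guesses_unlimited(space))
        print(f"{label}: {space:,} codes, {float(chance):.2e} chance before "
              f"wipe, {avg:,.0f} guesses on average without a limit")
```

With “Erase Data” on, a random 4-digit passcode leaves a 1 in 1,000 chance of a correct guess; with it off, guessing always succeeds eventually, after about 5,000 tries on average.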
There is currently a gap in the iPhone’s security involving Siri: if you allow Siri access without typing the passcode, then questions that return data in the form of contacts and other information effectively bypass the passcode. Therefore, Siri should be turned off when the screen is locked, which is not the default setting. I recommend turning Siri off whenever the screen is locked:
Even if your device is locked, you can allow access to the iPhone 4S’ newest feature, Siri
The following screen shot shows my preferred settings:
Here are all of my preferred iCloud settings
iTunes and Wi-Fi Sync
Apple has released Wi-Fi syncing with its iTunes, which is a nice feature for you if your company does not want you syncing across the Internet or using third party syncing apps. You are tied to your local area network’s Wi-Fi for Wi-Fi sync, but the speeds are more than adequate for keeping your contacts and email up to date.
There is not a whole lot known currently about how secure the Wi-Fi sync is, but regardless of its own security, third party untrusted open Wi-Fi should be avoided for general computing purposes unless the traffic can be protected in virtual private networks. Time will tell if VPN support will include the Wi-Fi sync.
If you’re using your own computers and trusted (secured and encrypted) Wi-Fi, then the data will be transmitted securely and stored only on your computers and iOS device.
Wi-Fi sync also supports backing up your device via Wi-Fi. The target can either be your computer or Apple’s iCloud. The advantage iCloud has for the backup is that you don’t need a computer and the backup is off site in case a disaster ruins both your phone and the computer; however, the biggest disadvantage is that the backup is not encrypted whenever it is stored on Apple’s servers. There is currently an option to encrypt the backup when you store it on your computer, so hopefully Apple will add this feature in the future.
By understanding and carefully selecting the options available on your iOS device, you can ensure only the data you intended is shared outside your iOS device. This article has provided the basic understanding and configuration steps necessary to use your iPhone or iPad more securely.