Here’s what you need to know about security when you’re updating your iPhone and iPad.
iOS 9 is nigh upon us! It’s time to review steps you can take to ensure your privacy, data integrity, and security. Some options are new, but if you never made use of them before, now is the time.
Make a secure backup in iTunes
Oh, yes, yes, iOS devices are unwired and have been for years. You never need to connect an iPhone, iPad, or iPod touch to iTunes ever again. But there are three distinct advantages in backing up to your Mac or PC compared to using an iCloud backup.
- It’s secure. If you back up to iCloud, your backup is accessible to anyone who gains access to your login credentials. While it’s unlikely you’d be subject to a mass attack, someone targeting you individually for whatever reason could potentially gain access. (You can make this harder by enabling two-factor authentication, described later.)
- It’s faster. Backing up with iTunes happens at the speed of a USB transfer. If you need to do a full restore later, apps and other purchased material that’s downloaded locally to the computer with iTunes will be copied over USB rather than pulled down from the cloud. (Tip: Update all the apps in iTunes after you make your backup so the latest versions are available if you have to do a restore later.)
- You can retain your passwords. If you check the box in iTunes for an encrypted backup, account passwords and Health data are backed up—these aren’t kept in iCloud or in unencrypted iTunes backups. Under Automatically Back Up, select This Computer, then check the Encrypt box. The first time, you’ll be prompted for a password. Choose a strong one or a long memorable one and make a note of it. I’d recommend against checking the box to store it in your Keychain unless your computer is never accessible to anyone else, or you always lock it when it’s not in use.
Now you can carry out an iOS 9 update, and in the event your device fails to upgrade properly and needs to be restored, you have a complete backup that can be rapidly loaded, and you have to re-enter relatively few of your passwords.
(One more tip: Make sure you know all the Apple IDs and passwords that you use with your iOS device and have them handy. After updating, you’ll be prompted to tap them in one character at a time during setup.)
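The encrypted-backup setting described above can be checked after the fact. This is an added example, not from the original article or from Apple: a Python script that reads each local backup's Manifest.plist and reports whether encryption is actually on. The default macOS folder and the keys IsEncrypted, WasPasscodeSet and Lockdown are assumptions about iTunes' backup layout that the article does not state, and the sample manifests are constructed.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed default folder on a Mac; pass another backup folder as argv[1].
DEFAULT_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def audit_backups(root):
    """Return one dict per backup folder under root, read from Manifest.plist."""
    results = []
    for manifest in sorted(Path(root).glob("*/Manifest.plist")):
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)
        except (OSError, ExpatError, plistlib.InvalidFileException) as exc:
            results.append({"backup": manifest.parent.name, "error": repr(exc)})
            continue
        lockdown = data.get("Lockdown", {})  # assumed per-device metadata dict
        results.append({
            "backup": manifest.parent.name,
            "device": lockdown.get("DeviceName", "unknown"),
            # A missing key is reported as unencrypted, the cautious reading.
            "encrypted": bool(data.get("IsEncrypted", False)),
            "passcode_was_set": bool(data.get("WasPasscodeSet", False)),
        })
    return results


def build_sample(root):
    """Write two constructed manifests (not real backups) for a dry run."""
    for name, enc in (("constructed-a", True), ("constructed-b", False)):
        folder = Path(root) / name
        folder.mkdir(parents=True)
        sample = {"IsEncrypted": enc, "WasPasscodeSet": enc,
                  "Lockdown": {"DeviceName": name, "ProductVersion": "9.0"}}
        (folder / "Manifest.plist").write_bytes(plistlib.dumps(sample))


if __name__ == "__main__":
    rows = audit_backups(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT)
    if not rows:  # nothing found: show the output shape on constructed data
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp)
            rows = audit_backups(tmp)
    for row in rows:
        print(row)
```

Any row with "encrypted": False is a backup that sits readable on the computer's disk and does not contain your saved passwords.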
Set or lengthen a passcode
Apple is gradually moving from four to six digits for many kinds of security codes, although iOS 9 still doesn’t require one of that length. However, it encourages you to move in that direction: whenever you change the passcode, it shows a six-digit entry field instead of four-digit. (Your mileage may vary: This occurred on one iOS 9 device I tried, but not another.)
If you don’t have a passcode already, I highly recommend setting one. With Touch ID, you have to set a code, but on an iOS device without one, go to General > Settings > Passcode and set one.
Six digits isn’t magically better than four, but there is some concern that four digits provides more opportunities to guess a password or use brute-force techniques. A six-digit code that’s not a pattern like 123456 or 654321 or 111222 or the like takes up to 100 times longer to iterate through.
You can also pick a passcode that’s neither four nor six digits quite easily. iOS 9 removes a step by letting you tap Passcode Options when setting or changing a passcode. You can pick an alphanumeric (letters and numbers) or a numeric code that’s any number of digits you choose.
There’s one more safeguard you can put on, though it can be risky. At the bottom of Passcode or Touch ID & Passcode settings, enable Erase Data, and after 10 failed attempts to authenticate—listed in declining order as you try them—the iOS device wipes itself. You can restore it from a backup.
Turn on Find My iPhone
Find My iPhone, which works with all iOS devices (and OS X computers, too), is a recovery assistant that tries to help you find (with a sound) or track (with location information) your misplaced or stolen hardware, and gives you an option to wipe it clean if you don’t think you can get it back.
Apple encourages you to turn it on, but you can enable it at any point in Settings > iCloud > Find My iPhone. With Find My iPhone enabled, your phone cannot be wiped by another party and set up again without the iCloud account name and password, which makes it less useful to steal. There’s been a significant decline in iPhone thefts since Apple added this feature.
Turn on two-factor authentication
Apple has upgraded its two-step verification system for Apple ID accounts, where a code is sent after you enter a password, to something that’s simpler to use and more deeply integrated into both iOS 9 and the upcoming El Capitan. I explained in July the ins and outs of the new system, which should be available as iOS 9 ships. You can enable the current two-step system at any time, and then upgrade to two-factor when it’s up and running, too.
With the new two-factor authentication approach, every time you enter an Apple ID password for the first time on a device or Apple website (and for some things, every time), you’re prompted to enter a code that appears on all trusted devices—hardware that you’ve linked to your Apple ID account to receive these codes. The code can also be sent via SMS or spoken on a voice call by an automated system.
The advantage of a second factor is that even if your password is guessed or stolen, nothing short of a major security breach in Apple’s system would allow a malicious party to access anything protected by that Apple ID account unless they also gain access to your iPhone, iPad, Mac, or phone number. This prevents “wholesale” cracks where passwords are intercepted or stolen, making each attack “retail”: a one-at-a-time operation that would have to target you and probably involve having physical access to your stuff.
Block those attacks
The best offense is a good defense, and iOS already provided some good options that are made better in iOS 9 and with upgrades Apple has made all around. Take advantage of them now while you’re in upgrade mode. You may never be aware of the benefits: deterred attacks can be invisible. But you’re more secure nonetheless.