Apple has been making waves with its insistence on strong encryption for iOS devices. Intelligence agencies have taken notice, making alarming pronouncements about how they’ll no longer be able to track terrorists and other evildoers in the cloud. From the debate, it’s easy to think that iOS encryption makes your data unbreakable, but that’s not quite true. Fortunately, there are ways to protect your iPhone.
Don’t panic: most of your data is encrypted by default. Apple deserves credit for making iPhone encryption a standard feature. Since the 3GS came out, Apple has consistently built 256-bit AES encryption into iOS devices. A unique identifier (UID) built into each phone’s hardware is used to automatically encrypt data stored on your phone, including messages, pictures, and call history, by default. Without your passcode, it’s very hard for unauthorized users to access that data.
With iOS 9, Apple has pushed for even more security by making developers encrypt all app traffic using HTTPS. In addition, it has added App Transport Security (ATS), a feature that lets apps include a list of websites they need to communicate securely with, decreasing the risk of information leaks. Yet, despite Apple’s efforts, there are still some holes users need to be aware of.
HTTPS Can Be Bypassed
iPhone encryption does not always protect info sent to or from your phone very well. Soon after ATS came out, Google released code to disable it, so developers could make your phone display ads. The problem goes beyond annoying popups, though — the code allows app developers to bypass HTTPS iPhone encryption, potentially allowing hackers or government agencies to read data your phone sends and receives.
Even when it’s on, HTTPS just isn’t that secure, as it depends on web servers to encrypt data. If a server doesn’t support the latest SSL/TLS standards, your iPhone encryption won’t work correctly. Additionally, a hacker with access to the server may be able to defeat the encryption and spy on any information you send.
Security Flaws Compromise Your Safety
Apple generally patches vulnerabilities when they are discovered, but that won’t stop hackers from exploiting them first — and security flaws are discovered all the time. One recent vulnerability exposed recent Apple Pay transactions, which are supposed to be confidential. Other bugs let attackers track browsers in private browsing mode, or bypass secure connections to leak information.
The AirDrop vulnerability is particularly nasty. It’s been around since iOS 7, but was only found recently. Hackers within Bluetooth range can use it to load malware onto your iPhone, potentially taking it over and reprogramming it.
Although Apple was able to decrease the risk in iOS 9, it wasn’t able to come up with an immediate fix. This left iOS 9 users with inadequate protection against a known vulnerability, and put users of earlier versions at even more risk. Default iPhone encryption won’t protect you from these exploits.
iPhone Email Encryption Isn’t Good Enough
iPhone encryption protects emails with the same SSL/TLS standard used in HTTPS website connections. Like HTTPS, it can be undermined by a compromised server or a determined hacker. If your recipient uses an email client that doesn’t support encryption, your message will travel completely unencrypted, allowing anyone to spy on it in transit.
To secure your email, you need client-side encryption. Client-side encryption scrambles your email before it leaves your iPhone, and only decrypts it once it reaches your recipient’s mailbox. Even if a hacker intercepts it, they won’t be able to read it.
S/MIME encryption is a client-side protocol that’s included as part of the iPhone encryption package, but it has problems of its own. You can only send encrypted emails to users who also have S/MIME installed, and can’t send group messages. Additionally, you’ll have to collect and verify the public key of anyone you’d like to email before you can send them a secure message. It may be all right for exchanging messages with a few tech-savvy friends, but it simply won’t work for most of the people you email.
There’s no need to collect keys or learn new programs, and you can send group messages — even to recipients who don’t have Virtru installed. Virtru Pro gives you even more control over your email security, allowing you to set time limits on emails or just revoke them — even after they’ve been read. You can also disable forwarding to stop recipients from sharing sensitive messages. Get Virtru for safe, easy encryption across all your devices.