iPhone: The weakest link in your data-security system?

Posted on by Mike Evans

Whole-disk encryption, encrypted backups, password safes, offsite backups: all are weapons in your security armoury. On the Mac, data security and integrity are things that can be implemented easily, although only a minority of users are motivated to take all these precautions. Your iPhone (or smartphone in general) is perhaps the weakest wall in the castle, though. Recently I came across this item on which is enough to get you worried. As the author quite rightly says, a four-digit password on a smartphone is easily cracked, and a thief who gets past it gains access to a vast amount of data.

Just imagine how much stuff is stored on your iPhone. Even the unprotected Contacts and Calendar can provide a lot of useful identity-theft material. But the big problem lies with applications that stay permanently logged in to cloud services such as Dropbox and MobileMe, and even GoodReader, which can connect to web storage including Dropbox. A thief who gets past the passcode inherits every one of those sessions without needing to know a single account password. It doesn't bear thinking about.

Fortunately, while it doesn't take away the stress when it happens, we can take comfort from the fact that most phone thieves are after a quick buck. An iPhone represents an easy £50 or £100 in the local pub. Few will be motivated to spend time and effort cracking codes to steal your identity or rob your bank account. In most cases the phone will be reset and your data will be gone.

iPhone users also have the ability to wipe a lost phone remotely, provided the phone comes back online, and the Find My iPhone facility can even pinpoint the device to within a few yards. Anecdotal evidence suggests, though, that the police are not interested in such methods and, probably, have no intention of investigating the crime.

If the worst happens and your phone does go AWOL, it's a useful precaution to change as many passwords as you can, starting with Dropbox, and, where the service offers it, to unlink or sign out the lost device from the account's settings as well, since a password change alone does not always invalidate a session already established on the device. Unlike on the Mac or PC, where you have a real problem because Dropbox keeps an offline folder of all your data, the iPhone relies on selective, as-needed downloads. So a change of password should prevent major risk; the exception is anything already downloaded to the phone (Dropbox favourites, GoodReader's local copies), which stays readable whatever you do to the account.

1Password, which I use to store all my sensitive information, is the real worry - the thought that someone has a complete record of everything in one file, albeit an encrypted one whose protection is only as strong as the master password that unlocks it. To change all the passwords stored in 1Password would be a major undertaking. It's therefore vital that the 1Password master password should be as secure as possible consistent with being able to remember it. A passphrase incorporating a few capitals, numbers and symbols is probably as secure as you can get (within the capabilities of memory) without choosing something really random. And don't use that same password for anything else, least of all an online account.
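To put some numbers on the gap between a four-digit passcode and the kind of master passphrase recommended above, here is an added example (mine, not the post's, and not 1Password's or Apple's code). It infers the alphabet an attacker would have to cover from the character classes actually present in a secret, computes the size of the resulting keyspace, and estimates how long an exhaustive search would take at an assumed guess rate. The sample secrets and the guess rate are constructed for illustration; the figures are upper bounds for human-chosen secrets, because a dictionary-based attacker does not have to try the whole alphabet.

```python
import math

# Character classes used to infer the alphabet a brute-forcer must cover.
# Assumption (ours, not the post's): the attacker knows which classes appear
# and tries every string over that alphabet, with no dictionary shortcuts.
# The four sets together are the 95 printable ASCII characters.
_CLASSES = (
    ("digits", set("0123456789")),
    ("lower", set("abcdefghijklmnopqrstuvwxyz")),
    ("upper", set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")),
    ("symbols", set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")),
)


def alphabet_size(secret: str) -> int:
    """Size of the alphabet spanned by the character classes present in secret."""
    return sum(len(chars) for _, chars in _CLASSES
               if any(c in chars for c in secret))


def keyspace(secret: str) -> int:
    """Number of strings of the same length over the inferred alphabet."""
    return alphabet_size(secret) ** len(secret)


def entropy_bits(secret: str) -> float:
    """log2 of the keyspace: an upper bound on the secret's entropy."""
    return math.log2(keyspace(secret))


def seconds_to_exhaust(secret: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(secret) / guesses_per_second


def summarise(secret: str, guesses_per_second: float) -> dict:
    """Collect the figures a reader would compare across candidate secrets."""
    return {
        "length": len(secret),
        "alphabet": alphabet_size(secret),
        "bits": round(entropy_bits(secret), 1),
        "years_to_exhaust": seconds_to_exhaust(secret, guesses_per_second)
        / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    # Constructed sample secrets, from the weakest to the kind of passphrase
    # the post recommends. The guess rate is an assumption chosen to make the
    # comparison readable, not a measured figure for any real device.
    RATE = 100.0  # guesses per second (assumed)
    samples = {
        "4-digit passcode": "2468",
        "6-digit passcode": "135790",
        "8-char mixed password": "Tr0ub&4d",
        "mixed-case passphrase": "Castle wall 7 Weakest link!",
    }
    for label, secret in samples.items():
        s = summarise(secret, RATE)
        print(f"{label:24s} len={s['length']:2d} alphabet={s['alphabet']:3d} "
              f"bits={s['bits']:6.1f} years={s['years_to_exhaust']:.3g}")
```

The passcode line is the post's point in numbers: ten thousand candidates is a coffee break even at a leisurely guess rate, while adding length matters far more than adding character classes, which is why a memorable multi-word passphrase with a couple of capitals and symbols mixed in is the sensible target for a master password.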

As with all security, there's always a weak link somewhere. But the important thing is to be aware of these vulnerabilities and do as much as you can reasonably do to minimise them.
