Hey, author here. Happy to answer questions. There's also a big Twitter thread here <a href="https://twitter.com/FiloSottile/status/750273921568485377" rel="nofollow">https://twitter.com/FiloSottile/status/750273921568485377</a><p>To frame the post and the conversation, I am targeting a loose but not universal threat model. If threat of deadly force is higher up in your risk scale than shoulder-surfing, or Apple cooperation is a given, then you might want to make very different choices, but more importantly, you probably need better advice than a blog post.<p>The only things I want to add are pair-locking, maybe a forced VPN profile, and a correction on how to check the Whatsapp fingerprint. You can find all these things in the Twitter thread.
As someone in a country with a serious mugging problem and having lost an iPhone already, one of the biggest security flaws I see is being able to power it off without providing any authentication.<p>What is even the point of Find my Phone and all that if anyone can just instantly switch off all the tracking?? You can't even ring your own number after that, and even law enforcement cannot look up the cell tower logs to see where it's been.<p>There should be an option to require a passcode for power-off, and another option to periodically send Find my Phone tracking even when "powered off," via any available network, until the battery dies.<p>EDIT: I agree they can just take out the SIM and we need to be able to force-power-off anyway.. but what can be done to increase the recoverability of these expensive items?
What I miss in this article is using MDM to harden an iOS device in the first place. E.g. you can prevent the ability to make backups [0], diminishing that as a route to exfiltrate information. Secondly, an always-on VPN [1] to a fixed IP address prevents network information leakage from the moment the device is turned on for the first time. A quick search resulted in these two links but I didn't hit a comprehensive guide, other than Apple's MDM docs, combining this travel guide with iOS MDM hardening.<p>[0] <a href="https://community.rapid7.com/community/infosec/blog/2015/11/26/reduced-annoyances-and-increased-security-on-ios-9-a-win-win" rel="nofollow">https://community.rapid7.com/community/infosec/blog/2015/11/...</a><p>[1] <a href="http://www.howtogeek.com/218851/how-to-enable-always-on-vpn-on-an-iphone-or-ipad/" rel="nofollow">http://www.howtogeek.com/218851/how-to-enable-always-on-vpn-...</a>
A key step missing is to set up the iOS device as Supervised in Apple Configurator and <i>prevent pairing with non-Configurator hosts</i>. Additionally, you can install your own non-removable profile via Configurator on the device disabling a bunch of privacy-damaging features there.
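The two comments above both come down to pinning specific keys in a Restrictions payload of a configuration profile. As an added example (not code from the post or from Apple), this Python snippet builds a constructed profile with those keys and audits an arbitrary .mobileconfig for them; the key names are Apple's documented restriction keys, while the identifiers, UUIDs and the hypothetical audit function are assumptions of this example.

```python
import plistlib
import uuid

# Restriction keys (PayloadType com.apple.applicationaccess) a travel
# profile should pin, with the expected value. allowHostPairing only
# takes effect on a supervised device, as the comment above notes.
EXPECTED = {
    "allowCloudBackup": False,          # no iCloud backup of the device
    "forceEncryptedBackup": True,       # local backups must be encrypted
    "allowHostPairing": False,          # no pairing with non-supervision hosts
    "allowDiagnosticSubmission": False, # no diagnostic reports sent to Apple
}


def build_profile(restrictions: dict) -> bytes:
    """Return a constructed .mobileconfig (XML plist) carrying one
    Restrictions payload with the given keys. Identifiers are placeholders."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.travel-hardening",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Travel hardening (constructed example)",
        "PayloadContent": [
            {
                "PayloadType": "com.apple.applicationaccess",
                "PayloadVersion": 1,
                "PayloadIdentifier": "example.travel-hardening.restrictions",
                "PayloadUUID": str(uuid.uuid4()),
                **restrictions,
            }
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_xml: bytes) -> list:
    """Return findings for a .mobileconfig; an empty list means every key
    in EXPECTED is present with the expected value."""
    profile = plistlib.loads(profile_xml)
    restrictions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)
    if not restrictions:
        return ["no Restrictions payload (com.apple.applicationaccess) found"]
    findings = []
    for key, want in EXPECTED.items():
        got = restrictions.get(key)
        if got is None:
            findings.append(f"{key} not set (device default applies)")
        elif got != want:
            findings.append(f"{key} is {got}, expected {want}")
    return findings
```

Running `audit_profile(build_profile(EXPECTED))` yields no findings, while a profile that leaves a key out or sets it permissively lists exactly what to fix.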
I think two security-related changes could be made to iOS that would benefit many people.<p>1) PIN/TouchID locking of contacts, like you can do with notes. Don't allow messages and emails to and from the contact to be decrypted from the encrypted store without authenticating, like you can now do with notes. Would help with securing communications with legal counsel or other privileged parties from being captured.<p>2) A "duress" PIN/TouchID registration; if I unlock my phone with a duress code or imprint my duress-coded fingerprint, reboot the phone (to look like it was a glitch-induced reboot) and present the PIN prompt again. Auto-wipe the phone if the duress code is given again this second time.
I thought I once read that, since Touch ID relies on fingerprints, a US court order can compel you to provide those, thus forcing you to unlock an iPhone in question.<p>This, as opposed to a passcode-only configuration, which a court order cannot compel you to give (I believe since this would fall in the category of 'forcing you to testify against yourself').<p>If that is indeed the case, I imagine it would make better sense to leave Touch ID disabled, unlike what this article suggests.
Nice guide. Just some other OPSEC stuff we have done for occasional problems in the field training human rights defenders and journalists (who needed specific solutions)...<p>You can always use a call relay. So you can give people one phone number that relays to your own real number (for voice calls) - although a voice call is obviously more vulnerable than a Signal call etc.<p>Ditto, AFAIK there is the ability to set up a relay for SMS through an Android. I can't remember the app but basically people could SMS that number and it relays to your real number.<p>Before people jump on me, yes I am aware of the weaknesses of both of the above but sometimes a specific type of threat model requires these two tricks. I recommend it unless you are aware of the trade-offs.
The OP has responded to questions on Twitter, including TouchID criticism, <a href="https://twitter.com/FiloSottile/status/750273921568485377" rel="nofollow">https://twitter.com/FiloSottile/status/750273921568485377</a>
I was once mugged for a crappy Nokia feature phone. I had a prepaid SIM for a long time. Very hard to replace (in Hungary) without losing the phone number. I managed to convince my muggers to let me take the SIM.<p>Ironically they got caught and I got the phone back.
<a href="https://xkcd.com/538/" rel="nofollow">https://xkcd.com/538/</a><p>Well, at least it prevents the thieves from doing more damage if it's stolen.
About turning off iCloud backup: You say that messages are being stored unencrypted. That may be true as we do not know what happens on Apple servers. But this is about securing the phone for traveling i.e. you would have to worry about the transport. And I would strongly guess that backup traffic would happen with http, probably with pinned certificates.
If I may ask, in what circumstances would one want to go this far in securing their travel phone? Is this meant to be for a "general trip somewhere", or something more specific?
Does any of this avoid the pitfall of a stingray device[1]? Is there any way to prevent 2G?<p>[1] <a href="https://epic.org/foia/fbi/stingray/" rel="nofollow">https://epic.org/foia/fbi/stingray/</a>