Encrypting the data stored on your iPhone/iPad with disk encryption

Published: June 25th, 2013

Mobile devices are with us all the time … if you are a parent, you phone is probably at your side more than your kids.  With all the secrets of your life residing on your phone, protecting those against access should your phone be lost or stolen is important.  If you use your phone for work, then this may be critical. E.g. if you are a doctor or nurse and use your phone for access to email or other data that may contain patient-related information, then HIPAA essentially requires that easily-lost mobile devices like this are locked down and encrypted.

This article explains how to protect yourself if you have an iPhone, iPad, or iPod Touch.

1. Make sure that your OS and device are not too old to be secure

Make sure that your device is relatively recent: an iPhone 4 or better will do the trick.

You need to have an iPhone 4+, iPod Touch 3rd Generation+, or a recent iPad. Essentially, any Apple device that shipped with at least iOS v4.0+.  It is this version of iOS that supports improved AES-based disk encryption and the hardware that shipped with it that contains AES processors on these devices.

Older devices may have a basic form of encryption, but it is not really useful, and designed for data wipe only and not for security.

2. Passcode-protect your device

Next, you need to add a passcode to your device.

When your device is passcode-protected then Apps that support the Apple Data Encryption API will encrypt the data stored at rest on the device.  Adding a passcode automatically causes all supported data to be encrypted and for the encryption codes to be derived from your passcode … so unless someone knows your passcode, they can’t access your encrypted files.

  1. Click on “Settings”
  2. Click on “General”
  3. Scroll to “Passcode Lock” and touch it.  Enter a 4-digit passcode
    1. Recommended: Change “Require Passcode” to immediately, so that data is encrypted as much as possible
    2. Recommended: Change “Simple Passcode” from “On” to “Off” and enter a complex password as the passcode.  This will make it more painful to unlock you phone, but will also make it no longer trivial to guess your passcode and unlock your encrypted data by brute force.
Note: What is encrypted?
  • All mail stored by the built-in Mail application.
  • Data stored by third party apps that use the “Data Encryption API”
  • Nothing that is being synchronized with iCloud
  • Not your texts, or skype history, etc
So, mostly, this takes care of your email as long as you are using the built-in email app.

3. Use a service with Remote Wipe

Remote wipe allows you to erase all of your iPhone or iPad data remotely in the case that your device is lost or stolen.  This erases all encrypted and all non-encrypted data.

  1. Apple’s iCloud Data wipe service allows this. Provided it is enabled and Find My iPhone is setup., anyone with access to your iCloud account can wipe your device.
  2. LuxSci’s Moble Sync service also supports remote wipe of data on demand.  This does not need to be pre-configured on your phone.  However, the wipe will not occur until your device next tries to check your email or sync your calendars/contacts/tasks.  So, if you find your device, you may have time to turn off Internet access, avoid the wipe, and backup the device or delete your MobileSync account, before things are cleared.

4. Caveats?

Always some caveats.  Here is what else you need to know:

  1. Remote wipe will not affect devices that are not connected to the Internet.
  2. iOS encryption will mostly only apply to your email.
  3. The encrypted email could be decrypted by someone who has access to both your device and the computer that you use to backup your device…. see: Limitations of Data Protection in iOS 4.
  4. 4-digit passwords really do little good in keeping someone from cracking your encrypted data.
  5. For best security, do not store sensitive data on your phone at all.  Instead, use apps or web-based services which can display data to you, but that keep the data stored elsewhere (not cached or saved locally).  This is the recommended solution for HIPAA compliance… as even with the best encryption, if a single device is stolen, that is a reportable event under the HIPAA Omnibus rule.

Leave a Comment


You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.