Securing your iPhone’s Email – Best Practices

November 4th, 2020

Apple offers an array of configuration options for securing your iPhone email. However, there are a number of steps that you will have to take before your device and its emails are actually protected.

Securing your iPhone email: Protect the iPhone itself first

The best place to start securing your iPhone email is by making sure the phone itself is protected. If the phone isn’t secure, then not only could someone access your email, but they could get your documents, pictures, contacts, and everything else you have on it. They could even take over your accounts.

This first step is pretty basic, and it applies to everyone, regardless of whether you have an iPhone or an Android device. Set up a passcode or password, and Touch ID or Face ID if you prefer these methods for unlocking your device.

A strong password will be harder to crack than a shorter passcode, at the cost of convenience. Your choice will depend on how sensitive the data on your phone is. At the lower end, a 6-digit passcode should be fine as long as it isn’t too easy to guess. Why? Because after several failed attempts, Apple begins to lock the phone for longer periods before a user can make further guesses. There’s even an option that users can set so that the iPhone will erase its data after 10 failed attempts (enable that if the data on your phone is very, very sensitive).

Apple encrypts iPhone data by default, so as long as you have a sufficiently strong locking mechanism in place, attackers cannot access any of your data through the device, including your email.

In addition to these measures, you may also want to:

  • Set your screen to lock after 30 seconds or so.
  • Change your notification settings so that no email details appear on your lock screen, visible to anyone looking at your phone.
  • Make sure you still have USB Restricted Mode on. After iOS 11.4, iPhones needed to be unlocked before they could connect to a USB accessory. While this is a great feature for preventing attackers from connecting to your device when you are away from it, some users may have turned it off without realizing its significance. USB accessories are notorious for being able to exploit security issues to gain unauthorized access to phones, laptops, and other devices.

Update your iPhone and its Apps

This is another general security tip that everyone needs to take heed of. Software is never perfect, and over time, security vulnerabilities are discovered. When good developers find them, they then rush out a patch to fix the vulnerability in the next update.  Although some updates can certainly be frustrating, it’s important to install them as soon as possible to prevent your device from being wide open to these old attacks. This applies to iOS, and all of the apps that you run on the device.

It’s an important step for securing your iPhone email, because otherwise attackers can use the old vulnerabilities to install malware, which can then send them all of your sensitive data.

A good example of this is the Apple Mail bug discovered in 2020, which allowed remote code execution. ZecOps, the firm that discovered it, suspected that it had been used to target Fortune 500 companies, journalists, executives and others.

Other vulnerabilities have allowed attackers to break into phones simply by sending carefully crafted text messages — even if you never explicitly opened the message!

Remove unneeded Apps 

Old Apps can have security issues, as just discussed.  However, even updated Apps can (a) contain unpatched security issues, and (b) contain malware that was purposefully placed there by the app designers.  It is a best practice to:

  1. Delete any Apps from your iPhone that you do not need or that you never use. You can always re-download them later if you change your mind.
  2. Carefully consider what Apps you do install. Is the manufacturer reputable? Is the App the one you really wanted, or one that just “looks really similar”? App designers often name their Apps and design their logos to create confusion, hoping that you will download their App instead of the one you actually want. Just search for “Zoom” in the App store. Confusing.

Securing your iPhone Email Backups

Things go wrong. iPhones break and get stolen, so it’s important to have backups of your data, including your emails. A good rule of thumb is to have three copies of everything important. One on your iPhone, one in the cloud, and another physical backup, ideally stored in a separate location to your phone (i.e., your laptop).

If you need to save all of your sent and received email messages in Apple Mail, you can archive them automatically by creating Rules. Otherwise, you can just select the important emails to archive manually.

Part of securing your iPhone email involves securing all of the backups. Presuming you use iCloud, you will need a strong password for your Apple account, and to set up two-factor authentication.

While this may be enough to protect your email backups in many circumstances, according to Apple and the iCloud Security overview:

“All traffic between your devices and iCloud Mail is encrypted with TLS 1.2. Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers. All Apple email clients support optional S/MIME encryption.”

This means that by default, Apple is capable of accessing your iCloud Mail. As Reuters reported in January 2020, Apple routinely hands this and other data over to US Government agencies, while only offering end-to-end encryption that it can’t touch for certain types of sensitive data.

Fully securing your iPhone email backups on iCloud Mail will require S/MIME encryption for your messages, which is not reasonable.

An easy way to set up physical backups is to save your Mailbox on your Mac, or set up iCloud on Windows and save your Mailbox data. Whether you choose to keep the data on the computer or an external hard drive, the device will need to be encrypted with a strong password to secure your iPhone email backups.

Securing the Apple Mail App

Apple may have a better privacy reputation than the other tech companies, but it’s not unscathed. Unencrypted emails are also inherently insecure. While individual Apple Mail messages can be encrypted with S/MIME as mentioned above, many users may prefer to send and store their email through a service that offers a greater range of configuration and compliance options.

One solution is to use a third-party secure email provider, like LuxSci, so that:

  1. Your email messages are stored outside of Apple’s ecosystem
  2. You can have a greater range of security, archival, and backup options
  3. You can still send and receive email through your iPhone Mail App (or other third party Apps).

If you do not like or trust the Apple Mail App, iOS 14 allows you to change the default email App on your iPhone. After all, even Apple’s Mail App has had its share of security vulnerabilities. A Google search will show you a lot of email application alternatives.

HIPAA Compliance and Apple

If you are using your iPhone for work and your job requires HIPAA compliance,  you should be aware that Apple’s iCloud email is not HIPAA compliant.  Your organization will need to use a third-party email solution that does provide appropriate HIPAA compliant email, security, and a HIPAA Business Associate Agreement.  And it goes without saying that you should not be texting or sending ePHI through Apple iMessage, either.

LuxSci offers a variety of options that are great for meeting your security and compliance needs.
