Securing Apple iOS 7




Apple devices are increasingly popular for both personal and business use. As their popularity grows, so does the need to lock them down and secure them against malicious attack. Press stories regularly report serious data breaches from mobile devices, and security researchers predict that this is set to increase in the near future. This article looks at the most recent Apple iOS release, iOS 7. As the features in Apple operating systems mature, locking down and securing devices becomes more and more important, so this article covers technical controls that can be implemented to secure devices from unauthorised access.


One of the most important aspects of securing data from unauthorised access is appropriate encryption. Two types of encryption exist, and both are necessary to secure data on the device and data leaving the device. Data-in-transit protection is offered by the built-in virtual private network (VPN) connection. The native VPN on iOS 7 does afford some protection for data in transit; however, organisations should be aware that the VPN can be manually terminated by the user, so procedures need to be put in place to ensure that it remains on at all times to secure data in transit from the device to the corporate network.

Equally important is data at rest on the mobile device. iOS 7 offers data-at-rest protection for the device, but only for applications that opt in to use the Data Protection APIs on the operating system. This protection is only offered when the device is locked; organisations therefore need to be aware of this risk and implement controls appropriately. Further options exist in iOS 7 to allow files to be encrypted on a per-file basis, so organisations may wish to consider opting in to this. Out of the box, the only apps encrypted by default are the mail applications.


As with any mobile device, authentication to the device and to unlock the encryption of the device is an absolute necessity. Threats here may come from users losing the device and unauthorised users gaining physical access. Controls therefore need to be sufficient to prevent unauthorised users accessing the data on the device.

iOS 7 comes with native controls to support this requirement. The device allows a strong 7-character password featuring alphanumeric and special characters. Organisations should enforce complex passwords and ensure that any user password that does not adhere to the requirements is not permitted.

When users authenticate to the device, the password will unlock a key which enables encryption of certificates and other credentials. This process allows control of access to corporate services, preventing unauthorised access for users unless they know the strong password set. This should be enabled by default.

Application Whitelisting

Application whitelisting is a native control in Apple iOS 7 devices and should be enabled by default. The organisation should utilise the enterprise application catalogue to define what applications are permitted. All other applications will be denied by default. This control will enable the organisation to prevent unauthorised, potentially malicious, applications from executing on the device. This control can be enforced by Mobile Device Management (MDM) controls. MDM can also be utilised to monitor user devices to ensure that only permitted applications have been installed.

Application whitelisting has been identified as a critical security control by governments.

Security Policies

Security policies can be enforced by Mobile Device Management (MDM). This allows a central security policy to be defined and enforced for all devices within the estate. MDM should be set up appropriately and used to send out security policies and monitor devices for misuse.

MDM also gives organisations the ability to remotely configure devices and to wipe them if they are lost or stolen. This is an absolute necessity for organisations and should be enforced by default.

Further information on MDM can be found on Apple online.
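
One way to check that a configuration profile distributed through MDM actually enforces the passcode requirement described above, as an added example (not Apple's or the author's code). The payload type and key names are those of Apple's passcode payload; the sample profiles and their identifiers are constructed, and treating `forcePIN` and `allowSimple` as part of the baseline is an assumption.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# 7 characters, alphanumeric and special characters come from the article;
# forcePIN and allowSimple are assumed here as part of "enforcing" them.
BASELINE = {
    "forcePIN": lambda v: v is True,
    "allowSimple": lambda v: v is False,
    "requireAlphanumeric": lambda v: v is True,
    "minLength": lambda v: isinstance(v, int) and v >= 7,
    "minComplexChars": lambda v: isinstance(v, int) and v >= 1,
}

def audit_profile(raw):
    """Return a list of findings; an empty list means the baseline is met."""
    try:
        profile = plistlib.loads(raw)  # unsigned profile; unwrap signed ones first
    except Exception as exc:
        return [f"profile is not a valid plist: {exc}"]
    content = profile.get("PayloadContent") if isinstance(profile, dict) else None
    payloads = [p for p in (content if isinstance(content, list) else [])
                if isinstance(p, dict) and p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload: passcode strength is left to the user"]
    findings = []
    for payload in payloads:
        for key, meets in BASELINE.items():
            if key not in payload:
                findings.append(f"{key} is not set")
            elif not meets(payload[key]):
                findings.append(f"{key}={payload[key]!r} is weaker than the baseline")
    return findings

def make_profile(passcode_settings):
    """Build a constructed, unsigned sample profile (identifiers are placeholders)."""
    payload = dict(passcode_settings, PayloadType=PASSCODE_TYPE, PayloadVersion=1,
                   PayloadIdentifier="com.example.passcode",
                   PayloadUUID="00000000-0000-0000-0000-000000000002")
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000001",
                           "PayloadContent": [payload]})

WEAK = make_profile({"forcePIN": True, "allowSimple": True, "minLength": 4})
STRONG = make_profile({"forcePIN": True, "allowSimple": False, "minLength": 7,
                       "requireAlphanumeric": True, "minComplexChars": 1})

if __name__ == "__main__":
    for name, raw in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_profile(raw) or "meets baseline")
```

A missing key is reported separately from a weak value because an absent setting leaves the choice to the user rather than setting a lower bar.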


The use of Apple iOS 7 devices brings a wealth of functionality and usability for businesses. However, it also opens up a number of vulnerabilities that can be easily exploited if appropriate controls are not implemented. The controls listed here are a start; however, an effective risk management approach needs to be taken to identify vulnerabilities and apply controls effectively. It should be noted that technical controls are just part of the overall management of mobile devices, and that personnel, procedural and policy factors should also be considered.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
