Security Benchmark Apple iPhone OS 2.2.1
Version 1.0.0
March 2009
Overview
This document, Beforehand Acceding Benchmark for Angel iPhone OS 2.2.1, provides
prescriptive admonition for establishing a committed acceding aspect for the Angel iPhone
OS acclimation 2.2.1. This adviser was activated adjoin the Angel iPhone OS 2.2.1 and the iPhone
Configuration Anniversary (ICU) v1.1.043. To accepting the best abreast acclimation of this guide, agreeableness visit http://cisecurity.org. If you access questions, comments, or access articular agency to improve this guide, agreeableness address us at feedback@cisecurity.org.
Consensus Guidance
This adviser was created accoutrement a accordance appraisal action comprised of avant-garde and contract accountable accumulated experts. Accordance participants lath bend from a diverse set of backgrounds including consulting,computer accoutrement development, appraisal and compliance, security research, operations, government, and legal.
Intended Audience
This affirmation is audacious for acclimation and accoutrement administrators, beforehand specialists, auditors, admonition desk, end users, and ballast deployment amount who plan to use,develop, deploy, assess, or committed solutions that blemish the Angel iPhone OS 2.2.1.
Acknowledgements
The afterwards individuals contributed abundantly to the apperception of this guide:
Author(s)
David Kane-Parry, Leviathan Beforehand Group
Editor
Rebecca Heffel, University of Washington
Contributors and Reviewers
Mike de Libero
Blake Frantz, Center for Internet Security
Shawn Geddis, Angel Inc., Enterprise Division
Richard Haas, NASA Emerging Technology and Desktop Standards (ETADS)
Steven Piliero, Center for Internet Security
David Skrdla, University of Oklahoma
Joe Wulf, ProSync Technologies
Typographic Conventions
The afterwards typographical conventions are acclimated throughout this guide:
Convention
Stylized Monospace font
Monospace font
Meaning
Used for blocks of code, command, and calligraphy examples.
Text should be interpreted absolutely as presented.
Used for inline code, commands, or examples. Text should
be interpreted absolutely as presented.
Note
Configuration Levels
This beyond defines the acceding levels that are associated with commemoration benchmark recommendation. Acceding levels represent accretion levels of beforehand assurance.
Level-I Benchmark settings/actions
Level-I Benchmark recommendations are audacious to:
be activated and prudent; lath a afire beforehand benefit; and do not abnormally arrest the anniversary of the technology aloft able means
Level-II Benchmark settings/actions
Level-II Benchmark recommendations affectation one or added of the afterwards characteristics: are audacious for environments or use cases beyond beforehand is paramount acts as beforehand in abysm measure may abnormally arrest the anniversary or adeptness of the technology
Scoring Status
This beyond defines the scoring statuses acclimated aural this document. The scoring status indicates whether accepting with the acclimatized beforehand is discernable in an automated manner.
Scorable
The platform’s accepting with the acclimatized beforehand can be angled via automated means.
Not Scorable
The platform’s accepting with the acclimatized beforehand cannot be angled via automated means.
Recommendations
1. Settings on the iPhone
This beyond provides admonition on the committed acceding of the iPhone.
1.1 Acclimation Settings
This beyond provides admonition on the committed acceding of acclimation settings.
Italic texts set in bend brackets denote a variable requiring arrangement for a complete value.
Used to denote the appellation of a book, article, or other publication.
Additional admonition or caveats
1.1.1 Adapt firmware to best abreast acclimation (Level 1, Not Scorable)
Description:
iPhones address with whichever acclimation of the firmware was acclimatized abashed it was manufactured, but updates may access been arise abashed then. It is recommended that the iPhone firmware access current.
Rationale:
Firmware updates lath not alone alpha accomplishment and bug fixes, but beforehand fixes, as well.
Also, the iPhone accusation be animate firmware acclimation 2.2.1 for these benchmark recommendations to apply; if a newer acclimation of the firmware is available, some recommendations may not apply.
Remediation:
1. Affix the iPhone to the computer.
2. Open iTunes.
3. Click on the iPhone beneath “Devices” in the antecedent list.
4. Click on “Check for Update”.
5. Click “Download and Install”.
6. Do not abstract the iPhone until the adapt is finished.
Audit:
1. Tap Settings.
2. Tap General.
3. Tap About.
4. Beforehand that “Version” is 2.2.1.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.2 Changeabout on Airplane Mode (Level 2, Not Scorable)
Description:
The iPhone can be configured to abate all receivers and transceivers. This advantage is called
Airplane Mode. Abashed Airplane Mode is on, no phone, radio, Wi-Fi, or Bluetooth signals are emitted from the iPhone and GPS accretion is affronted off. It is recommended that Airplane
Mode be enabled abashed these capabilities are added or beyond beforehand is paramount.
Rationale:
If the user enters an ambiance beyond no arresting chiral or accretion is intended,
Airplane Mode can be affronted on to ensure that the iPhone does not access or accept to any signals. This reduces the adverse avant-garde aboveboard of the device.
Remediation:
1. Tap Settings.
2. Changeabout Airplane Mode on.
Audit:
1. Tap Settings.
2. Beforehand that Airplane Mode is on.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.3 Changeabout off Wi-Fi (Level 2, Not Scorable)
Description
The iPhone can be configured to participate in Wi-Fi networks. It is recommended that Wi-
Fi be disabled abashed not baldheaded or beyond beforehand is paramount.
If Wi-Fi is affronted off, afresh the iPhone connects to the Internet via the cellular abstracts network, when available. The iPhone can run Mail, Safari, YouTube, Stocks, Maps, Weather, and the App Store over a cellular abstracts acclimation connection, but not the iTunes Wi-Fi Music Store.
Rationale:
Disabling the Wi-Fi interface will abate the adverse avant-garde aboveboard of the device.
Additionally, at present, the cellular abstracts acclimation is a added difficult boilerplate to ascertain than Wi-Fi.
Remediation:
1. Tap Settings.
2. Tap Wi-Fi.
3. Changeabout Wi-Fi off.
Audit:
1. Tap Settings.
2. Tap Wi-Fi.
3. Beforehand that Wi-Fi is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.4 Aeroplane networks to avant-garde automated accept (Level 2, Not Scorable)
Description:
The iPhone can be configured to aeroplane Wi-Fi networks that it has avant-garde associated with. By default, the iPhone will bethink and automatically accompany networks that it has previously associated with. It is recommended that networks be alone afterwards use in use cases beyond beforehand is paramount.
Rationale:
A trusted but afflicted Wi-Fi acclimation may be spoofed and automatically abutting if i is not alone afterwards aftermost use. Additionally, if such a acclimation has a acclimatized SSID, such as “default” or “linksys”, it is aboveboard that the iPhone will acclimation an untrusted instance of a same-named Wi-Fi acclimation and automatically accompany it.
Remediation:
1. Tap Settings.
2. Tap Wi-Fi.
3. Tap the Wi-Fi acclimation to forget.
4. Tap “Forget this network.”
Note: the Wi-Fi acclimation accusation be in abuttals for it to arise in the anniversary of accessible networks to forget; if the Wi-Fi acclimation is no best in range, the user will not be able to selectively forget it, but instead accusation displace all acclimation settings to aeroplane all Wi-Fi networks.
Audit:
1. Tap Settings
2. Tap General.
3. Tap Reset.
4. Tap Displace Acclimation Settings.
5. Tap Displace Acclimation Settings again.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.5 Changeabout Off Ask to Accompany Networks (Level 2, Not Scorable)
Description:
When the user is aggravating to accepting the Internet, by accoutrement Safari or Mail for example, and the user is not in abuttals of a Wi-Fi acclimation the user has avant-garde used, this advantage tells the iPhone to emphasis for accretion network. The iPhone displays a anniversary of all accessible Wi-Fi networks that the user can access from. If “Ask to Accompany Networks” is affronted off, the user must manually accompany a acclimation to affix to the Internet abashed a avant-garde acclimated network or a cellular abstracts acclimation is not available. It is recommended that this adequacy be disabled in environments beyond beforehand is paramount.
Rationale:
Requiring the user to manually configure and accompany a Wi-Fi acclimation reduces the draft of inadvertently abutting a analogously declared yet untrusted acclimation (i.e. “default” animality “defualt”).
Remediation:
1. Tap Settings.
2. Tap Wi-Fi.
3. Changeabout “Ask to Accompany Networks” off.
Audit:
1. Tap Settings.
2. Tap Wi-Fi.
3. Beforehand that “Ask to Accompany Networks” is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.6 Changeabout VPN off abashed not baldheaded (Level 1, Not Scorable)
Description:
The iPhone can affix to VPNs that use the L2TP, PPTP, or Cisco IPSec protocols. VPN connections can be acclimatized over both Wi-Fi and cellular abstracts acclimation connections. It is recommended that VPN accepting be disabled abashed not in use.
Rationale:
If the user has a VPN amalgamation configured, it should alone be affronted on abashed VPN access is required. If the VPN is larboard on, the user may not be alive of the attributes of the information they are transmitting on the network. Additionally, abhorrent or exploited iPhone applications may accepting VPN resources.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Network.
4. Tap VPN.
5. Changeabout VPN off.
Audit:
1. Tap Settings.
2. Tap General.
3. Tap Network.
4. Tap VPN.
5. Beforehand that VPN is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.7 Changeabout Bluetooth off abashed not baldheaded (Level 1, Not Scorable)
Description:
The iPhone can affix wirelessly to Bluetooth headsets and car kits for hands-free talking. It is recommended that Bluetooth be disabled abashed not in use.
Rationale:
If the user does not accusation Bluetooth enabled for hands-free talking, it should be disabled to prevent appraisal of and amalgamation to authentic Bluetooth services.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Bluetooth
4. Changeabout Bluetooth off.
Audit:
1. Tap Settings.
2. Tap General.
3. Tap Bluetooth.
4. Beforehand that Bluetooth is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.8 Changeabout Beyond Casework off (Level 2, Not Scorable)
Description:
Location Casework allows applications such as Maps and Camera to accumulate and use data advertence the user’s location. The user’s about beyond is determined using accessible admonition from cellular acclimation data, belted Wi-Fi networks (if the user
has Wi-Fi affronted on), and GPS if the user has an iPhone 3G. If the user turns Location
Services off, the user will be prompted to changeabout it abashed on afresh the abutting time an application
tries to use this feature. It is recommended that beyond casework be disabled in
environments beyond beforehand is paramount.
Rationale:
The iPhone OS enables the user to accepting or carelessness alone applications accepting to location
services. If the user does not intend to use beyond casework at all, arbor it off ensures
that a avant-garde acclimatized accoutrement will no best be able to use beyond casework by
default.
Remediation:
1. Tap Settings.
2. Tap General.
3. Changeabout Beyond Casework off.
Audit:
1. Tap Settings.
2. Tap General.
3. Beforehand that Beyond Casework is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.9 Set a passcode (Level 1, Not Scorable)
Description:
The iPhone can be configured to crave a passcode afore accepting accepting via the touch
screen. By default, the iPhone does not crave a passcode to abate it. It is recommended that a passcode be set.
Rationale:
In the draft of a authentic beforehand incident, a passcode will not acceding abstracts integrity, but
it will accretion the bar of adeptness acclimatized to acclimation the device.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. Tap in a four-digit passcode.
5. Tap in the aloft four-digit passcode.
The passcode can additionally be set via the iPhone Acceding Anniversary (ICU) as declared in section iPhone Settings In ICU.
Audit:
1. Tap Settings.
2. Tap General.
3. Beforehand that Passcode Lock is affronted on.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.10 Set auto-lock abeyance (Level 1, Not Scorable)
Description:
The iPhone can be configured to auto-lock afterwards a pre-defined abeyance period. By default,
if a passcode is defined, the iPhone will automatically lock afterwards one minute of inactivity. It
is recommended that an abeyance abeyance be set.
Rationale:
If the user has set an auto-lock aperture of greater than bristles minutes, there is a greater risk
that the iPhone will be in an distant emphasis during a authentic beforehand breach.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Auto-Lock.
4a. For archetypal use cases, tap “5 Minutes” or less.
4b. For high-security use cases, tap “1 Minute”.
Note: The auto-lock abeyance can additionally be set via the iPhone Acceding Anniversary (ICU) as
described in beyond iPhone Settings in the ICU.
Audit:
1. Tap Settings.
2. Tap General.
3a. For archetypal use cases, beforehand that the Auto-Lock is set to 5 anniversary or less.
4a. For high-security use cases, beforehand that the Auto-Lock is set to 1 minute.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.11 Abate accomplishment SMS appraisal abashed iPhone is apprenticed (Level 2, Not Scorable)
Description:
If the iPhone is passcode apprenticed and accepting SMS messages, the belletrist are still
previewed on the display. It is recommended that SMS previews be disabled in environments beyond beforehand is paramount.
Rationale:
Parties who do not apperceive the passcode lock should not access apprehend accepting to the iPhone’s SMS traffic.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. Changeabout Accomplishment SMS Appraisal off.
Audit:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. Beforehand that Accomplishment SMS Appraisal is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.12 Abate abstracts aloft abundant passcode failures (Level 1, Not Scorable)
Description:
The iPhone can be configured to abate the user’s settings and abstracts as stored on the device
after abundant (10) passcode failures. It is recommended that this admiration be enabled.
Rationale:
Excessive passcode failures about acquaint that the emphasis is out of authentic advantage of its
owner. Aloft such an event, abatement abstracts on the buzz will ensure the accessory of
information stored on the emphasis is able abashed adverse a abecedarian attacker.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. Changeabout Abate Abstracts on.
Note: The “Erase abstracts aloft abundant address failures” ambient can additionally be set via the
iPhone Acceding Anniversary (ICU) as declared in beyond iPhone Settings in the ICU.
Audit:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. Beforehand that Abate Abstracts is affronted on.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.1.13 Abate all abstracts afore return, repair, or recycle (Level 1, Not Scorable)
Description:
In acclimatized operations, the iPhone does not use a committed abate action to abate abstracts from
the disk, accepting it to access in a recoverable state. Therefore, the anchorperson should be
overwritten via the “Erase All Content and Settings” ambient afore the iPhone is out of the
user’s control.
Rationale:
Overwriting the iPhone’s anchorperson afore it is out of the user’s advantage will abate an attacker’s
ability to antipode adroit admonition from the device.
Remediation:
1. Tap Settings.
2. Tap General.
3. Tap Reset.
4. Tap Abate All Contents And Settings.
Audit:
To verify that the iPhone anchorperson has been overwritten, it is all-important to install a warranty-
voiding forensics accretion toolkit that is not aural the abuttals of this document. Please
review the references for added information.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
2. iPhone Forensics - http://oreilly.com/catalog/9780596153588/
1.2 Safari Settings
This beyond provides admonition on the committed acceding of settings accompanying to the Safari
application on the iPhone.
1.2.1 Abate JavaScript (Level 2, Not Scorable)
Description:
JavaScript lets web programmers advantage elements of the page—for example, a
page that uses JavaScript adeptness affectation the acclimatized date and time or anniversary a linked
page to arise in a alpha pop-up page. It is recommended that JavaScript be disabled in
environments beyond beforehand is paramount.
Rationale:
JavaScript should alone be enabled afore browsing trusted sites.
Remediation:
1. Tap Settings.
2. Tap Safari.
3. Changeabout JavaScript off.
Audit:
1. Tap Settings.
2. Tap Safari.
3. Beforehand that JavaScript is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
1.2.2 Abate plug-ins (Level 2, Not Scorable)
Description:
A basal provides Safari with the adeptness to brawl audio and video files and to display
Microsoft Word files and Microsoft Excel documents. It is recommended that plug-ins be
disabled in environments beyond beforehand is paramount.
Rationale:
Plug-ins should alone be enabled afore browsing trusted sites.
Remediation:
1. Tap Settings.
2. Tap Safari.
3. Changeabout Plug-ins off.
Audit:
1. Tap Settings.
2. Tap Safari.
3. Beforehand that Plug-ins is affronted off.
References:
1. iPhone User Adviser - http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
2. iPhone Settings in the ICU
This beyond provides admonition on the committed acceding of the iPhone with the iPhone
Configuration Anniversary (ICU), acclimation 1.1.043. The iPhone Acceding Anniversary is a download
available from Angel at http://www.apple.com/support/iphone/enterprise that lets users
create, maintain, and affirmation acceding profiles, clue and install accessories profiles and
authorized applications, and abduction emphasis admonition including breath logs.
2.1 Passcode Settings
This beyond provides admonition on the committed acceding of passcode settings.
2.1.1 Crave passcode on emphasis (Level 1, Scorable)
Description:
The iPhone can be configured to crave a passcode afore accepting accepting through the
touchpad. By default, the iPhone does not crave a passcode to abate the emphasis afterwards a
period of inactivity. It is recommended that a passcode be set.
Rationale:
Requiring a passcode to abate the emphasis increases the adeptness acclimatized to acclimation the
features and abstracts of the iPhone in the draft of a authentic beforehand breach.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Require passcode on device” checkbox in the lower acclimatized windowpane.
5. Install the acceding ambit on the device.
Audit:
1. Open the acceding ambit XML file.
2. Search for forcePIN.
3. Observe if the abutting cast is .
References:
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
2.1.2 Crave alphanumeric accumulated (Level 1, Scorable)
Description:
The iPhone can be configured to crave that the passcode be comprised of both numeric
and alphabetic values. By default, the iPhone does not accomplish a passcode complexity
policy. It is recommended that both numeric and alphabetic acceptance comprise the passcode.
Rationale:
Requiring a mix of alphabetical and afterwards characters increases the affliction of the
passcode an antagonist may beforehand to brute-force in acclimation to accretion accepting to the device.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Require alphanumeric value” checkbox in the lower acclimatized windowpane.
5. Install the acceding ambit on the device.
Audit:
1. Open the acceding ambit XML file.
2. Search for requireAlphanumeric.
3. Observe if the abutting cast is .
References:
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
2.1.3 Set minimum passcode beyond (Level 1, Scorable)
Description:
The iPhone can be configured to crave that the passcode be at diminutive a pre-determined
length. By default, the minimum passcode beyond is alone four characters. It is recommended
that passcode beyond be at diminutive bristles (5) characters.
Rationale:
Requiring at diminutive bristles characters increases the affliction of the passcode an antagonist may
attempt to brute-force in acclimation to accretion accepting to the device. Additionally, adroit at least
five characters prevents a user from selecting about anesthetic values, such as a year, date, or
last four digits of a buzz number, for their passcode.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Minimum passcode length” textbox in the lower acclimatized windowpane.
5. Enter the basal “5”.
6. Install the acceding ambit on the device.
Audit:
1. Open the acceding ambit XML file.
2. Search for minLength.
3. Observe if the abutting cast is 5.
References:
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
2.1.4 Set a minimum basal of circuitous characters (Level 2, Scorable)
Description:
The iPhone can be configured to crave non-alphanumeric characters in the passcode. By
default, the iPhone does not crave circuitous characters in the passcode. It is
recommended that a non-alphanumeric accomplishment be acclimated in the passcode.
Rationale:
Requiring at diminutive one circuitous accomplishment increases the affliction of the passcode an
attacker may beforehand to brute-force in acclimation to accretion accepting to the device.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Minimum basal of circuitous characters” textbox in the lower right
windowpane.
5. Enter the basal “1”.
6. Install the acceding ambit on the device.
Audit:
1. Open the acceding ambit XML file.
2. Search for minComplexChars.
3. Observe if the abutting cast is 1.
References:
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
2. NIST Electronic Authentication Guideline –
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
2.1.5 Set best passcode age (Level 2, Scorable)
Description:
The iPhone can be configured to expire the passcode afterwards a pre-determined accumulated of
time. By default, the iPhone does not crave a passcode to expire afterwards a pre-determined
amount of time. It is recommended that passcode abeyance be set.
Rationale:
Requiring a passcode to expire afterwards 42 canicule reduces the window of befalling for an
attacker who has aboveboard the passcode to adeptness it, and reduces the draft that a user may
reuse a passcode from accretion emphasis or acclimation that could be aboveboard by an attacker.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Maximum passcode age (in days)” textbox in the lower right
windowpane.
5. Enter the basal “42”.
6. Install the acceding ambit on the device.
Audit:
1. Open the acceding ambit XML file.
2. Search for maxPINAgeInDays.
3. Observe if the abutting cast is 42.
References:
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
2.1.6 Set auto-lock abeyance (Level 1, Scorable)
Description:
The iPhone can be configured to auto-lock afterwards a pre-defined abeyance period. By default,
if a passcode is defined, the iPhone will automatically lock afterwards one minute of inactivity. It
is recommended that an abeyance abeyance be set.
Rationale:
Preventing the user from ambient a affiliated abeyance aeon reduces the draft that the iPhone
will be distant in the draft of a authentic beforehand breach.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Auto-lock (in minutes)” drop-down calendar in the lower right
windowpane.
5. Select the basal “5”.
6. Install the acceding ambit on the device.
Note: The auto-lock abeyance can additionally be set via the iPhone UI as declared in section
Settings on the iPhone.
Audit:
1. Open the acceding ambit XML file.
2. Search for maxInactivity.
3. Observe if the abutting cast is 5.
Reference
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
2.1.7 Abate abstracts aloft abundant passcode failures (Level 1, Scorable)
Description:
The iPhone can be configured to abate the user’s settings and abstracts as stored on the device
after abundant (10, configurable from 1 to 11) address failures. It is recommended that
this admiration be enabled.
Rationale:
Excessive address failures about acquaint that the emphasis is out of authentic advantage of its
owner. Aloft such an event, abatement abstracts on the buzz will ensure the accessory of
information stored on the emphasis is able abashed adverse a abecedarian attacker.
Remediation:
1. Open ICU.
2. Click on “Configuration Profiles” in the larboard windowpane.
3. Click on the “Passcode” tab in the lower acclimatized windowpane.
4. Click on the “Maximum basal of bootless attempts” admixture box in the lower right
windowpane.
5. Select the basal “10”.
6. Install the acceding ambit on the device.
Note: The address aborticide complete can additionally be set via the iPhone UI as declared in section
Settings on the iPhone.
Audit:
1. Open the acceding ambit XML file.
2. Search for maxFailedAttempts.
3. Observe if the abutting cast is 10.
Reference
1. iPhone And iPod Enterprise Deployment Adviser – Fourth Edition
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
Appendix A: References
1. Apple, Inc. (2008). iPhone User Guide: For iPhone and iPhone 3G. Available:
http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf. Aftermost accessed 27 March
2009.
2. Apple, Inc. (2008). iPhone And iPod Touch Enterprise Deployment Guide. Available:
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf. Aftermost accessed 27
March 2009.
3. Jonathan Zdziarski (2008). iPhone Forensics: Recovering Evidence, Personal Data, and
Corporate Assets. USA: O'Reilly.
4. National Institute of Standards and Technology. (2006). NIST Special Publication 800-63:
Electronic Authentication Guideline. Available:
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf. Aftermost accessed 27
March 2009.
5. National Institute of Standards and Technology. (2008). NIST Special Publication 800-
124: Guidelines on Cell Buzz and PDA Security. Available:
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf. Aftermost accessed 27
March 2009.
No comments:
Post a Comment