How to protect your iPhone, Photos, & iCloud account

Outsmart iCloud hackers and keep your data safe

Not too long ago the term "The Cloud" was a mysterious description for all of the data we didn't store on our own devices. Few people understood what it was. Things have changed now, but the average consumer still struggles to understand the intricacies of storing and sharing private content within cloud-based applications.

Today, over 782 million Apple users are comfortable using iCloud. They're also using other cloud-based apps that gather private user data, with or without informed consent.

As reliance on iCloud increases, cybersecurity and privacy risks become more and more complex, and users should be informed. After all, there's a lot of data in it. With this article, we're seeking to help you take the right actions to protect your privacy. Sometimes that involves shedding a little convenience, though not always. And it's worth it.

The security of your cloud data and phone is worth your full attention. We aim to make it easy, and have compiled a comprehensive list of actions you can take to increase the security of your iCloud account and iPhone.

Easy things you should do to stay safe 🔒

Let's start with the basics...

1. Don’t trust emails asking for iCloud authentication

Phishing emails fake legitimate security measures. They're the emails that land in your inbox, appearing to be from Apple, Google or others, and which usually contain a message with some urgency: "click to ensure your account stays active", for example. These are all nonsense -- and dangerous to click on.

Phishing emails simulate legitimate attempts to validate a user’s recent activity and ask for user credentials. That's the first red flag. The message could be: "We've recently detected suspicious activity in your iCloud account. Use this form to reset your password".

Every time you see an email specifically asking for credentials, check the URL. If you see any other domain than iCloud.com, or if you notice an insecure certificate when browsing, it's most likely a phishing attempt. Here's Apple's icloud.com, and the secure certificate that you should see on it:

Apple's iCloud.com with a secure SSL certificate

We recommend that you access your iCloud account directly without using any email link. Always use the official iCloud site to log in, change a password, or check for warning messages. If you don't see anything suspicious, the email is probably from a hacker trying to steal your iCloud credentials. You can get in touch with Apple’s security team and report these attempts to them.
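The URL check described in this step, as an added example (not code from the original article): a Python function that accepts a link only if it uses HTTPS and its host is icloud.com or a subdomain of it. The function names and sample links are constructed for illustration, and the certificate check is not covered.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption for this example: the only domain trusted for sign-in is the
# one the article names, icloud.com (and its subdomains).
TRUSTED_DOMAIN = "icloud.com"


def check_link(url: str) -> Tuple[bool, str]:
    """Return (looks_genuine, reason) for a link that asks for iCloud credentials."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        parts.port  # raises ValueError when the port is malformed
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host name"
    host = host.rstrip(".").lower()
    # Anything before '@' is login data, not the site; it can make the link
    # read as if it pointed at icloud.com when the real host comes after it.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' hides the real host: " + host
    # Internationalised names can render almost identically to ASCII ones.
    if not host.isascii():
        return False, "non-ASCII (lookalike-capable) host"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode (lookalike-capable) host"
    # The trusted name must be the END of the host, on a label boundary.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host is " + host
    return False, "host is " + host + ", not " + TRUSTED_DOMAIN


def suspicious(links: List[str]) -> List[str]:
    """Return the links that fail the check, in their original order."""
    return [link for link in links if not check_link(link)[0]]


# Constructed sample links (not taken from real emails).
SAMPLE_LINKS = [
    "https://www.icloud.com/",
    "http://www.icloud.com/",                           # no TLS
    "https://icloud.com.account-verify.example/reset",  # trusted name is only a prefix
    "https://www.icloud.com@signin.example/reset",      # real host follows the '@'
    "https://icloud-support.example/reset",             # different domain
    "https://i\u0441loud.example/",                     # Cyrillic letter in the host
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_link(link)
        print("OK     " if ok else "REJECT ", ascii(link), "-", reason)
```

A link that passes only shows the host is right; signing in by typing the address yourself, as recommended above, remains the safer habit.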

2. Don’t click on anything suspicious

Every now and then an exploit is discovered that can compromise your data simply through clicking a link.

Mike Murray, a security expert from Lookout, described the most recent issue of this kind as “the most sophisticated spyware package we have seen in the market”. It was linked with NSO Group, an Israeli company which makes security applications for governments. A few hours later, Apple launched an iOS update, which solved this vulnerability.

What can we take from this? Even though the problem was solved rapidly, other security holes could be discovered. If you receive any unusual message or email containing links, it’s best to ignore it.

Having a private email address is a good way to avoid targeted or random spyware attacks in this way. Here are three things you can do to ensure privacy:

  • Use a separate email address for purchases, social networks and promotional messages, and a private, rarely disclosed one for information you wish to keep secure. Share it only with trusted people.
  • Create filters for email accounts you trust -- and avoid opening messages that look like spam but got past your filters
  • Enable two-factor authentication for your email -- perhaps using a cell number to receive notifications for suspicious activity
  • Encrypt your email -- use a web-based email provider or set up your Outlook to use encrypted connections with GPG
  • Use an additional anti-spam app and make sure you filter any annoying messages

3. Use a strong password -- and change it regularly 🔑

If it's not too annoying to change your password every 6 months, go ahead and take 5 minutes now to update yours today.

One of the most basic methods to protect your iCloud is to use a strong password. We suggest using a long password containing numbers, letters and punctuation signs. Don’t forget to save the password in a very safe place.

Tools like 1Password (paid) or KeePass (free) generate random text which generally makes very strong passwords, and help you store your passwords and confidential data safely.

Look, it's 1Password!

Combine capital letters and numbers to form a secure password. Security company McAfee suggests avoiding password terms that include personal information, like your birthday, pet's name or a favourite colour, because they're easy for hackers to guess. Don’t choose any favourite band, your birthplace or any other relatable guess as your iCloud password. The Telegraph have written on the most commonly used passwords, and they're worth avoiding!

Consider using phrases to protect the integrity of your account, which are easy for you to remember as an individual but difficult for existing software to rapidly generate. Ideal passwords are at least 14 characters long. Replace certain letters with numbers or symbols: beardak0tast@arhip, for example.

If you're not sure how strong your password is, there are a few free online tools to help you:

We'd not recommend putting your actual password into either of them, though.

4. Use strong security questions and answers 🔑🔑

More than a year ago, Colin Powell and George W. Bush lost their email data after their accounts were illegally accessed by a hacker. The hacker managed to gain access by guessing the answers to their security questions. Beware!

For example, a possible security question is: "Where were you born?" If someone knows where you were born, they could answer this question and get access to your iCloud data.

To avoid this possibility, use more difficult questions and answers. For example, choose an alternate question like: “Which is your favourite movie?” or “Which is your favourite author?”. Ideally, make up the answers, and record your made-up answers in a secure password manager. By using more difficult security questions, you stand a better chance of safeguarding yourself.

5. Activate two-factor authentication (2FA) on your iCloud account 🔑🔑🔑

A few years ago Apple introduced an additional layer of iCloud security. This feature protects the iCloud account even where the password is known to somebody else. As long as the potential hacker doesn’t have access to your trusted devices, the iCloud account remains inaccessible.

Two-factor authentication is an account owner verification process that is triggered whenever a new login is attempted. Apple introduced 2FA in 2016, and Reincubate has been providing support for this feature ever since.

Two-factor authentication works like this. When you try to log in to your iCloud account, you are sent a unique code. To complete the login process, you're required to enter both your password and the code received on your phone. Without the code (randomly generated in real-time), anyone who wants to access the account won't manage to get in -- even if they have your username and password. So, the bad guys will get locked out and you'll get a pop-up or a text message alerting you if and when they're trying to get in.

This is what you would see on an Apple device with 2FA engaged when a login from a new location is attempted:

A 2FA prompt on a Mac

This is how you can enable two-factor authentication for iCloud (read more in Apple's own words):

On your iPhone, iPad, or iPod touch with iOS 9 or later:

  • Go to Settings → iCloud → tap your Apple ID
  • Tap Password & Security
  • Tap Turn on Two-Factor Authentication

On your Mac with OS X El Capitan or later:

  • Go to the Apple menu → System Preferences → iCloud → Account Details
  • Click Security
  • Click Turn on Two-Factor Authentication

We cover two-factor authentication and its history in more detail in our guide here.

6. Associate your iCloud with a secure email account

Yahoo!'s recent scandal revealed that email accounts are sometimes not as well protected as you might hope. With more than 500 million emails hacked, there's always the potential that hackers hack your email account, then try to send a password reset email to your email address using the iCloud login system.

If you have an iCloud account associated with a Yahoo! email address, it’s best to change your password as soon as possible. Actually no, it's better to switch mail provider. Sorry, Yahoo!. Gmail is robust.

7. Don’t use unsecured wireless networks

Free hotspots can be a convenient way to browse the web, particularly when you're on the move. But they're not secure.

Are they legit? Whoever operates a network has the capability of intercepting or recording traffic sent over it. If you don't know who is running the network -- and you don't trust them -- you shouldn't use it. If the network isn't secured properly, there's also the potential that other users of the network could attack your devices and potentially intercept your traffic or your device's data.

The best thing you can do is to avoid accessing the Internet using these hotspots. Secured public Wi-Fi connections are safer but you are still exposed to risks if you use them to access the iCloud.

Use a good data plan instead with your carrier and make sure your home WiFi network is secured.

If you do need Wi-Fi access on the go, invest in a Mi-Fi device, or consider using a VPN to protect your traffic. That won't protect your device from other users on the network, however.

8. Enable "Find My iPhone" on your device

Once activated, this option allows you to get in touch with your lost or stolen iPhone, or to remotely erase it. We’ve covered this in depth before.

The main idea is that you can use this feature to access your lost iPhone remotely, send messages to its display, find its position or entirely wipe its data unless you recover it. Access your iCloud account and activate “Lost mode” for that device and your iCloud account will be safe.

Another benefit of this feature is that it prevents anyone else using your iPhone if it's stolen. It can't easily be reactivated, so it's worth a lot less to a potential thief.

Setting up "Find my iPhone"

9. Delete unwanted or sensitive content from Photo Stream or iCloud Photo library

If you have images which aren't so important to you, delete them. Similarly, if you have any particularly confidential content, perhaps it's best not to keep it on your smartphone. If you delete it, ensure you remove it from "Deleted items", too. Be aware of all the ways this data can be recovered.

Does your iPhone have content you could be blackmailed or extorted with? All the more reason to follow this list.

10. Encrypt your locally saved data

If you have sensitive data on your computer, it’s best to encrypt it. Windows has BitLocker built into it, and Macs have FileVault. These are both great -- and free. Turn them on.

If your computer is stolen and it has an encrypted disk, you can make an insurance claim and forget about it, assuming you had a strong password. It's nice not to worry about someone accessing your data. Don't risk it!

All recent versions of iOS automatically encrypt the contents of your iPhone and iPad. If that gets stolen, our next tip is important.

11. Enable "Erase Data" to delete data after 10 failed passcode attempts

This is one of the simplest methods to prevent your phone being attacked. If this option is enabled and somebody tries to guess your passcode, your iPhone will wipe itself after 10 failed attempts. Don't worry: this isn't something you're likely to do by accident. There's a long timeout between failed attempts. It'd take a serious attempt to have someone erase your phone.

To activate this feature, from Settings, tap Touch ID & Passcode and activate the Erase Data option. Once this is enabled, your iPhone and iCloud data will be safer.

Erase data after 10 failed attempts

12. Lock down your lock screen: be prudent with Siri's settings and message previews

We take a deeper dive into securing your lock screen settings. Do check it out, as it'll help you stop people reading messages on your lock screen, or asking Siri to read out your personal data. Oops!

13. Make an iPhone backup

Regular backups are so important, there’s even a dedicated World Backup Day for them. Despite greater awareness, better habits, and easier technology, many users are still not creating regular backups.

If you're getting "iPhone Backup Failed" or "iPhone Not Backed Up" messages, you really should fix them. It's not hard, doesn't cost anything, and we can show you how.

Rather than going into detail on creating a backup here, we've got a comprehensive guide on choosing between iTunes and iCloud backups, and how to make them work well for you.

14. Remove any unused or unrecognised devices that are connected to your iCloud account

To see these, go to iCloud.com and open Settings: the My Devices section of the page lists all the devices you are signed in on.

Remove any you don't recognise. Devices authorised here have low-level access to your iCloud account and all of the data in it.

If you do this, you won't be able to use "Find my iPhone" with the devices. If you don't trust them, you should zap them. Too risky otherwise.

Check the devices associated with your iCloud account

15. Sign out of any iCloud-authenticated browsers you're not using

If you have logged in to iCloud on the web on a computer that is not yours (like a work computer, a friend’s computer, or one in an internet cafe) and forget to log out, it’s recommended that you do it using this option.

  • Go to iCloud.com and log in with your username and password
  • Select the Settings icon
  • At the bottom of the screen you’ll see a blue link that says "Sign Out Of All Browsers"
  • Click it and you'll be signed out of all browsers on any device anywhere in the world where you are signed into your iCloud account

Sign out other browsers

16. Turn off access to sensitive data for apps that don’t need it

To keep your data private you could also restrict access to apps that don’t need it, for example access to your contacts, calendar, photos, etc. Of course, hopefully you didn't grant access in the first place.

On your iOS device, go to Settings → Privacy → Contacts, etc.

Disabling access to your data...

Things you might want to do

Not everything you can do to secure your account and iPhone is convenient -- or will make a big difference day-to-day. Here are our assorted tips that didn't make the grade as "must-do". They're still worth reading and considering, however. 👍

1. Turn on "Limit ad tracking"

Ad tracking is used by advertising networks to target ads at you. If you limit this it restricts tracking of ads across apps. Well, apart from when Google bypass it.

On your iOS device, go to Settings → Privacy → Advertising.

Limit ad tracking in Safari

2. If you're a macOS user, consider pair-locking your iPhone

Pair-locking requires a little technical knowledge and isn't for everyone, so we've covered it in more detail in another article. In short, it prevents your iPhone from ever exchanging data with another computer. Cool.

3. Turn off Safari’s AutoFill

If you're using iCloud Keychain, your saved data in Safari can be shared between browsers. This means your passwords and pre-filled password data from your desktop Mac can be accessed on your iPhone, and vice versa. To avoid this, disable the feature.

For this, access Safari’s settings, go to AutoFill and disable it.

Deactivating autofill

Conclusion

We've covered off the most important security features to restrict unauthorised iPhone or iCloud access. As new tools are developed by hackers and forensics companies the risks increase, and perfect security is impossible.

As a company, data privacy and security are in our DNA. iPhone Backup Extractor is built to ensure compatibility with all of Apple's security measures, and we're committed to ensuring our product is used by legitimate, ethical users. Stay safe!

How to completely secure your lock screen and protect your iPhone

Contrary to popular belief, Touch ID -- introduced with the iPhone 5s -- does not make your iPhone completely unhackable. Bypassing Touch ID and the passcode is not an easy job, but it can be done. Last year, SiliconANGLE covered a security flaw in iOS 9 that made access to Photos possible on anybody’s phone, without knowing the passcode or using Touch ID.

This year, we’re covering security opportunities associated with your iPhone's lockscreen, no matter which iOS version you’re on.

Lockscreen vulnerabilities

If a fingerprint is not read correctly -- or, if you double tap the home button -- you’re prompted to enter a pincode. If your device is protected with a simple four-digit passcode, the iPhone can be easily unlocked. With only 9,999 possible combinations this code can be cracked. Besides, the most common combinations are available online, making brute-force attacks easier than they might otherwise be.

Research suggests that about 15% of all iPhone users have common four-digit passcodes. Passwords like 1234, 0000, birthdays and anniversaries are more frequent than you think. Although in iOS 10 and iOS 9 a six-digit code is selected by default, people are still looking for articles on how to switch back to the less secure 4-digit combination.

To bypass the 4-digit passcode security layer, hackers usually go for 5 methods:

  1. Brute force attack (a few tries until the iPhone is completely disabled)
  2. Using a sequence of commands with Siri
  3. Passcode hacking applications
  4. A fake server
  5. Resetting the phone using iTunes

Increase your lock screen's security

Lockscreen attacks aren't very common, but they’re the easiest to attempt and most likely to succeed if your device is not configured correctly.

Over the past years, various security breaches have occurred, targeting high profile people. The particular nature of a lock screen attack is that it requires direct contact with the iPhone, meaning your device would be either stolen or misused by people.

For your security and peace of mind, let's help you set up your iPhone to reduce the likelihood of a successful lock screen hacking attempt.

1. Replace the four-digit passcode with a six-digit password

The first step is to use a six-digit pin code. A four-digit passcode means 9,999 passcode combinations. For a six-digit passcode, a hacker will need about 999,999 attempts to hack the phone. Of course, this can’t happen as long as you have activated a phone wipe after too many failed passcode attempts.

To replace the four-digit passcode with a six-digit password go to Settings, select Touch ID and password and choose Select Passcode. Select 6-Digit Numeric Code then add your password.

6-digit numeric code

2. Replace your password with a longer passcode

By using this method, you can rest assured you'll make the hacker's job much more difficult. For every additional digit used in the passcode, the number of necessary attempts increases ten times. If a six-digit passcode needs about 999,999 combinations, for a seven-digit passcode the number of combinations increases to 9,999,999.

To activate this option, go to Touch ID & password, click on Select passcode then choose Custom Numeric Code. You will be allowed to use additional numbers to lock your iPhone’s screen.

Custom numeric code

Remember that you need to have at least iOS 9 on your iPhone if you want to activate this feature on your device.

If your smartphone is running iOS 8 and you still need to increase your iPhone protection, use an alphanumeric code instead. This option allows you to protect your iPhone with a passcode using numbers and letters.

By using this option and more than eight letters and numbers, you can be sure that the passcode cannot be hacked or guessed -- so long as you don’t use an obvious combination. To activate it, go to Select Passcode, choose Custom Alphanumeric Code and add your new credentials. Make sure you remember your passcode to prevent losing your data!

Custom alphanumeric code

3. Deactivate Control Center access

If you lose your smartphone and you have "Find my iPhone" active your data is still at risk. As long as the potential pickpocket can switch your iPhone’s settings to Airplane Mode, you run the risk of losing control of your remotely controlled device.

The best protection is to ensure Control Center can’t be accessed from the lock screen. To deactivate access from the lock screen, go to Control Center then use the switch to deactivate Lock Screen access.

Disabling Control Center access from the lock screen

4. Disable Siri’s access to lock screen features

Siri is one of the most appreciated features in iOS, and is expected to grow into a more intuitive AI assistant, with Apple’s recent decision to hire its first director of AI. Currently, in terms of security, the assistant has weak points. Discovered in iOS 9, this simple exploit could make your iPhone accessible even if a hacker doesn’t know the passcode. By using Siri, he could eventually gain access to sensitive data.

To prevent bypassing the passcode you need to make sure that Siri’s settings don’t allow access to your private data. Go to Settings then select Touch ID & Passcode. Choose Allow Access When Locked and turn off Siri, Notifications View, Wallet, Today and Reply with iMessages. This is similar to disabling access to Control Center from your lock screen.

Disabling Siri access when locked

5. Decrease the time until the iPhone locks itself

iPhones get snatched on the street every now and then. When that happens, the iPhone is usually unlocked, and the thief will have access to everything.

To prevent this, use a shorter time interval for automatic iPhone locking. To decrease the number of seconds until the phone lock screen is activated you need to change the Auto-Lock timer’s settings.

To do this go to Settings, choose General then Auto lock. At this point, you can adjust the time available until the iPhone is locked. The shortest interval of time is 30 seconds (Immediately). Activate this option and confirm the action. Then go to the Passcode & Touch ID settings and decrease the time interval until the passcode is required.

Time iPhone locked

6. Remove notifications from iPhone’s screen

Even locked, an iPhone still shows various notifications, accessible to anyone else, as long as they have access to your device. Email and iMessages are displayed on the screen even if the passcode is active and the phone is locked. You can prevent people from seeing your data by hiding notifications from the lock screen.

Repeat these steps for each application installed. Access your iPhone’s Settings, go to Notifications and select the app you need to hide notifications for. Once selected, deactivate both Show on Lock Screen and Show Previews then confirm the action. Go to all your sensitive apps and repeat the same steps. Alternately, just disable Show Previews to hide message content.

Disable notifications

Conclusion

By changing your iPhone lock screen's default settings, you can increase the security of your device. Even so, these methods are not infallible and there are ways to improve the security and data protection of the iPhone. For your peace of mind, we strongly recommend you activate 2FA on your iCloud account and make sure that you have iCloud Backups enabled.

About the author

Alexandra Petruș served as Reincubate's VP of Product for a number of years and remains a friend of the company. She's recognised as a Google Developer Expert for Product Strategy, and is a co-founder of Bucharest AI.
