Securing a travel iPhone

These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order.

I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus convenience.

Don't to use anything older than an iPhone 5S, it wouldn't have the TPM.

Needless to say, use long unique passwords everywhere.

  • Setup a new Apple ID, you don't want to reuse it anywhere
  • Enable Touch ID, it's TPM backed and resistant to shoulder surfing
  • Choose an alphanumeric passcode, make it long, you won't use it since you have Touch ID, and your encryption depends from it
  • Use passwords for the Apple ID security questions (but remember them, there is no way to reset them if you don't set a rescue email address, I got this wrong)
  • Turn off:
    • Siri, too many leaks and passcode bypasses
    • Bluetooth
    • Control Center on Lock Screen
    • Spotlight Siri Suggestions
    • Handoff and Suggested Apps
    • Voice Dial
    • Everything under "Allow Access When Locked"
    • Everything under "iCloud", especially iCloud Backup (or your end-to-end messages will end up backed up in plaintext), except Find My iPhone
    • Notifications > Mail > Show Previews
    • Notifications > Messages > Show Previews
    • Messages > Send as SMS
    • Safari > Advanced > Javascript
    • iTunes & App Stores > Automatic Downloads (including Updates)
  • Enable Erase Data after 10 failed passcode attempts
  • Make sure you have the latest iOS
  • iCloud > Apple ID > Password & Security > Setup Two-Factor Authentication
  • Carry a USB Condom or a battery pack for charging, or only use your own wall-plug charger (and mark it)
  • Use encrypted Notes (make Note in "On my iPhone", then tap the share button in top right corner, "Lock Note")
    • WARNING: the first line in the note is kept unencrypted as a title, put something like "---" there
  • Install as few apps as you can, and update and set them up before traveling
  • Use Brave as your Javascript-enabled browser, since it has HTTPS Everywhere and ad blocking

Turn the phone off before entering any situation that might lead to you being coerced to use your fingerprint to unlock the phone. ProTip: if you reboot the phone and not unlock it, it will still let you listen to music if you use the EarBuds remote.

Upon entering hostile networks, start refusing iOS, app and carrier updates. Use Airplane mode extensively. Turn off WiFi when you don't need it.

Avoid syncing or pairing the phone with a computer. To extract pictures, use Dropbox Camera Upload with a dedicated account and a shared folder going to your primary account. To save notes, message or email them to your main account. (Remember that email is unencrypted!)

Needless to say, keep the phone on your person at all times.

SIM cards and phone numbers

Keep the phone number you use for 2FA (and the Apple ID) secret. It's not much, but it's all you can do against a SS7 attack.

This means you'll have to use a different SIM for calling/texting/data and to activate any messaging app for which you'll give out the phone number like iMessage, WhatsApp and Signal.

If you are going to use mobile data, consider an international plan. For example a US SIM in China will get you around the Great Firewall.

On the 2FA SIM, enable the PIN (Settings > Phone > SIM PIN) so that it can't be just be popped into a phone by anyone. (You can also use the iPhone while the SIM is locked, but you don't want the 2FA SIM to be your day-to-day SIM anyway.)

Signal

Register with the public phone number (as opposed to the 2FA one).

  • Privacy > Enable Screen Security
  • Notifications > Show > Sender name only
  • Advanced > Disable Debug Log

Pre-warm conversations with the people you expect to communicate with during your trip.

Take a screenshot of your fingerprint QR (long tap on the name of a conversation), and send it to yourself (and verify the fingerprints between your two phones). You'll want to put that on your out-of-office email.

You can also check that the fingerprints of the people you talk to match the ones you see on your main phone.

WhatsApp

Like Signal, register with the public number and pre-warm.

  • Settings > Accounts > Security > Show Security Notifications
  • Settings > Notifications > Disable Show Preview
  • Settings > Chats > Disable Save Incoming Media
  • Make sure Chat Backup is off

Here fingerprints are more complex, if you tap on the contact and then on Encryption you'll see a numeric code. The first 6 blocks is the other party's fingerprint. The last six blocks is your own fingerprint. The QR is useless since it's per-conversation, but you can put your own fingerprint in the OoO email, and compare the other parties' with the main phone.

You can use WA to pass contacts from your main phone.

Email

Email is the gateway to all your identity. You don't want access to that. Set up a new webmail for example on Outlook.com, and configure it on the iPhone. Pick an address that looks real enough to be usable, but specify "Travel email" in the real name.

Forward the emails that you think you'll need, CC the new address when replying to threads you'll have to keep up, and set up an Out-of-office (see below).

If you really need to, setup very strict forwarding rules. You'll want to blacklist in particular anything matching "password", "reset", "recover" or "subject:login". (ProTip by @_gtank.)

Out of office

People will email you, that's what out-of-office (autoresponders) emails are for. Make one that specifies:

  • that you are traveling, with instructions not to send confidential information
  • your temporary email
  • your public phone number, the Signal QR and fingerprint, and the WhatsApp half fingerprint
  • the end date of your travel, with instructions not to use the contacts after that date

Remember to also set it for things like Slack and to post it on Facebook and similar.

Access

You intentionally won't have your password manager and your recovery email, so make sure to make a comprehensive list of things you might need access to, and change their passwords before and after traveling.

I use 1Password with Touch ID and no syncing. Consider that with Touch ID physical access to your phone can lead to full 1Password access. Make your tradeoff based on what passwords you are carrying.

That should be about it. For more paranoia, follow me on Twitter.