Can your iPhone be hacked? What to know about iOS security

Let’s be clear: if your iPhone or iPad is connected to the internet, there’s a risk it might get hacked. Sure, statistics seem to support the idea that your iOS device is pretty safe (and Apple keeps adding new safety features), but your security largely hinges on how you actually use the device.

In this article, we’ll look at some of the most common ways for malware to compromise iPhones, some warning signs your own phone may have been hacked, and how to ‘fight back’.

How can an iPhone be hacked?

Sideloaded apps

One of the biggest complaints about iOS is how slow the operating system is in adopting features that have long been present on Android devices. So to overcome this, some users resort to an option that goes against Apple’s Terms and Conditions: they jailbreak their phone.

This bypasses the built-in limitations to content from Apple’s App Store, allowing users to sideload apps and widgets from third-party stores. Sideloading – the act of getting an app from an unofficial store – can also be done by downloading it directly through a website on Safari or any other browser.

While allowing, or not, access to content from third-party stores can be debatable, as of now, only the applications on the App Store have been officially reviewed for safety. Meanwhile, the risks are clear: when installing a non-verified app, you are giving it unrestricted access to your device.

Fake apps in the App Store

Apple’s official store on your iOS device is generally known for providing safe content. Any application made available on the App Store has gone through a process that checked for bugs, privacy policy concerns, identification of third-party ad providers, and licensing requirements.

But sometimes a bad app(le) slips through the safety net. And a simple calendar event spam, a malicious link shared via messaging apps, or an aggressive advertisement displayed while browsing a website can open the App Store and suggest that you to install one of these inaccurately reviewed apps.

And because they are on the official store, there’s no reason to doubt their authenticity, right? Wrong. Such a dodgy app will try to cash in by, for example, selling you something you don’t need (and that doesn’t work) using Apple’s own in-app purchase system.

Fake Antivirus found on Apple’s App Store charges €134,99 per 3 months for removing non existing viruses.
Delivered via scareware ads, results in subscription scam.
More about the research: https://t.co/oqL80J3BNR https://t.co/IfwBD1KAdd

— Lukas Stefanko (@LukasStefanko) August 5, 2021

Calendar invites

Your iPhone’s Calendar app might seem like the safest place on your device, but it is actually one of the most common ways to distribute malware on iOS. Just like anyone you’ve just met can send you a Calendar invitation for a coffee later that week, hackers can do the same!

These unwanted invites can come from leaked email addresses or from you after unintentionally subscribed to calendar events on dodgy websites. Remember that scams are designed for people to fall for them. So in case you do, unsubscribe from the calendar and never tap on individual events you don’t know and trust as they will lead you to more spam.

Figure 1. Scam website requests a user to subscribe to calendar events on iOS

Configuration profiles

Back in 2010, Apple made it possible to add configuration profiles to its iOS devices. This way, companies could manage on their iPhones a series of specific settings and functions as well as install apps used internally that do not need to be publicly available on the App Store.

While this is a useful tool for the legitimate use of companies and schools, hackers learned to take advantage of this feature. As usual, through phishing attacks and social engineering traps, hackers can lead their victims into tapping a link that will install a malicious configuration profile, granting them access to your Wi-Fi, VPN settings, app management, or internet traffic.

More than just the privacy and safety risks posed by this kind of threat, most users are not aware of profile management options, giving hackers the time needed to explore and exploit user’s password, steal banking information, or even install spyware.

Figure 2. Malicious cryptocurrency wallet app installed via a configuration profile

The risks are real

If getting spam on your calendar sounds like a minor risk, having someone tracking you might sound much worse. But the most vicious thing about this type of hacking is that they are all interconnected. What was initially a small spam event invitation can easily escalate to installing a sideloaded app or a malicious configuration profile.

Bear in mind that your phone can also fall in the wrong hands without you noticing. This can be particularly sensitive in the context of abusive relationships. Stalkerware  – a tool used to access your devices remotely – can be installed on your phone without your consent. Attackers can then target your personal information on iCloud, track your location, or access your photos and notes.

How can I tell if my iPhone has been hacked?

If you suspect or fear your iPhone has been hacked, there’s a few things you can check to start with:

• Battery levels: Batteries naturally wear down over time. However, if your device is just a few months old, battery draining too fast might be a sign of unexpected background activity. Check what apps are using battery and your battery health to discard this option.
• Data: If you’re not a heavy user of your mobile data plan, but you still reach its limits very fast, there’s a chance your iPhone has been hacked. Hidden software on your device might be using your data to pass on information. Keep in mind, however, the most likely is that you’re giving permission for some app to work on the background.
• Strange “things”: Is there an app on your iPhone that you don’t remember downloading? Or maybe an app that seems duplicated? These might be clears signs your device has been hacked. Attackers may attempt to install this content on your phone through a sideloaded app and even if are tech-savvy, you can be vulnerable to these ploys.

Figure 3. One of the two apps is an imposter (source: ESET research)

 How do I remove a hacker from my iPhone?

1. Check whether your device is jailbroken. Whether you’ve been hacked or you’re being stalked, you might not be aware that your phone has been jailbroken by someone else. As Apple now allows for apps to be removed from the Home Screen, use the search function to find jailbreaking apps like Cydia or Sileo. If you find them, fully restore your device to factory settings.
2. Delete unnecessary apps and configuration profiles. If you have apps you’re not using, like wallpaper or weather apps, delete them. Even if they are safe, they might be tracking and selling your data to third parties. Also remove any configuration profiles that have not been installed by your organization or school.
3. Check your apps’ settings. Take the time to use the Settings app to go through all your installed apps and check the permissions you give them. Know which apps you’ve given permission to use your location, and remove that consent from apps that don’t need it.
4. Erase your iPhone or iPad content and settings. Make sure you have a backup of your photos and documents before fully restoring your device. Once you turn it back on, it will be clean from any malware and you can simply log in with your Apple ID to make it your own once again. 

Figure 4. Giving an iPhone a fresh start

 Can I prevent being hacked?

Everybody can fall victim to a cyberattack, but you can minimize your risks by following a few simple steps.

1. Do not jailbreak your iPhone. Resist the temptation. There might be a lot of cool features out there, but the dangers are not worth it. Plus, jailbreaking voids your device’s warranty!
2. Do not install third-party apps. There are thousands of apps on the official store. If you choose an iPhone, try to stick to what is safe for you and your device.
3. Be on the lookout for phishing scams. Don’t trick yourself into thinking that you won’t fall for scams; we all do. So beware of scam emails that request personal information and might steal account credentials.
4. Do not open links from people you don’t know and recognize. This is simple advice but it will help you avoid a lot of headache.
5. Use multi-factor authentication. If hackers take over your phone, prevent them from attacking your other accounts successfully. Add extra steps to protect your credentials.
6. Use a VPN. It will bolster your privacy and data protection, particularly if you are using a public Wi-Fi network.
7. Always keep your phone up to date. Make sure you are using the latest iOS update. Apple regularly adds new versions with new functionalities and, more importantly, safety patches to secure your devices.

 In the end, no matter how likely you are to get hacked, it’s important to understand the risks and implement a few simple precautions. Avoiding to jailbreak your device, refraining from tapping on unfamiliar links. and using multi-factor authentication wherever it’s available will go a long way towards protecting your device and your data.