Can iPhones be hacked

Read about Security and your Apple ID - Apple Support

The weakest security aspect isn't the device itself, it tends to be the user. Make sure you use a strong password and use two factor authentication

Also consider using a 6-digit passcode

gilda162 wrote:

Can iPhones be hacked?

Yes. Of course. Anything built can be hacked, given enough time and money.

Hacking tools (very expensive tools) for this including Pegasus and Predator have been widely discussed.

And what can I do to prevent it from being hacked?

Erase, turn it off, shred it, slag it, and encase the slag in concrete.

Which is (usually) effective, but not very practical.

Security is never absolute.

Security is much like buying insurance. You need buy enough, but buying too much can be or is wasteful.

And increasing security makes devices less useful as the security is increased. Very secure systems are possible to build, they’re typically just exceedingly expensive, and not practical to use.

What to do? If you do not have two-factor authentication already enabled, gone to unique and preferably generated passwords, and have not reviewed and cleared password recommendations (Settings > Passwords > Security Recommendations), reviewed your known and trusted devices, configured your trusted devices and recovery fallback (possibly including an account recovery contact), and patched all your devices to current, you have a few tasks ahead of discussions of further hardening an iPhone.

The unfortunate problem here for these requests is that maintaining security is actual and consistent and on-going work, and there’s no panacea, no magic app, no simple fix. There’s work. And complicating this, there’s an ever-increasing number of vendors offering sketchy apps and tools, phishing, privacy-leaking apps, and related rubbish, such as some add-on security apps that have had features that can have surprised some of their users.

More info?

Here’s some (non-partisan!) reading: https://democrats.org/wp-content/uploads/Device-and-Account-Security-Checklist.pdf

Here’s some Apple reading: https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf

If you’re an investigative journalist, political dissident, someone with access to confidential or sensitive or classified information, access to lots of money, or have somehow to the interest and attention of some very rich and powerful or persistent folks, or similar reasons to be specifically targeted. your considerations and practices here will necessarily differ. Most of us are not targets.

I’m unclear how this got from device and account and password security to preserving what might be vulnerable or fraudulent or malicious apps (as that’s not usually part of keeping apps and software current), but actively hostile or profoundly vulnerable app store app can be removed remotely, as has happened on occasion.

Per Apple: In the rare cases in which a fraudulent or malicious app makes it onto the App Store, Apple can remove it once discovered and block any of its future variants, thereby stopping its spread to other users.

For folks who keep old versions of apps to avoid downgrades* (and don't wish to restore their device to factory settings):

Manually checking each app one by one for being removed from the App Store for security reasons or sharing location appears to be a necessary (and unwieldy for those with many apps) process.

*For example,

• I was forced to restore my device to factory settings and lost APPZILLA, a cool multifunction app I had paid for and had worked until I did the factory reset.
• Are we not all familiar with an app where an upgrade was actually a downgrade? Lastpass? YouTube? Google Voice? Facebook? Google Assistant? ...

(A step in two of the checklists (Step 5 or 6) is "conduct a review of apps you have installed on your device to see if any of them are sharing your location, and follow the relevant instructions to stop sharing." (Wording varies slightly.) This is similar to the check for a list of "If you notice an app has permission to access your data, and you don’t remember installing it or giving it permission to access your data, you may want to delete the app.")

The most common concern I get is that someone feels that someone who had physical access to their phone is now or may be invading their privacy, when I get the "Can iPhones be hacked" type questions.

What about all these apps? https://forums.macrumors.com/threads/what-you-need-to-know-about-ios-malware-xcodeghost.1918784/#post-21896151

For folks who keep old versions of apps to avoid downgrades, users need to check for these manually, don't they?

Disappointed I can't find a better answer to this question on these forums*. Securing your Apple ID is important, but it's far from a panacea. And just recommending that and if it's adequate is dangerous misinformation. IMNSHO. Apple runs a tight ship, but that's all the more reason to provide accurate information!

Sometimes users have share my location turned on for someone and never turn it off for YEARS.

I had a client and I noticed that their iPad was sharing their location with their ex-partner from MANY YEARS earlier. They had no idea.

*or elsewhere - not saying what I linked is a complete answer - just seems to be an essential portion of one.

That list is over 6 years old. Have you read the posts above it? Apple did ultimately inform users that downloaded XcodeGhost apps, and also published a list of the top 25 most popular apps that were compromised. Apple removed all of the infected apps from the ‌App Store‌, and provided information to developers to help them validate Xcode going forward. An article that old, especially in the technology world, should be re-investigated before its content can be deemed reliable.

And yet the concern raised by the question I asked - is not addressed - and not answered:

For folks who keep old versions of apps to avoid downgrades, users need to check for these manually, don't they?

Did you read all of my post, including "Securing your Apple ID is important, but it's far from a panacea. And just recommending that and if it's adequate is dangerous misinformation. IMNSHO. "?

[Edited by Moderator]

Thank you - that is very helpful!

It sounds like you concur that "Securing your Apple ID is important, but it's far from a panacea. And just recommending that and if it's adequate is dangerous misinformation. IMNSHO. Apple runs a tight ship, but that's all the more reason to provide accurate information". AND I concur you're right about those pre-further-hardening steps you mention.

Clarifying what I said earlier: In particular, I'm pretty sure that a dangerous app being removed from the App Store does little for folks who keep old versions of apps to avoid feature downgrades. Maybe I'm ignorant, but these users need to check for [an updated list of such apps - which I'd link to if I could find one] manually. I presume such users could even still have one from this ancient article installed from before this article came out. XProtect is cool, but I don't think XProtect is part of iOS or iPadOS - just macOS)

And @ Revianmac - Maybe you just didn't make the connection I felt I had set out. Sorry I misread you.

And thanks, mods!

When I get asked the question the OP asks - Can iPhones be hacked? - , the most common concern by far is worry about someone who had physical access to their phone. Someone who is now or may be invading their privacy,.

The 'Apple recommended' answer only addresses the account security aspect of this problem. Yours is thorough and appropriate.

APPZILLA, a cool multifunction app I had paid for and had worked until I did the factory reset is not a fraudulent or malicious app.

As I said, In particular, I'm pretty sure that a dangerous app being removed from the App Store does little for folks who keep old versions of apps to avoid feature downgrades. And your quote from Apple does nothing to lower the certainty or concern I have about that.

Even if will replaced can in the sentence you quote, then "being removed from the App Store for security reasons or" could not be removed from

Manually checking each app one by one for being removed from the App Store for security reasons or sharing location appears to be a necessary (and unwieldy for those with many apps) process.

MrElvey wrote:

…Manually checking each app one by one for being removed from the App Store for security reasons or sharing location appears to be a necessary (and unwieldy for those with many apps) process.

If you’re particularly concerned about security, minimize what’s installed, and keep what is installed current.

If you’re a target—and your statements here can be inferred to indicate you believe you are—then requirements differ.

Oddly for your device-focused approach, it’s far less often the devices and apps, and more commonly ourselves that get hacked.

Security will always be flawed, as perfect security is unusable. Particularly when there are people involved. We get hacked.

Which means the goal is “good enough”, and to preferably dissuade those interested, and to reduce our own opportunities to make mistakes.

MrElvey wrote:

Manually checking each app one by one for being removed from the App Store for security reasons or sharing location appears to be a necessary (and unwieldy for those with many apps) process.

Apple COULD make it easy to identify such apps. (They DO for Location - I was confused because they weren't listed under "Share My Location" - I didn't see that they were on the parent screen.)

Yup.

Everyone is a target - when speaking of malware that manages to get distributed by an App Store. If I have such malware on my phone, it's likely it is there at least in part because of social engineering, but that is a form of hacking, isn't it?

Anyone who is a sysadmin or support tech likely has 'access to confidential or sensitive or classified information' - which is most of the regulars here.

I don't think this should be mandatory, but I'm realizing it pretty much is:

If you’re particularly concerned about security, minimize what’s installed, and keep what is installed current.

practically speaking.

Though the "Apple recommended" answer REALLY needs changing, doesn't it?