The danger to tourists in China and Russia is not someone hacking the device remotely (which cannot be done on an iOS device), but hacking your online sites and personal information. That is, the risk is people stealing information over unsecured wifi connections primarily - literally intercepting user id and password strings from the airwaves over unsecured wifi.
So, don't login to remote sites over open, unsecured public wifi nodes, and don't type passwords and things at the keyboard in public where someone may observe your keystrokes.
As far as securing your device, my suggestion is to use fingerprint ID and set a strong passcode (NOT a simple 4 or 6 digit passcode, but an 8-12 alphanumeric one with at least one special character thrown in). Also be sure to enable find my iPhone so you've enabled activation lock and can at least remote wipe it if lost or stolen. Better yet, enable automatic wiping after 10 failed passcode attempts so if anyone gets it and tries to guess your passcode, they'll just wipe the device clear (and activation lock will ensure they cannot do anything with if after that as well).