Skip navigation
Duo Labs

Duolytics: Half of iPhones Running Most Secure Authentication Scheme

Recently, there’s been substantial coverage of Apple’s current dispute with the U.S. government. The argument is over whether or not the tech company should create an insecure version of iOS to bypass features on iPhones and iPads to enable data recovery and forensics for the government.

However, the average consumer doesn’t know if their phone could be opened by this ‘skeleton key,’ nor what they can do to maximize the security of their personal Apple devices. Fortunately, we have a large population of iPhones in Duo’s dataset, and we want to share a bit about how the average consumer would hold up against an attack.

Summary of Findings

  • Fewer than 0.01 percent of all iPhones in our dataset are jailbroken - that’s a good thing. Jailbreaking inherently bypasses or reduces the effectiveness of some built-in security features of iOS devices.
  • Nearly 50 percent of all iPhone users are using built-in security features and running the latest OS/hardware - that means, they’ve enabled Touch ID and passcodes. They’re also running up-to-date versions of iOS 9.2 or above and the latest hardware models that include a Secure Enclave.
  • Sixty-three percent of iOS devices are running iOS 8 or above, meaning Apple does not have the required information to decrypt data on those devices on demand.
  • Only 2.3 percent of devices in active use can no longer receive security updates, referring to devices that run old and orphaned versions of iOS. That percentage has decreased from 4 percent in fall 2015.

iPhone Security

By considering Apple’s public statements about their devices, we can quickly determine the desirable security properties of your iPhone. For example, Apple acknowledged that for phones that run iOS 8 and later, they no longer have the ability to decrypt iPhones upon request of the government.

Further, Apple has made substantial leaps in leveraging hardware to increase the security of more recent iPhones. Users directly interact with some of these security features, such as Touch ID, but there have been substantial improvements under the glass, too. The A7 and newer processors are built with “Secure Enclaves” which are, essentially, separate chips isolated from the rest of the iOS used solely for processing sensitive data.

It’s promising to see users broadly adopting these new security features, no doubt in part because Apple bootstraps their adoption by making passcode and Touch ID configuration part of the out-of-the-box experience for every iPhone. Indeed, our analysis shows that, 80 percent of iPhones with Touch ID hardware have it enabled.

We also found more than 90 percent of iPhones have at least a screen lock passcode, which is certainly better than nothing. Regardless of whether or not users fully understand the security implications of using features such as Touch ID, these features significantly improve their security posture.

We’re also encouraged to see that the percentage of iPhones that are obsolete and can no longer receive security updates continues to dwindle as users upgrade to newer, more secure versions. In September, we saw that roughly 4 percent of active phones were obsolete, while the number has decreased to a mere 2 percent. We’re looking forward to seeing this number decline even more as users move from insecure devices to more modern phones.

Many users who have adopted the most basic security features, such as passcodes on newer Apple iPhones with Secure Enclaves are protected against most attacks.

What Can iPhone Users Do to Protect Themselves?

The latest iPhone hardware, the iPhone 6 and 6S, allows users to take advantage of outstanding security features like Touch ID. Duo recommends that iPhone users take these steps to run in a secure configuration that, quite literally, requires a court order to break.

  1. Use the latest generation iPhone hardware. The iPhone 6 and iPhone 6S use advanced hardware features to protect against brute-forcing and ensure the integrity of the phone's operating system.
  2. Enable Touch ID and use a strong passcode. We recommend enabling Touch ID and using at least a 6-digit passcode.
  3. Always run the latest version of iOS. Each update to the iOS platform represents not just feature enhancements but also critical security fixes. Failure to run the latest updates put users and data accessed by these phones at risk.

Conclusion

Apple has significantly improved consumer security and privacy with recent hardware and software updates. Nearly half of all iPhone users have an excellent security posture - with up-to-date hardware and software, as well as passcodes and Touch ID enabled. With these basic security features, users are protected against most attacks.

We attribute these huge gains to easy-to-setup Touch ID and passcode enrollment processes during the first boot of the devices. It’s encouraging to see that most users adopt these best practices of enabling security features and running updates. For any that don’t, perhaps the potential consequences of this public fight will motivate them to take action and secure their devices.