I suggested some reasons why to encrypt your iOS backups before, the main one being that your data is then protected. But this new software, called Phone Password Breaker Tool, is available to anyone wishing to pay a small fee for it. It’s being marketed as a tool to ‘recover’ password-protected devices, but it could also be used as a way for hackers to get access to your phone backups.

Able to get past the encryption on backups of both Apple’s iOS devices and BlackBerry devices, Phone Password Breaker will not only reveal the password set on the backup, but also extract passwords for mail accounts, websites and third-party applications — data that could be of great interest to malicious characters.

Luckily, the software requires the device to be physically connected to the computer in order to crack the encryption. That’s good news, since a hacker will need access to both the device and your computer — and if you’re sensible with your hardware, that isn’t likely to happen.

However, as Cult of Mac notes, it’s perfectly possible that a partner or other family member could grab your phone and take a sneaky look through your recent call history. If you have anything to hide (that call to the jewellers to arrange to pick up the engagement ring you bought, of course), make sure you keep an eye on where your phone is. To be really safe, remember not to store anything on the device that you wouldn’t potentially want a stranger reading.

Like I said, as long as you have your phone with you, there’s no need to worry, since physical access is required to use the tool.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A Media Tablet Forecast, 2011 – 2015
• The Future of Workplaces
• Report: A Mobile Video Market Overview

Although many of us may have Google Chat, AOL, or Jabber accounts, the only way to get an encrypted channel is for both parties to have MobileMe/.Mac accounts.  If you aren’t already using your MobileMe account in iChat, you’ll have to first add it.  Go to Preferences and then under Accounts click the + icon.  Put in the name and password for your MobileMe account and click “Done.”

Next you’ll be presented with a dialog box confirming you want to enable encryption.

By default it’s enabled so you’ll click continue.  If all goes well,  you’ll get a confirmation the encryption certificate was requested and within a few minutes you’ll be good to go.  I recommend quitting iChat and then opening it back up.  Check your account preferences and make sure that it says encryption is enabled.  If you use multiple accounts via iChat, make sure you begin your chat via your MobileMe account rather than one of the other services you use.  I log out of all other chat accounts just so I don’t accidentally respond to the wrong chat with private info.

If you already have your MobileMe account configured in iChat, simply be sure that you go to preferences and enable encryption.  If you haven’t used encryption in a while, it may take MobileMe’s servers a few minutes to enable it.

Once all set up, if you want to tell someone the secrets of the universe, just be sure to look for the lock during your conversation to make sure encryption is enabled.  If it’s not, Apple has some good troubleshooting tips, the obvious one being to make sure the person on the other end also has encryption enabled.

Some caveats with secure iChat is the fact that it only works with Leopard and above, and no encryption system is foolproof, but I’d certainly feel more comfortable giving confidential secure info via encrypted iChat than over any unsecured channel.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• Connected Consumer Q1: The Over-the-Top vs. Pay TV Battle Heats Up
• Smart Grid Apps: Six Trends That Will Shape Grid Evolution

Set a Passcode

If a thief can’t unlock your device, they can’t access your data, so setting a passcode lock is a good idea. Once set, the passcode will need to be entered each time in order to unlock the device. To set one, tap Settings, General, then Passcode Lock. At the top is a button labeled Turn Passcode On.

Tap that, and you’ll be prompted to enter a four-digit passcode. Type the passcode in twice, and some additional settings will become available.

You can change how long the device has to be inactive before the passcode is required again. By default, this is set to require the code immediately, but you can set it to a range of durations such as after 1 minute, 5 minutes or 15 minutes. Shorter times are more secure, since it gives someone else less time to pick up your device before they’ll need to enter the passcode.

If you don’t think a four-digit code is secure enough, you can also use a more complex password with numbers, letters and symbols. To do so, turn off the setting called Simple Passcode. After turning that off, you’ll be asked to enter your current passcode, if you have one set, then your new password twice. Once you have done that, in order to unlock your device, the password you set will be required, which is more secure than a four-digit number.

One final security measure you can add is the option to erase all the data on the device if the passcode is entered incorrectly 10 times. This ensures someone can’t methodically try every number until they hit upon the correct code, since chances are the data will be wiped before they get there.

Be Sensible With Your Data

Obviously you can’t just rely on passcodes to keep information secure. You have to make sure you aren’t careless; leaving addresses or phone numbers in the Notes app means they’re available for anyone using your iPhone to see. Similarly, don’t store important information such as credit card numbers or pin numbers on the device at all, unless you are 100 percent sure the data is encrypted and secured using a password. The best way of storing extremely sensitive data like that is in your memory, rather than keeping it stored somewhere accessible.

Also be wary of using password managers designed for iOS. Some of them don’t encrypt your data at all, and only hide it behind an insecure passcode. Other services store your information on their own server rather than on your device, which means it’s susceptible to data theft if the service gets hacked, which is what just happened to LastPass, for example.

Wipe the Data Remotely

If your iOS device does happen to fall into the wrong hands, you can use Apple’s free Find My iPhone service to locate the device and wipe any data on it. Find My iPhone is available to all MobileMe subscribers, and is also available to non-subscribers with an iPhone 4 or an iPad. To set up Find My iPhone on your device, go to Settings > Mail, Contacts, Calendars and choose Add Account. Then enter either your MobileMe credentials or your Apple ID (the same one you use for the iTunes store) and choose to turn on Find My iPhone.

Now if your device gets lost or stolen, you can find where it is, and if necessary, wipe everything on it. To do so, open the MobileMe website, me.com, in your browser, log in and go to the Find My iPhone tab. You’ll see a list of the devices that you have set up with Find My iPhone, and you can click on a device’s name to show its location on a map.

You can then click the blue triangle icon next to the name on the map to see more options. To completely wipe the selected device, choose Wipe. Everything on the device will be erased, and it’ll be as if it were new — nothing is left behind. Don’t worry, if you then get your device back, you can restore from a backup using iTunes.

Got any other tips for securing data on your iOS devices? Share them in the comments.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A Media Tablet Forecast, 2011 – 2015
• The Future of Workplaces
• Report: A Mobile Video Market Overview

Why You Should Encrypt

Encrypting your backups means that you’re taking security of your personal information such as email account passwords or contact information one step further. It won’t be enough for someone to simply get hold of your computer and look through your iPhone or iPad backups, since they’ll need a password to use them.

Encrypting your backup also protects other people from accessing the location data which is stored on your iPhone. The log of location info is backed up along with everything else, so encrypting your backup is a way to stop anyone from looking at the data. Of course, the location data probably isn’t going to help anyone much, but if you’re worried about it, this will help.

There are other, non-security related reasons to encrypt your backups, too. If you restore a new iOS device from a backup of an old one, usually passwords such as mail account passwords aren’t stored, and you’ll have to enter them again on the new device. However, if your backup was encrypted, the passwords will be kept, making the transition to a new device that much easier.

How to Encrypt Your Backups

It’s incredibly simple to start encrypting your iOS backups. Connect your device to iTunes, then click its name in the sidebar. Navigate to the Summary tab and at the bottom find the section called Options.

The last checkbox in this section is labelled Encrypt iPhone (or iPad) Backup. Check that box, and a dialog will appear asking for a password for the backup. Enter a password and click Set Password. I don’t suggest ticking “Remember this password in my keychain”, since that defeats the purpose of setting a password in the first place. (Saving the password in the keychain means that it is saved on your Mac and will be entered automatically). Of course, you may wish to tick this anyway, since to access the keychain, you have to enter your computer’s password.

Now if you try to restore a device from the backup, iTunes will ask for the password, meaning only you can use the backup for anything useful. Plus, the data in the backup is encrypted too, meaning it won’t make any sense if someone somehow opens it without using iTunes.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A Media Tablet Forecast, 2011 – 2015
• Mobile Q1: All Eyes on Tablets, T-Mobile and AT&T
• A Global Mobile Handset Platform Forecast, 2011 – 2015

Despite being an avid OS X user, there are deficiencies in this great OS of ours and many of the ones I focus on center — unsurprisingly — around security.

In the plethora of accurate claims of superiority in Apple’s “I’m a Mac” ads, one counter-example is the ability within Windows to encrypt individual folders. While Microsoft’s EFS is no panacea of security and usability, it does work and there has been no practical parallel yet within OS X. Until now.

A Twitter post early Thursday morning from the legendary Matt Gemmell quietly announced Espionage from Tao Effect software (Greg Slepak & John Ashenden). This $14.95 utility (for OS X 10.5+) uses some interesting tricks to bring folder-level encryption and/or privacy to your workstation. Read on to see what’s going on under the covers and to find out if Espionage is the right solution for you.

Encryption Choices on OS X

Without bringing in additional tools, such as TrueCrypt into the mix, Apple offers two ways to secure your information. The first is with FileVault (which has some security and usability issues of it’s own) where you can choose to encrypt your entire home folder — but only your home folder — to keep prying eyes away.

The second is to use Disk Utility to create an encrypted disk image and then mount that whenever you need to store or retrieve data. This is a cumbersome, but effective, process and is ultimately what FileVault is doing under the covers to work it’s magic.

If only there was a way to associate these secure disk images with folders and have the mounting be handled automatically…

A Peek Behind the Curtain

Normally, the inner- and inter-workings of an application are either too-intricate (e.g. Photoshop) or too mundane (e.g. TextEdit) to cover during an app-review. However, when it comes to security, very few details are insignificant and one of the prime uses of Espionage is to secure your data and control the access to it.

Espionage has two basic features, enabling general encrypted folders (using the same “trick” as FileVault) and providing a way to “lock” folders and require a password to access them.

It performs the latter through a kernel extension named “iSpy” that is installed upon first run of the application and can be seen by dropping into the Terminal and issuing the following command:

$ kextfind -case-insensitive -bundle-id -substring 'com.taoeffect.' -print
/System/Library/Extensions/iSpy.kext

“Protected” folders show the typical “restricted access” icon when locked:

And prompt you for an access password (which you create when “securing” the folder):

Because it operates at such a low-level, this “protection” exists even when using command-line utilities to access files in the folder. That is, even attempting an “ls” from the Terminal will bring up the access prompt (provided you have not already unlocked the folder). This “protection” only works on the system the folder was “protected” on and requires the kernel extension to be running. If you disable/unload the extension or just boot in target disk mode, you will be able to access the data. The Tao Effect developers make no claims of security with this method of protection and even go out of their way to warn you.

But, What About Encrypted Folders?!

Ah, yes. The main reason you will want to use Espionage is to take advantage of the encrypted folders. As I have indicated, they use the same slight-of-hand that FileVault uses and create a hidden, encrypted sparse disk image that then is mounted and linked with the folder you specify. For existing folders, it creates this disk image, copies the files and folders from your target selection into the new disk image and sets up the linkage behind the scenes after deleting your old files. I should warn you that it did not do a secure delete of the “expenses” directory and I was able to find it and the contents therein in the “Trash”. This could easily be recovered and is a pretty serious oversight in an attempt to make your digital life more secure.

As part of the magic, you will see that there is a new folder in your “Volumes” directory (this is where all mounted disks get placed by default) where Espionage keeps mount points for all these sparse images.

And, you can also see just where Espionage stores these sparse disk images via the Terminal or through Disk Utility.

Since it is just a disk image “hack”, Espionage also provides a way to specify the default size and filesystem type:

So, What’s The Verdict?

Espionage does have some very interesting capabilities and I was impressed that the installer (which puts the kernel extension into place) includes full details as to what it is doing.

The application also includes other niceties such as support for Growl notifications and the ability to always enable or block application access to a particular folder under the watch of iSpy — and, you will need to make use this feature if you plan on utilizing any type of automated backup solution that will include that folder in the source path list.

However, due to the deficiencies with the way it initially creates encrypted folders and also some quirks during the operation – especially when performing multiple operations on the test “expenses” folder — I, personally, will have to continue to use my existing methods of securing data. As you saw from the FileVault screen capture, I do not use FileVault, but I do use secure disk images locally, on USB sticks, fileshares and when I am backing up sensitive data to my offsite provider. I also use TrueCrypt when I need to ensure my disks are fully protected.

I strongly suggest, however, that you do watch for future updates to Espionage as the developers will no doubt work the kinks out of this initial release and provide a very solid solution to fill the gap left by Apple. Since I am not aware of any features of Snow Leopard that will obsolete the functionality of Espionage, it should continue to fill this gap through the next release of Apple’s desktop operating system.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks

If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to your all your secret data, something that is not possible with OS X secure disk images.

The other big “selling point” (difficult to use that term with a free & open source product) is the concept of plausible deniability. Until you go through the process of decrypting/mounting a volume, TrueCrypt file or disk volumes appear to consist of nothing more than random data (i.e. there is no “signature”). It is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. This is an important point since we’re going down a very slippery slope (at least in the United States) where folks are now being forced to give up their secrets with full legal backing. You can rename a TrueCrypt file to “Family Vacation.mov” and be able to claim that it’s just a corrupted transfer from your video camera with no way for the authorities to prove otherwise. Similarly, non-boot volumes (which is not an option for OS X yet) have no identifiable tags, making it look like an unformatted partition with random data.

Sadly, one of the coolest features – creating a hidden volume within an encrypted volume – is also not available on OS X yet. This option would allow you to give up your keys/passphrase to an outer-encrypted volume, but have another hidden, encrypted volume within it that uses a separate set of keys/passphrase. This lets you give up some of your secrets but not all of them.

My attempts at downloading and installing TrueCrypt were woefully unsuccessful with Safari under Leopard (the download file was corrupted). It worked fine in Firefox and is available for 10.4 and 10.5, Intel or PPC. I’ll be putting the software through some tests over the next few days, so drop a note in the comments or forums if you have any questions or want to share your experiences with the product.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks