What’s on your phone? I’ve been asked that by hacker tech types and non-infosec “normals” - the latter particularly seem to think what we nerds do is some type of technical voodoo, even with our phones. Spoiler alert, no voodoo involved. Just a series of downloads of (mostly free) apps.

I’m only going to talk about my iPhone X, since that is the main one I use. Yes, I am one of those people that still has nearly every cell phone I’ve ever owned, and I have plenty of Android-based phones. But for my main phone, the one that is in my pocket every day, it has been an iPhone for a number of years now. I use the iPhone for several reasons, but the primary reason is its security model. I wanted something that was fairly locked down, and the fact that the government has had trouble getting past the security features means I think Apple is on the right track. Sure, there are some issues with this model because I personally cannot get to all parts of the phone either - unless I jailbreak it. While I have done that in the past, I keep it pretty much stock for right now. As of this writing I have the iPhone X and I try to use the phone keeping security in mind at all times - strong password, Apple ID two-factor authentication, no lock screen notifications, no auto-joining of Wi-Fi networks, and so on. The only exception is Bluetooth which is on constantly for my Apple Watch. I'll get to the Apple Watch in a minute as to why I made this exception.

Outside of the stock apps that come with iOS, I have loaded on a modest amount of additional apps. Far fewer than most of my friends. Part of my thinking is less apps means a smaller attack surface, but also I don’t like clutter on the phone, and I’d rather save the limited space for apps and data I actual use and care about. I do have a few de-facto standards such as social media apps and a few for travel and transportation (most notably TripIt Pro, a great app for those of us that travel regularly). But I do have a few with security in mind. I divide these into two main categories - personal security tools and information tools. The personal security tools include authentication, secure communications, and wireless exploration. Informational tools are either tools specifically designed for offline information storage or have the option to download data that could come in handy if I am offline.

Like most infosec people, everywhere I can use two-factor authentication, I do. Even if all a company or website offers is SMS messages for that second factor, I use that instead of just nothing. For my home servers I use Duo Security’s multi-factor solution, so I have the Duo Mobile app on my phone. I also use it for third party TOTP accounts.

For encrypted communications, I use Signal. There are numerous apps out there for encrypting communications, but the most common one among my friends is Signal. I do know a number of people have multiple communication apps loaded up such as What's App or Wickr, and I've tried most of them that are available, but if there is one that is the most common in my circles it is Signal.

I have a few Bluetooth tools from Nordic Semiconductor (mainly nRF Connect for Mobile) as well as PunchThrough's LightBlue Explorer, which come in handy for some simple scanning and poking. They are not full-fledged hacking tools - if I need those, I get out the laptop to do it properly. The same for Wi-Fi - I use Network Analyzer Pro, but if there is something more I want out of my Wi-Fi exploring, the laptop is the way to go. This is especially true since starting with iOS 11 Apple cut off access to the arp table, but there you have it.

In the event of an offline situation, such as no access to Internet due to lack of local Wi-Fi or even a power outage, I have a few apps just so I can download data for those exact situations. This is why I have Google Maps - solely for the fact that I can download a city map for offline navigation. I’ve downloaded local area maps along with cities I frequent regularly. Normally I use Waze for most navigation needs when I am online (due to realtime updates for traffic, speedtraps, and the like), but having the maps available offline are nice.

I also use Kiwix and keep a local copy of Wikipedia on my phone. I’ve used this while writing up documents on an airplane with no Wi-Fi but I needed to look something up - this way I can keep going. Obviously if the zombie apocalypse has occurred and a group of survivors were arguing during a game of trivia, you can be that annoying person who knows all of those useless trivial facts even though the Internet is no longer a thing.

A lot of the iPhone apps have an app that I can use on my Apple Watch. I still have a Series 1. Instead of using a dedicated fitness device like a FitBit, the Apple Watch does a halfway decent job of at least tracking steps and whatnot, but that is not the main reason I use it. I did a fair bit of research into the Apple Watch and the implementation of Bluetooth that they put in place, and it is excellent. Without writing a completely separate blog post, I can assure you if there was a choice between good, better, or best as far as a security feature was concerned, Apple always picked “best” for the entire Bluetooth pairing and communications implementation. I cover this in a bit more detail in my LASCON 2017 presentation on IoT, where I go over several Bluetooth implementations, including the Apple Watch.

But the real reason I use the Apple Watch is because of Apple Pay. I can pay from my wrist at numerous locations, including many restaurants, coffee shops, pharmacies, gas stations and the like. I do not have to go into my pocket for my wallet with Apple Pay. Every time I go into my pocket there is a danger that something in that pocket including my wallet itself might get dislodged and fall out, and it tips off potential pickpockets as to the exact location of my wallet as I don’t keep it in my rear pocket.

A final note on security-related apps - I avoid those apps used by security conferences. Just because it is a security conference, it doesn’t mean the conference app is secure! There have been problems with the RSA Conference app more than once (a prime example of issues with outsourcing), and the Black Hat USA conference app in 2017 allowed for physical tracking of fellow attendees via Bluetooth, which many people found a little creepy. I’d rather visit the conference website, or even better download a PDF of the schedule and not use the app, as for me it is not worth the potential headache.

So that’s mainly it - some of the apps I use and why. What do you use? Did I miss something? Is there a great security app for iOS I should be using? I’d love to expand what I use, a few of the apps I currently have loaded are directly the result of recommendations by others. Let me know in the comments below, send me a email, or message me on social media with your thoughts.

Update: A number of people mentioned apps they use, and while I haven’t tried everything, I thought the suggestion by Mattrix of Wire was worth passing on.