Don't depend on your iPhone passcode alone to secure your smartphone.
Recent iOS 6 passcode exploits allowed an attacker to glitch their way only into the Phone app, not the home screen. As such, they could place calls, see/edit your contacts and access your photos via the "assign new picture" option. So while it doesn't give someone total access to your phone, it's still enough to be concerned about.
The exploits affecting Samsung Galaxy phones worked a bit differently, flashing the home screen (or whatever was open before the phone locked) for no more than a second. While it doesn't seem all that nefarious, it's enough time to launch an app, and persistent attackers could use it repeatedly to download an app that would unlock your phone completely.
Both manufacturers are aware of these problems—Apple recently released iOS 6.1.3 to address its passcode issue, only to have it circumvented yet again. Samsung has also stated it's intent to do the same, although at the time that this is being written the only existing fix is a third party one.
It may seem like your phone's security has suddenly been compromised with all these passcode exploits, but really, passcodes have never been foolproof. In fact, they're no more secure than any other password or PIN: they can be cracked, and they really shouldn't be the only thing protecting your smartphone's data.
I reached out to security expert Brandon Gregg about the level of security a passcode affords. Here's what he had to say:
Passcodes do not mean encryption. Only if you specifically go to your Android settings can you encrypt your phone (and SD card) with a separate, strong password. Too many people believe their four digit Android or iOS passcodes protect their private information. First off, anyone can easily brute force your short 10,000 possibility password. Tools like XRY (which I use and was profiled on Gizmodo) can do the crack in milliseconds. Second, a passcode does not protect from direct forensic access by tools like XRY, MPE by Accessdata and the growing list of programs for Law Enforcement. Once inside the phone, all your data is up for grabs. The best thing you can do right now is full encryption. The above tools aren't designed for brute force at that level (yet) and the data will be useless.
Basically, your data is vulnerable on two levels. First, you have a lock screen passcode, which can be cracked, although using a strong alphanumeric password can make brute-forcing your phone take much longer to crack. However, your data is still sitting there on your phone's hard drive, and an attacker with the proper forensic equipment and enough patience can still get at your data—unless you have full disk encryption.
Android has had full disk encryption since Honeycomb (3.0), albeit with some limitations. iOS also has a Data Protection API that apps can use to encrypt and protect your data, but it's up to app developers to incorporate it (and it doesn't work with apps that use iCloud), so its a lot less useful. In both cases, however, the encryption key is the same as your passcode lock, and you'd have to use a strong passcode for the encryption to be effective. But who wants to enter in a long, alphanumeric password every time they need their phone? The point is to make it hard for hackers to get into your phone, not you.
Of course. There's no reason for you to make things easy for the thief who steals your phone. You could also be very fortunate and end up being robbed by someone who doesn't know the first thing about getting around lock screens. By all means, enable your passcode, and make sure it's a good one.
However, understand that your lock screen alone isn't going to truly protect your data, and encryption is far from perfect. To that end, we recommend setting up a service like Apple's Find My iPhone, or a third-party app like Prey. They can track your smartphone and wipe its data when you lose it (or it gets stolen). Hopefully, you'll never need to worry about this sort of thing, but you know what an ounce of prevention is worth.
http://lifehacker.com/5992740/how-secure-is-the-passcode-on-my-phone
Use TapTapPass to enable your iPhones passcode.
By default, it takes you at least 6 steps to enable your device’s Passcode from your Home screen. You have to launch the Settings app, navigate through a couple of screens to the Passcode Lock window, and set it up.
While this process is just fine for folks who keep their iOS devices Passcode-protected at all times, it’s fairly tedious for those that only enable the security feature every once in a while. Luckily, there’s TapTapPass…
TapTapPass is a jailbreak tweak that allows you to enable your device’s Passcode with a tap, gesture or any other Activator function. So if you don’t usually have it on, but need to for some reason, you can do so quickly.
The package doesn’t have a Springboard icon or a Settings pane. You configure everything from within the Activator app, which can be accessed either by its Home screen icon, or the Activator panel in your Settings app.
Once you’ve chosen an Activator function, you’re all set. Now anytime you perform that function—shake your device, double tap your Status bar, etc.—TapTapPass will activate the default iOS Passcode for your device.
Upon unlocking the device with the Passcode, the feature will be disabled. And you can either use the function to lock it again, or use the Sleep button to perform a standard, no-password lock. It’s as simple as it sounds.
I wish the tweak would allow you to use a Simple 4-digit Passcode, but other than that it’s pretty solid. I won’t be keeping it, but if you think you could benefit from something like this, I recommend checking it out.
TapTapPass is available in Cydia, in the ModMyi repo, for free.
http://www.idownloadblog.com/2013/03/26/taptappass-jailbreak-tweak/