Why tips like ‘turn off your iPhone for five minutes’ don’t actually help users

Last week, Australia’s prime minister offered some security advice for iPhone users, suggesting that everyone should turn off their iPhone for five minutes every night. On the surface, this may seem like harmless advice for iPhone users, but the reality is quite a bit more nuanced.

In fact, such broad and generalized statements like this one can do a disservice to most people. Here’s why.

Australia’s prime minister, Anthony Albanese, made the comment last week while highlighting the need for the country to “thwart cyber risks” proactively. “We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you’re brushing your teeth or whatever you’re doing,” Albanese explained.

Albanese’s advice isn’t necessarily bad advice. In fact, it’s based on similar guidance that the US National Security Agency (NSA) issued in August 2020. But the advice from the NSA was far more specific and nuanced than what Albanese outlined during his speech last week.

In its breakdown of “Mobile Device Best Practices,” the NSA says that rebooting your iPhone once every week can “sometimes prevent” things like spear phishing and zero-click exploits. These types of threats, however, are highly targeted and generally target specific individuals or groups of individuals.

Other tips offered by the NSA include things like disabling Bluetooth, Wi-Fi, and cellular when not in use, using a “mic-drowning case and cover camera,” and more. This sort of advice, as pointed out by security expert Troy Hunt on Twitter, is meant for the “intelligence community, not the general masses.”

Spear phishing is a more extreme version of phishing that aims to collect information from targeted individuals and companies. It often involves months of research and reconnaissance before being deployed against the targeted individual or organization. It can be used to steal data and personal information, or to install malware on the targeted person’s device.

Zero-click exploits are dangerous because they can compromise a device without the user doing anything at all. The vast majority of zero-click exploits, however, don’t target everyday iPhone users. Instead, they are state-sponsored attacks from governments with poor human rights records, developed to spy on political opponents, journalists, lawyers, and human rights activists.

Apple’s Lockdown Mode

Last July, Apple unveiled something it calls Lockdown Mode. This feature was announced as part of the company’s continued commitment to protecting users from this type of highly-targeted mercenary spyware. Lockdown Mode is built-in to every iPhone running iOS 16 and newer, and it includes extreme protections to limit exposure to zero-click exploits.

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
• Wired connections with a computer or accessory are blocked when iPhone is locked.
• Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

“Lockdown Mode is an extreme, optional protection that should be used only if you believe you may be personally targeted by a highly sophisticated cyberattack,” Apple explains. “Most people are never targeted by attacks of this nature.”

Apple says that “very few users” should have Lockdown Mode enabled on their iPhone. This primarily includes people who “may be personally targeted by some of the most sophisticated digital threats” because of who they are or what they do.

9to5Mac’s Take

The advice from Australia’s prime minister isn’t necessarily wrong, but it misses key pieces of nuance.

While true that rebooting an iPhone on a weekly or daily basis may ever-so-slightly help reduce the threat presented by spear phishing and zero-click exploits, those aren’t threats that most users need to worry about. In fact, for most users who do need to worry about those threats, Apple’s Lockdown Mode exists as a much more robust solution.

Essentially what Albanese did was cherry-pick a piece of advice meant for the security community, remove the nuance, and pass it off as generalized advice for all iPhone users.

For the average and reasonable iPhone user, however, Albanese’s could do more harm than good. Any reasonable iPhone user might read the quote from Albanese and walk away with the impression that all they have to do to protect themselves and their devices is to reboot their phone once a day. If you’re reading 9to5Mac, chances are you know that’s not actually true.

Apple has a robust set of features built right into iOS that can help everyday iPhone users protect themselves and their data. Taking advantage of these features – many of which are on by default – is the best way for iPhone users to safeguard their data. This ranges from things like Face ID to protections in Safari, location sharing, App Store rules, two-factor authentication, and much more. iMessage, for instance, offers incredibly robust protection for users thanks to its use of end-to-end encryption.

• iOS 14.5 adds App Tracking Transparency, requiring apps to ask permission from users before tracking them
• How to check which iPhone apps have camera and mic access
• Five important iOS 17 security features coming to your iPhone this year
• Apple announces physical Security Key support for Apple ID two-factor, new iMessage verification technology
• iOS 17 automatically removes tracking parameters from links you click on
• iOS 14 lets users grant approximate location access for apps that don’t require exact GPS tracking
• Apple says 95% of iCloud users already have 2FA enabled ahead of Passkeys launch
• Here’s how iOS 16 and macOS 13 enable passwordless sign-in with ‘passkeys’
• 8 important ways to check passwords and improve security, do you know them all?
• Here’s how to use the native iPhone 2FA code generator and autofill
• How to use the new password manager and 2FA features in macOS Monterey
• How to turn on end-to-end encryption for iMessage, iCloud, iPhone backups

My take is this: iPhone users can ignore the “advice” offered by Australia’s prime minister. Instead, spend some time reviewing Apple’s built-in tools for privacy and security. One of the most crucial things in my opinion is using a strong and unique password for every website, app, and service you log into. Better yet, if that website offers passkey support, use that instead.

Another key is to make sure you’re always running the latest version of iOS on your iPhone. Apple regularly releases new versions of iOS with important security fixes and other improvements. This is true even for older iPhones that are still running iOS 15, for which Apple just recently released iOS 15.7.7 with security fixes.

For those keeping track at home, iOS 15 is supported all the way back to the iPhone 6S, which was released in 2015. That’s an impressive eight years of firmware updates and security fixes.

Finally, as Troy Hunt puts succinctly out on Twitter: “The nastiest stuff the masses are likely to experience is apps requesting excessive permissions. Turning your phone off while you brush your teeth doesn’t fix that. Being selective of apps you install and the permissions you allow is the fix.”

Follow Chance: Twitter, Instagram, and Mastodon

FTC: We use income earning auto affiliate links. More.