Secure Your iPhone
Posted 12/12/2008 at 8:51am | by Jason Whong

How to keep your personal info and communications private.
Once the iPhone connects online through Wi-Fi or the mobile network, it has all of the same vulnerabilities as any networked device; unencrypted data could be intercepted by casual hackers or proactive identity thieves. At press time, the iPhone hadn’t received any large-scale attacks or viruses, but you should still protect your data as a precaution.
Many iPhone features and Internet services offer ways to encrypt your data, but you have to turn them on (or make sure they’re already on) to stay safe. We’ll explain how to protect email, passwords, and other sensitive details no matter where you connect.
Use Email Securely
Internet email began as a trusted service, with both sides of a conversation expecting the other party to be who he or she claimed to be. Encryption came as an add-on, and while it is common now, mail hosts differ in how they enable it.
When your iPhone (or any other device) checks your email, it can encrypt your login information as well as messages sent and received to prevent any snoopers from reading your email or intercepting your password. Use encryption, which the iPhone calls SSL (secure sockets layer), as long as your email provider supports it. The iPhone switches this on by default.
Some providers call SSL by its current, formal name, TLS, which stands for “transport layer security.” Check with your email provider to be sure it uses this protection, whatever name it goes by.
Of the preset account types recognized by the iPhone—Microsoft Exchange, Apple’s MobileMe, Gmail, Yahoo Mail, and AOL—almost all offer SSL support to varying degrees. Exchange servers require complete SSL; MobileMe supports SSL for receiving and requires it for sending; Gmail requires it for both; and AOL requires it for sending but makes it optional for receiving. SSL doesn’t yet work with Yahoo Mail on the iPhone.
The only reason not to use SSL is that your email provider doesn’t support it; otherwise, verify that it’s on. From the home screen, tap Settings > Mail, Contacts, Calendars, then tap the name of the account you want to check. To make sure you are receiving email securely, scroll down and tap Advanced. Under Incoming Settings, make sure that Use SSL is switched on.
To make sure you’re sending email securely, tap the account name to return to the previous screen, then scroll down to Outgoing Mail Server and tap the server name (in case there is more than one). Make sure that Use SSL is switched on.

You can’t miss that SSL slider. Leave it on unless your mail provider doesn’t support it.
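One way to see which of those three situations a provider is in (SSL required, optional, or unsupported) is to read what its server advertises before encryption starts. The Python below is an added example, not part of the original article; it covers the plaintext IMAP and SMTP ports where TLS is started with STARTTLS, and the server replies and example.net host names are constructed.

```python
# Added example: classify what a mail server advertises on a plaintext port
# before TLS starts. All server replies below are constructed samples.

def parse_imap_capabilities(line):
    """Capabilities from '* CAPABILITY ...' or a '[CAPABILITY ...]' greeting."""
    upper = line.upper()
    start = upper.find("CAPABILITY")
    if start == -1:
        return set()
    rest = upper[start + len("CAPABILITY"):]
    return set(rest.split("]", 1)[0].split())   # stop at a closing ']'

def parse_smtp_extensions(reply_lines):
    """Map each EHLO extension keyword to its parameters."""
    exts = {}
    for line in reply_lines[1:]:                # line 0 is the server's own name
        words = line[4:].upper().replace("=", " ").split()
        if line.startswith("250") and words:
            exts[words[0]] = words[1:]
    return exts

def classify(offers_starttls, cleartext_login_allowed):
    if not offers_starttls:
        return "cleartext-only"                 # nothing to switch on
    return "tls-optional" if cleartext_login_allowed else "tls-enforced"

def audit_imap(greeting):
    caps = parse_imap_capabilities(greeting)
    # LOGINDISABLED means the server refuses LOGIN until STARTTLS completes.
    return classify("STARTTLS" in caps, "LOGINDISABLED" not in caps)

def audit_smtp(reply_lines):
    exts = parse_smtp_extensions(reply_lines)
    # AUTH advertised before STARTTLS means a password may travel in the clear.
    return classify("STARTTLS" in exts, "AUTH" in exts)

IMAP_ENFORCED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] mail.example.net ready"
IMAP_OPTIONAL = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] mail.example.net ready"
IMAP_NONE = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
SMTP_OPTIONAL = ["250-smtp.example.net", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]
SMTP_ENFORCED = ["250-smtp.example.net", "250-STARTTLS", "250 8BITMIME"]

if __name__ == "__main__":
    for name, verdict in [("IMAP enforced", audit_imap(IMAP_ENFORCED)),
                          ("IMAP optional", audit_imap(IMAP_OPTIONAL)),
                          ("IMAP none", audit_imap(IMAP_NONE)),
                          ("SMTP optional", audit_smtp(SMTP_OPTIONAL)),
                          ("SMTP enforced", audit_smtp(SMTP_ENFORCED))]:
        print(f"{name}: {verdict}")
```

A "tls-optional" verdict is the case where the Use SSL switch matters most: the server will accept the password either way, so the protection depends entirely on the client setting.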
Yahoo Mail uses a proprietary login method called XYMPKI. In July 2007, security researcher Dave Cridland discovered that part of that method involved sending the login name and password without encrypting them, which could enable a hacker to access your email by “sniffing” (recording) the login sequence, then replaying it later. Until SSL is enabled on the iPhone and Apple and Yahoo announce an update, avoid checking Yahoo Mail on an open (that is, unencrypted) network.
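Why a recorded login can be replayed, and what stops it, as an added Python example that is not from the original article. It does not reproduce Yahoo's method, whose details the article does not give; the two server classes, the user name and the password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"correct horse"                # constructed shared secret

class StaticLoginServer:
    """Accepts the same bytes every time, so a recorded login works again."""
    def __init__(self, user, password):
        self.expected = user + b":" + password

    def login(self, message):
        return hmac.compare_digest(message, self.expected)

class ChallengeServer:
    """Issues a fresh single-use nonce; the client answers HMAC(password, nonce)."""
    def __init__(self, password):
        self.password = password
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, proof):
        if nonce not in self.pending:      # unknown or already-used nonce
            return False
        self.pending.discard(nonce)        # single use, even if the proof is wrong
        expected = hmac.new(self.password, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)

def client_proof(password, nonce):
    return hmac.new(password, nonce, hashlib.sha256).digest()

def demo():
    static = StaticLoginServer(b"alice", PASSWORD)
    recorded = b"alice:" + PASSWORD        # the bytes seen on an unencrypted network
    static_replay = static.login(recorded) and static.login(recorded)

    server = ChallengeServer(PASSWORD)
    nonce1 = server.challenge()
    proof1 = client_proof(PASSWORD, nonce1)
    first_login = server.login(nonce1, proof1)
    replay_same_nonce = server.login(nonce1, proof1)            # nonce already spent
    replay_new_nonce = server.login(server.challenge(), proof1) # proof tied to nonce1
    return static_replay, first_login, replay_same_nonce, replay_new_nonce

if __name__ == "__main__":
    print(demo())
```

A challenge-response login protects only the password exchange; the messages themselves still need SSL to stay private.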
Use Webmail to Retrieve Messages Securely

Look for the lock on the icon to verify security.
Occasionally, you might find that a Wi-Fi access point firewall won’t allow you to contact your mail server. Try using your email provider’s webmail interface in Safari, but keep the transmission secure with SSL. Two indicators that SSL is working in Safari are that the website’s URL begins with “https://” instead of “http://” and a lock icon appears to the right of the URL.
Not every webmail provider offers secure webmail. Of the main iPhone options—MobileMe, Gmail, Yahoo, and AOL—only Gmail offers a secure web connection at https://mail.google.com/mail/. (However, if you use Exchange or a different ISP, contact your administrator to see whether a secure webmail solution exists for you.)
Some websites, such as www.mail2web.com, allow you to check another provider’s email over an SSL-encrypted connection. This can be secure as long as the website offering the service is itself secure. Mail2web connects to all of the services we tried besides Yahoo, which doesn’t allow you to check your email with other programs unless you pay for its Yahoo Mail Plus service ($19.99 a year, mailplus.mail.yahoo.com).
Encrypt Email

If you’re close enough to friends that you have a secret language, they can retrieve an encrypted mail by answering a question only they know.
Security experts like to say that sending email is like using a postcard. Anyone can read it in transit. However, using encryption on an email message is like putting a letter into an envelope. It’s not totally unbreakable (otherwise, how would your recipient read it?), but very strong encryption provides good enough security for people who prefer their communications to be private. With well-encrypted email, even if someone intercepts a message, it could take years to decrypt the contents, if they’re successful at all. OpenPGP is the de facto standard for encrypted email, although most people call it PGP (short for Pretty Good Privacy).
Right now there’s no way to encrypt your email using PGP on the iPhone through the Mail program. Instead, consider using Hushmail, which supports PGP encryption. It’s a webmail service, so you can access it from Safari.
With PGP, a public key is used only to encrypt mail; it has no function for unlocking messages. Only the recipient’s private key can open the data. That way, anyone can protect a message sent to you, but only you can read it. Ordinarily, to send email to a PGP user, you tell your mail program about this person’s public key. Hushmail works a little differently, by keeping the encryption transparent to users.
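The split between the two keys, as an added Python example that is not from the original article or from Hushmail. It goes one step further than the text: OpenPGP encrypts the message with a random per-message session key and uses the recipient's public key only to wrap that session key. The RSA key built from two small known primes and the hash-based keystream are toy stand-ins chosen so the code runs with the standard library alone.

```python
import hashlib
import secrets

# Toy RSA key from two known Mersenne primes (constructed; far too small and
# unpadded for real use, where an OpenPGP implementation would be used instead).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, kept by the recipient
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (stand-in for a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_to(public_key, plaintext):
    """Anyone holding the public key can do this step."""
    n, e = public_key
    session_key = secrets.token_bytes(16)  # fresh for every message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, plaintext)

def open_with(key, message):
    """Unwrap the session key with the given exponent, then decrypt the body."""
    n, exponent = key
    wrapped, body = message
    # Keep the low 128 bits: exact with the private key, garbage with any other.
    session_key = (pow(wrapped, exponent, n) % 2**128).to_bytes(16, "big")
    return keystream_xor(session_key, body)

def demo():
    text = b"Meet at the usual place at noon."
    message = encrypt_to(PUBLIC_KEY, text)
    recipient_reads = open_with(PRIVATE_KEY, message) == text
    public_key_reads = open_with(PUBLIC_KEY, message) == text
    return recipient_reads, public_key_reads

if __name__ == "__main__":
    print(demo())
```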
Hushmail users can send encrypted messages to other Hushmail users or to people who have uploaded their public keys to Hushmail. A slightly less secure option hides encrypted messages on the Hushmail server and emails the recipient with instructions on how to retrieve the message by answering a security question correctly. After five incorrect guesses, access is denied.
There are some catches to using Hushmail on the iPhone’s version of Safari. Before starting, be sure to close all other open Safari pages. When composing a message, once you tap the Send button, you’re not done; tap the pages icon in the lower-right and switch to the main Hushmail page. If you don’t, the message won’t send.
Hushmail is free, but it also offers subscription services, enabling 250MB of storage, access to customer support, and assurance that your account won’t be deleted due to inactivity. Hushmail is also working on a mobile Web client, but nothing yet for the App Store.