This idea comes from my friend Mr. Byron Foltz. He was sharing the thought of adding Safari shortcuts to your home screen on the Apple iPhone as a way to obscure web-only email activity.
Adding URL shortcuts from Safari to your Apple iPhone home screen isn’t a new idea, but this use case is worth considering. So far this only works in my testing with Office 365 Outlook Mail. In testing with Gmail, I get directed to Safari and then a new tab is opened. In OWA, I access all the content in this “container”.
Think about this: you use Office 365 for work and Gmail for “non-work”. You’re using the web-only version of Outlook Web Access (https://portal.office.com) on your personal or company iPhone or iPad. You’re not using the built-in mail feature of iOS. You’re bopping along when wham! Some foreign police checkpoint is in front of you or you’re asked to “step aside” at border/customs. You literally have seconds to remove visual access to your company email. What do you do?
Delete the OWA Safari shortcut and delete your 2FA app. Gone. Done. Obvious incriminating access to your company email is history. Opening Safari reveals no history of your OWA visits using the OWA shortcut and opening https://portal.office.com prompts for your login and 2FA key (if you actually log in). Having deleted the 2FA app you’ll have to go through your support team, such as help desk, to get access back to your account. The good news: the bad guys aren’t easily getting into your company email this time.
How do we set it up?
- Open Safari and clear your browsing history. Everything. All of it. Start clean.
- Navigate to https://portal.office.com and sign in with your account.
- Enter your 2FA code. (Not using 2FA? Shame on you! https://twofactorauth.org/)
- Navigate to Mail.
- Once in Mail, tap the box with the up arrow (the Share icon) at the bottom of the screen. This will open a menu. Scroll until you see “Add to Home Screen” and select that option.
- Give your link a name and tap “Add” at the top.
- Go back to Safari and clear your history. Everything. All of it.
- Go to your home screen and open the “OWA” app (or whatever you called it).
BAM! There’s your mail on the home screen. No history in Safari = no problem. Delete the “OWA” shortcut and 2FA app and no obvious history remains.
Now, speaking of security: how “secure” is this? This will certainly stop the casual onlooker who has access to your phone from getting access to your email. I have not had a chance to run this through Cellebrite UFED to see how much data can be forensically extracted (most likely what is happening “behind the scenes” when your phone is taken from you at customs or border control). If I get some downtime I will run a mobile device through the Cellebrite UFED that I have access to and look at the data from a forensic extraction.