IOS – What more could I have done to secure the iPhone and iPad

Tags: ios, ipad, iphone, privacy, security

I recently travelled to China for work. To my surprise our IT department confiscated my iPhone and iPad saying they could not secure the data or communications on my devices against prying eyes.

When I complained saying I would leave them in Airplane mode and remove the SIM cards they said that wouldn't be enough to secure my data on these devices. Instead they gave me a mobile phone for the duration of the trip that was not a smartphone. It had no data connection per se, a physical numeric keypad, no touch screen or apps.

I want to know why putting my devices in Airplane mode and removing the SIM cards is not enough to secure my data from prying eyes? The IT department wouldn't answer that question!

I also want to know what else I could have done to secure the data on my iPhone and iPad, or is there no way to properly secure data on these devices?

I go through phases of being rather paranoid, so that's the reason for wanting clarity on this. It's also one of the reasons I use Apple products, but this experience has got me spooked.

Both devices are running iOS 10.3.3.

Best Answer

It really depends on what you're protecting, and what you're protecting it against. If you're worried about some phone thief grabbing your family photos, securing the devices is really easy. If you're worried about protecting classified info from the Chinese government, securing them adequately is really really hard.

Turning on airplane mode and removing the SIMs will do a good job of securing them against network attack and/or snooping, but there's still the issue of someone getting physical and/or visual access to the device(s). There are some things you can do to harden them, mostly having to do with passcode security:

  • Set a secure (complex) passcode. Without a passcode, your devices are open to anyone with physical access to them. With a basic (4-digit) passcode, you have reasonable protection. A 6-digit passcode is better, and a custom (longer) passcode (numeric or alpha) is even better.

  • Set the devices up to require that passcode. In Settings > Touch ID & Passcode, set it to require passcode immediately, erase data after 10 failed attempts (you should make a backup, but leave it at home), then switch off Voice Dial and all of the Allow Access When Locked options.

    I'd also turn off Touch ID. It avoids the possibility of someone spying on you entering your passcode, but if you're serious about security there's too many ways for someone to get & fake your fingerprint. Troy Hunt discusses some of the tradeoffs here.

  • Also, in Settings > Display & Brightness, turn on Auto-Lock after 1 minute.

  • Oh, and don't jailbreak your devices. If you've broken the iOS security model, don't expect it to remain intact against others.

So with the above (and turning off all network connections), your devices are pretty well locked down. But are they secure enough? As I said at the beginning, it really depends on the value of what you're protecting, the capabilities of whoever you're protecting it against, and how much they're willing to do to get your data. Can they compel you to unlock the devices? Can they spy on you as you enter your passcode? Can they swap your devices for fakes that just capture the passcode you enter, and then use that to unlock the real devices? Can they confiscate the devices and then wait to see if a vulnerability is eventually discovered that'll let them unlock the devices? Is it possible they know of a non-public vulnerability? If the answer to any of those questions was "yes" (or even "maybe"), your devices aren't secure enough.

But there's another aspect to consider: from the point of view of your IT department, it may simply not be worth the trouble to work out the detailed risk & threat assessment, make sure they haven't forgotten any necessary steps to secure the devices (did I forget anything above? Maybe, maybe not), etc. From their point of view it's much easier and much safer to just say "no, don't take them".
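One way an IT department could check that none of the answer's lock-down steps has been forgotten is to audit a device configuration profile against them. This is an added example, not part of the original answer: the sample profile is constructed, the mapping from each Settings step to a profile key is an assumption, and so is the 6-character minimum used as the length threshold.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # passcode policy payload
RESTRICT = "com.apple.applicationaccess"             # restrictions payload

# Constructed sample profile (not from the page). Two settings are left weak
# on purpose: a 4-character minimum length and Touch ID unlock allowed.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>forcePIN</key><true/><key>allowSimple</key><false/>
  <key>minLength</key><integer>4</integer>
  <key>maxFailedAttempts</key><integer>10</integer>
  <key>maxInactivity</key><integer>1</integer><key>maxGracePeriod</key><integer>0</integer>
 </dict>
 <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>allowFingerprintForUnlock</key><true/>
  <key>allowVoiceDialing</key><false/><key>allowAssistantWhileLocked</key><false/>
 </dict>
</array></dict></plist>"""

# (payload type, key, predicate, step from the answer). The pairing of steps
# with keys and the minLength threshold are assumptions of this example.
CHECKS = [
    (PASSCODE, "forcePIN", lambda v: v is True, "passcode required"),
    (PASSCODE, "minLength", lambda v: v >= 6, "passcode of 6+ characters"),
    (PASSCODE, "maxFailedAttempts", lambda v: v <= 10, "erase after 10 failed attempts"),
    (PASSCODE, "maxGracePeriod", lambda v: v == 0, "require passcode immediately"),
    (PASSCODE, "maxInactivity", lambda v: v <= 1, "auto-lock after 1 minute"),
    (RESTRICT, "allowFingerprintForUnlock", lambda v: v is False, "Touch ID off"),
    (RESTRICT, "allowVoiceDialing", lambda v: v is False, "Voice Dial off when locked"),
    (RESTRICT, "allowAssistantWhileLocked", lambda v: v is False, "Siri off when locked"),
]

def audit(profile_bytes):
    """Return the checklist steps that the profile does not enforce."""
    merged = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        merged.setdefault(payload.get("PayloadType"), {}).update(payload)
    failures = []
    for ptype, key, ok, step in CHECKS:
        value = merged.get(ptype, {}).get(key)  # an absent key is treated as not enforced
        if value is None or not ok(value):
            failures.append(f"{step} ({key}={value!r})")
    return failures

if __name__ == "__main__":
    for line in audit(SAMPLE_PROFILE):
        print("NOT ENFORCED:", line)
```

A clean audit only shows that the settings are enforced; it says nothing about the physical-access and coercion questions the answer raises.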