- From Apple: iPhone User Guide
- March 26, 2024: A new attack on iPhones: Recent 'MFA Bombing' Attacks Targeting Apple Users by Brian Krebs. The victim is bombarded with Allow or Reject prompts about changing a password. Over and over and over again. Make a mistake and you get hacked. In part, this is Apple's fault, as they do not limit the number of password reset prompts. Some attacks add another tactic: a phone call pretending to be from Apple. The bad guys spoof the CallerID so it really appears that the call is from Apple. Anyone with a telephone has to know that CallerID can not be trusted. Another thing for Apple users to know is that Apple does not call customers out of the blue. Apple does call, but only when the customer has requested a call.
- Pegasus spyware infecting iPhones is big news in September 2023. Costin Raiu tweeted some Defensive Computing advice saying "Start by disabling iMessage, FaceTime and then enable Lockdown mode. Reboot daily. This takes care of 90% of the things out there." (Sept 14, 2023)
- WATCH-AND-GRAB iPhone attacks: All iPhone users should watch this February 2023 video from the Wall Street Journal about bad guys stealing iPhones after watching the owner unlock the phone with a PIN code. The video is also available on YouTube: Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes.
The video is based on this article: A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life by Joanna Stern and Nicole Nguyen (Feb 24, 2023).
The story points out all the bad things that thieves can do with just the phone and the PIN code. This is a criticism of the Apple ecosystem that shows how easy it is to lose access to your Apple ID. Apple has made a number of design mistakes, perhaps the biggest being that someone can change the Apple ID password knowing just the PIN code for the phone. A safer design would require first entering the current password before being allowed to change anything. It also points up the danger of using the Apple password manager (iCloud Keychain). Apps that have the password automatically entered by the Apple password manager can be easily abused by the bad guys. One victim had $10,000 stolen from her. This strikes me as another design flaw: providing access to saved passwords without first requiring a password to kick off the password manager. Still another design flaw involves the new hardware security keys that are intended to prevent access to an Apple account. With the phone and PIN code these security keys are bypassed and can even be removed from the Apple account. Big mistake by Apple. Still another design flaw is that the thief can add a recovery key to the Apple ID and that will forever prevent the victim from re-gaining access to their account. Heck, even if there was an existing Recovery Key, the thief can simply generate a new one. Apple has clearly not designed this well.
The WSJ has a second article on defense: How to Protect Your iPhone Data From Thieves by Nicole Nguyen and Joanna Stern of the Wall Street Journal (Feb. 24, 2023).
My personal gripe: Neither Apple nor Google have designed their mobile systems to hide things from a bad guy (thief, abusive spouse) who has the passcode. For example, neither supports two passcodes, one that unlocks everything and another that only makes selected apps visible to the phone user. In public places, we could use the restricted passcode and in private we could use the unrestricted passcode. Desktop operating systems have been doing this sort of thing for decades. It's time Android and iOS grew up.
Suggestion to Apple: delay changes to an Apple ID password and the Recovery Key for a few hours or a few days to give a victim a fighting chance to report a theft or loss of their phone.
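As an added illustration, not code from this page or from Apple, here is a Python sketch of the three safeguards argued for above: a cap on password-reset prompts per account (the MFA bombing problem), the current password required before a password or Recovery Key change (not just the device passcode), and a cooling-off delay during which the owner can cancel the change. All class and function names, the limits and the sample credentials are assumptions.

```python
"""Hypothetical sketch of the safeguards argued for above (not Apple's code):
a cap on reset prompts per account, the current password required before a
password or Recovery Key change, and a cooling-off delay the owner can cancel."""
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

PROMPT_LIMIT = 3            # reset prompts allowed per account per window (assumed)
PROMPT_WINDOW_S = 3600      # sliding window of one hour (assumed)
CHANGE_DELAY_S = 24 * 3600  # a password / Recovery Key change waits 24 hours (assumed)
PROTECTED_FIELDS = ("password", "recovery_key")


@dataclass
class Account:
    password: str                      # a real system would store a password hash
    recovery_key: Optional[str] = None
    prompt_times: Deque[int] = field(default_factory=deque)
    pending: Optional[dict] = None     # {"field", "value", "effective_at"}
    alerts: List[Tuple[str, int]] = field(default_factory=list)


class AccountGuard:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password=password)

    def request_reset_prompt(self, user: str, now: int) -> str:
        """Called each time a reset flow wants to push an Allow/Reject prompt."""
        acct = self.accounts[user]
        window = acct.prompt_times
        while window and now - window[0] >= PROMPT_WINDOW_S:
            window.popleft()            # forget prompts older than the window
        if len(window) >= PROMPT_LIMIT:
            acct.alerts.append(("reset_prompt_flood", now))
            return "suppressed"         # no prompt shown; the owner is alerted instead
        window.append(now)
        return "prompted"

    def request_change(self, user: str, field_name: str, new_value: str,
                       current_password: str, now: int) -> str:
        """Schedule a password or Recovery Key change; the current password is mandatory."""
        if field_name not in PROTECTED_FIELDS:
            raise ValueError(f"not a protected field: {field_name}")
        acct = self.accounts[user]
        if not hmac.compare_digest(current_password, acct.password):
            acct.alerts.append(("bad_current_password", now))
            return "denied"             # knowing the device passcode alone is not enough
        acct.pending = {"field": field_name, "value": new_value,
                        "effective_at": now + CHANGE_DELAY_S}
        acct.alerts.append(("change_pending", now))
        return "pending"

    def cancel_change(self, user: str, now: int) -> str:
        """The owner cancels a pending change they did not make (e.g. after a theft)."""
        acct = self.accounts[user]
        if acct.pending is None:
            return "nothing_pending"
        acct.pending = None
        acct.alerts.append(("change_cancelled", now))
        return "cancelled"

    def apply_due_change(self, user: str, now: int) -> str:
        """Apply the pending change only once the cooling-off delay has elapsed."""
        acct = self.accounts[user]
        p = acct.pending
        if p is None or now < p["effective_at"]:
            return "idle" if p is None else "waiting"
        setattr(acct, p["field"], p["value"])
        acct.pending = None
        acct.alerts.append(("change_applied", now))
        return "applied"


def demo() -> dict:
    """Run the page's two scenarios against the model and return the outcomes."""
    g = AccountGuard()
    pw = "correct horse battery staple"    # constructed sample password
    g.register("owner", pw)
    # Scenario 1: five reset prompts fired within ten minutes (MFA bombing).
    prompts = [g.request_reset_prompt("owner", t) for t in range(0, 600, 120)]
    # Scenario 2: a thief with the unlocked phone knows the passcode but not the password.
    thief = g.request_change("owner", "password", "thief-pw", "123456", now=1000)
    # The owner schedules a change, spots it pending and cancels it, then sets a Recovery Key.
    owner = g.request_change("owner", "password", "new-pw", pw, now=2000)
    cancelled = g.cancel_change("owner", now=3000)
    g.request_change("owner", "recovery_key", "EXAMPLE-KEY", pw, now=4000)
    early = g.apply_due_change("owner", now=4000 + CHANGE_DELAY_S - 1)
    late = g.apply_due_change("owner", now=4000 + CHANGE_DELAY_S)
    return {"prompts": prompts, "thief": thief, "owner": owner, "cancelled": cancelled,
            "early": early, "late": late, "recovery_key": g.accounts["owner"].recovery_key,
            "alerts": [kind for kind, _ in g.accounts["owner"].alerts]}
```

In the model, the fourth and fifth prompts are suppressed and raise an alert, the thief's change is denied for lack of the current password, and the Recovery Key only takes effect after the 24-hour delay.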
WATCH-AND-GRAB PREVENTIVE STEPS
To prevent a bad guy from having access to an unlocked iPhone:
- Use Face ID or Touch ID as much as possible. In addition to the obvious advantage of not having a passcode to spy on, these also do not unlock all the phone features. A passcode, in contrast, gives the user full access to everything on the phone. That said, Face ID is not a perfect defense from this attack. When it fails, for example, iOS asks for a passcode. Also, when an iPhone restarts, it wants the passcode.
- Anyone using Face ID should turn on the Attention Detection for Face ID option (Settings -> Face ID & Passcode) so that the phone cannot be unlocked with the face of a victim who has been drugged.
- For Android Pixel phones, see this item from Google: Unlock your Pixel phone with your fingerprint
- Longer passcodes are harder to observe, so use the longest one you can tolerate. Psychology comes into play here. Anyone who uses Face ID or Touch ID frequently can tolerate a longer passcode than someone who only uses a passcode. In iOS Settings look for Custom Numeric Code.
- Along the same line, use an alphanumeric passcode rather than the standard numeric-only code. Again, this should be harder to spy on (Settings -> Face ID & Passcode -> Change Passcode).
- When in public, cover the phone with one hand when entering the passcode. Treat it like an ATM PIN code.
- Maybe the thief missed one character or digit of the unlocking passcode. If so, they will have to guess a bit. You can set an iOS device to erase all data after 10 failed attempts to enter the passcode.
- How To Prevent Watch-And-Grab iPhone Theft a 7 minute video by Gary Rosenzweig of MacMost.com (March 1, 2023)
WATCH-AND-GRAB DEFENSIVE STEPS
If a thief or abusive spouse has an unlocked iPhone, these steps can limit the damage they can inflict:
- It is safer on an iPhone to use a password manager app, not from Apple, rather than iCloud Keychain.
This, however, assumes that you can not remember the password for the apps that need the most protection (email and financial). One solution to that is using a formula to make passwords that can be easily remembered. I wrote a long blog on this.
- Set an Apple ID recovery key to prevent anyone else from doing so. There is more on Recovery Keys elsewhere on this page.
- You can prevent an Apple ID password change by first setting a Screen Time passcode, then enabling account restrictions. The click trail is the same on both iOS 16 and 17.
Settings -> Screen Time -> Content & Privacy Restrictions -> turn on Content & Privacy Restrictions (at the top) -> Account Changes -> Don’t Allow
While here, maybe disable Apple Advertising too.
Note that Screen Time needs its own password (Apple uses the term "passcode"), one that is not used for anything else. Also, be aware that Apple offers a get out of jail free card for recovering/changing the Screen Time password. If you provide your AppleID userid/password when saving or changing the Screen Time passcode, then your AppleID can recover a forgotten Screen Time password. But, if the whole idea is to block a bad guy who has your iOS device and knows the unlock passcode/password, then do not do this. That is, do not provide your AppleID credentials when creating or changing the Screen Time password. Be an adult and save it off-line somewhere.
- To prevent full identity theft by someone who gains access to your Apple ID, do not store photos of your drivers license or passport in iCloud. One place to store secure copies of these photos is in a password manager.
- The Locked Notes feature of iOS can block a person with an unlocked phone from accessing the locked data, which can include photos. This is described in more detail elsewhere on this page.
- Speaking of photos, a bad guy that gets access to your iCloud account can see your photos. Maybe do not keep pictures of your passport and drivers license in iCloud.
- Another place to store encrypted/protected copies of pictures is in a password manager.
- For your most important accounts, keep the password and password recovery off the phone. That means not storing the password in a password manager on the phone and not using text messages or email for either 2FA or for password recovery. This may be too high a hill to climb. If password recovery is based on email, then for your most important account(s) use a different email address, one that is not on the phone. For logons that use 2FA, instead of using text messages or an Authenticator (TOTP) app, see if the company can call a landline or another phone number (think VOIP) and speak the temporary code.
- If the stolen phone has a password manager, then look for a configuration option in the password manager where it locks itself down quickly. By lockdown, I mean that it requires the master password. This will be a pain to live with on an ongoing basis, but the hope is that the password manager is locked when the phone is used by the thief. Another defense, in case the password manager is unlocked when the thief is using the stolen phone, is to lie to the password manager software. More on that in my blog The world's best password advice.
- APP RUN PASSWORD: Some apps let you set a password that is required before the app can run. I like to call this an app run password. The Wall Street Journal mentioned that Venmo, PayPal and Cash App have this ability. For more, see the Cash Apps page on this site. Other apps that can do this include ProtonMail, Proton Drive (both call it a PIN code), KeePassium (a password manager that calls it an AppLock passcode - you need this to run the app, before having to enter the password to open any one specific database), MySudo, Wire and Standard Notes. Sync.com, a secure file storage company, calls this feature a PIN Lock. Tutanota does not support this, neither does Signal. The NextDNS app has a "Require passcode" option that lets you choose a 4-digit app run passthingy. Obviously the app-run password needs to be different from the pass/pin code that unlocks the phone. This is where Fastmail falls down. Their iOS app (v4.0.5.2539) supports a "Touch ID" option (Settings -> Device settings). Despite the name, an iOS device using a passcode for unlocking will use the same passcode as the Fastmail app run password. The app does not let you configure your own custom app run password. What is not obvious about this concept is that all the app-run passwords can be the same. This makes the feature much easier to use, yet still provides security, as long as the character string used to unlock apps is not used anywhere else.
- Consider using Proton Drive for file storage. Not only is Proton the rare company that can not read your files, their Proton Drive app on both iOS and Android is lockable. There are three options to unlock the app: a PIN code, a fingerprint or facial authentication.
- Most apps do not support an app-run password, so consider which apps you really need on your phone. Maybe some apps belong on a tablet that remains at home most/all of the time. Personally, this is what I do. Apps for the financial institutions I use are on a stay-at-home tablet, not on my phone.
- If there is a TOTP authentication app on the phone, then you should have another copy of the same TOTP app on another device. I have heard good things about Authy in this respect as it can sync between multiple installed copies of the app.
PLAN AHEAD FOR THE LOSS OF PHONE
Whether your phone is stolen, lost or just breaks, you can plan ahead for not having it:
- When a phone is lost/stolen, time is of the essence, so have this information readily available. It is probably best to have it both with you on paper (in a wallet or purse) and stored at home:
  - For Apple, your AppleID and password. For Android, your Google password.
  - Phone make and model
  - IMEI and serial number of the phone. You can dial *#06# to see the IMEI number and other numbers too.
  - For your most important accounts (email, financial and ?) have the userid/password and whatever else is needed to change the password.
  - You will need to contact your cell provider, so keep the info needed to make that call: their phone number(s), your account number, your userid/password for their website and any other security info they use to identify you.
- Location services on your phone are the classic double-edged sword. If the phone is lost, it can help you find it (assuming 4G/LTE/5G is also on). On the other hand, it lets Google, Apple and many apps spy on your location. You can try to control which apps can see your location but that is a bit like whack-a-mole. There is no one right answer here. Pick your priority.
- Cars have spare tires in the trunk. Along the same line, maybe keep an old phone to use as an immediate replacement. This lets you take your time buying a replacement phone.
- More here: How to Prepare for a Lost, Stolen or Broken Smartphone by J. D. Biersdorfer for the New York Times (Feb. 8, 2023). The article discusses buying insurance or extended warranty coverage, backing up files both to the cloud and to a computer of yours, dealing with water damage, using location services and more.
- On this page, in the section on iOS 17.3, see the description of a new iOS feature, Stolen Device Protection.
AFTER THE LOSS OR THEFT OF A PHONE
- Call your wireless carrier
- If stolen, report the theft to the police
- Change the passwords to your most important accounts: email, financial and whatever else is important to you
- DON'T BELIEVE THE HYPE, APPLE SPIES ON THEIR CUSTOMERS
- GET YOUR DATA
You can get a copy of the data Apple keeps on you and you may want to look at it.
- Start at privacy.apple.com where you can request a copy of your data. Apple warns this may take up to 7 days. Be sure to ask for the Apple.com and Apple Store activity. While waiting, you can check the status of the request at privacy.apple.com/account.
- For more see: Get a copy of the data associated with your Apple ID account by Apple. Published August 22, 2023
- This tweet by Mysk says to browse to the file "App Store Click Activity.csv". There you will find a huge number of activities that the App Store app has collected about you. This massive data harvesting can not be disabled. It is probably not the only spying Apple does, after all they do not honor VPNs on iOS.
- December 2, 2022: Why we can't trust Apple by Mark Hurst for Creative Good. Quoting: "Apple needs to find growth outside its usual business. And these days, that means: advertising. And online advertising requires: surveillance. And a surveillance-enabled ad business leads, inevitably, to deceiving customers ... in order to eke out a few more quarters of growth, Apple is beginning to take on the practices of Google and Meta/Facebook, the original surveillance capitalists ... As Apple continues its bid for 'growth at any cost,' we’re going to see the company look more and more like Facebook and Google, the very companies Apple claims to be opposing."
- November 26, 2022: Apple's silence in regard to these November 2022 privacy stories makes the research that uncovered this seem all the more legit. One possibility is that Apple was lying all along and they are as trustworthy as FTX. Another possibility is that they are incompetent at the task they set for themselves. Or, the researchers may be scammers looking for their 15 minutes of fame. I have not yet heard of corroborating research.
- November 24, 2022: This article looks at the new Apple focus on advertising and how it corrupts them into spying on their customers. No defenses are offered. Apple is becoming an ad company despite privacy claims by Richie Koch of Proton. Apple's advertising operation follows the surveillance capitalism model of its rivals, Google and Meta. Apple monitors your every move in the App Store, News and Stocks apps and then uses that data to sell ads targeting you in those apps. Quoting: "This new emphasis on advertising undermines Apple's claims about privacy with its App Tracking Transparency (ATT) feature .... In fact, it appears ATT may have been more about blocking competitors than protecting user privacy." Interesting point: ATT does not prevent companies from monitoring your activity within an app; an app only needs to ask permission to collect data if it has trackers that follow you outside the app. How does Apple spy on customers while, at the same time, touting privacy? Apple has multiple privacy policies, one for its devices, one for the App Store, and one for each Apple app. This is their legal loophole. Expect the ads to expand into the Maps, Podcasts, and Books apps. The setting to "Disable ad personalization" is a scam.
- November 21, 2022: Security researchers Tommy Mysk and Talal Haj Bakry said they found that Apple's analytics service creates an identifier called the "dsId" (Directory Services Identifier) that is unique for each user and tied to their iCloud account. They warn that because of this, Apple can track and identify users as they navigate the web and link them to their real-world identities. Apple states on its privacy and legal page that no information from a device for analytics purposes can be traced back to any specific user. Seems that is not true. See iOS privacy concerns deepen as Apple's promises on analytics anonymity appear to be false by Ben Lovejoy of 9to5mac (November 21, 2022) and Apple Says Your iPhone's Usage Data is Anonymous, but New Tests Say That's Not True by Thomas Germain (November 21, 2022).
- From Cory Doctorow Even if you're paying for the product, you're still the product, November 14, 2022. Quoting:
"Apple's commitment to privacy is best understood as instrumental. Apple thinks that protecting your privacy will attract your business, and they're right ... But while Apple can increase its revenues by telling you they'll protect your privacy, they can increase them even more by lying about it. That's just what they do. Earlier this month, a small security research firm called Mysk released a video revealing that when you tick the box on your Iphone that promises 'disable the sharing of Device Analytics altogether,' your Iphone continues to spy on you, and sends the data it collects to Apple. The data Iphones gather is extraordinarily fine-grained ..."
- November 8, 2022: It seems that even when configured not to spy on you, Apple's iPhone apps nonetheless do spy on you and send information back to Apple. An independent test suggests Apple collects data about you and your phone even when the settings promise to 'disable the sharing of Device Analytics altogether.' See Apple Is Tracking You Even When Its Own Privacy Settings Say It's Not, New Research Says by Thomas Germain for Gizmodo. A few days after this came out, two lawsuits were filed. This is about one of them: Apple Hit With Class Action Over Tracking of Mobile App Activity by Christopher Brown for Bloomberg Law (Nov. 11, 2022). And, this: Apple getting sued over App Store user data collection by Mike Wuerthele for Apple Insider (Nov 12, 2022).
Defense: If your router can do so, block access to xp.apple.com.
- Defense: One small defense is offered by the Apple News and Stocks apps. Go to Settings, then click on each app. There is a toggle switch called "Reset Identifier" that resets the identifiers that are linked to you and reported to advertisers. Turn on the option and then run the app to actually reset the identifier. It is a one time reset, though I suppose you could do this daily or weekly. (as of iOS 16)
- ICLOUD LEAKING
Apple can read anything that is backed up to iCloud. As of iOS 16.2 and the introduction of Advanced Data Protection, Apple can read only what has not been encrypted with that feature.
- To control what is sent to iCloud: Settings -> YourName -> iCloud where there is a huge list of apps. Disable those you don't want in iCloud.
- Also: Settings -> Privacy -> "Analytics & Improvements" and turn off "Share iCloud Analytics".
- You can disable iCloud completely and make local secure backups to a Mac or Windows PC and password protect the backup. For more on how, see How to back up your iPhone, iPad, and iPod touch from Apple and Did the FBI get Apple to kill iCloud backup encryption? by Rene Ritchie (Jan 2020).
- How Apple Can Read Your Encrypted Messages by Jake Peterson of LifeHacker (Oct 2021). The security hole is in iCloud Backup, which can be disabled on your iOS device. However, you can not know if it is enabled on the device you communicate with.
- Apple already scans iCloud Mail for CSAM, but not iCloud Photos by Ben Lovejoy for 9to5Mac (Aug. 2021). Quoting: "Apple has confirmed to me that it already scans iCloud Mail for CSAM, and has been doing so since 2019. It has not, however, been scanning iCloud Photos or iCloud backups."
- APPLE ACCOUNT RECOVERY
- RECOVERY KEY: The Recovery Key is a Get-Out-Of-Jail-Free card for when a bad guy has changed your Apple ID password and locked you out of your account. From: How to generate a recovery key by Apple (December 10, 2020).
A recovery key is a randomly generated 28-character code that you can use to reset your Apple ID password. This is not required. Creating a recovery key turns off Account Recovery, which is a process that helps you get back into your Apple account when you can not reset the password. You are responsible for not losing the Recovery Key. In iOS 16: Settings > [your name] > Password & Security -> Account recovery -> Recovery Key -> toggle it on. Write it down at this point and save a couple of copies. Do not screenshot it, as you don't want it stored in iCloud in case a bad guy gets into your account. You have to enter the key to verify that you know it. It is not case sensitive. If you lose the Recovery Key you can create another one. Beware, however, that Apple does not allow their customers to regain access to their account if a recovery key is enabled and they have lost it.
- Recovery Contact: From Help a friend or family member as their account recovery contact from Apple (December 13, 2022). A recovery contact can help a friend regain access to their Apple account if they forget their password. When someone is locked out, they can contact their Recovery person with instructions for generating and sharing a six-digit recovery code. This code, along with other information, allows the locked out user to reset their password. The Recovery Contact person does not have any access to their friend's account. All they can do is provide them with a code when requested. To be a Recovery Contact, you must have two-factor authentication turned on for your Apple ID.
- Apple ID Account Recovery Methods by Gary Rosenzweig (January 2022)
- SIM PIN
If your phone is lost or stolen, bad guys in possession of the phone can remove the SIM card, put it in another phone and make calls with your phone number. A SIM PIN is designed to prevent this. It is, basically, a password to access the SIM card. The first time a protected SIM card is put into a phone, you must enter the PIN to get access to the SIM card. The PIN code is also required when your phone reboots, perhaps after installing firmware updates. You can also PIN protect an eSIM. You may need to contact your cellular provider to set it up. When the card is locked, you will see "Locked SIM" in the status bar. See Use a SIM PIN for your iPhone or iPad from Apple (September 2021).
- WEBSITES vs APPS
There are many reasons, shown below, to access a service, when possible, using its website rather than its mobile app.
And, if you use a website often, you can make an icon for it that looks just like an app icon.
- As a rule, a website can not spy on you as much as a mobile app. This is especially true when apps have their own in-app web browsers. Some apps, like Instagram and Facebook, use their in-app browser to inject JavaScript code into third party websites. This JavaScript comes with potential security and privacy risks. For more on this see iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser by Felix Krause (Aug 2022). The article describes how these apps bypass assorted privacy features. The defense is, whenever you open a link from Instagram, Facebook or Messenger, to tap the dots in the top right corner and open the page in Safari. The spying happens when using the in-app web browser. See also a follow-up article: iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser also by Felix Krause (Aug 2022).
- In addition, there is a Private Mode in all web browsers that apps do not have. Private mode can ensure that a website does not save anything locally on the phone/tablet. If you have a Chromebook, then there is also Guest Mode, which is even more private than Private Mode in its guarantee that no data is saved locally. The downside of Private Mode is having to enter the userid/password every time.
- Websites do not take up any storage space, especially when using Private Mode.
- With apps, you never know if data is being encrypted or not; with a browser you do know. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But, as of June 2019, it's a scam. See iOS developers still failing to build end-to-end encryption into apps by Alison DeNisco Rayome for Tech Republic.
- Apps can run constantly in the background, a condition that can be hard/impossible to audit. With websites, when you close the tab/browser they are gone (some browsers have options about this).
- Some apps that might be best used as a website are TikTok, Facebook and Instagram.
- SECURITY IMPROVEMENTS coming early 2023
There are three changes on the horizon. As of December 2022, I am still digesting this. See Apple's Press Release: Apple advances user security with powerful new data protections (Dec 7, 2022)
- iMessage Contact Key Verification. The interesting part of this is that it touches on a scam that has existed with iMessage forever. Apple has claimed that they can't read messages and the world is supposed to believe that means it is secure. No. Apple can have messages delivered in real-time to a spy agency, messages that even Apple can not read. This feature is designed to eliminate this hole in the iMessage design. Whether it is legit, I am not sure. The press release says that it shows alerts inside encrypted iMessage conversations when a new device is added to a customer's account. Of course, if the messages were really encrypted, Apple could not show an alert inside them.
- Security Keys for Apple ID. This is Apple catching up to the rest of the world. Best practices if you will. They should have offered this long ago. Security Keys are devices much like a USB flash drive. If an account is configured with Security Keys, there is no getting into the account without the hardware thingy plugged into the computing device you are using. If bad guys get a password, there is nothing they can do with it. No hardware thingy, no access to the account.
- Advanced Data Protection for iCloud changes much of what is in the iCloud section above. Use of this new feature will lock out Apple from reading your iCloud data. That said, there are well over 20 types of iCloud data and customers will be able to lock Apple out of most of them, but not all of them (23 types can be encrypted with this new feature). This puts much more responsibility on the iOS user/customer. Should they lose the password/key that is used to encrypt iCloud data, they lose the data too. This is the flip side of locking Apple out from reading your data/files. More: Advanced Data Protection for iCloud from Apple and Apple Platform Security from Apple.
- iOS users should hold off installing new versions of the operating system for a few weeks. By new version, I mean the major versions such as 13 and 14 and 15. iOS version 13, in particular, was a disaster with a flood of bug fixes in the weeks just after it was released. iOS 15 had three updates in the first month after it was released. For updates such as 14.4 and 14.5, wait a few days before installing them. Minor updates, such as 14.5.1, should be installed immediately.
- Shopping: Apple announces their new toys in September, so Summer is a bad time to buy an iPhone. To save money, Joanna Stern writes (Aug 2022) that Apple typically drops the price on some of last year's hardware by around $100. And, she suggests looking into carrier trade-in deals, if you have an older phone in good condition. One exception is the iPhone SE, released in March 2022, which is the last iPhone with a home button.
- iPhone apps no better for privacy than Android, Oxford study finds by Paul Wagenseil for Tom's Guide (Oct 2021). Apps on iOS and Android track and profile you equally.
- New study reveals iPhones aren't as private as you think by Paul Wagenseil of Tom's Guide (March 2021).
The study looked at the operating system, not apps. Android phones collect more data by volume, but iPhones collect more types of data. Both systems transmit telemetry, despite your explicitly opting out. iOS transmitted device location, the local IP address and the Wi-Fi MAC address of other devices on the local network. Even when logged out of an Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple's analytics servers along with info about nearby devices on the same Wi-Fi network. When queried, Apple said nothing. iOS 13.6.1 was tested.
- You should know: When you 'Ask app not to track,' some iPhone apps keep snooping anyway from the Washington Post (Sept 2021). Techies knew this all along; this article explains it to the general public. Interesting point: when the paper reported bad apps to Apple, Apple did nothing. You can see the gory details for a few iOS apps at privacyreview.co. The article offers one lousy sentence on defense. See the section below on system-wide ad and tracker blockers.
- For people most at risk of being spied on: How to defend yourself against the powerful new NSO spyware attacks discovered around the world by the Security Team at The Intercept (July 2021). Long article, no summary would do it justice. Still, do not click on unknown links, practice device compartmentalization, use a VPN, use non-default web browsers. Scams often make it seem as if a response is needed immediately.
- These two articles, about the iVerify app from security firm Trail of Bits, have the exact same title. In This app will tell you if your iPhone has been hacked (Dec 2020) Adrian Kingsley-Hughes highly recommends the app. It costs $3 and includes how-to guides, tips, tricks and tweaks for improving privacy and reducing the chances of getting hacked. See also This App Will Tell You if Your iPhone Gets Hacked by Lorenzo Franceschi-Bicchierai for Vice (Nov 2019). iVerify requires iOS 12 or later, and is compatible with all iOS devices.
- Medical Emergency: First responders are trained to look at phones for emergency contacts and medical information. To configure: Health app -> your profile photo -> Medical ID -> Edit. Fill in anything an emergency responder should know. Make sure "Show when locked" is turned on, then Done. To see it, from the lock screen, tap on Emergency Call and then Medical Info. More here: Set up your Medical ID in the Health app on your iPhone by Apple (Jan 2022) and Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
- Emergency SOS: (aka Emergency Call) Use Emergency SOS on your iPhone from Apple (December 2021). It calls the local emergency number (911 in US) and you can also add emergency contacts who will be texted. And: Make emergency calls on iPhone from Apple. For iOS versions 15, 14, 13 and 12 as of Jan. 2022. More: Emergency SOS on iPhone: How to set it up and activate by Britta O'Boyle (May 2021) and How to Set an Emergency Contact on iPhone (and Why) by Tim Brookes (Nov 2021).
- TEXT SIZE: can be adjusted system-wide at Settings -> Display & Brightness -> Text Size
- CLIPBOARD
- All apps can read the clipboard, even when they are not running. This flew under the radar until June 2020 when beta versions of iOS 14 started reporting on it. Many apps were doing it. The camera app embeds your location in every photo. Copy a picture and apps can learn your location without having location access. There is no defense (that I know of) in iOS 13. In iOS 14 there is a warning, not yet (July 4, 2020) sure if there will be a defense.
- Anything copied to the iOS clipboard/pasteboard can be read by any app. If a picture is copied, then GPS location information, which is embedded in the image, is easily available to apps. Tested with iOS 13.3. Apple was told about this in Jan. 2020 and they will not change anything. The defense should be to deny the camera app access to location information, but iOS can not do that. From: Security demo reminds iOS users that any app (or widget) can read the clipboard silently by Benjamin Mayo (Feb 2020)
- iOS Defense: The page on this site about Reporting Bad Stuff has a section on reporting things to Apple.
- iOS Defenses: Both articles cover a lot of ground. iPhone privacy checklist (2021 edition) by Adrian Kingsley-Hughes for ZDNet (Jan 2021). How to stay as private as possible on Apple's iPad and iPhone by Jonny Evans at Computerworld (Feb. 2019).
- iOS Defense: Apple iOS privacy settings to change now by Heather Kelly for the Washington Post. Last Updated: December 2021.
- iOS Defense video: 13 Things You Should Be Doing To Protect Your iPhone by Gary Rosenzweig (April 2022, 12 minutes, iOS v15). Among the suggestions are setting a SIM PIN, turning on Find My iPhone, insuring that iCloud backup is enabled, turning OFF both the "ask to join networks" WiFi option and the USB Accessories option. Also, review the many "Allow access when locked" options.
- iOS Defense: Dealing with a stolen iPhone Sept. 2019 by Marc Rogers
- iOS Defense: Every now and then turn the iOS device off and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. It is not a perfect defense, but the NSA recommends rebooting/restarting a phone every week. Reboots to install bug fixes count. More:
Turn off, turn on: Simple step can thwart top phone hackers by AP News (July 2021)
- iOS Defense: How Jamie Spears Spied on Britney Spears Through iCloud by Lorenzo Franceschi-Bicchierai (Oct 2021). Using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. All that is needed is the password for the Apple ID of the victim. The article describes detecting this and stopping it. In a browser, I suggest (not in the article) a Chromebook running in Guest Mode. Log in to iCloud.com -> Account Settings -> My Devices.
- iOS Defense: Advice on AirDrop is in the Mobile Scanning section.
- Websites vs. Apps: As a rule, a website can not spy on you as much as a mobile app. In addition, there is a Private Mode in all web browsers that apps do not have. This can ensure the website does not save anything locally on the phone. Also, websites do not take up any storage space, especially when using Private Mode. With apps, you never know if data is being encrypted or not; with a browser you do know. Finally, apps can run constantly in the background, a condition that you can not audit. With websites, when you close the tab/browser they are gone (some browsers have options about this). If you use a website often, you can make an icon for it that looks just like an app icon. A couple of apps that might be best used as a website are Facebook and TikTok.
- With any cellphone, it is good to save the assorted identifying numbers which include: IMEI, IMEI SV, ICCID and EID.
- Background App Refresh: After you switch to a different app, some apps run for a short period of time before they are suspended. Suspended apps do not take up system resources. With Background App Refresh enabled, suspended apps can wake up and check for new content. Configure: Settings -> General -> Background App Refresh (as of Aug. 2022). Source: Switch apps on your iPhone, iPad, or iPod touch from Apple.
- iPhone 12: Why you should keep your bank cards away from an iPhone 12 The Star (Nov. 2020). Hint, the very strong magnets on the back side of the phone.
- Wi-Fi: Some Wi-Fi devices will re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget it. On iOS version 14, remembered networks are in Settings -> Wi-Fi -> My Networks. Tap the blue "i" in the blue circle, then tap "Forget This Network". Also in the Wi-Fi Settings of iOS 14, change "Auto-Join Hotspot" to Never and set "Ask to Join Networks" to either Notify or Ask.
- VPN bug: A bug in VPNs on iOS 13 and 14 was first made public by ProtonVPN in March 2020: VPN bypass vulnerability in Apple iOS. As of June 2022 and iOS version 15.5 the bug still exists. The problem is a VPN leak, some data leaves the device outside of the encrypted VPN tunnel. The ProtonVPN suggested work-arounds do not work. I blogged about this on my personal site in May 2022.
- TRACK THE LOCATION OF YOUR FAMILY: Family Sharing lets you share about 10 different types of data with a maximum of 6 people. Tracking their physical location can be quite useful. See Share locations with family members and locate their lost devices on iPhone, which has instructions for multiple versions of iOS. Family members see your location in Find My. Family members can opt out at any time. Sharing a location requires that Location Services are turned on. You can also put an AirTag in a car and share ownership of the AirTag.
- CHILDREN: Set up Screen Time for a family member on iPhone from Apple, with instructions for multiple versions of iOS. Quoting: "With Screen Time, you can keep track of how family members (read children) are using their devices ... You can set up Screen Time for a family member on their device or, if you’ve set up Family Sharing, you can set up Screen Time for a family member through Family Sharing on your device. "
- BLUETOOTH
- August 2023: When you disable Bluetooth using the iOS Control Panel, it is not fully disabled, it is only half disabled. This leaves you vulnerable to assorted scams. This article is about a hack at the DefCon conference that illustrates the problem: Researcher says they were behind iPhone pop-ups at Def Con by Lorenzo Franceschi-Bicchierai for TechCrunch. Apple did not respond to a request for comment. To really disable Bluetooth, you need to use the Settings app.
- August 2023: This article shows that Bluetooth being only half disabled does not only leave you open to scams, it also leaks information: This $70 device can spoof an Apple device and trick you into sharing your password by Lorenzo Franceschi-Bicchierai for TechCrunch. The article mentions a 2019 academic paper that studied the Bluetooth Low Energy protocol on iOS devices and concluded that there are several flaws that leak device and behavioral data.
- By default, iOS 15 on an iPhone 11 and newer does not completely turn off. See How to Find Your Lost iPhone, Even If It's Turned Off from LifeHacker (Oct 2021). Even off, it will send out Bluetooth Low Energy beacons for the Find My feature. If your iPhone is stolen, this is good news as bad guys immediately turn them off. If you don't want the phone location to be public, then the big hammer is to disable the Find My feature. Or, when the phone is being shut down, look for a new button "iPhone Findable After Power Off" and tap it. I tested this on an iPad running iOS 15 and there was no new button at shutdown, so it seems to be iPhone only.
- SAFARI top
- iOS 14 introduced a Privacy Report that shows which trackers attempted to follow you and which ones it blocked. To see it, tap the "aA" at the left side of the address bar -> Privacy Report.
- Tweaks are at Settings -> Safari
- Turn on Prevent Cross-Site Tracking. More: How to view website trackers in mobile Safari by Lance Whitney (Oct 2020)
- Turn off Privacy Preserving Ad Measurement
- Turn off the AutoFill options
- Turn off Quick Website Search and Preload Top Hit
- Turn off Search Engine Suggestions and Safari Suggestions because they send some search queries to Apple
- Maybe change the Search Engine. Apple defaults to using Google because Google pays Apple billions of dollars every year. DuckDuckGo does not spy on you, but it uses Bing for search results. For more on this, see the Search Engines topic
- In the settings for websites section: adjust zoom level (no one right answer), set Camera, Microphone and Location to Deny
- Ad blocking in the Content Blockers section. Installed blockers, such as Lockdown or 1Blocker need to be enabled here. AdGuard for iOS is a free content-blocking extension. See it here. For more: Best ad blockers for iPhone and iPad in 2021 by iMore.
- tip: Periodically (monthly?) erase Safari's memory (think the movie 2001). Advanced -> Website Data -> click the red "Remove All Website Data"
- tip: The Safari web browser is a prime target for hackers and there have been a number of vulnerabilities with it, such as this one (Jan. 2020), so you may be safer using a browser that is a lesser target, such as Firefox or Firefox Focus.
- tip: when you long-press on a link, you see a preview image of the target/destination website. To instead see the URL, look in the top right corner of the preview for a "Hide preview" link. Click it. More.
- FYI: to add a website icon to the iOS Home Screen/desktop, tap the Share button (square with an upward pointing arrow), then "Add to Home Screen"
- For extreme privacy settings see Apple iOS 15 Privacy Guide by Michael Bazzell (Sept 2021)
- BATTERIES top
This information was moved to the Batteries page in November 2023.
- iOS 17 (released September 2023) top
iOS 17.4: Released March 6, 2024: improves Stolen Device Protection. Initially the security delay only happened when the device was not near a familiar location. Now, you can force the security delay to happen all the time.
iOS 17.3: Released January 24, 2024: New feature for iPhone (not iPad): Stolen Device Protection. This is Apple's first attempt at fixing a huge hole in their security - that anyone who steals an iPhone and knows the unlock passcode can do anything and everything bad. Using this feature requires that either Face ID or Touch ID is enabled. It also requires that Location is enabled, and not just when the phone is stolen but beforehand too, so that Apple knows the places you usually go. The feature has more restrictions when the iPhone is not at a usual location, so the bad guy has to stay near a place where you often are, just for a few minutes, to do the worst stuff. I have not seen anything about how this works if Location is disabled.
From Apple: Use Stolen Device Protection on iPhone
How To Use iPhone Stolen Device Protection video by Gary Rosenzweig of MacMost.com. January 24, 2024. I think he underplays the danger of a bad guy having your phone and passcode.
January 2, 2024: iOS 17 expanded the features that are locked down in Lockdown Mode. This includes new support for the Apple Watch and removing geolocation data from shared photos. It also blocks, by default, the iOS device from joining unsecured Wi-Fi networks and 2G cellular networks. From What It's Like to Use Apple's Lockdown Mode by Lily Hay Newman for Wired. As to usability, Newman found Lockdown Mode to be surprisingly usable. In my personal experience with Lockdown Mode:
--I found that it prevents viewing of PDF files that are attached to email messages. Also PDFs in web browsers will not display.
--I had a brutal problem with Wifi, an iPad running 17.2 would connect to wireless networks, but would not connect to the Internet. I tried all the usual suspects and some unusual tricks but the only thing that restored Wi-Fi access was to disable Lockdown Mode. Not sure what caused this as Lockdown Mode had been working fine on the iPad for a few weeks.
December 12, 2023: iOS 17.3 Beta Adds New Stolen Device Protection Feature to iPhone by Joe Rossignol for Mac Rumors. Finally! Apple was shamed into this by reporting in the Wall Street Journal about the brutal damage that a bad guy can do with your stolen phone and the passcode to unlock it. The phone passcode bypassed all other security settings. All of them. Now a bad guy with the passcode is limited in the damage they can inflict. The most sensitive actions, such as changing the Apple ID password, require your face or finger. If a bad guy threatens you, unlocks your phone with your face, steals the phone and runs away, again, they need your face to take control of your Apple account.
Part of this feature was my idea, a time delay. There is no reason that a change to the Apple ID password has to be immediate. When this feature is on, Apple enforces a one hour delay. That is too short a delay, but a first step in the right direction.
The new feature will be available on iPhones that are compatible with iOS 17. iOS 17.3 is expected to be released in January or February 2024. The feature is off by default which is another mistake by Apple. To turn it on:
Settings -> Face ID & Passcode -> Stolen Device Protection
December 14, 2023: Apple to Introduce Stolen Device Protection in the Upcoming iOS 17.3 by Adam Engst for Tidbits.
October 23, 2023: Security firm Mysk tweeted this warning: "Apple is expected to release iOS 17.1 tomorrow (10/24). As we mentioned earlier, iOS 17 resets several privacy and iCloud settings for some users. Visit the settings that you care about before you start the upgrade and take screenshots. Revisit the settings after the upgrade and check if they were reset."
September 15, 2023: If traveling by car and the car breaks down in a remote area without cell service, Apple has a system in the U.S. that lets you contact AAA by satellite. See How to use Roadside Assistance via satellite on iPhone 14 and iPhone 15 by Zac Hall for 9to5 Mac. The feature is called Roadside Assistance and it requires an iPhone 14 or later. It also requires iOS version 17 (or later?). For now, the service is free. Here is the official Apple writeup:
Use Roadside Assistance via satellite on your iPhone.
- iOS 16.3 (released January 2023) top
iOS 16.3 introduced the use of a FIDO-certified hardware security key to log into an Apple account. Finally. Apple had been one of the few big tech companies that did not support hardware security keys. For more see About Security Keys for Apple ID from Apple (January 24, 2023) and
Apple advances user security with powerful new data protections from Apple (December 7, 2022) which covers Security Keys and iMessage Contact Key Verification and Advanced Data Protection.
A Security Key is very secure, probably too secure for most people most of the time. To get the highest level of security requires that the key be required to login. If the use of the key is just one option, bad guys can still abuse the other logon options. If the key is the only logon option, then you must have two because one will eventually be lost or stolen or just fail. To use this feature, Apple requires at least two FIDO Certified security keys. And, if a bad guy steals your phone and knows the passcode to unlock it, they can disable and remove any configured Security Keys. For more, see the WATCH-AND-GRAB topic on this page.
Advanced Data Protection (ADP)
- The good news with ADP is that Apple can not read the iCloud data that it covers (which is some data, not all data). The bad news is that it requires you to never lose the password to this data. If you do, Apple can not help you. They suggest/require that you have a recovery contact and/or a recovery key. Another option is an iPhone unlock passcode, which means that if someone steals your iPhone and can unlock it, ADP does not block the thief from seeing your encrypted iCloud data.
- When Advanced Data Protection is enabled, web access to data at iCloud.com is turned off. Even without ADP, you can turn off web access to iCloud data. More from Apple: Manage web access to your iCloud data December 2022.
- From Apple: iCloud data security overview January 2023
- Problem: All your devices have to support ADP to use it. If you have an old iOS device that can not run version 16.3, you are out of luck.
- In the trenches, using ADP is hard according to this: Troubleshooting Apple’s iCloud Advanced Data Protection by Tarah Wheeler (January 27, 2023). Quoting: "If you try to enable ADP without having both a Recovery Key and Recovery Contact set, you may see a completely unhelpful message that said 'Something went wrong. There was a problem turning on Advanced Data Protection. Try again later.' ... The legendarily good Apple user experience has fallen completely over on this one. It is as if the rollout of this was tested only by people deeply experienced with Apple devices and logic .... "
- From Apple: How to turn on Advanced Data Protection for iCloud Jan. 2023.
- iOS 16 (released September 2022) top
The new Safety Check feature shows who has access to the data on the iOS device and lets you quickly revoke that access. It is at Settings -> Privacy & Security -> Safety Check. This is a great defense for someone in an abusive relationship. One option is to stop all sharing immediately. Less drastically, you can stop sharing things like albums, your location, the Home app and notes. The most drastic option is the Emergency Reset, which stops all sharing, changes your Apple ID password, and reviews your emergency contacts.
The oldest phone that version 16 runs on is the iPhone 8, which was released in 2017.
It also runs on the iPhone SE, 2nd generation or later.
New feature, Lockdown Mode. To enable it: Settings -> Privacy and Security -> Lockdown Mode. For some people, a good thing, for others an annoyance, which is typical of increased security.
Probably turn on the new option for software updates called "Security Responses & System Files". Miserable name. These are bug fixes that are sent automatically and silently installed. However, they may not be totally silent as they may force a re-boot of the iOS device. And, even with this option off, Apple may still update part of the OS whenever it feels like doing so.
It is at Settings -> General -> Software Updates -> Automatic Updates
There is new clipboard security: when an app accesses the clipboard, you get to allow it or not. This decision is not permanent, it has to be done for every clipboard access.
New feature: biometric locks on hidden and deleted photo albums. You can create a folder that requires authentication (fingerprint/face) to see the contents. But beware that these photos are backed up to the cloud, so not very secure. Settings -> Photos -> Hidden and Deleted albums -> Use Face (or Touch) ID. To add photos to the hidden album, tap a photo, tap the three-dot icon, and then tap Hide. For more see: How to Lock Down Sensitive Photos on iPhone and Android by Thorin Klosowski of Wirecutter. Nov 2022
All the New Privacy and Security Features in iOS 16 by Thorin Klosowski (Sept 2022)
Passkeys are new in this release. In my opinion, they can be ignored because they won't catch on.
See what's new in iOS 16 from Apple
- iOS 15.2: (released December 2021) top
The new App Privacy Report strikes me as a big deal. It opens the black box of what apps do. You can see how often apps access Contacts, Camera, Location, Photos and the Microphone. It also shows network activity, which is great for anyone able to block domains in their router. Off by default. Turn it on: Settings -> Privacy -> App Privacy Report. One flaw: network activity is not seen in the report when using a VPN. Another bug: it calls an IP address a domain. More here (Nov 2021) and here (Jan 2022).
The new Legacy Contact feature allows you to specify who can access your Apple account when you die. More on this in the Death sub-section.
- iOS 15: (released September 2021) top
- The oldest phone that version 15 runs on is the iPhone 6S, which was released in 2015
- How to get weather alerts on iPhone by Kerem Gülen for Ghacks. August 21, 2023. Quoting: "Within the enhanced Weather app of iOS 15, users can now register for imminent precipitation alerts. These notifications will inform the user about impending rain, snow, or hail events within the upcoming hour based on their present location or any other location set in the Weather app."
- The new App Privacy Report will show how many times an app has accessed these already-restricted things: location, photos, camera, microphone, and contacts. Eh. What is new and important is that it will report on the domains the app phones home to, and, how often. We will finally be able to see the apps reporting on us to ad/tracker companies. However, there is no blocking of the spy domains. For that see the section below on system-wide ad and tracker blockers. To enable it: Settings -> Privacy -> Record App Activity
- How to Set Up a Recovery Contact on iPhone, iPad, and Mac by Samir Makwana for How To Geek (Dec 2021). For when you forget your Apple ID password or device passcode.
- The new Hide My Email feature will create random alias email addresses. For more see the topic of Multiple Email Addresses in the email topic.
- The new Private Relay feature is very limited. It will hide your public IP address, but only while using Safari. This means Apple sees all your web browsing. Only available if you pay for iCloud. It is not clear if it adds any layers of encryption. A VPN is a better way to hide your public IP address.
- New "Shared with Me" feature. Settings -> Messages -> Shared with You. Maybe disable sharing in some apps
- Settings -> Passwords. Turn off the AutoFill Passwords option. Also look at any Security Recommendations
- The new Focus feature is an improved version of Do Not Disturb that lets you set up different Focus modes for different tasks like work, reading, sleeping, etc. Each Focus allows you to choose which apps and which people can send you notifications. Configure this at Settings -> Focus. The plus icon creates a new Focus.
- You can change the default browser or email client in Settings. For a browser, click on any installed browser, then "Default browser app"
- You can change the size of the font on an app-by-app basis. First, you have to add the Text Size option to the Control Center. Do this at Settings -> Control Center -> click the green circle with a white plus sign next to Text Size. In the Control Center the icon is two As, one big, one small. Then run an app that you want to change, open Control Center and indicate that the change is only for the one app.
- Email tracking: to block tracking pixels and your public IP address: Settings -> Mail -> Privacy Protection -> Protect Mail Activity. Only applies to the iOS Mail app. More
- AirTags (new in iOS 14.5) top
- Beware poisoned Apple AirTags that exploit unpatched "Lost Mode" flaw by Graham Cluley (Sept 2021). Apple has known of this bug for four months and not fixed it. AirTags can be put in Lost Mode. If someone finds the tag, they can scan it with NFC and be taken to a unique page for the tag at found.apple.com which has the owner's phone number. But bad guys can put scripts in the phone number field that manipulate the apple website to trick a Good Samaritan. Details from Bobby Rauch.
- If you are moving, an AirTag can track your stuff. See Army wife uses AirTag hack to track her movers while PCSing (Jan. 2022)
- Apple's AirTag trackers made it frighteningly easy to 'stalk' me in a test by Geoffrey Fowler for the Washington Post (May 2021). The article is behind a paywall. A big point in the article is that Apple does not do enough to prevent AirTags being used for domestic abuse. In a test in San Francisco, the AirTag updated its location every few minutes. When moving, the location was accurate to half a block. When stationary, it was precise.
- Video from the above article Apple's AirTags could be used by stalkers. Here's how to protect yourself
- What to do if you find an AirTag or get an alert that an AirTag is with you from Apple (April 2021). How to learn the serial number of an AirTag. It requires NFC and will work on Android too. Note that making a detected AirTag play a sound often failed in Fowler's tests (above).
- AirTag stalking defense: Use a Bluetooth scanner to locate the Bluetooth devices near you. An Apple Air Tag will show as being made by Apple. Once you find the AirTag, you can take ownership of it if you have an iPhone (or destroy it with a hammer). The LightBlue® scanner by Punch Through Design is available on iOS and Android. On Android, Location must be on system-wide for the app to work. From the Privacy, Security, & OSINT Show - Episode 219 by Michael Bazzell (June 2021) and How to Scan for Nearby AirTags Using an Android Phone by Chris Hoffman (May 2021)
- AirTag stalking no defense: AirTags are supposed to beep after 3 days (later changed to 1?) to warn people of their presence. But, the speaker in an AirTag can be physically removed.
- Android users can detect AirTags with the free AirGuard app from Secure Mobile Networking. Note that there is another app with the same name.
- iOS 14.5: (released April 2021) top
- You can disable some system apps such as Safari, FaceTime, AirDrop, Siri and more with Settings -> Screen Time -> turn on Content & Privacy Restrictions -> Allowed Apps.
- You can disable Apple Advertising in the same section: Settings -> Screen Time -> Content & Privacy Restrictions -> Apple Advertising
- Settings -> Privacy -> Tracking and choose if apps should ask for permission to track you or if tracking should be banned system-wide. Note that this is a scam, apps still track you regardless of this setting.
- There is a new App Privacy section for iOS apps. Review it before installing any new app. Maybe review it for existing apps too.
- iOS 14: top
- Some defensive improvements introduced in v14: realtime notice when any app uses the microphone or camera. Lists apps that recently accessed each. Realtime notice when an app accesses the clipboard. An app can be given access to one picture only. LAN access controls. Only allow an app access to your approximate location. Warns of hacked passwords in the Keychain. Somewhat randomized MAC addresses.
- Relevant articles: 8 Privacy Features iOS 14 Users Need to Know by Lance Whitney (Oct 2020)
and iOS 14 Privacy Features: Approximate Location, Clipboard Access Warnings, Limited Photos Access and More by Juli Clover (Oct 2020).
- Settings -> Privacy -> "Analytics & Improvements": turn off all three options (Share iPad Analytics, Improve Siri & Dictation and Share iCloud Analytics). Note: on an iPhone the setting is "Share iPhone Analytics"
- Settings -> Privacy -> "Apple Advertising": disable "Personalized Ads". While there, click on "View Ad Targeting Information" It might be interesting.
- Settings -> Privacy -> Tracking -> turn off "Allow Apps to Request to Track". While there, you can also deny tracking permission from any apps that were granted it in the past. If you ever see a prompt: "Allow xxx to track your activity across other companies' apps and websites?" (where xxx is the name of an app), the correct answer is "Ask App Not to Track"
- Settings -> Privacy -> Location Services: If Location Services is enabled, then for each app that is allowed to use location data, turn off "Precise Location" except for a mapping app.
At the bottom of the list of apps is "System Services". In this section, turn off the options under "PRODUCT IMPROVEMENT" (iPad or iPhone Analytics, Popular Near Me, Routing & Traffic, Improve Maps). If Location Services are off, turn it on to make these changes, then disable it again.
- Review everything else in Settings -> Privacy
- Most people (not everyone) want apps to be updated automatically. This is controlled at Settings -> App Store -> App Updates
- Settings -> Siri & Search. Siri is like the Borg. To disable Siri use either "Press Home for Siri" or "Press Side Button for Siri". Maybe disable Listen for Hey Siri. Maybe delete Siri & Dictation History. Maybe delete some or all of the four types of Siri Suggestions. Then it gets ugly. Siri wants to spy on every installed app to learn how you use the app and include data from the app in Siri searches. For every app, you have to configure it to block Siri assimilating the app. Ugh. If nothing else, block Siri from financial apps. Probably a good idea to block web browsers too.
- A new Private Address option was added to the definition of each Wi-Fi network. This creates a MAC address that is used only on that specific Wi-Fi network. Previously the same MAC address was used on every Wi-Fi network. Good news: it is on by default.
- Settings -> Notifications > Show Previews. Opt for either "When Unlocked" or "Never" to prevent notifications from leaking information you don't want strangers to see. Or, in the same section configure notifications for individual apps.
- If you use the Apple Mail app: Settings -> Mail -> Privacy Protection and turn on "Protect Mail Activity"
- iMessage: choose how long to keep old messages at Settings -> Messages -> Keep Messages
- iOS 13: top
- The Silence unknown callers feature sounds great (I do not use an iPhone). If someone who is not in your Address Book calls, the phone will not ring, the call will go to voicemail. The call does show up in Recent Calls list. Enable it: Settings -> Phone -> Silence Unknown Callers. See Detect and block spam phone calls from Apple (May 2021) and this 2019 article from Mac Rumors.
NOTE: In July 2022, Susan Bradley suggested another feature that does the same thing. See Got a cell phone? Are you getting more spam calls?
She suggests Settings -> Focus -> Do Not Disturb -> toggle it ON -> tap on the People tab -> tap on Calls From -> select All Contacts
- Review everything in Settings -> Privacy. This includes the "Analytics & Improvements" section where I would turn off all three options. In the Advertising section, turn on "Limit Ad Tracking" and reset the Advertising Identifier periodically. In the Location Services section, click on System Services and then turn off the three options under "PRODUCT IMPROVEMENT"
- For the iPhone 11 only. Settings -> Privacy -> Location Services -> System Services -> Networking and Wireless has a new Location toggle for the ultra-wideband service. This was a bug fix because the U1 chip was broadcasting your location even with the normal location settings turned off.
- Parental Controls: Guided Access can limit iOS to a single app. More below.
- Parental Controls: Screen Time can set all sorts of limits. Enable it with: Settings -> Screen Time. Prevent kids from using certain apps, installing new apps, disable in-app purchases, block access to certain websites and control who kids are able to contact. It also does assorted usage auditing. More from Apple (Dec 2019) and Macrumors (Dec 2019).
- As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When the site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.
- You can set an iOS device to erase all data after too many failed attempts to enter the PIN/passcode. In Settings, go to "Touch ID & Passcode" or "Face ID & Passcode". Then, enable "Erase Data". Seems like the only choice in both iOS 13 and 14 is 10 bad passcodes.
- The Jumbo privacy assistant is an iOS app to increase your privacy on Facebook, Twitter, Amazon, Google and Alexa. It was released in April 2019. It adjusts the 30-odd Facebook privacy settings, deletes old tweets, erases Google Search history and deletes the voice recordings stored by Alexa. More. Geoffrey Fowler, of the Washington Post, who focuses on Privacy, said it was his favorite app of 2019: "In clear language and colorful illustrations, it explains the real choices we have and makes recommendations like you'd get from a really clued-in friend." They also go by withjumbo.com
- One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. I don't know if this is possible on an iPhone.
- Deleting Photos: Deleted photos are not really deleted, they are kept in a Recently Deleted folder (under Utilities) in the Photos app (last reviewed in iOS 15.5). See Delete photos on your iPhone, iPad, and iPod touch from Apple.
- CREATE PASSWORD PROTECTED PHOTOS
- In the iOS 16 topic above, see the feature on biometric locks on hidden and deleted photo albums.
- Locked Notes: the Lock Note feature of the Notes app can password protect Notes. Each Note can contain one or more photos. There is one password for all protected Notes. In iOS 15: First do Settings -> Notes. Disable "Save to Photos" so that photos inside a note do not appear in the camera roll. In the Password section, verify that it says "Require a password to view locked notes". Then, open the Notes app, create a new note, tap the camera icon -> Take Photo or Video. To password protect the Note, click the three dots in a circle (don't blame me), then Lock, then enter the password. The first time you lock a note, you can also enter a password hint. In Settings, there is also an "on My iPad account" but it's not clear to me what this does. If you have existing photos, then see How to Password Protect Photos on iPhone and iPad by Benj Edwards (Oct. 2020). Cheatsheet: create a note, insert photos into the note, then lock the note with a password ... then go to the Photos app and delete the images you just password-protected ... then, go to the "Recently Deleted" folder in the Photos app and delete them there too. Locked notes are stored encrypted.
- From W-2s to nudes, here's how to hide sensitive photos by Tatum Hunter for the Washington Post. August 2022. Discusses the hidden album feature. Fails to point out that pictures in a hidden album are backed up to iCloud. Written by a reporter, there is nothing in the article about Locked Notes. It mentions two apps that hide files: Secret Photo Vault from Keepsafe and Private Photo Vault from Legendary Software Labs.
- LOCATION TRACKING
- If you do not want a device to be part of the Find My network, or an iPad to be part of Find My iPad, be aware that these settings get turned back on without you being notified. I ran into this on an iPad running iOS 15.6.1 in September 2022. After turning off both Find My settings, I turned the iPad off (all the way off). The next time it powered back on, Find My was running. In another case, I logged out of my Apple account and then back in. After logging back in, Find My was enabled again.
- When using the Apple Find My system to share your location with friends/family, your precise location is end-to-end encrypted when both your device and the friend's device are running iOS 15 or newer. Apple can not see the data. Not sure, however, about non-precise location.
- All the Ways Your Location Can Be Tracked on an iPhone July 24, 2020. How-To Geek. Covers Find My iPhone, Sharing Locations With People, Apps You’ve Given Location Access To, Photos With Location Data, Bluetooth Tracking Beacons and Cell Towers. Fails to mention Wi-Fi which can also be used to learn the location of an iPhone.
- Block the camera from having access to location information: Settings -> Privacy tab -> Location Services -> Camera -> select Never. To check if a photo includes location info: swipe up while viewing the picture in the photos app. If it does have location info there will be a map. To share the photo without location info, click the share button, click Options near the top of the screen, then switch off the toggle for Location.
Update June 18, 2020: On iOS 13.5.1 (tested on an iPad) it seems that it is no longer possible to block the camera from storing location information.
- To blur your home in Apple Maps either send email to mapsimagecollection at apple.com with your home address and an explanation of why or, in iOS, tap the Info button (blue letter "i" in a white circle with a blue border) in the upper-right corner, then tap on Report an Issue.
- Express Transit is an Apple Pay feature that makes it easy to pay for transit rides in a handful of cities. Maybe too easy. In Jan. 2020, some NYC subway riders were double charged. See How to Set Up Express Transit With Apple Pay.
- Beware of data hogs. Some apps consume mass quantities of storage without ever releasing/deleting it. You can see this easily. In iOS 17: Settings -> General -> iPad (or iPhone) Storage. Apps are listed there with those using the most storage at the top. Maybe delete an app and re-install it. Maybe "offload" an app. I am not sure exactly what offloading does.
- Beware of file conversion apps. Some 23 iOS file-conversion apps used by 3M people fail to encrypt documents by Ben Lovejoy (Feb 2020)
- BACKUP
- FYI: There is an online iPhone User Guide from Apple
- What to do before you sell, give away, or trade in your iPhone, iPad, or iPod touch from Apple. October 2021.
- HARDWARE REPAIR
- November 12, 2023: Read this before having an iPhone repaired You Paid $1,000 for an iPhone, but Apple Still Controls It in the New York Times. "Since 2017 iPhone repairs have been a minefield. New batteries can trigger warning messages, replacement screens can disable a phone’s brightness settings, and substitute selfie cameras can malfunction. The breakdowns are an outgrowth of Apple’s practice of writing software that gives it control over iPhones even after someone has bought one ... new iPhones are coded to recognize the serial numbers for original components and may malfunction if the parts are changed."
- October 2022: If your phone needs fixing, make sure your secrets are safe first by Chris Velazco in the Washington Post. To maintain control of your phone number, remove the SIM card and put it in another phone. If the phone has an embedded SIM, call your wireless carrier to discuss the options. As for a repair person having access to your files, the only way to be sure to block this is to delete all the files before you hand your phone over.
- DEATH
You can save your loved ones grief, if you share with them your iPhone passcode and/or your iCloud credentials. Apple has a complicated system, called Digital Legacy, for allowing your survivors access to most, but not all, of your data.
- How to access iPhone content when someone passes away by Joseph Keller and Adam Oram (June 2022). Without the passcode Apple won't (and often can't) unlock an iPhone. If you don't know your loved one's iCloud password but you do have access to their iCloud email address/userid, you could use that email to reset the password for the iCloud account.
- Apple Digital Legacy was introduced in iOS 15.2 and macOS Monterey 12.1. On iOS it's at: Settings -> Your name -> Password & Security -> Legacy Contact. Your Legacy Contact(s) can be anyone; they do not need an Apple ID or an Apple device. There can be up to five contacts. Apple creates an "Access Key" which the surviving person needs to store, and not lose. To get your data, the survivor has to contact Apple, provide a death certificate and hope that Apple approves it. The survivor does not get iCloud Keychain, payment information, subscriptions, and licensed media. It strikes me as ridiculous to assume that this system will still be in place, unchanged, in 10, 20 or 30 years. Probably better to just share passwords.
- Set it up: How to add a Legacy Contact for your Apple ID from Apple. How to set up a Legacy Contact on iPhone and iPad by Adam Oram (May 2022) has many screen shots of the process.
- Limitations: Data that a Legacy Contact can access from Apple. Published May 2022.
- Using it: How to request access to a deceased family member's Apple account from Apple (April 2022)
- The iPhone Feature to Turn On Before You Die by Joanna Stern in WSJ (Dec 2021)
- LOCK APPS
The ability to password protect an app is not part of iOS. However, there are a number of fudges. I prefer to call this an app run password.
- Since iOS version 12 (introduced Sept. 2019) there has been a crude hack available using Screen Time. See How to Passcode Lock an App on iPhone by Juli Clover (Feb. 2022). The best it can do is limit access to 1 minute. Also, after an app is unlocked, there is no way to re-lock it.
- This March 2022 article, 6 Ways to Lock an App on iPhone and iPad in 2022 by Sahil covers: Create an automation, Replace the app with a password protected shortcut, Lock apps that have an in-built feature to do so, Lock Apple apps by restricting content and Lock any app by limiting its daily screen time. I tested the option of creating a password protected shortcut on iOS 15.5. It works, but there are many steps involved. Note that passwords are case sensitive. It is not clear, to me, if a knowledgeable user can get around the shortcut.
- See also How to Lock Apps on iPhone and iPad by Rosa Reyes (Nov. 2019) which covers five different techniques that work with iOS 13, iOS 12, iOS 11 and earlier: Screen Time, Restrictions (aka Parental Controls), Guided Access, Touch ID / Face ID and, on jailbroken phones, third-party apps.
- APPLE PRIVATE RELAY
First released for iOS 15 and macOS Monterey. I have not used it and don't claim to be an expert. Still, it does not seem as good as a VPN.
- It is limited to Apple hardware only, a VPN is not
- Private Relay only encrypts certain data: When you use a VPN, it encrypts all the data (except for this)
- Both hide your public IP address
- A VPN lets you choose a physical location to connect to. Private Relay assigns you an IP address, there is no choice
- Private Relay is under US jurisdiction, and US data privacy laws are not good
- It only covers Safari, DNS and a few other apps. Which apps? It seems like a marketing ploy to push Safari
- It is only available to paying customers of iCloud+ which starts at $1/month
- See About iCloud Private Relay from Apple
- The design of Private Relay is new. It's always best to avoid new things for a while to see if there are any flaws.
- LOCK DEVICES
To lock an iOS device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
- How to Temporarily Disable Face ID or Touch ID, and Require a Passcode to Unlock Your iPhone or iPad by John Gruber (June 2022). From the article: If you use Face ID or Touch ID, what happens if someone physically forces you to unlock it biometrically? There is a hard lock state where only a passcode will unlock the device. With recent iPhones/iPads, you hard lock by pressing and holding the power button and either of the volume buttons for about two seconds. This takes you to the screen where you see a slider to power down the device. At this point, it's hard locked. An iPhone can be hard locked while remaining in your pocket. Do this every time you are separated from your phone, such as at a security checkpoint.
- A different type of locking to lend a device to someone but limit them to only run one app. See How to Safely Lend Someone Else Your Phone by David Nield for Wired (July 2022). This uses Guided Access which is off by default.
- SYSTEM-WIDE AD AND TRACKER BLOCKERS
- The Guardian Firewall +VPN app from Sudo Security blocks trackers, phishing, malware and page hijackers. It does not claim to block ads. The app is free to install, which lets you see what it would block if you paid for it. You can pay by the day, month ($10), quarter or year ($100). The paid app is a real VPN. Blocking is done at the VPN server, not on the iOS device. From a trustworthy source. See About the Guardian iOS Firewall App by me (Aug 2019). Website: guardianapp.com
- The Lockdown app (by Confirmed, Inc) blocks both ads and trackers. It is open source and blocking is free. Blocking is done on the iOS device; nonetheless, it installs as a VPN and can not run alongside a real VPN. When it is active, you do not see a VPN indicator. In my testing I found that the app said it was on even when it was off. It has a blacklist but no white list. There is a paid upgrade to a VPN but the website (lockdownhq.com) says nothing about who created the app and for that reason I can not recommend the paid VPN. As of Feb. 2020, the list of blocked domains had not been updated for 7 months. As of Sept 2021, the list on Github had not been changed since July 2019. They seem to have another website, no idea why.
- Both apps log what they block, and you can see the log on the iOS device, but neither pinpoints the app being blocked. Neither logs what they did not block. Both claim to be a firewall, but they are not, at least, not in the traditional sense. They are domain blockers. iOS does not have a firewall.
- Disconnect has a number of privacy oriented products. Their Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS. No ad blocking. Great feature is that you can block whatever domains you want to block. It can not be used in conjunction with a VPN.
- The nextdns.io app competes more with Lockdown than Guardian. I prefer it over Lockdown because it is more functional and more customizable. To begin with, it logs all DNS activity, not just blocked domains, which helps you create your own black list. It also does white listing. It can apply to one device, multiple devices or an entire LAN. Logging is both customizable and optional. The app itself can be password protected. NextDNS also does encrypted DNS with DoT and DoH. Like Lockdown, it installs as a VPN but you do see an active VPN indicator on the status bar when it is running. One drawback is that the logs are not visible in the app, you have to use the nextdns.io website to see them.
- In Sept. 2021, I tested v5.14 of Blokada on iOS 14.8 and it did not work at all. I ran some apps and their DNS activity did not show up in the Activity section. Forget blocking. The log showed many errors. The software is free and it blocks nothing by default (poor UI); you have to enable assorted blocking lists. How do you choose among the lists? It installs as a VPN but it is not a VPN. In June 2022, I took another look. Blokada offers many products and the differences between and among them were very confusing. One product is free, the VPN certainly is not. Then too, there are their Cloud and Plus products; it is not clear what they are. The cloud product does have an allow list and a block list.
- Block spam texts: The almost-secret hidden iPhone switch that blocks spam text messages and notifications by David Gewirtz (Jan 2020). Settings -> Messages -> turn on "Filter Unknown Messages". The texts arrive, but you are only notified if the sender is in your Contacts. Article comments note that this may not work.
- Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.
- When it comes time to dispose of an iOS device: How to factory reset your iPhone, iPad, or iPod touch from Apple. (Feb. 2022)
- Also see the Bluetooth topic to change the default public Bluetooth device name
- Also see the Mobile Scanning and Sharing topic
- Also see the Mobile OS Spying section.
- Also see the Location Tracking section.
- Also see the Voice Assistant section for info on SIRI.
- Also see the Stalkerware topic
- Also see the Apple topic
- FYI: The Settings That Make Smartphones Easier for Everyone to Use by J. D. Biersdorfer (September 2022). The accessibility features Apple and Google include in their mobile software can help people of all abilities get more from their devices.
- FYI: iOS network security has a hole and nothing can be done about it. For one thing, TCP/IP ports are closed rather than stealth (see nmap scan). iOS 13, 14, 15 and earlier versions seem to have a backdoor. TCP port 62078 is open and can not be closed - there is no firewall in iOS. The port is not listed in TCP and UDP ports used by Apple software products. This open port has been known about at least since 2013 (here and here and here). I tested multiple VPNs (OpenVPN, Windscribe, ProtonVPN, Lockdown firewall and the Guardian firewall) and none blocked access to the port.
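The "closed rather than stealth" distinction above is the same one nmap reports: a closed port answers with a TCP reset, a stealth (filtered) port does not answer at all. This added example, not code from the page's author, classifies a port the way a connect scan does and includes a loopback self-check; the 192.0.2.10 address and the 62078 probe in main are placeholders for a device you own on your own LAN.

```python
"""Classify a TCP port as open, closed or filtered (nmap -sT semantics).

Added example for the iOS open-port note; not the page author's code.
Point it only at devices you own. 192.0.2.10 is a documentation-range
placeholder, not a real host.
"""
import socket
from contextlib import closing

# Port the page reports as open and unclosable on iOS (lockdownd).
IOS_OPEN_PORT = 62078
PLACEHOLDER_HOST = "192.0.2.10"  # placeholder: replace with your device's LAN IP


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     -> TCP handshake completed, a service is listening
    closed   -> host replied with RST (connection refused): no firewall
    filtered -> nothing came back before the timeout ("stealth")
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # Host unreachable and similar: nothing answered, so treat as filtered.
            return "filtered"


def local_demo() -> dict:
    """Self-contained check on loopback: a listener we open ourselves
    reads as 'open'; the same port after the listener closes reads as
    'closed' because the kernel answers with RST, exactly like iOS does."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = classify_port("127.0.0.1", port)
    after_close = classify_port("127.0.0.1", port)
    return {"port": port, "while_listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    print("loopback self-check:", local_demo())
    # On a real iOS device the page's claim would show up as 'open' here;
    # a device behind a proper firewall would show 'filtered'.
    print(f"{PLACEHOLDER_HOST}:{IOS_OPEN_PORT} ->",
          classify_port(PLACEHOLDER_HOST, IOS_OPEN_PORT))
```

A 'closed' result confirms the device is reachable and answering (the non-stealth behaviour the note describes); 'filtered' is what a stealthed host looks like.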
- FYI: Apple is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Just like Android, iOS lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.