A Defensive Computing Checklist    by Michael Horowitz

NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

iOS - Apple iPhone and iPad

Some topics below: Clipboard, Safari, Batteries, iOS 16, iOS 15.2, iOS 15, AirTags, iOS 14.5, iOS 14, iOS 13, Death, Lock Apps, Lock Devices, System-wide ad and tracker blockers

• DON'T BELIEVE THE HYPE, APPLE SPIES ON THEIR CUSTOMERS
  
  • November 26, 2022: Apple's silence in regard to these November 2022 privacy stories makes the research that uncovered this, seem all the more legit. One possibility is that Apple was lying all along and they are as trustworthy as FTX. Another possibility is that they are incompetent at the task they set for themselves. Or, the researchers may be scammers looking for their 15 minutes of fame. I have not yet heard of collaborating research.
  • November 24, 2022: This article looks at the new Apple focus on advertising and how it corrupts them into spying on their customers. No defenses are offered. Apple is becoming an ad company despite privacy claims by Richie Koch of Proton. Apple's advertising operation follows the surveillance capitalism model of its rivals, Google and Meta. Apple monitors your every move in the App Store, News and Stocks apps and then uses that data to sell ads targeting you in those apps. Quoting: "This new emphasis on advertising undermines Apple's claims about privacy with its App Tracking Transparency (ATT) feature .... In fact, it appears ATT may have been more about blocking competitors than protecting user privacy." Interesting point: ATT does not prevent companies from monitoring your activity within an app, an app only needs to ask permission to collect data if it has trackers that follow you outside the app. How does Apple spy on customers while, at the same time, touting privacy? Apple has multiple privacy policies, one for its device, one for the App Store, and one for each Apple app. This is their legal loophole. Expect the ads to expand into the Maps, Podcast, and Books apps. The Setting to "Disable ad personalization" is a scam.

  • November 21, 2022: Security researchers Tommy Mysk and Talal Haj Bakry said they found that Apple's analytics service creates an identifier called the "dsId" (Directory Services Identifier) that is unique for each user and tied to their iCloud account. They warn that because of this, Apple can track and identify users as they navigate the web and link them to their real-world identities. Apple states on its privacy and legal page that no information from a device for analytics purposes can be traced back to any specific user. Seems that is not true. See iOS privacy concerns deepen as Apple’s promises on analytics anonymity appear to be false by Ben Lovejoy of 9to5mac (November 21, 2022) and Apple Says Your iPhone's Usage Data is Anonymous, but New Tests Say That's Not True by Thomas Germain (November 21, 2022).
  • From Cory Doctorow Even if you're paying for the product, you're still the product, November 14, 2022. Quoting: "Apple's commitment to privacy is best understood as instrumental. Apple thinks that protecting your privacy will attract your business, and they're right ... But while Apple can increase its revenues by telling you they'll protect your privacy, they can increase them even more by lying about it. That's just what they do. Earlier this month, a small security research firm called Mysk released a video revealing that when you tick the box on your Iphone that promises 'disable the sharing of Device Analytics altogether,' your Iphone continues to spy on you, and sends the data it collects to Apple. The data Iphones gather is extraordinarily fine-grained ..."
  • November 8, 2022: It seems that even when configured not to spy on you, that Apple's iPhone apps nonetheless do spy on you and send information back to Apple. An independent test suggests Apple collects data about you and your phone even when the settings promise to 'disable the sharing of Device Analytics altogether.' See Apple Is Tracking You Even When Its Own Privacy Settings Say It’s Not, New Research Says by Thomas Germain for Gizmodo. A few days after this came out, two lawsuits were filed. This is about one of them: Apple Hit With Class Action Over Tracking of Mobile App Activity by Christopher Brown for Bloomberg Law (Nov. 11, 2022). And, this: Apple getting sued over App Store user data collection by Mike Wuerthele for Apple Insider (Nov 12, 2022).
    Defense: If your router can do so, block access to xp.apple.com.
  • Apple can read anything that is backed up to iCloud. To control what is sent to iCloud: Settings -> YourName -> iCloud where there is a huge list of apps. Disable those you don't want in iCloud. Also: Settings -> Privacy -> "Analytics & Improvements" and turn off "Share iCloud Analytics". You can disable iCloud completely and make local secure backups to a Mac or Windows PC and password protect the backup. For more on how, see How to back up your iPhone, iPad, and iPod touch from Apple and Did the FBI get Apple to kill iCloud backup encryption? by Rene Ritchie (Jan 2020).
  • How Apple Can Read Your Encrypted Messages by Jake Peterson of LifeHacker (Oct 2021). The security hole is in iCloud Backup, which can be disabled on your iOS device. However, you can not know if it is enabled on the device you communicate with.
• WEBSITES vs APPS
  There are many reasons, shown below, to access a service, when possible, using its website rather than its mobile app.
  And, if you use a website often, you can make an icon for it that looks just like an app icon.
  
  
  1. As a rule, a website can not spy on you as much a mobile app. This is especially true when apps have their own in-app web browsers. Some apps, like Instagram and Facebook, use their in-app browser to inject JavaScript code into third party websites. This JavaScript comes with potential security and privacy risks. For more on this see iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser by Felix Krause (Aug 2022). The article describes how these apps bypass assorted privacy features. The defense is that whenever you open a link from Instagram, Facebook or Messenger, to click the dots in the top right corner to open the page in Safari. The spying happens when using the in-app web browser. See also a follow-up article: iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser also by Felix Krause (Aug 2022).
  2. In addition, there is a Private Mode in all web browsers that apps do not have. Private mode can insure that a website does not save anything locally on the phone/tablet. If you have a Chromebook, then there is also Guest Mode which is even more private than Private Mode in its guarantee that no data is saved locally. The downside of Private Mode is having to enter the userid/password every time.
  3. Websites do not take up any storage space, especially when using Private Mode.
  4. With apps, you never know if data is being encrypted or not, with a browser you do know. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But, as of June 2019, it's a scam. See iOS developers still failing to build end-to-end encryption into apps by by Alison DeNisco Rayome for Tech Republic.
  5. Apps can run constantly in the background a condition that can be hard/impossible to audit. With websites, when you close the tab/browser they are gone (some browsers have options about this).
  6. Some apps that might be best used as a website are TikTok, Facebook and Instagram.
• iOS users should hold off installing new versions of the operating system for a few weeks. By new version, I mean the major versions such as 13 and 14 and 15. iOS version 13, in particular, was a disaster with a flood of bugs fixes in the weeks just after it was released. iOS 15 had three updates in the first month after it was released. For updates such as 14.4 and 14.5 wait a few days before installing it. Minor updates, such as 14.5.1, should be installed immediately.
• Shopping: Apple announces their new toys in September, so Summer is a bad time to buy an iPhone. To save money, Joanna Stern writes (Aug 2022) that Apple typically drops the price on some of last-years hardware by around $100. And, she suggests looking into carrier trade-in deals, if you have an older phone in good condition. One exception, is the iPhone SE, released in March 2022, which is the last iPhone with a home button.
• iPhone apps no better for privacy than Android, Oxford study finds by Paul Wagenseil for Toms Guide (Oct 2021). Apps on iOS and Android track and profile you equally.
• New study reveals iPhones aren't as private as you think by Paul Wagenseil of Toms Guide (March 2021). The study looked at the operating system, not apps. Android phones collect more data by volume, but iPhones collect more types of data. Both systems transmit telemetry, despite your explicitly opting out. iOS transmitted device location, the local IP address and the Wi-Fi MAC address of other devices on the local network. Even when logged out of an Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple's analytics servers along with info about nearby devices on the same Wi-Fi network. When queried, Apple said nothing. iOS 13.6.1 was tested.
• You should know: When you 'Ask app not to track,' some iPhone apps keep snooping anyway from Washington Post (Sept 2021). Techies knew this all along, this article explains it to the general public. Interesting point is that when the paper reported bad apps to Apple, Apple did nothing. You can see the gory details for a few iOS apps at privacyreview.co. The article offers one lousy sentence on defense. See the section below on system-wide ad and tracker blockers.
• For people most at risk of being spied on: How to defend yourself against the powerful new NSO spyware attacks discovered around the world by the Security Team at The Intercept (July 2021). Long article, no summary would do it justice. Still, do not click on unknown links, practice device compartmentalization, use a VPN, use non-default web browsers. Scams often make it seem as if a response is needed immediately.
• These two articles, about the iVerify app from security firm Trail of Bits, have the exact same title. In This app will tell you if your iPhone has been hacked (Dec 2020) Adrian Kingsley-Hughes highly recommends the app. It costs $3 and includes how-to guides, tips, tricks and tweaks for improving privacy and reducing the chances of getting hacked. See also This App Will Tell You if Your iPhone Gets Hacked by Lorenzo Franceschi-Bicchierai for Vice (Nov 2019). iVerify requires iOS 12 or later, and is compatible with all iOS devices.
• Medical Emergency: First responders are trained to look at phones for emergency contacts and medical information. To configure: Health app -> your profile photo -> Medical ID -> Edit. Fill in anything an emergency responder should know. Make sure "Show when locked" is turned on, then Done. To see it, from the lock screen, tap on Emergency Call and then Medical Info. More here: Set up your Medical ID in the Health app on your iPhone by Apple (Jan 2022) and Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
• Emergency SOS: (aka Emergency Call) Use Emergency SOS on your iPhone from Apple (December 2021). It calls the local emergency number (911 in US) and you can also add emergency contacts who will be texted. And: Make emergency calls on iPhone from Apple. For iOS versions 15, 14, 13 and 12 as of Jan. 2022. More: Emergency SOS on iPhone: How to set it up and activate by Britta O'Boyle (May 2021) and How to Set an Emergency Contact on iPhone (and Why) by Tim Brookes (Nov 2021).
• TEXT SIZE: can be adjusted system-wide at Settings -> Display & Brightness -> Text Size
• CLIPBOARD  top
  1. All apps can read the clipboard, even when they are not running. This flew under the radar until June 2020 when beta versions of iOS 14 started reporting on it. Many apps were doing it. The camera app embeds your location in every photo. Copy a picture and apps can learn your location without having location access. There is no defense (that I know of) in iOS 13. In iOS 14 there is a warning, not yet (July 4, 2020) sure if there will be a defense.
  2. Anything copied to the iOS clipboard/pasteboard can be read by any app. If a picture is copied, then GPS location information, which is embedded in the image, is easily available to apps. Tested with iOS 13.3. Apple was told about this in Jan. 2020 and they will not change anything. The defense should be to deny the camera app access to location information, but iOS can not do that. From: Security demo reminds iOS users that any app (or widget) can read the clipboard silently by Benjamin Mayo (Feb 2020)
• iOS Defenses: Both articles cover a lot of ground. iPhone privacy checklist (2021 edition) by Adrian Kingsley-Hughes for ZDNet (Jan 2021). How to stay as private as possible on Apple's iPad and iPhone by Jonny Evans at Computerworld (Feb. 2019).
• iOS Defense: Apple iOS privacy settings to change now by Heather Kelly for the Washington Post. Last Updated: December 2021.
• iOS Defense video: 13 Things You Should Be Doing To Protect Your iPhone by Gary Rosenzweig (April 2022, 12 minutes, iOS v15). Among the suggestions are setting a SIM PIN, turning on Find My iPhone, insuring that iCloud backup is enabled, turning OFF both the "ask to join networks" WiFi option and the USB Accessories option. Also, review the many "Allow access when locked" options.
• iOS Defense: Dealing with a stolen iPhone Sept. 2019 by Marc Rogers
• iOS Defense: Every now and then turn the iOS device off and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. It is not a perfect defense, but the NSA recommends rebooting/restarting a phone every week. Reboots to install bug fixes count. More: Turn off, turn on: Simple step can thwart top phone hackers by AP News (July 2021)
• iOS Defense: How Jamie Spears Spied on Britney Spears Through iCloud by Lorenzo Franceschi-Bicchierai (Oct 2021). Using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. All that is needed is the password for the Apple ID of the victim. The article describes detecting this and stopping it. In a browser, I suggest (not in the article) a Chromebook running in Guest Mode. Login to iCloud.com -> Account Settings -> My Devices.
• iOS Defense: Advice on AirDrop is in the Mobile Scanning section.
• Websites vs. Apps: As a rule, a website can not spy on you as much a mobile app. In addition, there is a Private Mode in all web browsers that apps do not have. This can insure the website does not save anything locally on the phone. Also, websites do not take up any storage space, especially when using Private Mode. With apps, you never know if data is being encrypted or not, with a browser you do know. Finally, apps can run constantly in the background a condition that you can not audit. With websites, when you close the tab/browser they are gone (some browsers have options about this). If you use a website often, you can make an icon for it that looks just like an app icon. A couple apps that might be best used as a website are Facebook and TikTok.
• With any cellphone, it is good to save the assorted identifying numbers which include: IMEI, IMEI SV, ICCID and EID.
• Background App Refresh: After you switch to a different app, some apps run for a short period of time before they are suspended. Suspended apps do not take up system resources. With Background App Refresh enabled, suspended apps can wake up and check for new content. Configure: Settings -> General -> Background App Refresh (as of Aug. 2022). Source: Switch apps on your iPhone, iPad, or iPod touch from Apple.
• iPhone 12: Why you should keep your bank cards away from an iPhone 12 The Star (Nov. 2020). Hint, the very strong magnets on the back side of the phone.
• Wi-Fi: Some Wi-Fi devices will re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget it. On iOS version 14, remembered networks are in Settings -> Wi-Fi -> My Networks. Click the blue I in the blue circle, then click "Forget This Network". Also in the Wi-Fi Settings of iOS 14, change "Auto-Join Hotspot" to Never and "Ask to Join Networks" should be either Notify or Ask.
• VPN bug: A bug in VPNs on iOS 13 and 14 was first made public by ProtonVPN in March 2020: VPN bypass vulnerability in Apple iOS. As of June 2022 and iOS version 15.5 the bug still exists. The problem is a VPN leak, some data leaves the device outside of the encrypted VPN tunnel. The ProtonVPN suggested work-arounds do not work. I blogged about this on my personal site in May 2022.
• SAFARI  top
  1. iOS 14 introduced a Privacy Report that shows which trackers attempted to follow you and which ones it blocked. To see it, tap the "aA" at the left side of the address bar -> Privacy Report.
  2. Tweaks are at Settings -> Safari
  3. Turn on Prevent Cross-Site Tracking. More: How to view website trackers in mobile Safari by Lance Whitney Oct 2020
  4. Turn off Privacy Preserving Ad Measurement
  5. Turn off the AutoFill options
  6. Turn off Quick Website Search and Preload Top Hit
  7. Turn off Search Engine Suggestions and Safari Suggestions because it sends some search queries to Apple
  8. Maybe change the Search Engine. DuckDuckGo does not spy on you, but it uses Bing for search results
  9. In the settings for websites section: adjust zoom level (no one right answer), set Camera, Microphone and Location to Deny
  10. Ad blocking in the Content Blockers section. Installed blockers, such as Lockdown or 1Blocker need to be enabled here. AdGuard for iOS is a free content-blocking extension. See it here. For more: Best ad blockers for iPhone and iPad in 2021 by iMore.
  11. tip: Periodically (monthly?) erase Safari's memory (think the movie 2001). Advanced -> Website Data -> click the red "Remove All Website Data"
  12. tip: The Safari web browser is a prime target for hackers and there have been a number of vulnerabilities with it, such as this one (Jan. 2020), so you may be safer using a browser that is a lesser target, such as Firefox or Firefox Focus.
  13. tip: when you long-press on a link, you see a preview image of the target/destination website. To instead see the URL, look in the top right corner of the preview for a "Hide preview" link. Click it. More.
  14. FYI: to add a website icon to the iOS Home Screen/desktop, tap the Share button (square with an upward pointing arrow), then "Add to Home Screen"
  15. For extreme privacy settings see Apple iOS 15 Privacy Guide by Michael Bazzell (Sept 2021)
• BATTERIES  top
  
  
  • Repeatedly charging a Lithium Ion battery to 100 percent reduces the life span of the battery.
  • The battery health information Apple provides in the iOS Settings (Battery -> Battery Health) is meaningless according to Adrian Kingsley-Hughes of ZDNet: Confirmed: Your iPhone is lying to you (Jan 2022).
  • iOS 15 has an option to optimize the charging of the battery with the intention of extending the life span of the battery. See About Optimized Battery Charging on your iPhone from Apple (January 2022). It strikes me as overly complicated, if not useless. With some laptops you can easily say not to charge the battery above 80 percent (for example). Nothing is easy here. For one thing, a number of Location settings are required for this option to do anything. Spying on you is just assumed in the Apple world. The option is at Settings -> Battery -> Battery Health -> Optimized Battery Charging. It must be an iPhone only thing, there is no Battery Health section on an iPad running iOS 15.6.
  • Check the iPhone battery health and usage from Apple for iOS 15.
  • iOS 13.2 tips: Bad iPhone battery life? Here's how to diagnose and fix battery drain issues by Adrian Kingsley-Hughes (November 2019)
• iOS 16 (released September 2022)  top

  The new Safety Check feature shows who has access to the data on the iOS device and lets you quickly revoke that access. It is at Settings -> Privacy & Security -> Safety Check. This is great defense for someone in an abusive relationship. One option is to stop all sharing immediately. Less drastically, you can stop sharing things like albums, your location, the Home app and notes. The most drastic option is the Emergency Reset which stops all sharing, changes your Apple ID passwords, and reviews your emergency contacts.

  The oldest phone that version 16 runs on is the iPhone 8, which was released in 2017. It also runs on the iPhone SE, 2nd generation or later.

  Lockdown Mode: Settings -> Privacy and Security -> Lockdown Mode. Probably a good thing.

  Probably turn on the new option for software updates called "Security Responses & System Files". Miserable name. These are bug fixes that are sent automatically and silently installed. However, they may not be totally silent as they may force a re-boot of the iOS device. And, even with this option off, Apple may still update part of the OS whenever it feels like doing so. It is at Settings -> General -> Software Updates -> Automatic Updates

  There is new clipboard security: when an app accesses the clipboard, you get to allow it or not. This decision is not permanent, it has to be done for every clipboard access.

  New feature: biometric locks on hidden and deleted photo albums. You can create a folder that requires authentication (fingerprint/face) to see the contents. But beware that these photos are backed up to the cloud, so not very secure. Settings -> Photos -> Hidden and Deleted albums -> Use Face (or Touch) ID. To add photos to the hidden album, tap a photo, tap the three-dot icon, and then tap Hide. For more see: How to Lock Down Sensitive Photos on iPhone and Android by Thorin Klosowski of Wirecutter. Nov 2022

  All the New Privacy and Security Features in iOS 16 by Thorin Klosowski (Sept 2022)

  Passkeys are new in this release. In my opinion, they can be ignored because they won't catch on.

  See whats new in iOS 16 from Apple

• iOS 15.2: (released December 2021)  top

  The new App Privacy Report strikes me a as a big deal. It opens the black box of what apps do. You can see how often apps access Contacts, Camera, Location, Photos and the Microphone. It also shows network activity which is great for anyone able to block domains in their router. Off by default. Turn it on: Settings -> Privacy -> App Privacy Report. One flaw: network activity is not seen in the report when using a VPN. Another bug: calls an IP address a domain. More here (Nov 2021) and here (Jan 2022).

  The new Legacy Contact feature allows you to specify who can access your Apple account when you die. More on this in the Death sub-section.

• iOS 15: (released September 2021)  top
  1. The oldest phone that version 15 runs on is the iPhone 6S, which was released in 2015
  2. The new App Privacy Report will show how many times an app has accessed these already-restricted things: location, photos, camera, microphone, and contacts. Eh. What is new and important is that it will report on the domains the app phones home to, and, how often. We will finally be able to see the apps reporting on us to ad/tracker companies. However, there is no blocking of the spy domains. For that see the section below on system-wide ad and tracker blockers. To enable it: Settings -> Privacy -> Record App Activity
  3. How to Set Up a Recovery Contact on iPhone, iPad, and Mac by Samir Makwana for How To Geek (Dec 2021). For when you forget your Apple ID password or device passcode.
  4. The new Hide My Email feature will create random alias email addresses. For more see the topic of Multiple Email Addresses in the email section.
  5. The new Private Relay feature is very limited. It will hide your public IP address, but only while using Safari. This means Apple sees all your web browsing. Only available if you pay for iCloud. It is not clear if it adds any layers of encryption. A VPN is a better way to hide your public IP address.
  6. New "Shared with Me" feature. Settings -> Messages -> Shared with You. Maybe disable sharing in some apps
  7. By default, iOS 15 on an iPhone 11 and newer does not completely turn off. See How to Find Your Lost iPhone, Even If It's Turned Off from LifeHacker (Oct 2021). Even off, it will send out Bluetooth Low Energy beacons for the Find My feature. If your iPhone is stolen, this is good news as bad guys immediately turn them off. If you don't want the phone location to be public, then the big hammer is to disable the Find My feature. Or, when the phone is being shut down look for a new button "iPhone Findable After Power Off" and click it. I tested this on an iPad running iOS 15 and there was no new button at shutdown, so it seems to be iPhone only.
  8. Settings -> Passwords. Turn off the AutoFill Passwords option. Also look at any Security Recommendations
  9. The new Focus feature is an improved version of Do Not Disturb that lets you set up different Focus modes for different tasks like work, reading, sleeping, etc. Each Focus allows you to choose which apps and which people can send you notifications. Configure this at Settings -> Focus. The plus icon creates a new Focus.
  10. You can change the default browser or email client in Settings. For a browser, click on any installed browser, then "Default browser app"
  11. You can change the size of the font on an app-by-app basis. First, you have to add the Text Size option to the Control Center. Do this at Settings -> Control Center -> click the green circle with a white plus sign next to Text Size. In the Control Center the icon is two As, one big, one small. Then run an app that you want to change, open Control Center and indicate that the change is only for the one app.
  12. Email tracking: to block tracking pixels and your public IP address: Settings -> Mail -> Privacy Protection -> Protect Mail Activity. Only applies to the iOS Mail app. More
• AirTags (new in iOS 14.5)  top
  1. Beware poisoned Apple AirTags that exploit unpatched "Lost Mode" flaw by Graham Cluley (Sept 2021). Apple has known of this bug for four months and not fixed it. AirTags can be put in Lost Mode. If someone finds the tag, they can scan it with NFC and be taken to a unique page for the tag at found.apple.com which has the owner's phone number. But bad guys can put scripts in the phone number field that manipulate the apple website to trick a Good Samaritan. Details from Bobby Rauch.
  2. If you are moving, an AirTag can track your stuff. See Army wife uses AirTag hack to track her movers while PCSing (Jan. 2022)
  3. Apple's AirTag trackers made it frighteningly easy to 'stalk' me in a test by Geoffrey Fowler for the Washington Post (May 2021). The article is behind a paywall. A big point in the article is that Apple does not do enough to prevent AirTags being used for domestic abuse. In a test in San Francisco, the AirTag updated its location every few minutes. When moving, the location was accurate to half a block. When stationary, it was precise.
  4. Video from the above article Apple's AirTags could be used by stalkers. Here's how to protect yourself
  5. What to do if you find an AirTag or get an alert that an AirTag is with you from Apple (April 2021). How to learn the serial number of an AirTag. It requires NFC and will work on Android too. Note that making a detected AirTag play a sound often failed in Fowler's tests (above).
  6. AirTag stalking defense: Use a Bluetooth scanner to locate the Bluetooth devices near you. An Apple Air Tag will show as being made by Apple. Once you find the AirTag, you can take ownership of it if you have an iPhone (or destroy it with a hammer). The LightBlue® scanner by Punch Through Design is available on iOS and Android. On Android, Location must be on system-wide for the app to work. From the Privacy, Security, & OSINT Show - Episode 219 by Michael Bazzell (June 2021) and How to Scan for Nearby AirTags Using an Android Phone by Chris Hoffman (May 2021)
  7. AirTag stalking no defense: AirTags are supposed to beep after 3 days (later changed to 1?) to warn people of their presence. But, the speaker in an AirTag can be physically removed.
  8. Android users can detect AirTags with the free AirGuard app from Secure Mobile Networking. Note that there is another app with the same name.
• iOS 14.5: (released April 2021)  top
  1. You can disable some system apps such as Safari, FaceTime, AirDrop, Siri and more with Settings -> Screen Time -> turn on Content & Privacy Restrictions -> Allowed Apps.
  2. You can disable Apple Advertising in the same section: Settings -> Screen Time -> Content & Privacy Restrictions -> Apple Advertising
  3. Settings -> Privacy -> Tracking and chose if apps should ask for permission to track you or if tracking should be banned system-wide. Note that this is a scam, apps still track you regardless of this setting.
  4. There is a new App Privacy section for iOS apps. Review it before installing any new app. Maybe review it for existing apps too.
• iOS 14:  top
  1. Some defensive improvements introduced in v14: realtime notice when any app uses the microphone or camera. Lists apps that recently accessed each. Realtime notice when an app accesses the clipboard. An app can be given access to one picture only. LAN access controls. Only allow an app access to your approximate location. Warns of hacked passwords in the Keychain. Somewhat randomized MAC addresses.
  2. Relevant articles: 8 Privacy Features iOS 14 Users Need to Know by Lance Whitney (Oct 2020) and iOS 14 Privacy Features: Approximate Location, Clipboard Access Warnings, Limited Photos Access and More by Juli Clover (Oct 2020).
  3. Settings -> Privacy -> "Analytics & Improvements": turn off all three options (Share iPad Analytics, Improve Siri & Dictation and Share iClouid Analytics). Note: on an iPhone the setting is "Share iPhone Analytics"
  4. Settings -> Privacy -> "Apple Advertising": disable "Personalized Ads". While there, click on "View Ad Targeting Information" It might be interesting.
  5. Settings -> Privacy -> Tracking -> turn off "Allow Apps to Request to Track". While there, you can also deny tracking permission from any apps that were granted it in the past. If you ever see a prompt: "Allow xxx to track your activity across other companies' apps and websites?" (where xxx is the name of an app), the correct answer is "Ask App Not to Track"
  6. Settings -> Privacy -> Location Services: If Location Services is enabled, then for each app that is allowed to use location data, turn off "Precise Location" except for a mapping app. At the bottom of the list of apps is "System Services". In this section, turn off the options under "PRODUCT IMPROVEMENT" (iPad or iPhone Analytics, Popular Near Me, Routing & Traffic, Improve Maps). If Location Services are off, turn it on to make these changes, then disable it again.
  7. Review everything else in Settings -> Privacy
  8. Most people (not everyone) want apps to be automatically be updated. This is controlled at Settings -> App Store -> App Updates
  9. Settings -> Siri & Search. Siri is like the Borg. To disable Siri use either "Press Home for Siri" or "Press Side Button for Siri". Maybe disable Listen for Hey Siri. Maybe delete Siri & Dictation History. Maybe delete some or all of the four types of Siri Suggestions. Then it gets ugly. Siri wants to spy on every installed app to learn how you use the app and include data from the app in Siri searches. For every app, you have to configure it to block Siri assimilating the app. Ugh. If nothing else, block Siri from financial apps. Probably a good idea to block web browsers too.
  10. A new Private Address option was added to the definition of each Wi-Fi network. This creates a MAC address that is used only on that specific Wi-Fi network. Previously the same MAC address was used on every Wi-Fi network. Good news: it is on by default.
  11. Settings -> Notifications > Show Previews. Opt for either "When Unlocked" or "Never" to prevent notifications from leaking information you don't want strangers to see. Or, in the same section configure notifications for individual apps.
  12. If you use the Apple Mail app: Settings -> Mail -> Privacy Protection and turn on "Protect Mail Activity"
  13. iMessage: chose how long to keep old messages at Settings -> Messages > Keep Messages
• iOS 13:  top
  1. The Silence unknown callers feature sounds great (I do not use an iPhone). If someone who is not in your Address Book calls, the phone will not ring, the call will go to voicemail. The call does show up in Recent Calls list. Enable it: Settings -> Phone -> Silence Unknown Callers. See Detect and block spam phone calls from Apple (May 2021) and this 2019 article from Mac Rumors.
     NOTE: In July 2022, Susan Bradley suggested another feature that does the same thing. See Got a cell phone? Are you getting more spam calls? She suggests Settings -> Focus -> Do Not Disturb -> toggle it ON -> tap on the People tab -> tap on Calls From -> select All Contacts
  2. Review everything in Settings -> Privacy. This includes the "Analytics & Improvements" section where I would turn off all three options. In the Advertising section, turn on "Limit Ad Tracking" and reset the Advertising Identifier periodically. In the Location Services section, click on System Services and then turn off the three options under "PRODUCT IMPROVEMENT"
  3. For the iPhone 11 only. Settings -> Privacy -> Location Services -> System Services -> Networking and Wireless has a new Location toggle for the ultra-wideband service. This was a bug fix because the U1 chip was broadcasting your location even with the normal location settings turned off.
  4. Parental Controls: Guided Access can limit iOS to a single app. More below.
  5. Parental Controls: Screen Time can set all sorts of limits. Enable it with: Settings -> Screen Time. Prevent kids from using certain apps, installing new apps, disable in-app purchases, block access to certain websites and control who kids are are able to contact. It also does assorted usage auditing. More from Apple (Dec 2019) and Macrumors (Dec 2019).
  6. As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When the site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.
• You can set an iOS device to erase all data after too many failed attempts to enter the PIN/passcode. In Settings, go to "Touch ID & Passcode" or "Face ID & Passcode". Then, enable "Erase Data". Seems like the only choice in both iOS 13 and 14 is 10 bad passcodes.
• The Jumbo privacy assistant is an iOS app to increase your privacy on Facebook, Twitter, Amazon, Google and Alexa. It was released in April 2019. It adjusts the 30-odd Facebook privacy settings, deletes old tweets, erases Google Search history and deletes the voice recordings stored by Alexa. More. Geoffrey Fowler, of the Washington Post, who focuses on Privacy, said it was his favorite app of 2019: "In clear language and colorful illustrations, it explains the real choices we have and makes recommendations like you'd get from a really clued-in friend." They also go by withjumbo.com
• One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. I don't know if this is possible on an iPhone.
• Deleting Photos: Deleted photos are not really deleted, they are kept in a Recently Deleted folder (under Utilities) in the Photos app (last reviewed in iOS 15.5). See Delete photos on your iPhone, iPad, and iPod touch from Apple.
• CREATE PASSWORD PROTECTED PHOTOS
  • In the iOS 16 topic above, see the feature on biometric locks on hidden and deleted photo albums.
  • Locked Notes: the Lock Note feature of the Notes app can password protect Notes. Each Note can contain one or more photos. There is one password for all protected Notes. In iOS 15: First do Settings -> Notes. Disable "Save to Photos" so that photos inside a note do not appear in the camera roll. In the Password section, verify that it says "Require a password to view locked notes". Then, open the Notes app, create a new note, tap the camera icon -> Take Photo or Video. To password protect the Note, click the three dots in a circle (don't blame me), then Lock, then enter the password. The first time you lock a note, you can also enter a password hint. In Settings, there is also an "on My iPad account" but its not clear to me what this does. If you have existing photos, then see How to Password Protect Photos on iPhone and iPad by Benj Edwards (Oct. 2020). Cheatsheet: create a note, insert photos into the note, then lock the note with a password ... then go to the Photos app and delete the images you just password-protected ... then, go to the "Recently Deleted" folder in the Photos app and delete them there too. Locked notes are stored encrypted.
  • From W-2s to nudes, here’s how to hide sensitive photos by Tatum Hunter for the Washington Post. August 2022. Discusses the hidden album feature. Fails to point out that pictures in a hidden album are backed up to iCloud. Written by a reporter, there is nothing in the article about Locked Notes. It mentions two apps that hide files: Secret Photo Vault from Keepsafe and Private Photo Vault from Legendary Software Labs.
• LOCATION TRACKING
  • If you do not want the Find My Network or for an iPad to be part of Find My iPad be aware that these settings get turned back on without you being notified. I ran into this on an iPad running iOS 15.6.1 in September 2022. After turning off both Find My settings, I turned the iPad off (all the way off). The next time it powered back on, Find My was running. In another case, I logged out of my Apple account and then back in. After logging back in, Find My was enabled again.
  • When using the Apple Find My system to share your location with friends/family, your precise location is end-to-end encrypted when both your device and the friend’s device are running iOS 15 or newer. Apple can not see the data. Not sure, however, about non-precise location.
  • All the Ways Your Location Can Be Tracked on an iPhone July 24, 2020. How-To Geek. Covers Find My iPhone, Sharing Locations With People, Apps You’ve Given Location Access To, Photos With Location Data, Bluetooth Tracking Beacons and Cell Towers. Fails to mention Wi-Fi which can also be used to learn the location of an iPhone.
  • Block the camera from having access to location information: Settings -> Privacy tab -> Location Services -> Camera -> select Never. To check if a photo includes location info: swipe up while viewing the picture in the photos app. If it does have location info there will be a map. To share the photo without location info, click the share button, click Options near the top of the screen, then switch off the toggle for Location.
    Update June 18, 2020: On iOS 13.5.1 (tested on an iPad) it seems that that it is no longer possible to block the camera from storing location information
• To blur your home in Apple maps either send email to mapsimagecollection at apple.com with your home address and an explanation of why or, in iOS, tap the Info button (blue letter "i"i in a white circle with a blue border) in the upper-right corner, then tap on Report an Issue.
• Express Transit is an Apple Pay feature that makes it easy to pay for transit rides in a handful of cities. Maybe too easy. In Jan. 2020, some NYC subway riders were double charged. See How to Set Up Express Transit With Apple Pay.
• Beware of file conversion apps. Some 23 iOS file-conversion apps used by 3M people fail to encrypt documents by Ben Lovejoy (Feb 2020)
• Backup: Back up iPhone by Apple. Applies to four different versions of iOS. From their iPhone User Guide.
• FYI: There is an online iPhone User Guide from Apple
• What to do before you sell, give away, or trade in your iPhone, iPad, or iPod touch from Apple. October 2021.
• If your phone needs fixing, make sure your secrets are safe first by Chris Velazco in the Washington Post (October 2022). To maintain control of your phone number, remove the SIM card and put in another phone. If the phone has and embedded SIM, call your wireless carrier to discuss the options. As for a repair person having access to your files, the only one way to be sure to block this is to delete all the files before you hand your phone over.
• DEATH:  top
  You can save your loved ones grief, if you share with them your iPhone passcode and/or your iCloud credentials. Apple has a complicated system, called Digital Legacy, for allowing your survivors access to most, but not all, of your data.
  
  
  1. How to access iPhone content when someone passes away by Joseph Keller and Adam oram (June 2022). Without the passcode Apple won't (and often can't) unlock an iPhone. If you don't know your loved one's iCloud password but you do have access to their iCloud email address/userid, you could use that email to reset the password for the iCloud account.
  2. Apple Digital Legacy was introduced in iOS 15.2 and macOS Monterey 12.1. On iOS its at: Settings -> Your name -> Password & Security -> Legacy Contact. Your Legacy Contact(s) can be anyone, they do not need an Apple ID or an Apple device. There can be up to five contacts. Apple creates an "Access Key" which the surviving person needs to store, and not lose. To get your data, the survivor has to contact Apple, provide a death certificate and hope that Apple approves it. The survivor does not get iCloud Keychain, payment information, subscriptions, and licensed media. It strikes me as ridiculous to assume that this system will still be in place, unchanged, in 10, 20 or 30 years. Probably better to just share passwords.
  3. Set it up: How to add a Legacy Contact for your Apple ID from Apple. How to set up a Legacy Contact on iPhone and iPad by Adam Oram (May 2022) has many screen shots of the process.
  4. Limitations: Data that a Legacy Contact can access from Apple. Published May 2022.
  5. Using it: How to request access to a deceased family member's Apple account from Apple (April 2022)
  6. The iPhone Feature to Turn On Before You Die by Joanna Stern in WSJ (Dec 2021)
• LOCK APPS:  top
  The ability to password protect an app is not part of iOS. However, there are a number of fudges.
  
  
  1. Since iOS version 12 (introduced Sept. 2019) there was a crude hack available using Screen Time. See How to Passcode Lock an App on iPhone by Juli Clover (Feb. 2022). The best it can do is limit access to 1 minute. Also, after an app is unlocked, there is no way to re-lock it.
  2. This March 2022 article, 6 Ways to Lock an App on iPhone and iPad in 2022 by Sahil covers: Create an automation, Replace the app with a password protected shortcut, Lock apps that have an in-built feature to do so, Lock Apple apps by restricting content and Lock any app by limiting its daily screen time. I tested the option of creating a password protected shortcut on iOS 15.5. It works, but there are many steps involved. Note that passwords are case sensitive. It is not clear, to me, if a knowledgeable user can get around the shortcut.
  3. See also How to Lock Apps on iPhone and iPad by Rosa Reyes (Nov. 2019) which covers five different techniques that work with iOS 13, iOS 12, iOS 11 and earlier: Screen Time, Restrictions (aka Parental Controls), Guided Access, Touch ID / Face ID and, on jailbroken phones, third-party apps.
• APPLE PRIVATE RELAY
  First released for iOS 15 and macOS Monterey. I have not used it and don't claim to be an expert. Still, it does not seem as good as a VPN.
  1. It is limited to Apple hardware only, a VPN is not
  2. Private Relay only encrypts certain data: When you use a VPN, it encrypts all the data (except for this)
  3. Both hide your public IP address
  4. A VPN lets you chose a physical location to connect to. Private Relay assigns you an IP address, there is no choice
  5. Private Relay is under US jurisdiction, and US data privacy laws are not good
  6. It only covers Safari, DNS and a few other apps. Which apps? It seems like a marketing ploy to push Safari
  7. It is only available to paying customers of iCloud+ which starts at $1/month
  8. See About iCloud Private Relay from Apple
  9. The design of Private Relay is new. Its always best to avoid new things for a while to see if there are any flaws.
• LOCK DEVICES:  top
  To lock an iOS device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
  
  
  • How to Temporarily Disable Face ID or Touch ID, and Require a Passcode to Unlock Your iPhone or iPad by John Gruber (June 2022). From the article: If you use Face ID or Touch ID, what happens if someone physically forces you to unlock it biometrically? There is a hard lock state where only a passcode will unlock the device. With recent iPhones/iPads, you hard lock by pressing and holding the power button and either of the volume buttons for about two seconds. This takes you to the screen where you see a slider to power down the device. At this point, its hard locked. An iPhone can be hard locked while remaining in your pocket. Do this every time you are separated from your phone, such as at a security checkpoint.
  • A different type of locking to lend a device to someone but limit them to only run one app. See How to Safely Lend Someone Else Your Phone by David Nield for Wired (July 2022). This uses Guided Access which is off by default.
• SYSTEM-WIDE AD AND TRACKER BLOCKERS:  top
  
  
  1. The Guardian Firewall +VPN app from Sudo Security blocks trackers, phishing, malware and page hijackers. It does not claim to block block ads. The app is free to install and see what it will block if you pay for the app. You can pay by the day, month ($10), quarter or year ($100). The paid app is a real VPN. Blocking is done at the VPN server, not on the iOS device. From a trustworthy source. See About the Guardian iOS Firewall App by me (Aug 2019). Website: guardianapp.com
  2. The Lockdown app (by Confirmed, Inc) blocks both ads and trackers. It is open source and blocking is free. Blocking is done on the iOS device, nonetheless, it installs as a VPN and can not run alongside a real VPN. When it is active, you do not see a VPN indicator. In my testing I found that the app said it was on even when it was off. It has a blacklist but no white list. There is a paid upgrade to a VPN but the website (lockdownhq.com) says nothing about who created the app and for that reason I can not recommend the paid VPN. As of Feb. 2020, the list of blocked domains had not been updated for 7 months. As of Sept 2021, the list on Github had not been changed since July 2019. They seem to have another website, no idea why.
  3. Both apps log what they block, and you can see the log on the iOS device, but neither pinpoints the app being blocked. Neither logs what they they did not block. Both claim to be a firewall, but they are not, at least, not in the traditional sense. They are domain blockers. iOS does not have a firewall.
  4. Disconnect has a number of privacy oriented products. Their Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS. No ad blocking. Great feature is that you can block whatever domains you want to block. It can not be used in conjunction with a VPN.
  5. The nextdns.io app competes more with Lockdown than Guardian. I prefer it over Lockdown because it is more functional and more customizable. To begin with, it logs all DNS activity, not just blocked domains, which helps you create your own black list. It also does white listing. It can apply to one device, multiple devices or an entire LAN. Logging is both customizable and optional. The app itself can be password protected. NextDNS also does encrypted DNS with DoT and DoH. Like Lockdown, it installs as a VPN but you do see an active VPN indicator on the status bar when it is running. One drawback is that the logs are not visible in the app, you have to use the nextdns.io website to see them.
  6. In Sept. 2021, I tested v5.14 of Blokada on iOS 14.8 and it did not work at all. I ran some apps and their DNS activity did not show up in the Activity section. Forget blocking. The log showed many errors. The software is free and it blocks nothing by default (poor UI) you have enable assorted blocking lists. How do you chose among the lists? It installs as a VPN but it is not a VPN.
     In June 2022, I took another look. Blokada offers many products and the differences between and among them were very confusing. One product is free, the VPN certainly is not. Then too there is their Cloud and a Plus products, it is not clear what they are. The cloud product does have an allow list and a block list.
• Block spam texts: The almost-secret hidden iPhone switch that blocks spam text messages and notifications by David Gewirtz (Jan 2020). Settings -> Messages -> turn on "Filter Unknown Messages". The texts arrive, but you are only notified if sender is in your Contacts. Article comments note that this may not work.
• Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.
• When it comes time to dispose of an iOS device: How to factory reset your iPhone, iPad, or iPod touch from Apple. (Feb. 2022)
• Also see the Bluetooth topic to change the default public Bluetooth device name
• Also see the Mobile Scanning and Sharing topic
• Also see the Mobile OS Spying section.
• Also see the Location Tracking section.
• Also see the Voice Assistant section for info on SIRI.
• Also see the Stalkerware topic
• FYI: The Settings That Make Smartphones Easier for Everyone to Use by J. D. Biersdorfer (September 2022). The accessibility features Apple and Google include in their mobile software can help people of all abilities get more from their devices.
• FYI: iOS network security has a hole and nothing can be done about it. For one thing, TCP/IP ports are closed rather than stealth (see nmap scan). iOS 13, 14, 15 and earlier versions, seem to have a backdoor. TCP port 62078 is open and can not be closed - there is no firewall in iOS. The port is not listed in TCP and UDP ports used by Apple software products. This open port has been known about at least since 2013 (here and here and here). I tested multiple VPNs (OpenVPN, Windscribe, ProtonVPN, Lockdown firewall and the Guardian firewall) and none blocked access to the port.
• FYI: Apple is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Just like Android, iOS lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.

Copyright 2019 - 2022