A Defensive Computing Checklist    by Michael Horowitz

NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

iOS - Apple iPhone and iPad

Some topics below: Clipboard, Safari, iOS 15.2, iOS 15, AirTags, iOS 14.5, iOS 14, iOS 13, Death, Lock Apps, Lock Devices, System-wide ad and tracker blockers

• iOS users should hold off installing new versions of the operating system for a few weeks. By new version, I mean the major versions such as 13 and 14 and 15. iOS version 13, in particular, was a disaster with a flood of bugs fixes in the weeks just after it was released. iOS 15 had three updates in the first month after it was released. For updates such as 14.4 and 14.5 wait a few days before installing it. Minor updates, such as 14.5.1, should be installed immediately.
• Apple can read anything that is backed up to iCloud. To control what is sent to iCloud: Settings -> YourName -> iCloud where there is a huge list of apps. Disable those you don't want in iCloud. Also: Settings -> Privacy -> "Analytics & Improvements" and turn off "Share iCloud Analytics". You can disable iCloud completely and make local backups to a computer.
• How Apple Can Read Your Encrypted Messages by Jake Peterson of LifeHacker (Oct 2021). The security hole is in iCloud Backup, which can be disabled on your iOS device. However, you can not know if it is enabled on the device you communicate with.
• iPhone apps no better for privacy than Android, Oxford study finds by Paul Wagenseil for Toms Guide (Oct 2021). Apps on iOS and Android track and profile you equally.
• New study reveals iPhones aren't as private as you think by Paul Wagenseil of Toms Guide (March 2021). The study looked at the operating system, not apps. Android phones collect more data by volume, but iPhones collect more types of data. Both systems transmit telemetry, despite your explicitly opting out. iOS transmitted device location, the local IP address and the Wi-Fi MAC address of other devices on the local network. Even when logged out of an Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple's analytics servers along with info about nearby devices on the same Wi-Fi network. When queried, Apple said nothing. iOS 13.6.1 was tested.
• You should know: When you 'Ask app not to track,' some iPhone apps keep snooping anyway from Washington Post (Sept 2021). Techies knew this all along, this article explains it to the general public. Interesting point is that when the paper reported bad apps to Apple, Apple did nothing. You can see the gory details for a few iOS apps at privacyreview.co. The article offers one lousy sentence on defense. See the section below on system-wide ad and tracker blockers.
• For people most at risk of being spied on: How to defend yourself against the powerful new NSO spyware attacks discovered around the world by the Security Team at The Intercept (July 2021). Long article, no summary would do it justice. Still, do not click on unknown links, practice device compartmentalization, use a VPN, use non-default web browsers. Scams often make it seem as if a response is needed immediately.
• These two articles, about the iVerify app from security firm Trail of Bits, have the exact same title. In This app will tell you if your iPhone has been hacked (Dec 2020) Adrian Kingsley-Hughes highly recommends the app. It costs $3 and includes how-to guides, tips, tricks and tweaks for improving privacy and reducing the chances of getting hacked. See also This App Will Tell You if Your iPhone Gets Hacked by Lorenzo Franceschi-Bicchierai for Vice (Nov 2019). iVerify requires iOS 12 or later, and is compatible with all iOS devices.
• Medical Emergency: First responders are trained to look at phones for emergency contacts and medical information. To configure: Health app -> your profile photo -> Medical ID -> Edit. Fill in anything an emergency responder should know. Make sure "Show when locked" is turned on, then Done. To see it, from the lock screen, tap on Emergency Call and then Medical Info. More here: Set up your Medical ID in the Health app on your iPhone by Apple (Jan 2022) and Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
• Emergency SOS: (aka Emergency Call) Use Emergency SOS on your iPhone from Apple (December 2021). It calls the local emergency number (911 in US) and you can also add emergency contacts who will be texted. And: Make emergency calls on iPhone from Apple. For iOS versions 15, 14, 13 and 12 as of Jan. 2022. More: Emergency SOS on iPhone: How to set it up and activate by Britta O'Boyle (May 2021) and How to Set an Emergency Contact on iPhone (and Why) by Tim Brookes (Nov 2021).
• TEXT SIZE: can be adjusted system-wide at Settings -> Display & Brightness -> Text Size
• CLIPBOARD  top
  1. All apps can read the clipboard, even when they are not running. This flew under the radar until June 2020 when beta versions of iOS 14 started reporting on it. Many apps were doing it. The camera app embeds your location in every photo. Copy a picture and apps can learn your location without having location access. There is no defense (that I know of) in iOS 13. In iOS 14 there is a warning, not yet (July 4, 2020) sure if there will be a defense.
  2. Anything copied to the iOS clipboard/pasteboard can be read by any app. If a picture is copied, then GPS location information, which is embedded in the image, is easily available to apps. Tested with iOS 13.3. Apple was told about this in Jan. 2020 and they will not change anything. The defense should be to deny the camera app access to location information, but iOS can not do that. From: Security demo reminds iOS users that any app (or widget) can read the clipboard silently by Benjamin Mayo (Feb 2020)
• iOS Defenses: Both articles cover a lot of ground. iPhone privacy checklist (2021 edition) by Adrian Kingsley-Hughes for ZDNet (Jan 2021). How to stay as private as possible on Apple's iPad and iPhone by Jonny Evans at Computerworld (Feb. 2019).
• iOS Defense video: 13 Things You Should Be Doing To Protect Your iPhone by Gary Rosenzweig (April 2022, 12 minutes, iOS v15). Among the suggestions are setting a SIM PIN, turning on Find My iPhone, insuring that iCloud backup is enabled, turning OFF both the "ask to join networks" WiFi option and the USB Accessories option. Also, review the many "Allow access when locked" options.
• iOS Defense: Dealing with a stolen iPhone Sept. 2019 by Marc Rogers
• iOS Defense: Every now and then turn the iOS device off and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. It is not a perfect defense, but the NSA recommends rebooting/restarting a phone every week. Reboots to install bug fixes count. More: Turn off, turn on: Simple step can thwart top phone hackers by AP News (July 2021)
• iOS Defense: How Jamie Spears Spied on Britney Spears Through iCloud by Lorenzo Franceschi-Bicchierai (Oct 2021). Using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. All that is needed is the password for the Apple ID of the victim. The article describes detecting this and stopping it. In a browser, I suggest (not in the article) a Chromebook running in Guest Mode. Login to iCloud.com -> Account Settings -> My Devices.
• iOS Defense: Advice on AirDrop is in the Mobile Scanning section.
• iPhone 12: Why you should keep your bank cards away from an iPhone 12 The Star (Nov. 2020). Hint, the very strong magnets on the back side of the phone.
• Wi-Fi: Some Wi-Fi devices will re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget it. On iOS version 14, remembered networks are in Settings -> Wi-Fi -> My Networks. Click the blue I in the blue circle, then click "Forget This Network". Also in the Wi-Fi Settings of iOS 14, change "Auto-Join Hotspot" to Never and "Ask to Join Networks" should be either Notify or Ask.
• FYI: The battery health information Apple provides in the iOS Settings (Battery -> Battery Health) is meaningless. From: Confirmed: Your iPhone is lying to you by Adrian Kingsley-Hughes for ZDNet (Jan 2022).
• VPN bug: A bug in VPNs on iOS 13 and 14 was first made public by ProtonVPN in March 2020: VPN bypass vulnerability in Apple iOS. As of June 2022 and iOS version 15.5 the bug still exists. The problem is a VPN leak, some data leaves the device outside of the encrypted VPN tunnel. The ProtonVPN suggested work-arounds do not work. I blogged about this on my personal site in May 2022.
• SAFARI  top
  1. iOS 14 introduced a Privacy Report that shows which trackers attempted to follow you and which ones it blocked. To see it, tap the "aA" at the left side of the address bar -> Privacy Report.
  2. Tweaks are at Settings -> Safari
  3. Turn on Prevent Cross-Site Tracking. More: How to view website trackers in mobile Safari by Lance Whitney Oct 2020
  4. Turn off Privacy Preserving Ad Measurement
  5. Turn off the AutoFill options
  6. Turn off Quick Website Search and Preload Top Hit
  7. Turn off Search Engine Suggestions and Safari Suggestions because it sends some search queries to Apple
  8. Maybe change the Search Engine. DuckDuckGo does not spy on you, but it uses Bing for search results
  9. In the settings for websites section: adjust zoom level (no one right answer), set Camera, Microphone and Location to Deny
  10. Ad blocking in the Content Blockers section. Installed blockers, such as Lockdown or 1Blocker need to be enabled here. AdGuard for iOS is a free content-blocking extension. See it here. For more: Best ad blockers for iPhone and iPad in 2021 by iMore.
  11. tip: Periodically (monthly?) erase Safari's memory (think the movie 2001). Advanced -> Website Data -> click the red "Remove All Website Data"
  12. tip: The Safari web browser is a prime target for hackers and there have been a number of vulnerabilities with it, such as this one (Jan. 2020), so you may be safer using a browser that is a lesser target, such as Firefox or Firefox Focus.
  13. tip: when you long-press on a link, you see a preview image of the target/destination website. To instead see the URL, look in the top right corner of the preview for a "Hide preview" link. Click it. More.
  14. For extreme privacy settings see Apple iOS 15 Privacy Guide by Michael Bazzell (Sept 2021)
• iOS 15.2: (released December 2021)  top

  The new App Privacy Report strikes me a as a big deal. It opens the black box of what apps do. You can see how often apps access Contacts, Camera, Location, Photos and the Microphone. It also shows network activity which is great for anyone able to block domains in their router. Off by default. Turn it on: Settings -> Privacy -> App Privacy Report. One flaw: network activity is not seen in the report when using a VPN. Another bug: calls an IP address a domain. More here (Nov 2021) and here (Jan 2022).

  The new Legacy Contact feature allows you to specify who can access your Apple account when you die. More on this in the Death sub-section.

• iOS 15: (released September 2021)  top
  1. The new App Privacy Report will show how many times an app has accessed these already-restricted things: location, photos, camera, microphone, and contacts. Eh. What is new and important is that it will report on the domains the app phones home to, and, how often. We will finally be able to see the apps reporting on us to ad/tracker companies. However, there is no blocking of the spy domains. For that see the section below on system-wide ad and tracker blockers. To enable it: Settings -> Privacy -> Record App Activity
  2. How to Set Up a Recovery Contact on iPhone, iPad, and Mac by Samir Makwana for How To Geek (Dec 2021). For when you forget your Apple ID password or device passcode.
  3. The new Hide My Email feature will create random alias email addresses. For more see the topic of Multiple Email Addresses in the email section.
  4. The new Private Relay feature is very limited. It will hide your public IP address, but only while using Safari. This means Apple sees all your web browsing. Only available if you pay for iCloud. It is not clear if it adds any layers of encryption. A VPN is a better way to hide your public IP address.
  5. New "Shared with Me" feature. Settings -> Messages -> Shared with You. Maybe disable sharing in some apps
  6. By default, iOS 15 on an iPhone 11 and newer does not completely turn off. See How to Find Your Lost iPhone, Even If It's Turned Off from LifeHacker (Oct 2021). Even off, it will send out Bluetooth Low Energy beacons for the Find My feature. If your iPhone is stolen, this is good news as bad guys immediately turn them off. If you don't want the phone location to be public, then the big hammer is to disable the Find My feature. Or, when the phone is being shut down look for a new button "iPhone Findable After Power Off" and click it. I tested this on an iPad running iOS 15 and there was no new button at shutdown, so it seems to be iPhone only.
  7. Settings -> Passwords. Turn off the AutoFill Passwords option. Also look at any Security Recommendations
  8. The new Focus feature is an improved version of Do Not Disturb that lets you set up different Focus modes for different tasks like work, reading, sleeping, etc. Each Focus allows you to choose which apps and which people can send you notifications. Configure this at Settings -> Focus. The plus icon creates a new Focus.
  9. You can change the default browser or email client in Settings. For a browser, click on any installed browser, then "Default browser app"
  10. You can change the size of the font on an app-by-app basis. First, you have to add the Text Size option to the Control Center. Do this at Settings -> Control Center -> click the green circle with a white plus sign next to Text Size. In the Control Center the icon is two As, one big, one small. Then run an app that you want to change, open Control Center and indicate that the change is only for the one app.
  11. Email tracking: to block tracking pixels and your public IP address: Settings -> Mail -> Privacy Protection -> Protect Mail Activity. Only applies to the iOS Mail app. More
• AirTags (new in iOS 14.5)  top
  1. Beware poisoned Apple AirTags that exploit unpatched "Lost Mode" flaw by Graham Cluley (Sept 2021). Apple has known of this bug for four months and not fixed it. AirTags can be put in Lost Mode. If someone finds the tag, they can scan it with NFC and be taken to a unique page for the tag at found.apple.com which has the owner's phone number. But bad guys can put scripts in the phone number field that manipulate the apple website to trick a Good Samaritan. Details from Bobby Rauch.
  2. If you are moving, an AirTag can track your stuff. See Army wife uses AirTag hack to track her movers while PCSing (Jan. 2022)
  3. Apple's AirTag trackers made it frighteningly easy to 'stalk' me in a test by Geoffrey Fowler for the Washington Post (May 2021). The article is behind a paywall. A big point in the article is that Apple does not do enough to prevent AirTags being used for domestic abuse. In a test in San Francisco, the AirTag updated its location every few minutes. When moving, the location was accurate to half a block. When stationary, it was precise.
  4. Video from the above article Apple's AirTags could be used by stalkers. Here's how to protect yourself
  5. What to do if you find an AirTag or get an alert that an AirTag is with you from Apple (April 2021). How to learn the serial number of an AirTag. It requires NFC and will work on Android too. Note that making a detected AirTag play a sound often failed in Fowler's tests (above).
  6. AirTag stalking defense: Use a Bluetooth scanner to locate the Bluetooth devices near you. An Apple Air Tag will show as being made by Apple. Once you find the AirTag, you can take ownership of it if you have an iPhone (or destroy it with a hammer). The LightBlue® scanner by Punch Through Design is available on iOS and Android. On Android, Location must be on system-wide for the app to work. From the Privacy, Security, & OSINT Show - Episode 219 by Michael Bazzell (June 2021) and How to Scan for Nearby AirTags Using an Android Phone by Chris Hoffman (May 2021)
  7. AirTag stalking no defense: AirTags are supposed to beep after 3 days (later changed to 1?) to warn people of their presence. But, the speaker in an AirTag can be physically removed.
  8. Android users can detect AirTags with the free AirGuard app from Secure Mobile Networking. Note that there is another app with the same name.
• iOS 14.5: (released April 2021)  top
  1. You can disable some system apps such as Safari, FaceTime, AirDrop, Siri and more with Settings -> Screen Time -> turn on Content & Privacy Restrictions -> Allowed Apps.
  2. You can disable Apple Advertising in the same section: Settings -> Screen Time -> Content & Privacy Restrictions -> Apple Advertising
  3. Settings -> Privacy -> Tracking and chose if apps should ask for permission to track you or if tracking should be banned system-wide. Note that this is a scam, apps still track you regardless of this setting.
  4. There is a new App Privacy section for iOS apps. Review it before installing any new app. Maybe review it for existing apps too.
• iOS 14:  top
  1. Some defensive improvements introduced in v14: realtime notice when any app uses the microphone or camera. Lists apps that recently accessed each. Realtime notice when an app accesses the clipboard. An app can be given access to one picture only. LAN access controls. Only allow an app access to your approximate location. Warns of hacked passwords in the Keychain. Somewhat randomized MAC addresses.
  2. Relevant articles: 8 Privacy Features iOS 14 Users Need to Know by Lance Whitney (Oct 2020) and iOS 14 Privacy Features: Approximate Location, Clipboard Access Warnings, Limited Photos Access and More by Juli Clover (Oct 2020).
  3. Settings -> Privacy -> "Analytics & Improvements": turn off all three options (Share iPad Analytics, Improve Siri & Dictation and Share iClouid Analytics). Note: on an iPhone the setting is "Share iPhone Analytics"
  4. Settings -> Privacy -> "Apple Advertising": disable "Personalized Ads". While there, click on "View Ad Targeting Information" It might be interesting.
  5. Settings -> Privacy -> Tracking -> turn off "Allow Apps to Request to Track". While there, you can also deny tracking permission from any apps that were granted it in the past. If you ever see a prompt: "Allow xxx to track your activity across other companies' apps and websites?" (where xxx is the name of an app), the correct answer is "Ask App Not to Track"
  6. Settings -> Privacy -> Location Services: If Location Services is enabled, then for each app that is allowed to use location data, turn off "Precise Location" except for a mapping app. At the bottom of the list of apps is "System Services". In this section, turn off the options under "PRODUCT IMPROVEMENT" (iPad or iPhone Analytics, Popular Near Me, Routing & Traffic, Improve Maps). If Location Services are off, turn it on to make these changes, then disable it again.
  7. Review everything else in Settings -> Privacy
  8. Most people (not everyone) want apps to be automatically be updated. This is controlled at Settings -> App Store -> App Updates
  9. Settings -> Siri & Search. Siri is like the Borg. To disable Siri use either "Press Home for Siri" or "Press Side Button for Siri". Maybe disable Listen for Hey Siri. Maybe delete Siri & Dictation History. Maybe delete some or all of the four types of Siri Suggestions. Then it gets ugly. Siri wants to spy on every installed app to learn how you use the app and include data from the app in Siri searches. For every app, you have to configure it to block Siri assimilating the app. Ugh. If nothing else, block Siri from financial apps. Probably a good idea to block web browsers too.
  10. A new Private Address option was added to the definition of each Wi-Fi network. This creates a MAC address that is used only on that specific Wi-Fi network. Previously the same MAC address was used on every Wi-Fi network. Good news: it is on by default.
  11. Settings -> Notifications > Show Previews. Opt for either "When Unlocked" or "Never" to prevent notifications from leaking information you don't want strangers to see. Or, in the same section configure notifications for individual apps.
  12. If you use the Apple Mail app: Settings -> Mail -> Privacy Protection and turn on "Protect Mail Activity"
  13. iMessage: chose how long to keep old messages at Settings -> Messages > Keep Messages
• iOS 13:  top
  1. The Silence unknown callers feature sounds great (I do not use an iPhone). If someone who is not in your Address Book calls, the phone will not ring, the call will go to voicemail. The call does show up in Recent Calls list. Enable it: Settings -> Phone -> Silence Unknown Callers. See Detect and block spam phone calls from Apple (May 2021) and this 2019 article from Mac Rumors.
     NOTE: In July 2022, Susan Bradley suggested another feature that does the same thing. See Got a cell phone? Are you getting more spam calls? She suggests Settings -> Focus -> Do Not Disturb -> toggle it ON -> tap on the People tab -> tap on Calls From -> select All Contacts
  2. Review everything in Settings -> Privacy. This includes the "Analytics & Improvements" section where I would turn off all three options. In the Advertising section, turn on "Limit Ad Tracking" and reset the Advertising Identifier periodically. In the Location Services section, click on System Services and then turn off the three options under "PRODUCT IMPROVEMENT"
  3. For the iPhone 11 only. Settings -> Privacy -> Location Services -> System Services -> Networking and Wireless has a new Location toggle for the ultra-wideband service. This was a bug fix because the U1 chip was broadcasting your location even with the normal location settings turned off.
  4. Parental Controls: Guided Access can limit iOS to a single app. More below.
  5. Parental Controls: Screen Time can set all sorts of limits. Enable it with: Settings -> Screen Time. Prevent kids from using certain apps, installing new apps, disable in-app purchases, block access to certain websites and control who kids are are able to contact. It also does assorted usage auditing. More from Apple (Dec 2019) and Macrumors (Dec 2019).
  6. iOS 13.2 tips: Bad iPhone battery life? Here's how to diagnose and fix battery drain issues by Adrian Kingsley-Hughes (November 2019).
  7. As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When the site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.
• You can set an iOS device to erase all data after too many failed attempts to enter the PIN/passcode. In Settings, go to "Touch ID & Passcode" or "Face ID & Passcode". Then, enable "Erase Data". Seems like the only choice in both iOS 13 and 14 is 10 bad passcodes.
• The Jumbo privacy assistant is an iOS app to increase your privacy on Facebook, Twitter, Amazon, Google and Alexa. It was released in April 2019. It adjusts the 30-odd Facebook privacy settings, deletes old tweets, erases Google Search history and deletes the voice recordings stored by Alexa. More. Geoffrey Fowler, of the Washington Post, who focuses on Privacy, said it was his favorite app of 2019: "In clear language and colorful illustrations, it explains the real choices we have and makes recommendations like you'd get from a really clued-in friend." They also go by withjumbo.com
• One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. I don't know if this is possible on an iPhone.
• Deleting Photos: Deleted photos are not really deleted, they are kept in a Recently Deleted folder (under Utilities) in the Photos app (last reviewed in iOS 15.5). See Delete photos on your iPhone, iPad, and iPod touch from Apple.
• Create password protected photos: The Lock Note feature of the Notes app can password protect Notes. Each Note can contain one or more photos. There is one password for all protected Notes. In iOS 15: First do Settings -> Notes. Disable "Save to Photos" so that photos inside a note do not appear in the camera roll. In the Password section, verify that it says "Require a password to view locked notes". Then, open the Notes app, create a new note, tap the camera icon -> Take Photo or Video. To password protect the Note, click the three dots in a circle (don't blame me), then Lock, then enter the password. The first time you lock a note, you can also enter a password hint. In Settings, there is also an "on My iPad account" but its not clear to me what this does. If you have existing photos, then see How to Password Protect Photos on iPhone and iPad by Benj Edwards (Oct. 2020). Cheatsheet: create a note, insert photos into the note, then lock the note with a password ... then go to the Photos app and delete the images you just password-protected ... then, go to the "Recently Deleted" folder in the Photos app and delete them there too. Locked notes are stored encrypted.
• Location tracking: All the Ways Your Location Can Be Tracked on an iPhone July 24, 2020. How-To Geek. Covers Find My iPhone, Sharing Locations With People, Apps You’ve Given Location Access To, Photos With Location Data, Bluetooth Tracking Beacons and Cell Towers. Fails to mention Wi-Fi which can also be used to learn the location of an iPhone.
  June 18, 2020: On iOS 13.5.1 (tested on an iPad) it seems that that it is no longer possible to block the camera from storing location information.
  Block the camera from having access to location information: Settings -> Privacy tab -> Location Services -> Camera -> select Never. To check if a photo includes location info: swipe up while viewing the picture in the photos app. If it does have location info there will be a map. To share the photo without location info, click the share button, click Options near the top of the screen, then switch off the toggle for Location.
• To blur your home in Apple maps either send email to mapsimagecollection at apple.com with your home address and an explanation of why or, in iOS, tap the Info button (blue letter "i"i in a white circle with a blue border) in the upper-right corner, then tap on Report an Issue.
• Express Transit is an Apple Pay feature that makes it easy to pay for transit rides in a handful of cities. Maybe too easy. In Jan. 2020, some NYC subway riders were double charged. See How to Set Up Express Transit With Apple Pay.
• Beware of file conversion apps. Some 23 iOS file-conversion apps used by 3M people fail to encrypt documents by Ben Lovejoy (Feb 2020)
• Backup: Back up iPhone by Apple for both iOS 13 and 12. No date. From their iPhone User Guide.
• DEATH:  top
  You can save your loved ones grief, if you share with them your iPhone passcode and/or your iCloud credentials. Apple has a complicated system, called Digital Legacy, for allowing your survivors access to most, but not all, of your data.
  
  
  1. How to access iPhone content when someone passes away by Joseph Keller and Adam oram (June 2022). Without the passcode Apple won't (and often can't) unlock an iPhone. If you don't know your loved one's iCloud password but you do have access to their iCloud email address/userid, you could use that email to reset the password for the iCloud account.
  2. Apple Digital Legacy was introduced in iOS 15.2 and macOS Monterey 12.1. On iOS its at: Settings -> Your name -> Password & Security -> Legacy Contact. Your Legacy Contact(s) can be anyone, they do not need an Apple ID or an Apple device. There can be up to five contacts. Apple creates an "Access Key" which the surviving person needs to store, and not lose. To get your data, the survivor has to contact Apple, provide a death certificate and hope that Apple approves it. The survivor does not get iCloud Keychain, payment information, subscriptions, and licensed media. It strikes me as ridiculous to assume that this system will still be in place, unchanged, in 10, 20 or 30 years. Probably better to just share passwords.
  3. Set it up: How to add a Legacy Contact for your Apple ID from Apple. How to set up a Legacy Contact on iPhone and iPad by Adam Oram (May 2022) has many screen shots of the process.
  4. Limitations: Data that a Legacy Contact can access from Apple. Published May 2022.
  5. Using it: How to request access to a deceased family member's Apple account from Apple (April 2022)
  6. The iPhone Feature to Turn On Before You Die by Joanna Stern in WSJ (Dec 2021)
• LOCK APPS:  top
  The ability to password protect an app is not part of iOS. However, there are a number of fudges.
  
  
  1. Since iOS version 12 (introduced Sept. 2019) there was a crude hack available using Screen Time. See How to Passcode Lock an App on iPhone by Juli Clover (Feb. 2022). The best it can do is limit access to 1 minute. Also, after an app is unlocked, there is no way to re-lock it.
  2. This March 2022 article, 6 Ways to Lock an App on iPhone and iPad in 2022 by Sahil covers: Create an automation, Replace the app with a password protected shortcut, Lock apps that have an in-built feature to do so, Lock Apple apps by restricting content and Lock any app by limiting its daily screen time. I tested the option of creating a password protected shortcut on iOS 15.5. It works, but there are many steps involved. Note that passwords are case sensitive. It is not clear, to me, if a knowledgeable user can get around the shortcut.
  3. See also How to Lock Apps on iPhone and iPad by Rosa Reyes (Nov. 2019) which covers five different techniques that work with iOS 13, iOS 12, iOS 11 and earlier: Screen Time, Restrictions (aka Parental Controls), Guided Access, Touch ID / Face ID and, on jailbroken phones, third-party apps.
• LOCK DEVICES:  top
  To lock an iOS device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
  
  
  • How to Temporarily Disable Face ID or Touch ID, and Require a Passcode to Unlock Your iPhone or iPad by John Gruber (June 2022). From the article: If you use Face ID or Touch ID, what happens if someone physically forces you to unlock it biometrically? There is a hard lock state where only a passcode will unlock the device. With recent iPhones/iPads, you hard lock by pressing and holding the power button and either of the volume buttons for about two seconds. This takes you to the screen where you see a slider to power down the device. At this point, its hard locked. An iPhone can be hard locked while remaining in your pocket. Do this every time you are separated from your phone, such as at a security checkpoint.
  • A different type of locking to lend a device to someone but limit them to only run one app. See How to Safely Lend Someone Else Your Phone by David Nield for Wired (July 2022). This uses Guided Access which is off by default.
• SYSTEM-WIDE AD AND TRACKER BLOCKERS:  top
  
  
  1. The Guardian Firewall +VPN app from Sudo Security blocks trackers, phishing, malware and page hijackers. It does not claim to block block ads. The app is free to install and see what it will block if you pay for the app. You can pay by the day, month ($10), quarter or year ($100). The paid app is a real VPN. Blocking is done at the VPN server, not on the iOS device. From a trustworthy source. See About the Guardian iOS Firewall App by me (Aug 2019). Website: guardianapp.com
  2. The Lockdown app (by Confirmed, Inc) blocks both ads and trackers. It is open source and blocking is free. Blocking is done on the iOS device, nonetheless, it installs as a VPN and can not run alongside a real VPN. When it is active, you do not see a VPN indicator. In my testing I found that the app said it was on even when it was off. It has a blacklist but no white list. There is a paid upgrade to a VPN but the website (lockdownhq.com) says nothing about who created the app and for that reason I can not recommend the paid VPN. As of Feb. 2020, the list of blocked domains had not been updated for 7 months. As of Sept 2021, the list on Github had not been changed since July 2019. They seem to have another website, no idea why.
  3. Both apps log what they block, and you can see the log on the iOS device, but neither pinpoints the app being blocked. Neither logs what they they did not block. Both claim to be a firewall, but they are not, at least, not in the traditional sense. They are domain blockers. iOS does not have a firewall.
  4. Disconnect has a number of privacy oriented products. Their Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS. No ad blocking. Great feature is that you can block whatever domains you want to block. It can not be used in conjunction with a VPN.
  5. The nextdns.io app competes more with Lockdown than Guardian. I prefer it over Lockdown because it is more functional and more customizable. To begin with, it logs all DNS activity, not just blocked domains, which helps you create your own black list. It also does white listing. It can apply to one device, multiple devices or an entire LAN. Logging is both customizable and optional. The app itself can be password protected. NextDNS also does encrypted DNS with DoT and DoH. Like Lockdown, it installs as a VPN but you do see an active VPN indicator on the status bar when it is running. One drawback is that the logs are not visible in the app, you have to use the nextdns.io website to see them.
  6. In Sept. 2021, I tested v5.14 of Blokada on iOS 14.8 and it did not work at all. I ran some apps and their DNS activity did not show up in the Activity section. Forget blocking. The log showed many errors. The software is free and it blocks nothing by default (poor UI) you have enable assorted blocking lists. How do you chose among the lists? It installs as a VPN but it is not a VPN.
     In June 2022, I took another look. Blokada offers many products and the differences between and among them were very confusing. One product is free, the VPN certainly is not. Then too there is their Cloud and a Plus products, it is not clear what they are. The cloud product does have an allow list and a block list.
• Block spam texts: The almost-secret hidden iPhone switch that blocks spam text messages and notifications by David Gewirtz (Jan 2020). Settings -> Messages -> turn on "Filter Unknown Messages". The texts arrive, but you are only notified if sender is in your Contacts. Article comments note that this may not work.
• Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.
• When it comes time to dispose of an iOS device: How to factory reset your iPhone, iPad, or iPod touch from Apple. (Feb. 2022)
• Also see the Mobile Scanning and Sharing topic
• Also see the Mobile OS Spying section.
• Also see the WhatsApp section.
• Also see the Location Tracking section.
• Also see the Voice Assistant section for info on SIRI.
• Apple can read your iCould backups. To backup an iPhone securely, back it up to a Mac or Windows PC and password protect it. More.
• You can tell when a web browser is using a secure encrypted connection. Not so with mobile apps. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But, it's a scam and there is no defense.
• FYI: iOS network security has a hole and nothing can be done about it. For one thing, TCP/IP ports are closed rather than stealth (see nmap scan). iOS 13, 14, 15 and earlier versions, seem to have a backdoor. TCP port 62078 is open and can not be closed - there is no firewall in iOS. The port is not listed in TCP and UDP ports used by Apple software products. This open port has been known about at least since 2013 (here and here and here). I tested multiple VPNs (OpenVPN, Windscribe, ProtonVPN, Lockdown firewall and the Guardian firewall) and none blocked access to the port.
• FYI: Apple is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Just like Android, iOS lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.

Copyright 2019 - 2022