Ultimate guide to iPhone security

Your iPhone is a powerful computer that is likely a (if not the) primary way you access the internet. As such, it is vital to ensure your iPhone is secure, and that your privacy is protected. Fortunately, there are some easy steps you can take to “harden” your security settings and improve your privacy when using your iPhone. 

Apple argues that its tight control over its “walled garden”(new window) ecosystem means that iPhones are inherently more secure than their Android competitors. 

This is because Android is a more open platform that allows its users to sideload apps or install them from alternative stores. It also suffers from a very fragmented ecosystem used across a huge number of devices from different manufacturers, some of which are much better at pushing security updates than others.

However, even the Apple app Store is not always as safe as Apple claims(new window), and Apple can hardly claim a monopoly on doing security properly. The truth is that no smartphone can ever be considered 100% secure, and despite Apple’s many claims, iPhones continue to suffer from privacy issues (not least from tracking by Apple itself).

In this guide, we take an in-depth look at how to improve both privacy and security on your iPhone. It specifically deals with iPhones running iOS 16.2, but most of the advice is fully applicable to all recent versions of iOS. 

Lock down your iPhone security settings

Enable two-factor authentication

One factor authentication requires something you know (your login details). Two factor authentication (2FA)(new window) requires something you have (in this case, your iPhone). 

Two-factor authentication provides a valuable extra layer of protection for your Apple account, requiring you to enter a verification code that is sent to your phone via SMS whenever you login. So unless someone has access to both your login details and physical access to your phone, they won’t be able to access your Apple account. 

To set up 2FA on your iPhone, go to Settings → [Your name] → Password & SecurityTwo-factor authentication and follow the prompts. 

2FA

Disable tracking

By default, iOS blocks apps from tracking your activity across other companies’ apps and websites. It is possible to opt-in to tracking of this kind however, so it’s a good idea to ensure tracking is disabled. 

To do this, go to SettingsPrivacy & SecurityTracking, and ensure the Allow Apps to Request to Track switch is toggled off.

Tracking

Review location services

Apps on iOS must ask your permission to use GPS, Bluetooth and other means to determine your physical location. For maximum privacy, you should disable location services entirely, as this form of tracking is highly invasive to your privacy.

However, for many of you, this will be is impractical, as some very useful apps require knowing where you are (for example, Maps)

You should at least regularly review which apps can access your location and under what circumstances (While using is usually sufficient permissions for most apps that you do want to access your location).

To review apps that can access iOS location services, go to SettingsLocation Services.

Location

Set up a strong passcode

A four-digit numerical passcode is simply not strong enough. On newer iPhones running iOS 15+, the default password is six digits long. This increases the number of possible combinations from 10,000 to one million, but even this can be improved.

In iOS 11+ you can set up a custom numeric passcode that uses as many digits as you like. For example, using an eight-digit numerical password boosts the number of possible combinations to 100 million.  

For even greater iPhone security, you should use an alphanumeric password consisting of either a mix of letters, capitals, numbers, and symbols, or a longer (but easier to remember) passphrase (a sentence consisting of a number of words separated by spaces). 

To change your passcode, go to Settings Touch ID/Face ID & PasscodeChange PasscodePasscode Options.

Change passcode

Disable biometric ID

Touch ID and Face ID are very convenient ways to unlock your phone and authenticate transactions and other sensitive stuff on your iPhone. 

In the United States, you can’t be forced to unlock your iPhone using a passcode because doing so violates your Fifth Amendment rights. However, whether biometric authentication is covered by the Fifth amendment is a hotly contested issue(new window), with some courts ruling that it is, but others that it isn’t.

Until the Supreme Court makes a definitive decision on the issue, the safest option in the US is to disable Touch ID and Face ID and rely on a strong passcode instead. 

Most other countries don’t have an equivalent to Fifth Amendment rights, so disabling your biometric authentication is less important outside the US. But you should check the laws where you live. 

To disable Touch ID or Face ID, go to SettingsTouch ID/Face ID & Passcode → and toggle the iPhone Unlock switch off.

Biometrics

Remove access when locked

Your lock screen can show a great deal of personal information, which can be accessed by anyone with physical access to your phone. You should therefore restrict what can be shown on your lock screen.

To do this, go to SettingsTouch ID/Face ID & Passcode, scroll down to the Allow access when locked section, and disable any apps that might show personal information on your lock screen.

Remove app access when locked

Remove widgets that show sensitive information

iPhone widgets are a great way to access information on your iPhone, but they can be accessed from your lock screen by anyone with physical access to your phone. You should therefore remove widgets that show personal or sensitive information.

To do this:

1. Open your iPhone, swipe right from the home screen → Edit.

Remove widgets that show sensitive information

2. Tap the button for each widget you wish to remove. 

Select which apps you want to remove

Disable notification previews

By default, when a notification appears on your lock screen, anyone with physical access to your iPhone will see a preview of the notification content. Which could contain highly sensitive information. 

To disable notification previews, go to SettingsNotificationsShow previews and change to either Never or When Unlocked

Disable notification previews

Reign in Siri

Siri is undoubtedly very useful, but while the actual analysis and processing of your device usage, which forms the basis of Siri’s personalized suggestions, is done on-device, a lot of information is still shared with Apple(new window)

The most privacy-friendly option is to disable Siri on your iPhone altogether, but you can improve your privacy while still using Siri by restricting the apps it monitors to generate its personalized search suggestions.

To disable Siri, go to SettingsSiri & Search and toggle the Listen for “Hey Siri” and Press Home/Side Button for Siri switches off.

Disable Siri or control what it can access

Alternatively, scroll down the Siri & Search page to find a list of apps that Siri collects data from and disable ones you don’t think Siri needs access to.. 

Use Proton VPN

Using a VPN on your iPhone is invaluable for protecting your privacy and security. A VPN:

  • Prevents your internet service provider from seeing your activity online (which also prevents most forms of government mass surveillance)
  • Prevents websites you visit from knowing your real IP address
  • Defeats many forms of online censorship
  • Protects you from WiFi hackers when using insecure public hotspots
  • Prevents public WiFi hosts from selling your browsing habits to advertisers
  • Allows you watch your favorite movies, shows, and sports events when traveling away from home
How a VPN works on your iPhone

Learn more about why you need a VPN on your iPhone

You should be aware, however, about the VPN bypass vulnerability, where iOS does not correctly close open connections when you connect to a VPN server. We are still waiting for Apple to fix the problem, but it can be mitigated by turning Airplane Mode(new window) on and off again after you have connected to a VPN server. 

Proton VPN is an audited no-logs VPN service based in privacy-friendly Switzerland.

Use privacy-friendly alternatives to Apple apps

With the launch of iOS 16.2, Apple announced support for end-to-end encryption(new window) (E2EE) for most of its iPhone apps (with the notable exception of Mail, Contacts, and Calendar because of the “need to interoperate with the global email, contacts, and calendar systems”). 

Learn why end-to-end-encryption is important(new window)

This is welcome news, but even where E2EE is used to secure the contents of your data, you should be aware that Apple collects a great deal of metadata (the how, where, when, and who) through its apps(new window)

At the time of publication, Advanced Data Protection is available in the US “and will start rolling out to the rest of the world in early 2023”. Even where available, Apple may not allow you to immediately enable Advanced Data Protection on newly registered iPhones(new window) because  “this wait time helps to protect your account and data”. 

If you can, you absolutely should enable it by going to Settings → [Your name] →iCloudAdvanced Data ProtectionTurn On Advanced Data Protection.

However, a better option is to use third party apps that genuinely respect your privacy in a way that Apple promises to, but often fails to live up to its marketing.

Get Proton VPN!

Proton Mail

Proton Mail(new window) is a secure email service based in privacy-friendly Switzerland. All emails sent between Proton Mail users are automatically E2EE encrypted and you can send E2EE emails to non-Proton users using our password protection feature or the OpenPGP encryption standard. 

Even if you don’t use E2EE for external users, all emails are stored on our servers using zero-access encryption. They are encrypted using your public key and can only be decrypted using your private key, so no-one else but you can access them (including us). 

Learn how encrypted email works(new window)

As with Proton VPN, Proton Mail is 100% free, with advanced features available if you upgrade to a Proton Mail Plus plan. 

Proton Mail will never use your metadata for advertising purposes, and unlike with Apple Contacts, all contacts in Proton Mail are fully end-to-end encrypted. 

Instant messaging

With Advanced Data Protection, Messages stored in iCloud are set to become E2EE, but Apple still uses metadata from its Messenger app for advertising purposes. Fortunately, there are some great open source messaging apps for iOS that genuinely respect your privacy(new window) out there.

Password Manager

Again, there are some great open source and privacy-focused alternatives to iCloud Passwords and Keychain(new window)

Once you’ve installed a third-party password manager app on your iPhone, you can set iOS to use it as the default password manager for auto-filling login details. To do this, go to SettingsPasswordsPassword Options and select your new password manager from the list.

Change your default password manager

To ensure iOS doesn’t store autofilled passwords to iCloud anyway, go to Settings → [Your name] →iCloudPassword and Keychain and toggle the Sync this iPhone switch off.

Disable Sync this iPhone

Proton Drive

Proton Drive(new window) makes an excellent privacy-first alternative to iCloud. Files uploaded using the audited open source Proton Drive app for iOS(new window) are end-to-end encrypted and can be easily shared with a simple URL. 

Proton Drive for iOS

Proton Calendar

Again Proton offers a privacy-friendly alternative to the iCalendar app. Proton Calendar(new window) for iOS keeps your sensitive information end-to-end encrypted, so only you can access it. 

Manage your schedule across devices and apps, manage invitations without leaving your Proton Mail inbox, and quickly add events received by email, such as flights, meetings, or concerts.

Proton Calendar(new window) is available for free to everyone with a Proton VPN, Proton Mail, or Proton Drive account (including free ones). 

Final thoughts

iPhones are more secure than Android phones, but there are many things you can do to tighten up the security settings on yours. 

You should also always keep in mind that Apple’s expansive privacy claims are often more to do with canny marketing than any real concern for your privacy. Fortunately, you are under no obligation to stick to Apple’s apps on your iPhone. 

Related articles

How to fix a 502 error
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
  • Privacy basics
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .