Your iPhone is a powerful computer that is likely a (if not the) primary way you access the internet. As such, it is vital to ensure your iPhone is secure, and that your privacy is protected. Fortunately, there are some easy steps you can take to “harden” your security settings and improve your privacy when using your iPhone.
- Enable two-factor authentication
- Disable tracking
- Review location services
- Set up a strong passcode
- Disable biometric ID
- Remove access when locked
- Remove widgets that show sensitive information
- Disable notification preview
- Reign in Siri
- Use Proton VPN
- Use privacy-friendly alternatives to Apple apps
Apple argues that its tight control over its “walled garden” ecosystem means that iPhones are inherently more secure than their Android competitors.
This is because Android is a more open platform that allows its users to sideload apps or install them from alternative stores. It also suffers from a very fragmented ecosystem used across a huge number of devices from different manufacturers, some of which are much better at pushing security updates than others.
However, even the Apple app Store is not always as safe as Apple claims, and Apple can hardly claim a monopoly on doing security properly. The truth is that no smartphone can ever be considered 100% secure, and despite Apple’s many claims, iPhones continue to suffer from privacy issues (not least from tracking by Apple itself).
In this guide, we take an in-depth look at how to improve both privacy and security on your iPhone. It specifically deals with iPhones running iOS 16.2, but most of the advice is fully applicable to all recent versions of iOS.
Lock down your iPhone security settings
Enable two-factor authentication
One factor authentication requires something you know (your login details). Two factor authentication (2FA) requires something you have (in this case, your iPhone).
Two-factor authentication provides a valuable extra layer of protection for your Apple account, requiring you to enter a verification code that is sent to your phone via SMS whenever you login. So unless someone has access to both your login details and physical access to your phone, they won’t be able to access your Apple account.
To set up 2FA on your iPhone, go to Settings → [Your name] → Password & Security → Two-factor authentication and follow the prompts.
By default, iOS blocks apps from tracking your activity across other companies’ apps and websites. It is possible to opt-in to tracking of this kind however, so it’s a good idea to ensure tracking is disabled.
To do this, go to Settings → Privacy & Security → Tracking, and ensure the Allow Apps to Request to Track switch is toggled off.
Review location services
Apps on iOS must ask your permission to use GPS, Bluetooth and other means to determine your physical location. For maximum privacy, you should disable location services entirely, as this form of tracking is highly invasive to your privacy.
However, for many of you, this will be is impractical, as some very useful apps require knowing where you are (for example, Maps)
You should at least regularly review which apps can access your location and under what circumstances (While using is usually sufficient permissions for most apps that you do want to access your location).
To review apps that can access iOS location services, go to Settings → Location Services.
Set up a strong passcode
A four-digit numerical passcode is simply not strong enough. On newer iPhones running iOS 15+, the default password is six digits long. This increases the number of possible combinations from 10,000 to one million, but even this can be improved.
In iOS 11+ you can set up a custom numeric passcode that uses as many digits as you like. For example, using an eight-digit numerical password boosts the number of possible combinations to 100 million.
For even greater iPhone security, you should use an alphanumeric password consisting of either a mix of letters, capitals, numbers, and symbols, or a longer (but easier to remember) passphrase (a sentence consisting of a number of words separated by spaces).
To change your passcode, go to Settings → Touch ID/Face ID & Passcode → Change Passcode → Passcode Options.
Disable biometric ID
Touch ID and Face ID are very convenient ways to unlock your phone and authenticate transactions and other sensitive stuff on your iPhone.
In the United States, you can’t be forced to unlock your iPhone using a passcode because doing so violates your Fifth Amendment rights. However, whether biometric authentication is covered by the Fifth amendment is a hotly contested issue, with some courts ruling that it is, but others that it isn’t.
Until the Supreme Court makes a definitive decision on the issue, the safest option in the US is to disable Touch ID and Face ID and rely on a strong passcode instead.
Most other countries don’t have an equivalent to Fifth Amendment rights, so disabling your biometric authentication is less important outside the US. But you should check the laws where you live.
To disable Touch ID or Face ID, go to Settings → Touch ID/Face ID & Passcode → and toggle the iPhone Unlock switch off.
Remove access when locked
Your lock screen can show a great deal of personal information, which can be accessed by anyone with physical access to your phone. You should therefore restrict what can be shown on your lock screen.
To do this, go to Settings → Touch ID/Face ID & Passcode, scroll down to the Allow access when locked section, and disable any apps that might show personal information on your lock screen.
Remove widgets that show sensitive information
iPhone widgets are a great way to access information on your iPhone, but they can be accessed from your lock screen by anyone with physical access to your phone. You should therefore remove widgets that show personal or sensitive information.
To do this:
1. Open your iPhone, swipe right from the home screen → Edit.
2. Tap the – button for each widget you wish to remove.
Disable notification previews
By default, when a notification appears on your lock screen, anyone with physical access to your iPhone will see a preview of the notification content. Which could contain highly sensitive information.
To disable notification previews, go to Settings → Notifications → Show previews and change to either Never or When Unlocked.
Reign in Siri
Siri is undoubtedly very useful, but while the actual analysis and processing of your device usage, which forms the basis of Siri’s personalized suggestions, is done on-device, a lot of information is still shared with Apple.
The most privacy-friendly option is to disable Siri on your iPhone altogether, but you can improve your privacy while still using Siri by restricting the apps it monitors to generate its personalized search suggestions.
To disable Siri, go to Settings → Siri & Search and toggle the Listen for “Hey Siri” and Press Home/Side Button for Siri switches off.
Alternatively, scroll down the Siri & Search page to find a list of apps that Siri collects data from and disable ones you don’t think Siri needs access to..
Use Proton VPN
Using a VPN on your iPhone is invaluable for protecting your privacy and security. A VPN:
- Prevents your internet service provider from seeing your activity online (which also prevents most forms of government mass surveillance)
- Prevents websites you visit from knowing your real IP address
- Defeats many forms of online censorship
- Protects you from WiFi hackers when using insecure public hotspots
- Prevents public WiFi hosts from selling your browsing habits to advertisers
- Allows you watch your favorite movies, shows, and sports events when traveling away from home
You should be aware, however, about the VPN bypass vulnerability, where iOS does not correctly close open connections when you connect to a VPN server. We are still waiting for Apple to fix the problem, but it can be mitigated by turning Airplane Mode on and off again after you have connected to a VPN server.
Proton VPN is an audited no-logs VPN service based in privacy-friendly Switzerland.
Use privacy-friendly alternatives to Apple apps
With the launch of iOS 16.2, Apple announced support for end-to-end encryption (E2EE) for most of its iPhone apps (with the notable exception of Mail, Contacts, and Calendar because of the “need to interoperate with the global email, contacts, and calendar systems”).
This is welcome news, but even where E2EE is used to secure the contents of your data, you should be aware that Apple collects a great deal of metadata (the how, where, when, and who) through its apps.
At the time of publication, Advanced Data Protection is available in the US “and will start rolling out to the rest of the world in early 2023”. Even where available, Apple may not allow you to immediately enable Advanced Data Protection on newly registered iPhones because “this wait time helps to protect your account and data”.
If you can, you absolutely should enable it by going to Settings → [Your name] →iCloud → Advanced Data Protection → Turn On Advanced Data Protection.
However, a better option is to use third party apps that genuinely respect your privacy in a way that Apple promises to, but often fails to live up to its marketing.
Proton Mail is a secure email service based in privacy-friendly Switzerland. All emails sent between Proton Mail users are automatically E2EE encrypted and you can send E2EE emails to non-Proton users using our password protection feature or the OpenPGP encryption standard.
Even if you don’t use E2EE for external users, all emails are stored on our servers using zero-access encryption. They are encrypted using your public key and can only be decrypted using your private key, so no-one else but you can access them (including us).
As with Proton VPN, Proton Mail is 100% free, with advanced features available if you upgrade to a Proton Mail Plus plan.
Proton Mail will never use your metadata for advertising purposes, and unlike with Apple Contacts, all contacts in Proton Mail are fully end-to-end encrypted.
With Advanced Data Protection, Messages stored in iCloud are set to become E2EE, but Apple still uses metadata from its Messenger app for advertising purposes. Fortunately, there are some great open source messaging apps for iOS that genuinely respect your privacy out there.
Again, there are some great open source and privacy-focused alternatives to iCloud Passwords and Keychain.
Once you’ve installed a third-party password manager app on your iPhone, you can set iOS to use it as the default password manager for auto-filling login details. To do this, go to Settings → Passwords → Password Options and select your new password manager from the list.
To ensure iOS doesn’t store autofilled passwords to iCloud anyway, go to Settings → [Your name] →iCloud → Password and Keychain and toggle the Sync this iPhone switch off.
Proton Drive makes an excellent privacy-first alternative to iCloud. Files uploaded using the audited open source Proton Drive app for iOS are end-to-end encrypted and can be easily shared with a simple URL.
Again Proton offers a privacy-friendly alternative to the iCalendar app. Proton Calendar for iOS keeps your sensitive information end-to-end encrypted, so only you can access it.
Manage your schedule across devices and apps, manage invitations without leaving your Proton Mail inbox, and quickly add events received by email, such as flights, meetings, or concerts.
Proton Calendar is available for free to everyone with a Proton VPN, Proton Mail, or Proton Drive account (including free ones).
iPhones are more secure than Android phones, but there are many things you can do to tighten up the security settings on yours.
You should also always keep in mind that Apple’s expansive privacy claims are often more to do with canny marketing than any real concern for your privacy. Fortunately, you are under no obligation to stick to Apple’s apps on your iPhone.