In the last two decades, smartphones became part of everyone's daily life, and most of us use them daily to communicate with people, read news, etc. Apple's iOS is one of the two majors operating systems for devices and is reportedly installed on about 25% of all smartphones.
Despite a recent backslash that made most privacy experts angry, Apple does have the reputation to be better in terms of data collection (Apple says that "Privacy is [...] one of our core values") than his competitor, Android. However, a recent study found out that both of them are sending data (such as GPS positions, MAC addresses of nearby devices, ...) to Apple and Google every 4.5 minutes on average.
At the end of the day, the best privacy option is to either not have a smartphone or to use something like Lineage or Graphen OS with no Google services, but most of us want/need a smartphone with most of its functionalities, so some compromises have to be made.
This article offers a list of configurations that can be changed in iOS to make your device a bit more private, and secure. These configuration options are only suggestions, and you can just handpick what fits you. In the end, you are the one that needs to decide where you want or not to trade some privacy/security for convenience.
Password & Security
- Enable Two-factor authentication
- If possible, set the Trusted Phone Number to a phone number that is not public (doesn't seem allowed to remove all the phone numbers)
- Get a verification code to allow you to recover your account in case of problems, and make sure to store it safely
- Set the "Ask to Join Networks" to "Ask", otherwise the machine will try to connect to any network without a password, which a malicious person could take advantage of
- Set "Auto-Join Hotspot" to "Never"
- For all of the memorized networks: remove the networks that you will not use again, and enable the "Private Address". For extra security, you can also disable the "Auto-Join" option, as it could for example be used by an attacker to get your WiFi password or trick you into connecting to a malicious hotspot
- Set the "Show Previews" option to either "When Unlocked" or "Never". Otherwise, an attacker could for example steal your phone, and get confidential information from your notifications (for example SMS 2FA codes)
- Enable the "Automatic Updates" option
- Make sure to always do the updates as soon as possible, as they usually include fixes for multiple vulnerabilities
- Either set to "Contacts Only" or better, to "Receiving Off"
Face ID & Passcode
- If you use Face ID, enable the "Require Attention for Face ID" option
- If you are using a numeric pin, go to "Change Passcode", and set a "Custom Alphanumeric Code"
- Disable all of the options in the "Allow Access When Locked" list
- Enable the "Erase Data" option. Be careful: if you enter a wrong password ten times, the device's data will be erased
Other General Advice
- Make sure to update the installed applications as soon as possible
- Do not jailbreak your device
- Check that you don't have unknown profiles in General -> VPN & Device Management
Payment & Shipping
Unless you are ordering physical things and/or need proper invoicing, you can put false addresses and names. Beware that
- Some payment providers will compare the information they have on you, and disallow linking if it doesn't match (often, having a correct ZIP code is enough).
- Putting a false phone number comes with the risk that something private is sent to someone random in the future.
From a privacy point of view, the best (if possible), would be to avoid linking a credit card and rather link pre-paid debit cards or buy Apple Credit.
- Remove all the synchronized items. Beware that you will lose data if you lose your device and don't make regular backups manually
Disabling the various options in this menu might improve your privacy by potentially sending fewer data to Apple, but it comes with some downsides. From a security point of view, this option is nice because it allows to:
- Find the device current or last known location (obviously)
- Send a message to the device if it is lost
- Wipe the device remotely
- Turn it off when not using
I could write a whole article about this subject. Using a VPN on your phone is good because it allows the various applications you are using to collect less data about you, and some VPNs Apps have custom DNS servers that allow blocking ads and tracking.
However, using an always-on VPN will drain your battery, and you need to make sure that you trust your VPN provider.
Alternatively to a standard VPN, Lockdown is a great option that allows you to act as a firewall and block many tracking domains.
- Set "Screen Sharing" as "Notifications Off"
- Disable the "Siri Suggestions"
- Disable "Share Across Devices"
- Either disable completely or disable the "Share Across Devices" option
- This would be set as "Name's iPhone" by default. Rename it to something else. "False name's iPhone" is great as it doesn't make it stand out.
AirPlay & Handoff
- Set "Automatically AirPlay on TVs" to "Never"
- Disable "Transfer to HomePod"
- Disable "Handoff"
Background App Refresh
- If you want to make sure applications are not doing anything when they are not used, you can disable this option for them
- Disable the "Enable Dictation" option
Language and Region
- Set your preferred language and region to match the place where you are living
Siri & Search
- Disable "Listen for 'Hey Siri'"
- Disable "Press Side Button for Siri "
- Disable all of the "Content from Apple" and "Suggestions from Apple"
- If you do not need GPS, you can disable the location totally. Otherwise, you can set the permissions individually and enable/disable the location totally depending on when you need it
- We discussed the "Share My Location" thing in a previous part of this article
- Make sure that applications that don't need to have access to your GPS have the permission set to "Never"
- If you want to allow applications the permission to see your location, consider disabling the "Precise Location" option. For example, a weather forecast map doesn't need to have your accurate location (with the better option being to disallow any location and to enter the place you want to get the weather for manually)
- If you are not sure about wanting to allow an application to access your location, set the permission to "Ask Next Time Or When I Share"
- Disable "Allow Apps to Request to Track"
Applications and Others
- Review all the permissions (Contacts, Calendar, ...), and remove all the unnecessary ones (i.e., the ones you are not using. For example, Twitter doesn't need to see your contacts or your calendar).
- Disable "Research Sensor & Usage Data"
- Disable "Analytics & Improvements"
- Disable Personalized Ads" in "Apple Advertising"
- Note that Apple introduced an option to "Record App Activity" in iOS 15. You might want to enable it for a couple of days to see what your applications are doing
- Disable "In-App Ratings & Reviews". There is little interest to leave reviews to applications, and it is bad from a privacy point of view
- In "Account Settings" -> "Personalized Recommendations", use the "Clear App Usage Data" to remove unnecessary data
- In "Account Settings" disable "Personalized Recommendations"
Wallet & Apple Pay
- In "Transaction Defaults", remove the "Email" and "Phone", and put a false address (be careful if you intend to order physical devices later)
- I recommend not using Apple's password manager. I'm not saying that it is secure/private or not, but using it will trap you a bit more in Apple's ecosystem. Using it is still better than using the same password everywhere from a security point of view
- Disable the "Detect Compromised Passwords" option in the "Security Recommendations"
Mail - Privacy Protection
- Enable "Block All Remote Content"
- Disable "Protect Mail Activity" and "Hide IP Address". It looks like this is using Apple's VPN to avoid tracking pixels, but if we already use a VPN and blocked all remote content (which include tracking pixels), then there is little point
- If you don't need the people you call to see your phone number, you might avoid having it broadcasted in the "Show My Caller ID" menu
- Unless you use iMessage (which I don't recommend), disable the option
- Unless you use FaceTime (which I don't recommend), turn it off
- You might want to consider using Firefox Focus as a Default Browser App
- Set the Search Engine to DuckDuckGo
- Disable the Search Engine Suggestions
- Disable the "Quick Website Search"
- Disable the "Safari Suggestions"
- Disable the "Preload Top Hit" option
- Disable all the options in the "AutoFill" section
- If you have Firefox Focus installed, allow it as a "Content Blocker" in the "Extensions"
- Set the "Downloads" dir to be "On My iPhone"
- If you use a VPN (or don't and don't want Apple to see anything), set "Hide IP Address" to "Off" in the "Privacy and Security" Menu
- In "Privacy and Security", disable the "Check for Apple Pay" menu and "Privacy Preserving Ad Measurement"
- Not the best from a security point of view, but if you want more privacy you can disable the "Fraudulent Website Warning" in "Privacy and Security"
- In the "Settings for Websites", set the "Camera", "Microphone" and "Location" to "Ask" or "Deny"
- Enable the "On-Device Mode" option
- Disable the "Share ETA" option
- Disable all the options in "Climate"
- Disable all the options in "Contribute To Maps"
- Disable "Follow up by Email"
- Disable iCloud Sync
- Disable Private Sharing
- The "Health Details" and "Medical ID" could be useful in the case where you have a health emergency and are unconscious. You should balance the good and bad points and decide which option is right for you before filling in things. Note that everyone which has access to your phone (even locked) will be able to see this information
- Disable "iCloud Photos"
- Disable "My Photo Stream"
- Disable "Shared Albums"
- Note that disabling these will mean that your pictures are not automatically saved anymore
- Disable "Scan QR Codes"
- Sign out if you are signed in
- Make sure to always properly set the permissions for new applications
- The more apps you add, the more you are tracked. Consider not installing apps that are not strictly necessary, or accessing services through the browser
Credits and Extra Reading
- NIST: Apple OS/iPad OS 14 STIG Ver 1, Rel 2 Checklist Details
- Douglas J.Leith: Mobile Handset Privacy: Measuring The Data iOS
and Android Send to Apple And Google