Security is at perpetual war with convenience. The faster and easier it is for us to get to our stuff, the faster and easier it is for someone else to try to break in. Make it tougher for them, though, and it can get tougher for us as well. One of the biggest advantages the iPhone and iPad give us is a better balance of the two. Touch ID and Face ID let us have strong passwords but also biometric access. iCloud Keychain lets us have unique passwords but not have to remember them all. Two-step authentication protects our accounts but in a way that's still simple to use. That said, the iPhone and iPad also have options that help us be even more private and secure. Here's how to use them!
1. Be strong
If you have a recent iPhone or iPad, you have one of Apple's personal identity sensors—Touch ID or Face ID. It lets you use biometrics to authenticate so you can unlock your device and use Apple Pay, and authorize purchases for iTunes, the App Store, and other apps. Because of this added convenience, you now have the option of creating a six-digit password, rather than using just four digits.
Take advantage of it—if you're not using six digits yet, go to Settings > [Touch ID or Face ID] & Passcode, and change your passcode. You'll be able to enter a new six-digit code. Even better, because you no longer have to enter your passcode as often, switch to a stronger, longer, more complex password lock instead. Sure, once in a while it'll be a pain to enter it, but that's offset by how infrequently you have to do it—only when you reboot, fail Touch ID or Face ID multiple times, or don't use your phone for 48 hours. (If you're really concerned about security, and are willing to give up on convenience for it, turn Touch ID or Face ID off and force a strong, complex password for entry.)
Even if your device doesn't have Touch ID or Face ID, you should absolutely still use a passcode lock. Not only does it protect your iPhone or iPad from casual snooping—or from people tweeting "poopin" the minute you leave it unattended—it prevents thieves from getting your data, and makes wiping it just as secure.
2. Be private
What good is having biometric ID and a 6-digit passcode or strong password if the lock screen gives all your personal data and access away?
- Control Center lets you turn on the flashlight without unlocking, but also lets a thief turn on Airplane Mode to prevent tracking.
- Notification Center lets you glance at your messages and updates, but also lets a snooper do the same.
- Siri lets you ask questions and give commands, but also lets anyone else pull up some of your information.
Touch ID and Face ID are so convenient that it only takes a second or two to unlock anyway. So, if you're the least bit concerned about privacy and security, disable Notification Center, Control Center, and even Siri from your lock screen. If you want to go halfway, disable Control Center and turn off previews for your messages. That way no one can disable your device or read your messages (though they can still see who messaged you).
3. Be safe
Security works best with defensive depth, and defensive depth means having as many layers to your security as possible. A passcode is something you know. Touch ID and Face ID—your fingerprint and your face—are things you have. Sadly, since Apple doesn't allow you to use both passcode and biometric identification for added security, that alone doesn't add any depth. It simply adds convenience. Enter 2-step verification.
With 2-step you need to enter both a password and a token—something you know and something you have. The token is supplied to your iPhone, iPad, Apple Watch or another device over SMS or over an app like Google Authenticator, Authy, 1Password, etc. That way, if someone gets your password but doesn't have the device and the current token—which changes continuously—they still can't get in.
Not all services offer it and many do it differently but for anything that contains personal information, including your email, messages, online storage, etc., you should absolutely enable it.
Note: Apple is in the midst of transitioning from an old to the new 2-factor system but everyone should still have access to one of the two.
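How an authenticator app's continuously changing token can be derived and checked, as an added example that is not part of the original article. It assumes the app follows the standard time-based one-time password scheme (RFC 6238) with 30-second steps; the secret is the RFC's published test key, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: the usual authenticator-app time step
DIGITS = 6         # assumption: six-digit codes

# Test key published in RFC 6238; a real secret is random and per-account.
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret, unix_time, digits=DIGITS, step=STEP_SECONDS):
    """Derive the code for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, window=1, last_used_counter=None):
    """Server-side check. Returns the matched time-step counter, or None.

    window tolerates clock drift of +/- that many steps. last_used_counter
    is the step of the last accepted code; anything at or before it is
    refused, so an observed code cannot be replayed within its lifetime.
    """
    current = unix_time // STEP_SECONDS
    matched = None
    for counter in range(current - window, current + window + 1):
        expected = totp(secret, counter * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = counter
    if matched is None:
        return None
    if last_used_counter is not None and matched <= last_used_counter:
        return None
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("accepted 20 s later:", verify(RFC_TEST_SECRET, code, 79))
    print("accepted 90 s later:", verify(RFC_TEST_SECRET, code, 149))
    print("replayed after use:", verify(RFC_TEST_SECRET, code, 60, last_used_counter=1))
```

A stolen password alone fails this check, and a code that was seen once stops working as soon as it falls outside the drift window or has already been used.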
- How to set up two-factor authentication for iCloud
- How to set up two-factor authentication for Google
- How to set up two-factor authentication for Dropbox
- How to set up two-factor authentication for Facebook
- How to set up two-factor authentication for Twitter
- How to set up two-factor authentication for Tumblr
- How to make two-factor authentication easy with Authy
4. Be clean
What you look at on your devices is your business. If you don't want it being anyone else's business, though, you should make sure cookies, web history, and other information about your browsing doesn't get recorded and tracked across the internet. Safari pioneered private browsing, but almost every browser offers it now. They also offer ways to delete information that's already been logged. For iPhone and iPad, simply go to Settings > Safari. For Google, regardless of device, go to activity controls.
If you're at a coffee shop, hotel, or some other public place where you can't trust the network, you may want to consider tunneling your activities through a VPN as well.
5. Be tough
Just because an app wants your location it doesn't mean you want that app to have it. Not only is your location among the most private information you have, monitoring your location is a drain on your iPhone's or iPad's battery and processor. So, make sure you go through your Settings > Privacy > Location and turn off anything you don't use regularly or need urgently. You can always turn it back on when and if you need it again.
Likewise, if you've given other apps access to your Twitter (make sure you use Share > Request Desktop Site on iOS), Facebook, or other accounts, periodically go through and review that access as well.
6. Be smart
Security is at constant war with convenience. Fortunately, in order to tip the scales slightly more towards convenience, there are password managers. They store all your strong, unique passwords and grant you access with either a single master password or your fingerprint or face via Touch ID or Face ID. Thanks to action extensions, you can even use them to fill passwords right into Safari and other apps.
iCloud Keychain comes built right in, but if you want to be even more secure, you can use 1Password, LastPass, DataVault or another dedicated password manager that offers additional features like security audits, alerts, teams, token support, and more.
Your top tips?
Those are our top tips for taking your iPhone, iPod touch, and iPad security to the next level! If you've got any other tips, or alternate ways to keep stuff safe on iOS, let us know!
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
After reading your suggestions, I thought it makes perfect sense to disable Control Center access on lock screen. Why allow a thief to switch your locked iPhone to Airplane Mode and prevent tracking? Especially with Touch ID devices, it only takes a fraction of a second longer to access Control Center AFTER you unlock your device. But then I thought a thief can very easily switch off a locked iPhone thus rendering it undiscoverable in Find my iPhone! So in reality, disabling Control Center access on lock screen does not provide any real security benefits in this regard. I think it would make more sense from a security point of view if iOS prevented unauthorized users from switching off a locked device (first unlock, then switch off).
Truthfully, there's not much you can do to stop a thief. Actually this article just helped a few of them who didn't know putting the phone in airplane mode would stop tracking smh.
Depending on the thief's goal, there are ways to make yourself a less desirable target.
I would think most thefts occur without the thief watching for password type or notification shade availability. They see the phone and steal it and deal with the particulars afterwards.
Yes, it's true. But the thief eventually has to turn it back on again, or else why steal it? Yes, they can go to a dead zone, or put it in a faraday cage, but let's be honest; not all thieves are going to think of that and not all thieves are going to turn it off. There is no tip that is 100% foolproof, so I wouldn't diminish this tip so easily.
Power cycling an iPhone puts it into a much higher security state—for instance it disables Touch ID. Depending on why someone wants your device, it can make a difference. I agree securing power-off would be ideal, but there will likely always be some way around it necessitated by troubleshooting (i.e., a way to restart when the interface freezes or when the OS becomes corrupt).
I have an 8-digit code on my phone! Try figuring that one out. If you think the police is going to grab your phone. Power it down. While the court can make you use your fingerprint to log in, (Because they can take your fingerprint) they can't force you to give up a password. TouchID doesn't work when you first turn it back on. A locked iPhone is almost worthless. You can only get a tiny fraction of money for it that an Unlocked one would get you. Really what can they do with it? Remove the screen and sell someone a used iPhone screen? Very little money in that. The rest of the phone is worthless locked up. Powered up/down, doesn't make a difference. TouchID is effortless that any and all iPhone users these days should lock their phone down. It would make everyone safer. Right now it's a gamble. Maybe it's locked, maybe it isn't!!! Even if they take the phone from you while it's unlocked, it's really still for the most part worthless as trying to go into the TouchID Password setting will require you entering the Password!!! Apple Pay won't work as that requires TouchID. I guess maybe they could buy an App in the App store if that's unlocked. If the screen saver is on and turns off after no use for a short period, it'll power off and to turn it back on would need TouchID or the code. Again, as long as it's Locked, that helps everyone with an iPhone to not make them a target when a criminal sees someone walking by with an iPhone!!! The crime is not worth it because a locked phone is almost worthless. There's been a few hacks in the past to get around the lock screen. So turning this stuff off on the lock screen is a good idea. Do you use any of it anyway?
There is. It's called, HARD RESET. You can reset an iPhone even if it's locked. It will make the iPhone delete all that was left thus leaving a bare bones iPhone that is according to you is worth more than an "Unlocked" iPhone. If the thief wants to steal Information, it's quite impossible. Like that one time the FBI/CIA wanted to open a terrorist's iPhone for information but Apple won't help them.
Except, they (FBI) did crack the phone. Look it up.
I completely agree, this happened to me on my trip to Spain last summer. I had control centre off on lockscreen and a 20 character alphanumeric password but all of it was in vain because the thief just turned off the phone as soon as he stole it.
Apple should really not allow devices with passcodes/touchid enabled to be turned off without the authorisation.
Not being able to turn it off without a Code or TouchID, maybe that's an idea. Still they took your phone and it's pretty much WORTHLESS!!! In time as more iPhone users wise up and LOCK THEIR PHONES because with TouchID there's no excuse not to do it, people won't bother to steal them. It wouldn't be worth it. What can a person do after taking a locked iPhone from someone? There's no way to Unlock it. You can't plug it into a computer and wipe it and all is good. Doesn't work! They're not going to get much for a used iPhone screen. What other parts can you really take from it and sell? Anything else is worth even less. What needs to happen is everyone LOCK THEIR IPHONES!! When they're all locked, they no longer become a target. It's a worthless device. There is no excuse to not locking an iPhone!!! Someone that steals your iPhone and turns it off is a criminal, and maybe it's a good thing you don't track them down!!! People would do it and get hurt. If you leave your iPhone someplace and a person finds it, more than likely they won't just turn it off, but would somehow get it to you. You calling your phone and asking for a meeting place. I did this with a dumb phone. My dumb phone slipped off in the parking lot, I got home, saw I didn't have it and called my phone and they answered and I went back and picked it up from them. Find My Phone, works about the same way. Even then you need access to something to get on the Internet and use find my phone to find your phone!!! Call your phone, and if it's just someone that found your phone, that would be faster and simpler anyway. That person is not just going to turn the iPhone off. The Criminal would.
"If you're really concerned about security, and are willing to give up on convenience for it, turn Touch ID off and force a strong, complex password for entry." How does turning TouchID *off* increase my security? If anything, TouchID feels MORE secure than other means of unlocking since it requires my fingerprint and is stored in a secure enclave. More generally, I think people should realistically evaluate how much security they really need or want. For example, yes, you can turn off Siri from the lockscreen, but then you can't use "hey Siri" to wake her and ask her to do something. That's a feature I use in my car a fair bit to do things like send a quick text to someone I'm meeting that traffic's gone to **** or to ask for the nearest coffee shop, etc. Sure, it's theoretically a security hole, but is it really worth giving that up to be slightly more secure? After all, someone can only use the lock screen notifications if they have physical access to your phone. In that case, I'd argue that being careful to never leave the phone unattended is the true security measure. Don't get me wrong - this is a good, useful overview. But like turning off everything to maximize battery, someone can easily end up abandoning many of the features that make a modern iOS device fun and useful. Balance is key and that starts with a realistic evaluation of your personal security risks.
I'm by no means advocating security and privacy above all else, simply informing people of their options so they can make better informed choices for themselves. Touch ID is a convenience. A strong password is more secure and, unlike a fingerprint, can't be taken from you while you're being held or are asleep/unconscious. Everything is a tradeoff. Personally, I leave almost all the convenience on, but I'm much more frugal about location services.
If I'm being held by authorities or physically manipulated when unconscious... oh COME ON. That's so far off to one side of the curve of probability as to be FUD. Same for lifting fingerprints. Yes, if you're up against police or intelligence agencies you have issues. But then you shouldn't be looking to iMore for security advice in that case.
Not at all. For example, people who are dating may simply not want their messages to show up on screen, or have the possibility their phone may be unlocked and have their information seen while they're sleeping. Again, these features exist so everyone can make an informed decision about their situation.
+1 on this. Some people don't want anyone in their family snooping in on their devices either. Especially not the kids messing around with things and getting it all messed up. And no, I'm not in a relationship like that, and I don't have kids, so these points don't apply directly to me. But I know people who have expressed these posts aloud. So they are real points. To each their own...
You are making it sound as though "manipulated when unconscious" is something from a Hollywood movie. I have witnessed college students use the thumb of an unconscious drunk peer to unlock their phone. Fortunately it was only to play the prank of taking embarrassing photos on their phone, but nonetheless it happened.
If you are targeted, (i.e. not a random theft), the thief could lift your fingerprint and make a new one to fool TouchID. A feature I've wanted from Apple is "check iCloud to see if phone was wiped before presenting TouchID prompt". Then if someone steals your phone, you can wipe it and be confident that even if someone lifts a fingerprint off of it, they still can't get in.
Allowing Touch ID + Passcode would be great for multifactor as well.
Speaking of Multi-factor...... when are we gonna get actual multi-factor AUTHENTICATION and not just verification? That was supposed to rollout in the fall of 2015.
I finally got it. I had to upgrade all I could and iTunes programs on all my associated computers, including Windows, but then I was able to setup real two factor auth. Posted via the iMore App for Android
Biometric can never be a strong security authentication method on its own, that's impossible because you CANNOT change your biometric data once it is taken from you. Your fingerprint, iris print, etc do not change over time. Your passwords can. Biometric security is a great addition to the primary authentication system such as the strong password and so on. Also, in US, your fingerprints can be taken from you and used to unlock without violating your rights. However, if you use a password, you have the 4th amendment right to not give it up. Passwords are stored in your brain but your biometric is externally accessible.
very good puncted and Very well written. But the question is. The only national conference dedicated to the needs of iPhone and iPad?
Touch ID is not secure. I've had my phone unlock itself in my pocket multiple times when Touch ID was enabled but that had never happened for a pass code. Don't trust Touch ID. Posted via the iMore App for Android
I don't see how that's even possible? For one thing, I believe after 3 failed attempts it goes to the password screen!!! Then you have to hit cancel, so back and after a couple failed attempts doing that, TouchID is completely blocked!!! Now you're forced to enter your code. So it really sounds like a pile of DooDoo you're spouting. As in what you're saying is complete B.S. as it's impossible!!! I've tried over and over again to get my phone to Unlock with the wrong finger. It hasn't happened yet in over a year now I've had my iPhone 6 with TouchID. Ya, I see there at the end, Posted by the iMore App for Android. Clearly a fandroid that doesn't have a clue what he's talking about. TouchID is very secure.
> your browsing doesn't get recorded and tracked across the internet. I assume you meant to say "..doesn't get recorded on the local device". Private browsing has nothing to do with preventing the site from recording your information and from tracking; all it does is make sure your browser history is not recorded on the local device, but the site and tracking databases will still have it. To prevent tracking via third party scripts loaded on the site, you use a content blocker that can work but the site itself still records information and can share it.
Which is why you install a Adblocker!!! I use Purify on my iPhone. Then all the tracking on you gets blocked! You can even go the next level for even better security. As long as you don't give the site any personal info on you, they have no idea who you are and any data collected doesn't point to you.
If you are concerned about your Contacts privacy, which are being copied to Facebook, WhatsApp, Google and Skype servers without you knowing about it, you can use an app called ContactShield. This app encrypts information that you select as a sensitive data... and for now, it is FREE.
Use a secure VPN (ExpressVPN, Nord, PIA), use a password manager (1Password), and don't be stupid about what info you put online. There. Done.