How to better protect your iPhone and iPad against hacks and other security and privacy risks

iPhone passcode (Image credit: iMore)

While many of the conveniences of iOS and macOS make our iPhones and iPads easier to use, there are also ways to remove those conveniences and make them even more secure. If your privacy is worth more to you than ease of use, here's how you can better lock down your iPhone and/or iPad, and any Mac it might connect to.

Note: These steps are not necessary for most people, most of the time. Following them will absolutely make your iPhone, iPad, and/or Mac more secure but will also make it much less convenient. Consider it the difference between living in a house with a lock on the door and maybe an alarm system compared to living in a panic room. Think carefully about your risk level, read over your options, then implement the ones that make sense to you. You can always go back and turn more on, or off, as your needs or feelings change.

How to set up and use a strong password, Touch ID, and/or Face ID

If you have Touch ID or Face ID on your iPhone or iPad, use it. It's more identity than security, but it provides a good, balanced approach to letting you in while keeping others out. So good, in fact, that if you want to increase security, you can upgrade from a 6-digit passcode to a strong, alphanumeric password.

If a passcode is like a lock on your door, a password is like a series of deadbolts. It'll take you longer to get in, but it'll take anyone else so long to get in they may as well not even try.

How to minimize data exposure on your iPhone or iPad Lock screen

Notification Center on iPhone (Image credit: iMore)

For the sake of convenience, Apple allows you to access Notification Center, Wallet, Siri, and Control Center right from your Lock screen. That means you can quickly glance at incoming messages, pay for your Starbucks beverages, set a Reminder, or toggle on the Flashlight. It also means anyone else within eyeshot or reach can glance at your messages, try and photograph your barcode, ask for certain types of information, and toggle on Airplane mode without having to enter your passcode, Touch ID, or password.

If you value those features on your Lock screen, then by all means enjoy their convenience. If security and privacy are more important to you, however, you can turn them all off.

How to use 2-factor authentication

Security works best in layers, and defense in depth means having as many layers as possible. Biometrics (like Touch ID or Face ID) cover "something you are", the password is "something you know", and a token is "something you have".

With 2-step authentication, you will have to enter an app-specific password or an additional token the first time you set up the service on your device, but it'll make it more than twice as strong for only a minimal amount of extra effort.

How to keep your web browsing, location, social and other data private

Your iPhone and iPad can accumulate a lot of data over time, including data you may not want or need it to accumulate. Likewise, you can grant access to your data to a lot of apps and services over time, including apps and services you may no longer want or need to have access. Luckily, iOS makes it easy to review and change your privacy settings. So do many online services as well. Also, if you're on a network you don't trust, and have access to a VPN service you do, you can use that to help keep your data private as well.

Lock it all down

If you value your privacy and security over your convenience and ease of use, the above are some of the steps you can take to further lock down your iPhone, iPod touch, iPad, and Mac. It's by no means a complete list, and it's by no means for everyone. It's what you can do to better protect yourself against some of the more common privacy and security issues you're likely to encounter.

Updated June 2018: Updated for more recent best practices.

Rene Ritchie
Contributor


22 Comments
  • Great post Rene. Posted via iMore App
  • Great set of advice. An addendum about Zdziarski's trusted pairing method: A lot is exposed - contacts, messages, photos - even the audio files of text messages - and it is available wirelessly after the initial trust is established. Video in action (long, but interesting): https://www.youtube.com/watch?v=z5ymf0UsEuw&feature=youtu.be He cautions that this is not vulnerable to the random theft on the street, but it would be for anybody to whom you loan or surrender your unlocked phone, from your co-worker to the officer at the TSA checkpoint. Give them an unlocked minute to establish a pairing, and your phone may be persistently compromised. Lesson: do not give your unlocked phone to anybody, ever, or, if forced, wipe and reinstall as new as soon as possible thereafter. This fun article suggests you should do this when you receive your new phone, too: http://gizmodo.com/the-nsa-actually-intercepted-packages-to-put-backdoor... I'm not sure how much tinfoil is in my hat, but on a just-received device, there is nothing really to lose yet, anyway. Sent from the iMore App
  • I always set up a new phone or computer from scratch, and I almost always set up a new device from scratch. I never did it for security, but for battery life and performance. Security is certainly another very good reason to do it. It's a pain, but I can typically be set back up in 2 days thanks to so much being online these days. But, um, so much is online these days... (security vs. convenience — think about it too long, you'll need that hat!)
  • Backdoor pairing can have two very different points of view. I am not an IT specialist. I am just an iPhone user. I would not have known anything about backdoor pairing had I not been a victim of "cybercrime". Backdoor pairing takes away the device owner's ability to stop the backdoor pairing. Furthermore, it is impossible to know that you have been what I call "hacked" until damage is caused. I only allowed my device to be handled by a trusted companion and because Apple/Mac has no real way of showing the backdoor pairing from my end it is almost impossible to prove. My phone is still currently under investigation. Sent from the iMore App
  • "Unfortunately, in their current form, if someone else takes physical possession of your computer they can retrieve those keys and use them to access your iPhone and/or iPad." And this is why I ignored the latest scare. If someone has physical possession of my computer and is intent on getting information out of it and/or my iOS devices I'm pretty screwed. I've either been raided by the law or had my stuff (all of it) stolen. If my Macbook is stolen but my iOS devices aren't, I'm wiping the Macbook remotely. If both are, I'm getting to a computer ASAP and wiping everything remotely. If I've been served with a warrant etc... see comment about being screwed, above. Don't get me wrong - this is a great post. But when people start freaking out about security issues they also need to really pay attention to the details. Any exploit that requires physical access to a device is a FAR lower priority to me than remote exploits.
  • Physical access can absolutely be game over. This is more about layered protection. The more roadblocks in place, the more effort needs to be expended to get your data, and the higher value you have to be for someone to bother.
  • Yep. And the fact is that very few of us are high value enough for someone to bother. Hence why I kinda don't worry past some of the basics (strong, non-duplicated passwords, firewalls, VPN when needed, drones, anti-aircraf... uh, never mind.)
  • Do Macs have a remote wipe option, or can that be added Rene? So many people carry an Air around with them, they are effectively mobile kit. I've been using two factor for Gmail for about 18 months now. It's hassle free and so far works fine. I carry a tiny laminated card with back up codes, so far unused. Thanks for article, Richard posted a link on G+.
  • You might want to check Zdziarski's video - 10 seconds of physical access can lead to literally irrevocable, undetectable remote access to your data (though the tip on using Configurator to manage pairings eliminates that risk). Sent from the iMore App
  • Yeah I know. "physical access" isn't something others get to my machines. Look, it's not that I discount the existence of the exploit, but that I think it's incredibly unlikely that most people will ever a) be targeted for this exploit and b) allow their machines to be physically accessed by a malicious party. The intersection of the people in A and B is really small. That doesn't mean the vulnerabilities shouldn't be addressed but for the vast majority of us it's not relevant. As Rene points out, making things more secure sometimes comes at the cost of convenience or usability. If I'm to pay that cost, I want to get some benefit for it and I'm unconvinced that I will see that here. Consider the first version of Windows Vista where MSFT was taking security seriously after seeing exploit after exploit against prior versions. Every time you did something that was possibly compromising, it asked you to confirm that action. It was annoying as hell because the vast majority of things that most people were doing (installing known good software, etc) were fine. There wasn't a risk to them. They eventually dialed back on this, but it's a delicate balance.
  • This is not a question of security vs convenience balance - unless you a) believe there are any diagnostic routines where unencrypted personal data would be unless explicitly included, and b) believe that Apple decided the cost of writing that exclusion and/or the convenience of an in-store Apple technician outweighed customer's privacy with their contacts, messages, voice mails, etc -- in which case you think Apple holds customer data and privacy in absolute contempt. Sent from the iMore App
  • Hahahaha...he said, "backdoor access."
  • Heh :-D
  • Safe like iCloud.. Right?... Lolz Posted via iMore App
  • Another great article.
  • Nice article about Mobile Security and privacy !!!
  • Apple needs to / must add the following steps:
    - Two Factor Authentication to all iCloud services.
    - Create individual password per device for iCloud access and sync.
    - or List of the approved devices and option to approve or remove them on the fly.
    - Option to trust or don't trust computer each time phone is connected to the PC or Mac. Like it was done on Blackberry a long time ago. Please remember that a strong password is a good option and fingerprint scanner also is a good option when you are on any Apple iOS device, but you still need to enter the same password to access iCloud from Mac or PC, it's just not that safe anymore.
    From my understanding user must have option to add separate password or additional pin to get access to iCloud services Mail, Contacts, Notes, Find My iPhone, Reminders, etc. Sent from the iMore App
  • Yeah, then apple could sue Google for using two factor authorization like they already offer...but apple never copies anyone, right? Posted via the Android iMore App!
  • Please take the time to submit your feedback to Apple. The more that do it, the better chance it'll be implemented! www.apple.com/feedback
  • Great piece, Rene. I really don't see why so many people are so afraid. Every authority, even the NSA may know everything about me, so that's not a risk (since I'm a normal citizen, not a drug dealing people smuggler of some sort). I'm not famous, so hacks and such may happen, but why would they? Why would anyone want to hack anyone they don't hate or who isn't high-profile. For money, perhaps, but my mac or iPhone would be a poor target, if money is what they want, and that also goes for a lot of other people's macs and iPhones.
  • I'm middle-of-the-road in my security preferences. I have a strong password so no one can get in my phone without either it or my fingerprints. I love Guided Access for when someone wants to use my phone (sure you can use my phone, but it won't be "smart"!) too. I have dual authentication for Google too. I don't get into the guts of my computer or wipe my phone for an update mostly because if someone has possession of these devices and can bypass my password then they are probably executing my Will. Sent from the iMore App
  • My iPhone doesn't have a private browsers switch in the settings as it states in ur security article! Knew something wasn't right! Sent from the iMore App