Ask HN: How to make iOS more private and secure?
I’m looking for suggestions beyond the basic “use a password instead of a pin”, “use 2fa”, don’t connect to public WiFi”. I think I’ve got my iPhone setup pretty well, but I suspect I’m missing more than just a few things. Any suggestion is appreciated, I’m willing to at least try it.
51 comments
[ 3.8 ms ] story [ 126 ms ] threadOr link to a longer form post?
For me, I can’t tell if you are looking for some architectural patterns you hope apple will adopt?
Or for a discussion about DuckDuckGo, DNS over https, and VPN usage, Firefox focus, etc?
- Change your DNS resolver to something you trust
- Use a paid VPN service (bonus points if it disables your internet when it's not connected to the VPN)
- Enable erasing data after several failed password attempts
- Disable notification previews on the lockscreen / when locked
- Disable Siri, control center, widgets, etc. on the lockscreen / when locked
- Disable Touch/Face ID when entering a risky location (airport, etc.)
- Disable location services, camera, microphone, etc. for every app you can
- Disable sending analytics to Apple and app developers
- Use a privacy conscious search engine (DuckDuckGo, StartPage)
- Install a good content blocker (1Blocker)
- Don't use apps like Facebook that violate your privacy
That's all I can think of for now.
Is it going to be a manual disable?
It appears Wallet still works so you should still be able to get to boarding passes without unlocking the device.
It's not so clear VPN providers, even paid ones have your best interests in mind
For higher levels of security, it would be better the VPN was controlled by yourself
[0]: https://github.com/trailofbits/algo
I believe that, unless the VPN specifically disables it, you can go to any VPN in settings-> VPN and enable "connect on demand" - the system will only send data if the VPN reports it's active. Apps can also request connect-on-demand themselves.
Have you any suggestions here?
Thanks
There are also people running public instances around the web, like me [2], so you don’t have to install and manage your own.
You could also go with AdGuard DNS [3] or nextdns [4].
[1] https://pi-hole.net/
[2] E-mail me at root@jamespond.co for beta access
[3] https://adguard.com/en/adguard-dns/overview.html
[4] https://nextdns.io/
Also under experimental settings for safari, only enable
andIts quite cheap as compared to others, agreed, but I would like to still see if there are good free Adblockers.
Does that mean setting up your own DNS server that resolves directly to the root servers?
While this makes obvious sense, iOS is pretty good and forcing logs to be anonymised. Also one can only log string literals so the developer can’t just leak sensitive data there.
This being said, I wonder if Apple can capture somebody making a function that would loop over some string and log it letter by letter.
Wipe/reset your iPhone every now and then. There is residual data left on the phone from app/data deletion (left over databases even). A factory reset will clear this, OS updates can help as well. The "Other" section of your iPhone storage is dangerous.
Make sure the emergency feature to disable TouchID/FaceID is enabled. When turned on it kills biometrics until you put in your (hopefully unique and complex) password. Otherwise, biometrics is safer.
Don't add any mail accounts to the native iOS mail app.
Ensure that access to USB accessories while the phone is locked is turned off.
Work only on LTE and your own private Wi-Fi (your job will have very complex monitoring tools like FireEye). Disable cellular data on any apps that you won't actively be using.
Backup your iPhone to a secure location when travelling, wipe your phone and then re-build your phone using the backup upon arrival. Destroy the backup after.
Don't open any shady URLs and make sure you always update iOS. Turn on auto-update.
Security is critical on iOS as some apps have the ability to log you in or restore a session without any sort of credential check. This is despite the fact that unique device identifiers are not supposed to be used by devs.
Protect yourselves!
Woah, I haven't heard this advice before—is the argument that the native mail app is less sandboxed than an App Store app? If so that makes a lot of sense (especially given P0's recent exploit chain involving an IMAP client vulnerability), sigh.
Another thing you can do is to download apps using one Apple ID, then login again to the App Store with a different Apple ID.
The tricky thing about iOS is things are always changing, so precautions that might seem fruitless today may be critical tomorrow.
[1] https://canarymail.io/
Do you think better it’s is better to have an interim account after reset the phone and before rebuild the phone with the backup?
I've noticed this before. How is that possible?
https://nextdns.io/
- [0] https://github.com/StevenBlack/hosts
The pac self hosting feature seems cool too.
I’m just using nextdns now though so won’t be actively using any future mind apps for now. But good to know
[1] https://www.privacytools.io/operating-systems/#mobile_os