The operating system for Apple phones and tablets, iOS, has about 39% of the mobile device market in the US, and about 24% in the world. That’s a lot of iPhones, iPads, and iPods! Your mobile device collects a lot of data about you, and you store a lot of data on it, so it’s critical that you take the time to set your security and privacy settings.
Apple is known for building strong security and privacy into its software. Cybersecurity and privacy experts almost universally recommend iOS over Android. However, that doesn’t mean that you should simply accept the default iOS settings. There are changes you can make to increase the security and privacy of iOS.
For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.
Each major version of iOS (12.0, 13.0, etc.) includes new settings, and may change your existing settings, so be sure to go through this guide each time you do a major iOS upgrade.
This guide was last updated for iOS 13.3 on an iPhone. The settings and steps may differ depending on your version of iOS and your device.
To open iOS settings, simply tap the Settings app (an icon of gray gears). We’ll go through the settings it contains in order.
You’ll see your name (and your smiling face, if you’ve added it). Tap that to open the Apple ID settings.
Password & Security
Change Password: This is your Apple ID password, not your iOS password. If you haven’t already, set a long, strong password (15+ characters, with a mix of uppercase, lowercase, numbers, and special characters). You’ll need to type this into your device from time to time, so make a password you can remember. You may need to enter this password to open your password manager app, so don’t rely on just grabbing it from your password manager. Once you create it, I recommend saving it in a password manager, such as LastPass, in case you forget it.
Two-Factor Authentication: If this isn’t already on, tap Turn On Two-Factor Authentication, then tap Continue. Follow the steps. Learn more in How & Why to Use Two-Factor Authentication.
Recovery Key: If you don’t already have one, tap Recovery Key to create one. I recommend saving it in a password manager, such as LastPass.
Tap Back in the top left until you get back to the Apple ID settings. Then tap iCloud.
Under Apps Using iCloud, toggle off any apps that you don’t want to store data in iCloud. I recommend keeping to a minimum the data you store in iCloud.
In the list, tap iCloud Backup. I recommend toggling this On, unless you’re going to frequently back up your device to your computer.
Scroll down the list and tap Find My. This allows you to find, lock, or wipe/erase your iPhone remotely, if it becomes lost or stolen. I recommend toggling this On. I also recommend toggling Enable Offline Finding and Send Last Location to On.
Go back to the previous screen, then either toggle iCloud Drive to Off, or, if you toggle it On, then toggle Off any apps below it that you don’t truly need to save their data to iCloud Drive.
Go back to Settings and tap Bluetooth.
Bluetooth: I recommend toggling this to Off. Toggle it to On when you truly need it, then toggle it Off again. Bluetooth has poor security, and is easily hacked, so keep it off as much as possible.
Go back to Settings and tap Notifications.
Show Previews: I recommend setting this to When Unlocked. If you set it to Always, then anyone can see your notifications without unlocking your phone, which could reveal sensitive data.
Go back to Settings and tap Screen Time.
Screen Time is the name of the parental controls built into iOS, though you can use it for yourself as well. It includes the following features:
- Downtime: Control when the phone can be used.
- App Limits: Control how much time can be spent on individual apps or categories of apps.
- Always Allowed: Control which apps are always available.
- Content & Privacy Restrictions: Control the content, purchases, and downloads that are available on the phone.
Go through the settings and configure as you’d like the settings to apply to you, or to your kids who use this phone. Or, leave Screen Time disabled if you don’t want to use it.
Go back to Settings and tap General.
Tap About, then tap Name. I recommend that you give your phone a name that doesn’t identify the phone as yours, to make it harder for anyone trying to target you.
Tap Software Update, then tap Automatic Updates. Toggle to On.
Go back to General and tap AirDrop. I recommend setting to Receiving Off, and only enabling AirDrop when you need it. It’s often abused by people who AirDrop nude photos or other unwanted content to nearby devices. When you do need it, set it to Contacts Only or Everyone, AirDrop what you need, then set it back to Receiving Off.
Go back to General and tap VPN. If you have a VPN (virtual private network), tap Add VPN Configuration and follow the steps. You can ignore this if your VPN has its own app.
Siri & Search
Go back to Settings and tap Siri & Search.
Siri gives you more privacy than other voice assistants, but if you don’t want to use it (as I don’t), you can toggle Off these settings:
- Listen for “Hey Siri”
- Press Home for Siri
- Suggestions in Search
- Suggestions in Look Up
- Suggestions on Lock Screen
Touch ID & Passcode
Go back to Settings and tap Touch ID & Passcode.
Toggle to On the items that you want to use Touch ID for.
Scroll down to Allow Access When Locked. Toggle to On only the items that you want to allow to be used when the screen is locked, and toggle to Off all others. Think carefully about what a person could learn about you, or what they could do, if they had access to your phone. I recommend disabling at least Home Control, Wallet, and USB Accessories.
Erase Data: If you toggle this to On, your device will erase itself after someone (you or someone else) fails to unlock the device 10 times in a row. This is a great security feature, but it’s obviously very dangerous. Be sure you’re taking regular backups before you toggle this to On, in case your device erases itself and you need to restore from backup.
Go back to Settings and tap Emergency SOS.
Emergency SOS allows you to alert emergency services and your emergency contacts.
Auto Call: If you toggle this On, your device will automatically call emergency services and your emergency contacts when you activate Emergency SOS.
Emergency SOS also temporarily disables Touch ID. If you’re in a situation where you think you may be compelled to use your finger to unlock your device against your will, you can quickly force your device to require typing in the passcode to unlock it. If this is how you intend to use Emergency SOS, you may want to disable Auto Call, depending on whether you want to alert emergency services and your emergency contacts in such a situation.
Go back to Settings and tap Privacy.
Location Services: If you’re privacy-conscious, you may be tempted to simply toggle this to Off. However, be aware that doing so will prevent Find My iPhone from working.
Tap Location Alerts to see Show Map in Location Alerts. Toggle this to On to see a map of your location when your device alerts you that an app is tracking your location.
Go back to Location Services and tap Share My Location. Here you see again the option to enable Find My iPhone. I recommend toggling Share My Location to Off unless you have a true need to share your location with people or software.
Go through the list of apps and set the Allow Location Access setting. I recommend choosing Never for any app that doesn’t truly require your location.
At the bottom of the list, tap System Services. I recommend toggling all to Off except those that truly require your location, such as Cell Network Search, Emergency Calls & SOS, and Find My iPhone.
Go back to Privacy. Tap through each app and category, setting your privacy as desired.
Back in Privacy, scroll down and tap Analytics. Set your Analytics preferences as desired. I generally like to share data that helps make software and services better, as long as my data is anonymized. You may choose to disable if you’d rather not send your data (even anonymized data) to Apple.
“The collected information does not identify you personally and can be sent to Apple only with your explicit consent. … When it’s collected, personal data is either not logged at all, removed from reports before they’re sent to Apple, or protected by techniques such as Differential Privacy. … Analysis happens only after the data has gone through privacy-enhancing techniques so that it cannot be associated with you or your account.” (Source: Apple)
Back in Privacy, tap Advertising. I recommend toggling Limit Ad Tracking to On to reduce the amount of ad tracking. You may want to occasionally come here and tap Reset Advertising Identifier to reset your identifier, which is used to track your activity. Learn more in Apple’s Advertising & Privacy. A few excerpts:
“Advertisers can use an Advertising Identifier, or other information they have about users, such as a phone number or email to match users to segments on Apple’s advertising platform. During the match process, these identifiers are obscured to limit personally identifiable information being disclosed.”
“Whenever you want to clear the data associated with your Advertising Identifier, you can simply reset it.”
“If you enable Limit Ad Tracking, you may still receive the same number of ads, but the ads may be less relevant to you.” (Source: Apple’s Advertising & Privacy)
Wallet & Apple Pay
Go back to Settings and tap Wallet & Apple Pay.
Apple Pay allows you to make payments without revealing your account details to the merchant. The merchant will not see your credit card (or other account) info. That’s great because merchants continue to suffer data breaches. If the merchant never has your credit card info, they can never leak it. Learn more about digital wallet security.
Double-Click Home Button: I recommend toggling to Off to make it harder for someone else to pay from your device, or to access other sensitive wallet data.
Go back to Settings and scroll down to the list of installed apps. I recommend tapping your way through each of these, looking for any settings related to security or privacy.
In Settings, scroll down to the default apps, and tap Phone. If you’re annoyed by robocalls (as I am!), you can toggle Silence Unknown Callers to On. When you get a call from a number that isn’t in your contacts, your phone won’t ring or vibrate, and the call will be sent to voicemail. Note that iOS will accept incoming calls from numbers you recently called, even if they aren’t in your contacts.
In Settings, scroll down to the default apps, and tap Safari. Follow my Safari Security & Privacy Guide.
If you use the Podcasts app, you may want to occasionally reset your identifier, which is used to track your activity.
In Settings, scroll down to the default apps, and tap Podcasts. Scroll to the bottom and toggle Reset Identifier. That will reset your identifier the next time you use the Podcasts app.
Right above that toggle you’ll see Podcasts and Privacy. Tap it to read more about what Apple collects. Here are a few excerpts:
“We also collect data on podcast listening and interactions in order to understand, and provide reports about podcast listenership. This data includes information about the podcasts you listen to, such as how much of a podcast you listen to, when you listen, and when you stream, download or subscribe. … We designed Apple Podcasts so that this data is not linked to other Apple services. This information is associated with a random unique identifier that is specific to Apple Podcasts and not associated with your Apple ID. … To reset the identifier included in playback data sent to Apple on iOS, go to Settings > Podcasts > Reset Identifier. This will also reset the identifier for any paired watchOS devices.” (Source: Apple: Podcasts and Privacy)
Apple iMessage Security
Apple’s iMessage system, which powers its Messages app, is end-to-end encrypted. That means iMessages can’t be read by third parties, making them much more private than standard SMS/text messages. Just remember that if you send messages to someone who’s not using an Apple device (if the messages are green rather than blue), those messages are outside of the iMessage system.
Apple iMessages are end-to-end encrypted in transit (as they travel from one device to another), but if they’re stored in your iCloud backup, Apple will have the key to decrypt (read) them. There are two ways to prevent this:
- Enable Messages in iCloud
- Disable iCloud Backup
Option 1: To enable Messages in iCloud, go to Settings, then tap your photo or your name. Then, tap iCloud. Then, toggle Messages On. This removes your Messages from your iCloud backup (if you have iCloud Backup enabled).
Option 2: To disable iCloud Backup, go to Settings, then tap your photo or your name. Then, tap iCloud. Then, tap iCloud Backup. Then, toggle iCloud Backup Off. Note that this will disable iCloud Backup for your entire phone, not just your messages. If you do this, I highly recommend that you back up your phone to your computer, and encrypt that backup (see Using iOS Safely below).
“End-to-end encryption provides the highest level of data security. Your data is protected with a key derived from information unique to your device, combined with your device passcode, which only you know. No one else can access or read this data. … Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.” (Source: iCloud security overview, apple.com)
“When you use Messages in iCloud … your content is automatically stored in iCloud. That means they’re not included in your iCloud Backup.” (Source: What does iCloud back up?, apple.com)
“If you have iCloud Backup turned on, then your backup includes a copy of the key that protects your messages. … If you have iCloud Backup turned off but Messages for iCloud turned on … your messages will be shared among all your devices, but your encryption key will remain local to those devices. According to Apple, that encryption key will not be saved to the company’s servers.” (Source: How to FBI-proof your encrypted iPhone backups, theverge.com)
Keep in mind that your messages sent to others could still be backed up into their iCloud accounts.
Using iOS Safely
Install all software updates (for iOS and apps) as soon as they’re available. You should set your device to do this automatically (see settings above), but also watch for any update prompts.
When you install an app, grant it as few permissions as possible. You can always grant more permissions later, if you truly need to.
Even if your device backs up to iCloud, you can still back it up to your Mac using Finder, or to your PC using iTunes. Be sure that you check the box to encrypt your backup. I recommend storing the password in your password manager (I like LastPass).
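To confirm that the backups already on your computer were really made with the encrypt box checked, the following added example (not part of the original guide, and not an Apple tool) reads each backup's Manifest.plist and reports its IsEncrypted flag. The folder paths and the manifest key names (IsEncrypted, Lockdown, DeviceName, ProductVersion) are assumptions based on where Finder and iTunes usually store local backups; the sample manifest is constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed usual backup folders: macOS, iTunes for Windows, Microsoft Store iTunes.
DEFAULT_BACKUP_DIRS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",
    Path.home() / "Apple/MobileSync/Backup",
]


def audit_backups(backup_root):
    """Return one finding per backup folder found under backup_root."""
    findings = []
    try:
        folders = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    except OSError:
        return findings  # folder missing or not readable
    for folder in folders:
        entry = {"folder": folder.name, "device": None, "ios": None,
                 "status": "unreadable"}
        findings.append(entry)
        try:
            with (folder / "Manifest.plist").open("rb") as fh:
                data = plistlib.load(fh)
        except (OSError, ValueError, ExpatError):
            continue  # missing or damaged manifest stays "unreadable"
        if not isinstance(data, dict):
            continue
        lockdown = data.get("Lockdown")
        if isinstance(lockdown, dict):
            entry["device"] = lockdown.get("DeviceName")
            entry["ios"] = lockdown.get("ProductVersion")
        # Fail closed: anything other than an explicit True counts as unencrypted.
        encrypted = data.get("IsEncrypted") is True
        entry["status"] = "encrypted" if encrypted else "UNENCRYPTED"
    return findings


if __name__ == "__main__":
    # Constructed sample: one backup whose manifest says it is not encrypted.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "constructed-sample-backup"
        sample.mkdir()
        with (sample / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": False, "Lockdown": {
                "DeviceName": "Sample", "ProductVersion": "13.3"}}, fh)
        for root in [Path(tmp), *DEFAULT_BACKUP_DIRS]:
            for f in audit_backups(root):
                print(f"{f['status']:<12} {f['device']} (iOS {f['ios']}) in {root / f['folder']}")
```

On macOS, the terminal app needs Full Disk Access to read the backup folder; without it, the script lists nothing for that location.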
Don’t use public Wi-Fi for anything sensitive, because you’re using an insecure, untrusted network. Instead, use your device’s mobile/cellular data, or use a VPN (virtual private network) to protect your traffic when using public Wi-Fi.
There isn’t antivirus or anti-malware for iOS as there is for computers, so you don’t need to install any antivirus or anti-malware apps on your device. Apple has been removing antivirus and anti-malware apps from its App Store since 2015, to prevent people from installing apps posing as antivirus and anti-malware. You can learn more in Why Apple iPhones Don’t Need Antivirus Software.
Regularly delete unnecessary apps from your device. This decreases your “attack surface”; it limits the ways your device could be compromised.
Be sure to also secure your Apple account. Set a strong password and enable two-factor authentication.
Jailbreaking an iOS device makes it less secure, because it removes many of the protections built in by Apple. Avoid jailbreaking.
Erase your device before you sell or donate it. See Apple’s documents What to do before you sell, give away, or trade in your iPhone, iPad, or iPod touch and Sell or give away your iPhone.