There are a lot of guides out there on how to secure your iPhone, but it’s very rare for anyone to provide a good explanation of WHY you need to do this. We’re going to do first things first and talk about some of the sorts of problems you might encounter.

• When you read email on your phone there are some types of content that are active, which is to say they are small programs that run locally. These can be used to try to trigger additional things on your phone.

• Phishing emails, which are usually made to look like a financial institution, will contain an urgent message needing your attention, and a link to a fraudster’s site, which sometimes sits quietly between you and the real bank’s web site.

• A fraudster may send an email specifically to you in an attempt to get some piece of personal information. This happens when they have most of what they need to pose as you and gain access to various internet accounts, or commit more general identity theft, but are missing one piece of information needed to reset an account.

• You can also get phishing attempts via SMS messages. These are less common than email, because it’s much harder to get the ability to send bulk SMS than it is to send bulk email, but they do happen. As with the emails, the links they offer lead to sites meant to gather more information on you, and in the worst case they can remotely subvert your phone.

• When your VPN is free, your behavior and traffic are the product, and you have no idea who is purchasing them. The only legitimate free service is the one that comes with ProtonMail. This is a loss leader for their excellent email service as well as their paid VPN offering.

So to review, people will come at you seeking additional information. Often it will be a simple one shot effort to gain access to your cryptocurrency wallet, bank accounts, or anything else of a financial nature. Access to iCloud storage gives a bad actor everything you have. Less often but far more troublesome are the times where you get approached because someone is interested in your employer. Just because you don’t have millions in crypto and a blog about the market, does not mean you don’t have any risk, it’s just harder to anticipate.

This all sounds grim, but there is some good news. Nobody is ever perfectly secure, because there is constant attention on new methods to defraud people. You do not need to BE perfectly secure, you just need to get to the point where you’re more trouble than you’re worth. If you do all of the things I suggest, you will raise the bar high enough that the majority of attackers will get frustrated and go find a different target.

Physical Access:

The first thing you need to do is ensure that you phone does not become a problem if is lost, stolen, or seized. You are not going to make your phone as secure as possible, you’ll be making it as secure as you can tolerate. The reason for this is “security friction” wears people down, and rather than dialing back measures, they will often disable them.

iPhones will accept a four digit passcode but you really should use a minimum of six. Extreme security suggests employing an alphanumeric code, but then you are using both hands and the tiny keyboard, rather than the roomy ten digit keypad. That’s a problem if you’re trying to use your phone with your other hand occupied, or if you’re in a physically unstable environment, like riding public transit, or bumping along on some mountain road.

Why is it so important to skip the four digit option and use six instead? Imagine someone looking over your shoulder trying to catch your passcode. The typical working memory for an adult is three to five pieces of information at a time. Six numbers familiar numbers isn’t a burden for you, but it is for someone who is watching, but who has to remember them while waiting long enough to slyly record them somewhere.

You should set a screen timeout and the security advice out there says 30 or 60 seconds. This is one of the things that often gets in the way, so people will set it to the maximum, and that’s not good either. If you don’t find sixty seconds annoy, go with that. Many people do better with a three minute timer, that gives enough time to read a web page, or finish an order in line at a restaurant, without facing the lock. If your phone is on the desk at home and you’re writing, maybe the five minute timer is appropriate. Try to pay attention to how often you access the phone, and how many times you have to enter your code. That will guide your timeout setting.

Why would you worry about your device being seized? If the phone is stolen and recovered from the thief it is possible law enforcement would do forensics on it, thinking the perpetrator was the owner. If you are crossing a U.S. border in 2025 there is a much higher potential that you could be waved aside for an additional screening, particularly if you’ve been to a part of the world that is seen as problematic. If you have a passcode that is yours and protected by the 4th and 5th Amendments. If you used fingerprint or face ID you can absolutely be made to press a button or look at the device while someone else operates it.

The biometric features have been used to fix the problem of authentication, if you enable this you’re not entering a six digit code to unlock the device. If you’re not crossing a border, and you’re not a publicly known holder of large amounts of cryptocurrency, you’re probably safe to continue. If being held, either legally or illicitly is a concern for you, then don’t do this.

Network:

Your phone has multiple sorts of networks and all of them have associated hazards. There is a baseband radio that connects to the cellular network, a WiFi radio for local networks, and a Bluetooth radio that is mostly used for connecting other devices. While the jobs are distinct, in modern phones this is often the function of a single chip. There are Apple features that must be on or off together for Bluetooth and WiFi, because of this.

If your phone has an active cellular plan your number is exposed to incoming attacks. We’ll deal with that in detail later. Your phone is also providing details about your location to the cellular network whenever it is connected. There are law enforcement tools like the Stingray that can muscle out legitimate cellular providers in order to capture information about phones in a given area. Similar tools, although not as high powered, are available to hackers. If you are going to be in an area that concerns you having your phone turned all the way off and tucked into a Faraday bag for good measure is the way to go.

WiFi networks can be spoofed. If someone is hunting your employer they can pick up the names of networks used from outside your building and offer the same name, but without the appropriate encryption. Older standards once allowed people to crack wifi encryption but the more recent WPA standards have put a stop to that. This is mostly a situational awareness issue -if something changes and you are not expecting a change, then stop every you are doing, pay close attention, and if you are at all unsure, stick to using cellular data.

Open WiFi networks are a different sort of problem. You go to a coffee shop or a hotel, and you don’t know what’s between that nice fast free network and the rest of the world. Once this was a terrible hazard, because both email and web pages were unencrypted. Today almost everything uses TLS encryption. That padlock you see on web pages when they’re secure is not limited to web pages, it can be used for any network service. But even with TLS if you’re tricked into using a bad guy’s WiFi network, there is a potential for a “man in the middle attack”. There are tools that can slip in between you and your trusted sites, and you might not notice them in action.

The solution for this is pretty easy, you completely disempower threats on these untrusted networks by using a VPN on your phone. You’ve heard the saying “if the service is free, you are the product”, and that is painfully true with free VPNs. The only no cost VPN that we know to be trustworthy is the one that comes with ProtonMail. The company makes their money with paid email and VPN services. Their free email and the associated low speed VPN are meant to entice new users to try the service.

ProtonMail is a very good choice for replacing Google or Microsoft with something supremely private, and you’ll get ten devices worth of VPN with it. If you don’t want the email you can get just ProtonVPN for $x. Another worthy VPN only competitor is Mullvad.

Applications:

The very first rule is that unless you are a developer, you only get applications from the App Store. There have been too many situations where people were told to load an app from elsewhere, thinking they’d get a nice cryptocoin faucet, and instead they lost everything. The Apple ecosystem is really tight and it’s kept that way for a reason.

Application permissions need to be checked. If there’s no plausible reason for an app to need something, turn it off. Camera and microphone are good ones to check first, location gets misused for consumer behavior tracking, and almost nothing really needs to see your contacts.

But before you check every single app, ask yourself if you’re really using it. The things that you loaded, tried, and didn’t like are taking up space and providing a potential attack surface. It’s much less common on Apple’s App Store than on Google’s Play Store, but when a software vendor is crashing, and its employees are fleeing, sometimes terrible things happen to the users of their apps.

It’s not a security issue really, but you should also go through and limit background refresh. If you’re not using an app it doesn’t need to be draining your battery and chattering who knows what information with their back end tracking system. And you should get in the practice of swiping from the lower left to the middle of the screen, and shutting down any apps you aren’t using. Once you develop this habit, you’ll be surprised at how much longer a charge lasts.

Data Privacy:

You must fully encrypt your phone.

If you enable Find My iPhone it can be wiped remotely if lost or stolen.

Do you even show notifications? I can’t stand interruption, I disable that stuff, and will replace apps that have red blinking animation and similar nuisance behavior.

Updates:

Keep your System Settings app on your home screen, and if you see that red notification, check to see if there’s a software update. Apple is really disciplined about updates, they come about once a quarter, and it’s very rare to ever have any trouble from one. The exception to that rule is really old devices, those in the five years or more range, as they’ll get less testing. Symptoms of a bad update include overheating and rapid battery drain. (How to check which apps are doing it?)

You should also get in the habit of periodically checking the App Store. Unlike the System Settings app, you will NOT get a notification when there are updates.

Advanced Methods:

I’ve used Lockdown Mode but I found it invasive, I periodically had cause to disable it. I think I’m about to turn it back on, but the jury is out, since I so seldom encounter new people any more.

I truly hope, if you’ve been reading here, that you already have 2FA in every place you possibly can.

I’ve never done a YubiKey for phones, and not used them much in other places. The problem I always run into is that I will drill for device loss/seizure. There is an order of magnitude more work if you have to make arrangements for that scenario. But I better buy an NFC YubiKey and have a go at that. I wonder if it’s possible to do a plain/YubiKey protected apps setup, in other words a compartment within a single phone. Leave the YubiKey home and you leave the problems there, too.

And separate devices? This is the way for those in high threat environments.

Conclusion:

Speaking as a guy with half a dozen cell phones in the house and not one active cellular plan at the moment, I really struggled writing this. There are a lot of things I do that are just not appropriate for random iPhone users. These things include:

• Never sharing carrier numbers, it’s always Google Voice.

• Nobody calls me on PSTN any more.

• Signal is all names any more, not even GV gets shared.

• Phone is typically left off unless I have something to do with it.

• When out & about the SIM is usually in a pill container on my keyring.

• Mobile devices boot with ProtonVPN in fail closed mode.

Most people would have seen this as bizarre paranoia a year ago. Have you looked at the news lately? You think these anti-signature strike moves are out of line?

There’s a person I know who spent time in prison due to failure to scrub EXIF data from a photo. There’s a guy who died in a drone strike in Raqqa ten years ago, I didn’t know him, but our networks overlapped. And somewhere, out there, a heroin addict is blaming me for problems he has due to letting someone on pretrial release (BOP monitored phone) into his cluster of Signal chats. I’ve stopped counting the court cases I’ve read with similar features - I just recall a few that provided insight.

I think I’m going to need to self-soothe here for a bit, maybe dig last year’s T-Deck out, put the radio hat back into my Pi5, and see if anyone else around here is as professionally paranoid as I am.

🔐 Device Access & Authentication

• Use a strong passcode: Avoid 4-digit codes. Use at least 6 digits, ideally an alphanumeric passcode.

• Enable Face ID/Touch ID: Adds convenience without sacrificing security.

• Auto-lock quickly: Set to 30 seconds or 1 minute.

• Erase data after 10 failed attempts: Stops brute-force unlock attempts.

🌐 Network & Communications

• Use a VPN on untrusted Wi-Fi.

• Disable Auto-Join Hotspots to avoid malicious access points.

• Turn off Wi-Fi and Bluetooth when not in use to reduce attack surface.

• Use iMessage/FaceTime for end-to-end encrypted calls/texts.

• Beware SMS links—phishing is still common.

📱 Apps & Permissions

• App Store only: Avoid sideloading or sketchy third-party app stores.

• Review permissions: Settings → Privacy & Security → App Permissions. Deny location/camera/mic when not necessary.

• Limit Background App Refresh—reduces data leaks and battery drain.

• Check for configuration profiles: Remove any you don’t recognize (Settings → General → VPN & Device Management).

🔒 Data Protection & Privacy

• Enable Full Disk Encryption (default on iOS).

• Turn on Find My iPhone for remote wipe.

• Hide sensitive previews in notifications (Settings → Notifications → Show Previews → “When Unlocked”).

• Limit ad tracking: Settings → Privacy & Security → Apple Advertising.

• Disable analytics sharing with Apple and app developers if privacy is priority.

🛡️ Updates & Maintenance

• Keep iOS updated—patches fix security holes quickly.

• Update apps regularly via App Store.

• Remove unused apps that could pose risks.

• Backup with encryption: iCloud (encrypted) or local backup via Finder/iTunes with “Encrypt local backup” checked.

🧰 Advanced / High-Security

• Lockdown Mode (Settings → Privacy & Security): For those at risk of targeted attacks (journalists, activists). Restricts many features.

• Use strong Apple ID security: Enable 2FA, use a unique password.

• Security Keys for Apple ID: Hardware keys (YubiKey, etc.) add strong phishing resistance.

• Check security recommendations: Settings → Passwords → Security Recommendations.

• Separate work/personal devices if handling highly sensitive info.