If one object you own encapsulates who you are, how you think, and what you do, it’s your smartphone. Our phones not only contain our contacts and messages, but capture and store countless other metrics about our lives, from financial records to health data to myriad communications with everyone we know.
Smartphones also contain data about the places we go (and the routes we took to get there) as well as the searches we make and websites we browse (revealing what’s on our minds). Thanks to journaling and to-do apps, they even document our goals, hopes, and dreams. And smartphones aren’t just data-retention devices; the apps and services we use on them broadcast data about us to third parties.
That’s why it’s so important to understand what privacy and security protections the smartphone you use offers–and to make sure you have such protections enabled. I’ve written before that Apple is unique among modern tech giants in that it builds its products with privacy at the forefront. But many of those protections and tools available on every iPhone only make a difference if you’re aware of them–and judging from my conversations with friends, many people aren’t.
If you’re an iPhone user, these are the security and privacy features you need to know about–and should be using.
Security code autofill
What it is: Many sites and apps–from Facebook and Google to financial services–offer two-factor authentication, or 2FA. With 2FA enabled, logging into a website or app requires both your password and a unique code which is texted to your phone number or delivered via an app such as Google Authenticator. You have to input this code in order to gain access to your account. Even if someone else has your password, they won’t be able to break into your accounts if they can’t get the code.
The problem is many people choose not to enable 2FA, which has traditionally been a pain involving hopping back and forth and copying and pasting. So Apple gave iOS 12 a feature called security code autofill. Now when you log into an app or website where you have 2FA enabled, you no longer need to navigate to the Messages app to retrieve your texted 2FA code. As soon as the text with the code arrives, it’ll be routed to the iPhone’s keyboard where you can just tap on the code to autofill it into the security field in an app or website.
Why it’s important: Apple eliminated the most annoying thing about 2FA–which means more people are now likely to adopt it. If an app or website offers 2FA you should enable it immediately. Thanks to iOS 12’s security code autofill, 2FA will no longer slow you down.
How to enable it: Security code autofill is built into iOS 12, so you don’t need to enable the feature on your iPhone. When you get a text with a 2FA security code, it’ll be automatically routed to the code field on the app or website you are trying to log into.
You will, however, need to enable 2FA on any apps or websites you want to use the security feature with. I highly recommend enabling 2FA on every social media and financial site you use. You can see if some of the sites you use offer 2FA here.
Password reuse auditing
What it is: iOS has long had the Keychain–an encrypted password manager that saves your usernames and passwords so they can be auto-filled on apps and websites you log in to. But with iOS 12, your Keychain now has a password reuse auditing tool built in. What this does is identify every instance where you’ve reused a password for multiple sites and apps.
Why it’s important: Password reuse is a major security problem. Before iOS 12, I used the same four or five password variations across over 200 sites and apps–and I wasn’t alone. Two recent surveys found that 59% of people use the same password everywhere and 83% of people reuse the same password on multiple sites. If just one of those sites or apps gets hacked, your information anywhere else you used that password is at risk.
Thanks to password reuse auditing in iOS 12, you can see which websites you’ve reused passwords on and then give them unique passwords. However, that’s not the biggest advantage of this tool. The real advantage is that it visualizes how vulnerable you’ve made yourself by reusing the same password on multiple sites–and as we’ll see in a moment, you can easily create unique strong passwords for every site and app you use.
How to enable it: iOS’s password reuse auditing tool is a built-in feature in iOS 12. To see it in action–and to see which sites and apps you’ve reused passwords on–go to the Settings app on your iPhone, scroll down, tap “Passwords & Accounts,” and then tap “Website & App Passwords.” This is where your Keychain is located. You’ll need to authenticate with Face ID or Touch ID, and then you’ll be taken to a list of your app and site passwords.
An exclamation mark in a triangle next to a site or app means you are also using its password for another site or app. If you see this symbol, tap on it. On the next screen you’ll see a link that says “Change Password on Website.” This will take you to that site’s password management screen where you can change your password.
If you have dozens or hundreds of services that use the same password, creating unique passwords may seem daunting–BUT do it anyway. I changed 25 passwords a day for seven days, and now every account I have uses a unique password.
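For readers who want to see what a reuse audit does under the hood, here is an added example (not Apple's code and not part of the original article) that flags passwords shared across different sites in a credential export. The CSV columns, the two-label `site_key` heuristic, and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export (site, username, password); not real credentials.
SAMPLE_EXPORT = """site,username,password
https://www.example-bank.test/login,alex,Tr0ub4dor&3
https://shop.example-store.test,alex@example.test,Tr0ub4dor&3
https://m.example-bank.test,alex,Tr0ub4dor&3
https://forum.example-forum.test,alex,correct horse battery staple
https://mail.example-mail.test,alex,tr0ub4dor&3
"""

def load_export(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def site_key(url):
    """Crude site identity: the last two host labels (assumption; a real
    tool would consult the Public Suffix List to handle e.g. co.uk)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or url
    return ".".join(host.lower().split(".")[-2:])

def audit_reuse(rows, key=None):
    """Return {site: [other sites that share a password with it]}."""
    key = key or secrets.token_bytes(32)  # per-run key: digests are useless afterwards
    sites_by_digest = defaultdict(set)
    for row in rows:
        digest = hmac.new(key, row["password"].encode("utf-8"), hashlib.sha256).digest()
        sites_by_digest[digest].add(site_key(row["site"]))
    flagged = defaultdict(set)
    for sites in sites_by_digest.values():
        if len(sites) > 1:  # two logins on the same site are not reuse
            for site in sites:
                flagged[site] |= sites - {site}
    return {site: sorted(others) for site, others in sorted(flagged.items())}

if __name__ == "__main__":
    for site, others in audit_reuse(load_export(SAMPLE_EXPORT)).items():
        print(f"! {site}: password also used on {', '.join(others)}")
```

The check is an exact match, so the near-variant in the last sample row (same password with a lowercase first letter) is not flagged even though it is nearly as weak as outright reuse.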
Automatically create strong web and app passwords
What it is: iOS 12 also has a new feature that will automatically create complex and unique passwords for websites and apps. These are passwords that are so complex it is doubtful anyone could ever guess them–even you.
But you don’t even need to write these passwords down. iOS 12 will automatically save them to your Keychain and they will be synced across all your iOS devices and Macs, where they’ll automatically be filled in when you log into a site or app.
Why it’s important: As we’ve seen, even if you already have a pretty strong password, it becomes much weaker if you use it at multiple sites. But most of us don’t even have strong passwords. Generally, people choose weak passwords because they are easier to remember. But password managers like the one built into iOS and macOS have made remembering passwords obsolete. Still, the problem remains that many people simply don’t create strong, random, and unique passwords. So now iOS 12 will do it for you.
How to enable it: Next time you create an account in an app or at a website on your iPhone, when you select the “Create password” field, you’ll now see iOS has automatically inserted a unique password in the field. Tap the “Use Strong Password” button to use the recommended password and iOS will automatically store it in your Keychain. iOS never generates the same strong password twice.
Set encrypted messages to auto-delete
What it is: iOS automatically uses end-to-end encryption on all messages sent using Apple’s Messages app. This means no one can read your messages except for you and the recipient, not even Apple–even if the company is ordered to by a government agency. Yet end-to-end encryption won’t stop someone who has access to your phone from accessing your messages, which is why you should set them to auto-delete sooner rather than later. Once an encrypted message is deleted from your device, it is virtually impossible to recover (though a copy will remain on recipients’ devices until they delete it too).
Why it’s important: By default, iOS will store all your iMessages on your phone forever–and they will be transferred to your new phone when you get one. But these messages often contain very personal communications with our loved ones or details that could make us or them vulnerable. For example, parents will often communicate with their children about their schedules and whereabouts, such as what time they will be at soccer practice. A third party who gains access to years’ worth of those messages could reasonably work out where your child is going to be and when. Other times, we’ll share sensitive information with our family or friends via text messages–like the code to our home security system if a friend is watching our place while we are away. This information would be invaluable to a stalker or thief and there’s no reason a copy of it should be sitting around on your phone for years.
Beyond issues of privacy, years’ worth of text messages can take up an insane amount of space on your smartphone. Back when I had my text messages set to save forever, I looked at how much space they were taking up on my 64GB iPhone: 8.5GB! And I never go back and look at text messages that are more than a week old.
How to enable it: On your iPhone go to Settings>Messages>Keep Messages. On the next screen, you’ll be able to select to keep messages for 30 days, 1 year, or forever. By default, this is set to forever, but I recommend everyone set it to 30 days, or at the most, one year.
Safari
What it is: iOS’s built-in web browser.
Why it’s important: Apple has given Safari built-in privacy features that other web browsers like Google’s Chrome would never dream of offering. The most recent version of Safari stops advertisers from tracking you around the web, stops Facebook and Google from tracking your browsing history via like and share buttons, and stops websites from identifying you by “fingerprinting,” a technique which uses your device’s unique digital signature to identify it online. Safari also lets you manage whether websites can gain access to your camera and microphone.
How to enable it: Safari is iOS’s default browser, so in order to take advantage of its privacy features, you just need to use it to traverse the web.
Audit and block apps that have access to your camera, microphone, location, and more
What it is: iOS offers you an easy way to see what apps you have given permission to access your camera, microphone, contacts, location, reminders, photos, health data, and more. You can also easily revoke an app’s access with the tap of a button.
Why it’s important: If you’ve decided you’ve given an app too much access to your info or hardware, you can easily revoke that app’s access at the system level, cutting it off from harvesting any more of your data.
When considering whether an app should continue to have access to certain types of your data or hardware, ask yourself whether you use features in that app that require such access. For example, if you never check yourself into places in Facebook, why should the Facebook app continue to have access to your location data (which it is then free to use in other ways, such as for tracking your movements)?
How to enable it: Go to Settings>Privacy and you’ll see a list of various types of data your iPhone holds, from location data to photos. You’ll also see items like camera and microphone in the list.
Tapping on any one of these items takes you to a list of apps that have requested access to that type of data, such as health data, or your iPhone’s hardware, like its microphone. To stop an app from accessing that data, simply toggle its switch to off. The app will then be completely blocked from accessing that data or hardware. The only way it can regain access is if you toggle its switch back on.
Search more privately by changing your engine
What it is: By default, Safari uses Google’s search engine to return results when you do a web search. Google pays Apple billions every year to be the default search engine. But Apple also allows you to choose a different search engine, including offering the privacy-focused DuckDuckGo.
Why it’s important: Using Google for search just gives the company more information about you and allows it to better track your movements around the web. In the past few years Microsoft’s Bing, Yahoo, and even underdog DuckDuckGo have improved their search algorithms; all three now serve results that are virtually indistinguishable from Google’s. I recommend DuckDuckGo, since its business model doesn’t rely on collecting data about you.
How to enable it: Go to Settings>Safari>Search Engine and tap DuckDuckGo.
Quickly disable Touch ID and Face ID
What it is: Depending on which iPhone you own, you use either Touch ID or Face ID to unlock your phone without needing to enter a passcode. They’re handy, but don’t offer the same level of constitutional protection that passcodes do. That’s why iOS now allows users to disable Touch ID and Face ID at a moment’s notice.
Why it’s important: Thanks to Fifth Amendment protections, in most instances law enforcement can’t compel someone to enter a passcode to unlock a device without a search warrant. But courts have said that biometric authentication methods aren’t similarly protected. In many states, law enforcement can force you to unlock your phone using Face ID or Touch ID–and you must comply if asked. Law enforcement aside, while Touch ID and Face ID are convenient, both leave you vulnerable to unwanted unlocks when you are sleeping.
How to enable it: Go to Settings>Emergency SOS and make sure the “Call with Side Button” toggle is on (green). Now, whenever you want to quickly disable Face ID or Touch ID press the iPhone’s Side button five times. A screen will appear that shows three sliders: power off, Medical ID, and Emergency SOS. Below them will be a cancel button. Once this screen appears, Face ID and Touch ID are automatically disabled and you’ll only be able to unlock your phone with your passcode (keep in mind, once you unlock it with a passcode, Face ID and Touch ID are reenabled).
In a worst-case scenario, nuke your data
What it is: iOS offers a feature which deletes all data on your iPhone if the wrong passcode is entered 10 times in a row.
Why it’s important: The contents of your iPhone contain personal and private details about every aspect of your life. If the worst happens and someone steals it, it’s good to know that with this security feature, the thief won’t have endless opportunities to guess your passcode. Once they get it wrong for the tenth time, all the data on your iPhone will automatically be deleted and can’t be recovered.
Yes, this is a worst-case scenario, but it’s better than having all your personal and private data in the hands of a thief or hacker.
How to enable it: Go to Settings>Face ID & Passcode (Touch ID & Passcode on an older iPhone) and at the bottom of the screen toggle the “Erase Data” switch to on.