Securing iPhone/iPads For Fun & Profit
iPhones and iPads are very secure by default. But there are some additional steps you can take to improve their security.
Ensure your Apple Id/iCloud password is, at minimum, unique to Apple — that is, not used anywhere else. A properly random password is preferable.
Find My iPhone
Ensure Find My iPhone/iPad is turned on under Settings → iCloud → Find My → Find My iPhone.
With this enabled, the device can only be reset and reactivated if the phone has been wiped beforehand by your Apple Id password. Without this process, the device is useless to anyone else, even if they can get past the PIN. Additionally Find My provides access to remote wipe, lost mode and location tracking.
Lockdown Mode is a new feature in iOS 16. Although supposedly for high-value targets, Lockdown Mode is useful for everybody. It performs a number of attack-surface reduction techniques which limits some functionality — which you may not even notice. One particularly valuable feature is that the iPhone will not interact with other devices via a cable unless the device is unlocked. This makes the use of third-party charging stations much safer and reduces the possibility that the device can have data exfiltrated or become compromised/adulterated.
Generally you will also see a lot more prompts such as:
Turn it on under Settings → Privacy & Security → Lockdown Mode and let the device reboot. If this mode is too restrictive, turn it off.
Another way to use this mode is to enable it while travelling but otherwise leave off.
The Control Centre is opened by swiping from the top right corner. This provides access to various tools such as power, Do Not Disturb and volume. But it also provides access to the connectivity controls which enables Flight Mode, or to turn on/off mobile data, wifi and Bluetooth. The issue with this is that these functions are available while the phone is locked, which makes it possible for a thief to turn off connectivity to the device, making the Find My features unavailable to the device's owner. If these connectivity controls are not accessible, the thief should abandon the device for fear of being tracked.
To turn this off: Settings → Face Id & Passcode → scroll down to Allow Access When Locked → untick Control Centre.
Also turn off Today View and Search.
By default, SMS and iMessage messages are visible from the lock screen. This means a malicious actor with access to the phone can still see incoming messages which may be personal or reveal 2FA (two-factor authentication) codes. To ensure messages are only available when unlocked: Settings → Notifications → Messages → untick Lock Screen, Notification Centre and Banners. Set Show Previews to When Unlocked. These settings are much more inconvenient but much more private and secure.
Dictation may be used accidentally which might transmit what you say to someone inadvertently. If dictation is not generally required, turn it off: Settings → General → Keyboard → Untick Enable Dictation.