iOS Overview Page

[ghost]

Would like to write an overview of the security/privacy features of iOS.

[ghost]

Research points

• Apple Platform Security (PDF version which is a bit more readable)
• Apple Security Research
• iPhone user guide for built-in security
• A Day in the Life of Your Data (PDF)
• iOS Privacy Control
• Personal Safety User Guide
• App Store Privacy
• App privacy details on the App Store
• Transparency Labels
• Controlling personal information that you store with Apple
• Location Services Privacy Overview
• AirTag/AirPod Tracking
• Apple ID 2FA
• Apple Privacy Features
• Safari Privacy Overview Whitepaper
• Apple Privacy Policy
• iOS Safety Check
• Apple announces powerful new privacy and security features

[quackerex]

Thoughts on combining macOS and iOS/iPadOS overview into one page? Most of the security & privacy features seems to be similar between the OSes.
Not sure if it will make the page look crowded or confusing 🤔.

[ghost]

@quackerex - There are many features they both share that can improve a users security and/or privacy, but both are still very different with iOS/iPadOS being far superior than that of macOS when considering security/privacy.

They will both likely need their own overviews as macOS needs a lot more attention than iOS/iPadOS does in terms of recommendations and information.

As Apple develops software for their own hardware, it will even be hard to seperate the software side from the hardware side as many of the software features are build around the hardware.

Below is an extract from the Apple Platform Security kb:
Every Apple device combines hardware, software and services designed to work together for maximum security and a transparent user experience in service of the ultimate goal of keeping personal information safe. For example, Apple-designed silicon and security hardware powers critical security features. And software protections work to keep the operating system and third-party apps protected. Finally, services provide a mechanism for secure and timely software updates, power a protected app ecosystem and facilitate secure communications and payments. As a result, Apple devices protect not only the device and its data but the entire ecosystem, including everything users do locally, on networks and with key internet services.

[quackerex]

What about including Apple services like Apple Pay, Apple Health, Sign in with Apple, Apple Map, Hide My Email, Private Relay, and iCloud that also seems to have security and privacy features?

[ghost]

What about including Apple services like Apple Pay, Apple Health, Sign in with Apple, Apple Map, Hide My Email, Private Relay, and iCloud that also seems to have security and privacy features?

They're all cloud services provided by Apple which come with their own privacy and security features as part of the OS. Being cloud services can come with its own issues though as up until iOS 16.2 (US) and iOS 16.3 (World) Advanced Data Protection(E2EE) did not exist yet.

This is definitely worth a deeper dive though.

Health App & Privacy
Apple Pay & Privacy
Sign in with Apple & Privacy
Apple Maps & Privacy
iCloud Security & Privacy
Hide My Email
Private Relay

[quackerex]

They're all cloud services provided by Apple

Not all of them tho. Many of them just offer optional iCloud sync.

Being cloud services can come with its own issues though as up until iOS 16.2 (US) and iOS 16.3 (World) Advanced Data Protection(E2EE) did not exist yet.

I think many of them were already E2EE even before the introduction of ADP.

Here are some more resources.

• Private Relay White paper
• Sign in with Apple White paper

[ghost]

All of those services you mentioned are cloud ready services which can be toggled on or off, but even when off doesn't exclusively mean that data will not communicate with the cloud.

There are many factors to consider depending on the service as data can be shared from each service many different ways such as iCloud sync, iCloud backup, Sharing, allowing apps to track, location services, system services, research sensor and usage data collection, analytics and improvements, Apple advertising, and any others I've forgotten about.

On the E2E3, we had 14 points of E2EE prior to Advanced Data Protection, the total number of points is now 23.
Of course users would need to turn this on to use it.

[ghost]

Apple just joined RFC 9116, now showing a security.txt file on their website.

May provide some use to this issue.

[ghost]

Originally from ph00lt0:

We should probably encourage users to enable Lockdown mode:
https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/
Make people check that they have an iPhone/iPad that receives software updates. I often see people that don't know that >their device isn't supported any longer
Link to browser page with AdGuard
DNS profiles such as made by nitrohorse https://encrypted-dns.party/ (Probably doesn't work with Lockdown mode)
Disable Siri
Disable 'allow apps to request tracking'
Private relay?
Mail Privacy Protection?
Disable sharing with location in photos app ( and maybe Link to exif data article )
Restart the device daily can prevent a lot of malware form staying around.

[ghost]

Just to clarify on the above about configuration profiles, they should still work in Lockdown Mode if installed prior to enabling Lockdown Mode.