iOS Security Controls

by Jacob Moorman
Independent
[email protected]

Overview

I found my recent switch to an iPhone running iOS 18 very frustrating. The features, apps, and data migration were all just fine. But, as a privacy-conscious user, I struggled to acclimate to this platform's security features and controls. I spent a couple of weeks thinking about this problem, and this paper is the result of that work. I'm sharing this in case it is of use to others.

Existing Controls Guidance

As I worked to come up to speed on iOS 18 security, I read a few resources:

Apple's vendor documentation, including the iPhone User Guide, covers operating system features. The iPhone User Guide is topically structured but spreads security content across multiple sections.
Formal guidance includes CIS Benchmarks and a NIAP Common Criteria administrative guide for iOS. These topic-structured resources are worthwhile primarily when configuration tools or Mobile Device Management (MDM) are used for device setup.
iAnonymous3000 (GitHub) and whoami (Privacy Guides) are community guidance sources. These independent resources are user-focused and topically structured.

My Needs

Apply controls that align with my threat model.
Since I was going to manually configure my phone's controls, which is typical for individual users, I wanted to understand the sequence of changes that would apply to my device.
Understand the actual tradeoffs between security and functionality.

Threat Modeling

Threat models identify potential risks. They should be tailored to the user, their devices, and environments to reflect the threats they will likely encounter.

Many threat modeling frameworks exist, including STRIDE, MITRE ATT&CK®, and Objective Threat Model (OTM). I designed OTM as part of this work, recognizing that I needed a threat model that better aligned with my concerns as a mobile device user.

To form my threat model, I asked GenAI for help, working with OpenAI ChatGPT and Anthropic Claude. I used a prompt like:

I am a privacy-conscious iPhone user who uses my phone at home, in a business setting, and while traveling. Please use the STRIDE, MITRE ATT&CK, and OTM (JSON provided) threat modeling frameworks to synthesize a realistic representation of threats I may encounter. Output a threat model structured using OTM categories.

The results served as a starting point.

Configuration Sequence

Device configuration should be sequenced to ensure preventative measures are present before the device can encounter related threats. For example, various device hardening should be performed before the device is ever connected to a network. Even private, "trustworthy" networks could be compromised.

Configuration sequence may be less concerning in institutional settings where device configuration occurs using configuration tools (Apple Configurator 2) or Mobile Device Management (MDM) platforms since a complete configuration can be loaded simultaneously. However, sequencing is quite essential when manually configuring devices individually.

To form a configuration sequence, I designed a model that considers the threats at different points in the device lifecycle. I then sorted available iOS 18 features, settings, and relevant third-party solutions in alignment with the model's time segments. For convenience, I've included links to Apple documentation where applicable.

This paper's primary contribution is the novel structuring of controls by time, which increases usability and forms a more straightforward narrative.

When	What
Throughout the device lifecycle	Threat responses are focused on threat model deficiencies and increasing user awareness. Prepare, update, or evaluate the threat model and business requirements to identify control needs For a physician, "Business Requirements" might mean specific regulatory compliance requirements due to work with HIPAA-protected data For the individual, we might think of "Business Requirements" as your risk appetite Ensure appropriate tradeoffs between security and functionality User training
Before device acquisition	Threat responses are focused on supply chain attacks and device acquisition practices. Purchase devices from Apple or Apple Authorized Reseller Verify tamper-evident box seals are unbroken Verify that the serial number on the box matches the device Configure best practices and two-factor authentication for Apple Account Decide if the device will be manually configured, configured using an application like Apple Configurator 2 on a Mac, or using Mobile Device Management (MDM)
Before the device is used	Threat responses are focused on physical security attacks and setup is performed before network connections are made. Place the phone in a protective case and add a screen protector Consider unique markings for the phone and charger Store the phone in a physically-safe location Defer network, cellular, and Apple Account setup Configure device locking Configure passcode, FaceID, TouchID Enable Lockdown Mode Configure locked access, including turning off locked access for USB devices Uninstall unneeded applications
Before network connection	Threat responses are focused on network-based attacks and appropriate network configuration. Select appropriate networks and cellular providers Configure network settings and enable private network addresses Enable secure DNS, such as Cloudflare's 1.1.1.1 Set up VPN, if a dedicated application is not required by the VPN provider
Before applications are used	Threat responses are focused on application-based attacks and application management. Configure automatic OS updates Configure automatic application updates Set up VPN, if a dedicated application is required by the VPN provider Install secure app alternatives such as Signal and Protonmail Configure apps for security (tracking, location, data, contacts, hardware) Disable unneeded features (possibly Handoff, AirDrop, Continuity Camera) Configure advertising, Siri, Apple Intelligence, iCloud storage and access Set up a password manager, such as 1Password
Before the device leaves physical control	Threat responses are focused on latent data and lifecycle management. Encrypt backups Configure Advanced Data Protection Configure Stolen Device Protection Configure Find My iPhone Prepare an incident response plan: Review cloud data permissions, network credentials, cloud data Change account passwords Safety Check for an emergency stop to sharing Secure device disposal for repurposed, sold, or disused devices Remote device wipe for stolen or lost devices
Before excess time passes	Threat responses are focused on undetected compliance issues and audits. Procedure for ongoing devices, user accounts, networks, and data audits with human review and automated tools Configure Screen Time Configure App Privacy Report Integrate tools like Mobile Verification Toolkit (MVT) for spyware detection Subscribe to vendor security announcements to become aware of new security releases Take Apple threat notification seriously, if you receive one

Tradeoffs

Regulatory requirements may compel companies and professional users to take a conservative approach that favors security. However, the individual user has greater flexibility and might favor functionality over security. In considering the various controls and decision points in implementing iOS 18, I generated this list of tradeoffs that can be considered when choosing which controls are appropriate:

Device model: What type of iPhone should the user have? Different iPhone models have different capabilities. For example, some iPhones support TouchID while others support FaceID. Newer devices generally integrate more and enhanced security features compared to older devices. SecurityWeek reported that newer iPhones will receive at least 5 years of security updates. It may be necessary to compare iPhone models to identify optimal functionality vs cost.
Where to buy: iPhone devices are available from Apple, authorized Apple resellers, and many other potential sources. Devices are recognized to be most capable of security when obtained from legitimate sources. Cost and availability may be a factor.
Biometric features: Some iPhone devices support TouchID, which allows an authorized fingerprint to unlock the phone, and some devices support FaceID, which allows an authorized face to unlock the phone. TouchID and FaceID can be helpful ways to avoid entering your password when unlocking your device in public settings. The tradeoff is that in the United States, several legal cases (including Katelin Seo v. State of Indiana) have considered whether you can be compelled to provide your device password or unlock your phone with face or fingerprint, and the situation is evolving.
Location-tracking features: The iPhone's location-tracking features allow optimized user experiences when navigating with the Maps app, as well as the location of lost devices using the Find My Phone app. When location tracking features are enabled, care may be needed to decide who can access location data. In a data breach, sensitive location information about where you live or the places you go could be exposed.
Siri: Siri is Apple's digital assistant technology. While it is possible to interact with Siri by keyboard, many users interact with Siri by voice. Siri can help with scheduling, answer lookups, and initiate app actions like sending text messages. Since Siri listens for voice activation, some users have raised concerns about accidental activation, the recording of private conversations, and who may have access to Siri data.
Apple Intelligence: New in iOS 18, Apple Intelligence adds artificial intelligence (AI) features to the iPhone for personalization. While these features are designed for privacy with on-device processing, some users may have general concerns about artificial intelligence or the newness of these features.
Continuity features: Apple provides Continuity features, allowing you to move and transmit data seamlessly between your devices as you work. These features include AirDrop, Handoff, and iPhone Mirroring. Some users do not have other Apple devices — just an iPhone — and in this case, the features may be of no or less use and can be disabled. Other users should evaluate whether the features are needed.
Advanced Data Protection: By default, when your data is stored encrypted in iCloud, the encryption keys reside in an Apple data center. Apple's access to the encryption keys allows them to assist with data recovery. With the Advanced Data Protection feature, you retain your encryption keys and are responsible for any data recovery.
iCloud storage: Many iOS applications, including Photos, Notes, and Passwords, are designed to store or sync data to iCloud. This behavior is configurable. iCloud storage is part of some people's backup strategy, while others choose not to place their data on iCloud. Accessing iCloud data from other computers via a web browser is also configurable.

Conclusion

While implementing controls as an individual user on iOS 18 was initially challenging, I hope this paper provides helpful information for others on that journey. Remember to right-size and right-time your controls based on your threat model and needs.

License

This first release was made on 2025-01-08.