Harden your iPhone instead of switching

1 · Apple account & iCloud

The Apple account is the biggest lever – this is where most of the effort pays off. Work through the items at your own pace; you don't have to change everything at once, and every checkmark already gets you a step further.

• Enable Advanced Data Protection (ADP): Settings → [Name] → iCloud → Advanced Data Protection. This brings end-to-end encryption to backups, photos, notes, reminders, Safari history, Wallet and much more.
• Turn on iCloud Private Relay – part of iCloud+ (already included in the 50 GB plan for about €0.99/month). It routes your Safari traffic through two separate relays, so that no one – not even Apple – sees your IP and the destination domain at the same time. It applies only to Safari; it's redundant when a VPN is active; and it's unavailable if iCloud is completely turned off.
• "Hide My Email": also included in iCloud+ – it generates random throwaway addresses that forward to your real inbox. Good for not revealing your real address when signing up for things.
• Slim down iCloud sync: keep only the services you really need.
• Maximal variant – turn iCloud off completely (optional): If you don't want to store any data with Apple at all, disable iCloud completely ([Name] → iCloud → all services off) and in particular turn off iCloud Backup ([Name] → iCloud → iCloud Backup → off). Then also don't sync Photos, Contacts, Calendars, Notes & iCloud Drive to the cloud.
• Instead, back up locally & encrypted: create backups via the Mac (Finder) or Windows and enable "Encrypt local backup" – that way the data stays only with you, including passwords and Health data. And remember: no backup = no mercy. 🙂
• "Find My" / "Find My iPhone": if you use iCloud, leave it enabled – it's needed for locating the device and the anti-theft wipe. Caution: if you turn iCloud off completely, "Find My" disappears entirely – then there's no more location tracking and no more remote erase.
• Two-factor with a hardware key: register at least 2 security keys (e.g. YubiKey) under [Name] → Sign-In & Security → Security Keys.
• Set Stolen Device Protection to "Always": Face ID & Passcode → Stolen Device Protection.

2 · Privacy & Security

Settings → Privacy & Security

• Allow Apps to Request to Track: OFF.
• Apple Advertising → Personalized Ads: OFF.
• Analytics & Improvements: all toggles off (iPhone Analytics, iCloud Analytics, Improve Siri & Dictation, Security Research, etc.).
• Sensor & usage data to Apple: off wherever possible.
• Turn on the App Privacy Report – it shows which apps communicate in the background.
• Enable Lockdown Mode if it's acceptable: it disables JIT in Safari, blocks 2G, only allows accessories when unlocked, and hardens memory protection. Lockdown + ADP is the configuration on iOS that comes closest to a hardened profile. → When do I need this? More on this below

Lockdown Mode – only when you really need it

Lockdown Mode is Apple's strongest protective feature – but it is not a default tip for everyone. It's specifically meant for people who have to reckon with sophisticated, targeted attacks.

Who is Lockdown for?

3 · Location Services

You don't have to sacrifice location entirely – usually it's enough to decide deliberately per app. Path: Privacy & Security → Location Services

• Turn it off entirely – or set each app to "Never" or "While Using" with Precise Location disabled.
• Go through System Services (at the very bottom) – switch off nearly everything: Significant Locations (OFF + delete entries), Routing & Traffic, location-based suggestions/ads, Device Management, iPhone Analytics.
• Leave "Find My iPhone" and "Emergency Calls & SOS" on.
• Enable the "Status Bar Icon" – it shows an arrow whenever a system service requests your location.

4 · Apple Intelligence, Siri & Dictation

This is about voice and AI features that are convenient but can carry data off the device. Whatever you don't need, you can switch off with peace of mind – you can always turn it back on later.

• Apple Intelligence completely OFF (Settings → Apple Intelligence & Siri). Even with "Private Cloud Compute," data leaves the device.
• Disable Siri completely – don't just limit it: "Hey Siri"/"Siri," the side button, lock-screen suggestions, app suggestions and "Intelligence while typing" all off. Siri is the bridge through which speech, requests and context leave the device – which is why you should switch it off entirely and consistently here.
• Dictation OFF (Keyboard → Dictation).
• Spotlight / Siri & Search: for each app, disable "Show in Search," "Show Suggestions" and "Suggest App Notifications."

5 · Wireless connections

Radio interfaces that are off can't give you away. Relax and turn off whatever you're not currently using – in everyday life you'll barely notice it.

• Bluetooth: off when not in use. In Control Center, don't just "temporarily disconnect" – the real switch is in Settings.
• AirDrop: Receiving OFF or "Contacts Only."
• AirPlay & Handoff: OFF.
• Personal Hotspot: OFF when not actively needed.
• Wi-Fi: off permanently if you work over cellular + VPN anyway. If on: set Private Wi-Fi Address → "Rotating" per network.
• NameDrop / sharing contacts: OFF.

6 · Cellular – the 5G question

Why?

• 2G is the biggest weakness: no network authentication, encryption that can be cracked in real time. IMSI catchers often force a downgrade to 2G.
• LTE/4G authenticates the network, but sends the IMSI in the clear before authentication – passive IMSI catchers remain possible.
• 5G SA (Standalone) is the only generation that transmits the subscriber identifier encrypted (SUCI instead of IMSI) – the first real privacy leap at the radio layer since GSM.
• 5G NSA (predominant in Germany today) uses the LTE control plane and doesn't yet offer this protection.

Concrete settings

Settings → Cellular → [SIM] → Voice & Data

• Choose 5G Auto (not "5G On" – battery). It uses SA where available.
• Data Roaming: OFF, except when traveling.
• VoLTE/VoNR: ON (otherwise calls fall back to 2G/3G with weak crypto).
• Wi-Fi Calling: OFF if Wi-Fi is disabled anyway.
• Block 2G/3G: iOS doesn't offer this as a toggle – only Lockdown Mode disables 2G. If IMSI catchers are a concern, Lockdown is the tool of choice.

7 · Safari (if used)

Only relevant if you actually use Safari – in which case a few switches already get you a lot.

• Prevent Cross-Site Tracking: ON.
• Hide IP Address from Trackers & Websites: ON.
• Advanced Tracking & Fingerprinting Protection: ON (for both private and normal browsing).
• Block Pop-ups & Fraudulent Website Warning: ON.
• Search engine: DuckDuckGo or Startpage.
• Clear History and Website Data regularly.

10 · Apps & permissions

The rule of thumb is relaxed: each app gets only what it really needs – everything else can happily stay off.

• Limit photo access per app to "Selected Photos" or "None."
• Microphone, camera, contacts, calendar, Bluetooth, local network: only grant what's actually needed.
• Background App Refresh: restrictive per app or off globally (General → Background App Refresh).
• App Store: turn off automatic downloads, require a passcode for in-app purchases.
• Push tokens: not disableable per app without MDM – rule of thumb: fewer apps = less token exposure.

11 · VPN (Always-On) & DNS

• Enable "On Demand" in the WireGuard configuration – the tunnel re-establishes itself automatically.
• For true Always-On ("no tunnel, no traffic," the equivalent of "Block connections without VPN" in GrapheneOS) you need a supervised device and a VPN payload in the profile – an advanced step you set up separately when needed. You build the rest of the managed setup (DNS, passcode policy, restrictions) with your Mac. → Step by step below
• Encrypted DNS: install a DNS profile (e.g. dnsforge.de) and check that it takes effect as the system DNS – not just over Wi-Fi. With WireGuard active, the tunnel DNS should win; verify with a DNS leak test in the browser. → Install the profiles directly below

11a · Install the dnsforge DNS profile for iOS

The most convenient path to encrypted, ad- and tracker-filtering DNS on the iPhone: a ready-made configuration profile from dnsforge.de. It applies system-wide (DoH/DoT), not just in the browser – no App Store, no extra app needed.

1) Get the profile from dnsforge.de

The ready-made iOS profiles are available directly from the provider. Open the iOS section there and pick a variant – each variant offers two profiles: DoH (HTTPS, the recommended default) or DoT (TLS, the alternative).

2) Install & activate the profile

Note: The profiles come directly from the provider dnsforge.de (servers in Germany, no logging). Only install configuration profiles from sources you trust.

11b · For pros with a Mac: "Managed Device" via Apple Configurator

If you have a Mac, you can set up your iPhone with Apple Configurator (free in the Mac App Store) as a supervised device and build your own configuration profile. This lets you enforce hardening instead of merely recommending it and bundle it cleanly into a single signed profile. This is the advanced route; for most people, steps 1–13 are enough.

What does this give you?

• Bundle several building blocks in one profile: DNS (dnsforge), passcode policy, restrictions and a mail account – signed and "all of a piece."
• Tougher restrictions become enforceable that, as a normal setting, would only be "recommended."
• Managed DNS that installed apps can't bypass or remove.

Step 1 – Prepare Configurator

Step 2 – Create the profile (sensible payloads)

In Apple Configurator: File → New Profile. Then configure only the areas ("payloads") you need:

Save or export it as iPhone_unsigned.mobileconfig – that's the still unsigned profile I'm about to sign.

Step 3 – Your provider's mail or ActiveSync account

Add a Mail payload (classic IMAP/SMTP) or an Exchange payload (Exchange ActiveSync) to the profile. Tip: leave the password field empty – then the iPhone asks for it once securely at install time, instead of storing it in the profile.

The username is usually the full email address. The current details in your provider's help are always authoritative. For Exchange ActiveSync (mail, calendar & contacts in one), enter the server, domain/user and SSL per your provider's documentation.

Step 4 – Sign the profile without an Apple Developer account

iOS shows an unsigned profile as "Not Verified." Signed with a trusted certificate, it shows up in green as "Verified." For this you do not need a paid Apple Developer account – a free European S/MIME certificate from Actalis is enough (valid for 1 year, one free certificate per email address).

brew install openssl@3

alias ossl=/opt/homebrew/opt/openssl@3/bin/openssl

# private key
ossl pkcs12 -in certificate_s_mime_mv.p12 -nocerts -nodes -out signer.key
# your own certificate
ossl pkcs12 -in certificate_s_mime_mv.p12 -clcerts -nokeys -out signer.crt
# CA chain (intermediate certificates)
ossl pkcs12 -in certificate_s_mime_mv.p12 -cacerts -nokeys -chain -out chain.pem

ossl x509 -in signer.crt -noout -subject -issuer -dates -ext extendedKeyUsage

plutil -lint iPhone_unsigned.mobileconfig

ossl smime -sign -in iPhone_unsigned.mobileconfig -out iPhone.mobileconfig \
  -signer signer.crt -inkey signer.key -certfile chain.pem -outform DER -nodetach

Step 5 – Install

Get the signed iPhone.mobileconfig onto the iPhone (via Apple Configurator, AirDrop or email to yourself), then install it under Settings → Profile Downloaded. It should now appear in green as "Verified."

14 · What is NOT achievable on iOS

• Per-app network blocking without configuration profiles/MDM.
• User-side verification of the boot chain.
• Sandbox control and Storage Scopes like under GrapheneOS.
• Complete removal of Apple telemetry – some endpoints can't be disabled. Here VPN + DNS blocklists that filter the relevant telemetry domains help.