
iPhone security checklist 2026 — everything to check, in order

A prioritized checklist of the security and privacy settings on your iPhone that actually matter, as of iOS 26. No filler, no theory: just what to check, where to find it, and why it matters. Work through it top to bottom; the items are ordered by impact so you get the biggest wins first.

By Casper's Cloak Security Team

The short version: most iPhones have excellent default security, but Apple ships dozens of privacy and security settings that are off by default, buried three menus deep, or set to the less-private option out of convenience. This checklist covers the ones with the biggest impact. If your time is limited, the first five items in the Authentication section deliver the majority of the security value. If you want to be thorough, work through all 18 items; going by the per-item estimates in the table below, the whole process takes about an hour. For broader prevention strategies beyond iPhone-specific settings, see our guide on how to make your iPhone more secure in 2026.

Quick-reference summary

Before the detailed walkthrough, here's the complete checklist at a glance with priority ratings. Use this as a quick reference after you've gone through the detailed version once.

 #  Item                                          Category        Priority  Time
 1  Strong alphanumeric passcode                  Authentication  Critical  2 min
 2  Face ID / Touch ID enabled                    Authentication  Critical  3 min
 3  Apple ID two-factor authentication            Authentication  Critical  5 min
 4  Stolen Device Protection                      Authentication  Critical  1 min
 5  Auto-lock to 30 seconds or 1 minute           Authentication  High      30 sec
 6  App Tracking Transparency: deny all           Privacy         High      1 min
 7  Location Services audit                       Privacy         High      5 min
 8  Disable analytics sharing                     Privacy         Medium    1 min
 9  Sensitive permissions review                  Privacy         High      5 min
10  Advanced Data Protection for iCloud           iCloud          Critical  5 min
11  Find My iPhone enabled                        iCloud          Critical  1 min
12  Recovery contacts and recovery key            iCloud          High      5 min
13  VPN or DNS filtering enabled                  Network         High      5 min
14  Disable auto-join for unknown Wi-Fi           Network         Medium    1 min
15  iCloud Private Relay (if iCloud+ subscriber)  Network         Medium    1 min
16  Review installed apps and delete unused       Apps            Medium    10 min
17  Check for unknown configuration profiles      Apps            Critical  1 min
18  Automatic updates enabled                     Apps            High      1 min

Now let's walk through each item in detail — what to do, exactly where to find the setting, and why it matters.

Authentication (items 1–5)

Authentication is the front door. If an attacker can unlock your phone or access your Apple ID, every other setting is irrelevant — they have everything. These five items secure that front door.

1. Set a strong alphanumeric passcode

Where: Settings, then Face ID & Passcode (or Touch ID & Passcode), then Change Passcode. Tap "Passcode Options" and choose "Custom Alphanumeric Code."

Why: a 4-digit passcode has 10,000 combinations; a 6-digit code has 1,000,000. What keeps those small keyspaces from being trivial is that the passcode is entangled with a device-unique key inside the Secure Enclave, so every guess has to be tried on the phone itself at a hardware-limited rate (Apple calibrates the derivation to roughly 80 ms per attempt), and the lock screen adds escalating delays after the fifth failure. Against forensic tools that bypass the lock-screen delays, that still only buys minutes for four digits and on the order of a day for six. An alphanumeric code of 8 or more characters drawn from letters, digits and symbols has a keyspace in the hundreds of trillions, which at the same per-guess rate works out to centuries. Since you use Face ID or Touch ID for daily unlocking, the passcode is rarely typed, so a longer, stronger one doesn't slow you down. While you're on this screen, consider the "Erase Data" toggle at the bottom, which wipes the phone after 10 consecutive failed passcode attempts; it's a strong safeguard, but only sensible if you have current backups and nobody (a toddler, for instance) is likely to trigger it by accident.

What to avoid: anything guessable — your birthday, phone number, 000000, 123456, or repeated digits. If someone who knows you could guess it in 10 tries, it's not strong enough. GrayKey and Cellebrite devices used by law enforcement and sophisticated attackers exploit weak passcodes; a strong alphanumeric code makes their job orders of magnitude harder.
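Here is the arithmetic behind the claims above, carried a little further than the text does. This is an added example written for this checklist, not Apple code and not a measurement: it compares worst-case exhaustion time for three passcode styles under two attacker models, one that guesses through the lock screen with Apple's delay schedule honoured (1 minute after the 5th failure, 5 after the 6th, 15 after the 7th and 8th, 1 hour after the 9th and each later one) and one that bypasses those delays and is limited only by the Secure Enclave. The 80 ms per guess and the 70-symbol alphabet for alphanumeric codes are assumptions.

```python
# Added example (not from the original checklist, not Apple code): worst-case
# time to exhaust an iPhone passcode keyspace under two attacker models.
# Assumptions: ~80 ms per guess for the Secure Enclave's key derivation
# (Apple's documented calibration target, not measured here) and a
# 70-symbol alphabet for alphanumeric codes.
from dataclasses import dataclass

SEP_SECONDS_PER_GUESS = 0.08  # assumption: one passcode-to-key derivation


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int  # distinct symbols the user may choose from
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length


def lockout_after(attempt: int) -> int:
    """Seconds the lock screen makes you wait after the given failed attempt:
    none for 1-4, 1 min after the 5th, 5 min after the 6th, 15 min after the
    7th and 8th, 1 hour after the 9th and every later one."""
    if attempt <= 4:
        return 0
    if attempt == 5:
        return 60
    if attempt == 6:
        return 5 * 60
    if attempt <= 8:
        return 15 * 60
    return 60 * 60


def hardware_floor_seconds(policy: PasscodePolicy) -> float:
    """Tool that bypasses the lock-screen delays: only the Secure Enclave cost remains."""
    return policy.keyspace * SEP_SECONDS_PER_GUESS


def lock_screen_seconds(policy: PasscodePolicy, erase_after_10: bool = False) -> float:
    """Guessing through the UI with the delays honoured. With Erase Data on,
    the tenth wrong guess wipes the phone, so at most ten guesses exist."""
    guesses = min(policy.keyspace, 10) if erase_after_10 else policy.keyspace
    failed = guesses - 1  # the final guess either succeeds or triggers the wipe
    delays = sum(lockout_after(i) for i in range(1, min(failed, 9) + 1))
    delays += max(0, failed - 9) * 3600  # every failure past the ninth costs an hour
    return delays + guesses * SEP_SECONDS_PER_GUESS


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


POLICIES = [
    PasscodePolicy("4-digit PIN", 10, 4),
    PasscodePolicy("6-digit PIN", 10, 6),
    PasscodePolicy("8-char alphanumeric", 70, 8),  # assumption: ~70 usable symbols
]

if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p.name:20}  keyspace {p.keyspace:>18,}  "
              f"lock screen {human(lock_screen_seconds(p)):>14}  "
              f"erase-on-10 {human(lock_screen_seconds(p, True)):>12}  "
              f"hardware floor {human(hardware_floor_seconds(p))}")
```

The table it prints is the point: through the lock screen even a 4-digit PIN takes over a year to exhaust, which is why attackers either shoulder-surf the code (item 4) or use tools that sidestep the delays; against those tools, only the keyspace and the Secure Enclave's per-guess cost remain, and only the alphanumeric code survives that.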

2. Enable Face ID / Touch ID

Where: Settings, then Face ID & Passcode. Ensure Face ID is set up for iPhone Unlock, Wallet & Apple Pay, iTunes & App Store, Password AutoFill, and any other available options. On the same screen, leave "Require Attention for Face ID" on so the phone will not unlock unless your eyes are open and looking at it.

Why: biometric authentication does two things. First, it makes unlocking fast enough that you won't be tempted to weaken your passcode for convenience. Second, it lets the phone demand your physical presence for sensitive operations. Be clear about the limits, though: Face ID and Touch ID sit on top of the passcode, not in place of it. After a restart, after 48 hours without an unlock, or after five failed biometric attempts, the phone falls back to the passcode, and on its own the passcode can do everything biometrics can. A passcode can be shoulder-surfed and replayed; a face or fingerprint practically cannot. Closing the gap where a stolen passcode is enough is exactly what item 4 does.

3. Verify Apple ID two-factor authentication is on

Where: Settings, then your name at the top, then Sign-In & Security, then Two-Factor Authentication.

Why: your Apple ID (labelled Apple Account in recent versions of Settings) controls iCloud backups, Find My iPhone, iMessage, FaceTime, App Store purchases, and potentially your email. If an attacker compromises the account without 2FA, they can remotely wipe your device, read your iCloud-synced messages, download your photos, and lock you out. With 2FA enabled they also need a code from one of your trusted devices, a dramatically higher bar. Apple requires 2FA on most new accounts, but older accounts may still have it off. Check. While you're there, review the trusted phone number on the same screen: Apple can fall back to sending the code by SMS or voice call to that number, so it must be a number you still control (SIM-swap attacks target exactly this fallback).

4. Enable Stolen Device Protection

Where: Settings, then Face ID & Passcode, then scroll down to Stolen Device Protection, then turn it on.

Why: this feature, introduced in iOS 17.3, addresses a specific attack pattern: someone watches you type your passcode (shoulder surfing at a bar, for example), then steals the phone. Without Stolen Device Protection, that passcode is enough to change your Apple ID password, turn off Find My, and lock you out of your own account for good. With it enabled, sensitive operations (changing the Apple ID password, turning off Find My, adding or changing Face ID, viewing saved passwords, turning the feature itself off) require Face ID or Touch ID with no passcode fallback, and the most damaging ones also require a one-hour security delay followed by a second biometric check when you're away from familiar locations such as home and work. Since iOS 17.4 you can set "Require Security Delay" to "Always" instead of only away from familiar locations; do that unless the delay genuinely gets in your way, because the bar you visit every Friday may well count as a familiar location. Apple built this in direct response to a wave of reported "watch the passcode, steal the phone, take over the account" cases.

5. Set Auto-Lock to 30 seconds or 1 minute

Where: Settings, then Display & Brightness, then Auto-Lock.

Why: a shorter auto-lock window reduces the time your phone sits unlocked and unattended. Set it down on a table and walk away: with a 30-second auto-lock the window for someone to use it is half a minute; at 5 minutes it's an eternity. The convenience trade-off is minimal because Face ID makes re-unlocking instant. Note that Auto-Lock only controls when the screen locks; the separate "Require Passcode" setting under Face ID & Passcode controls how soon authentication is needed after that, and with Face ID enabled it is fixed at "Immediately", which is what you want.
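Items 1 and 5 can be enforced rather than merely set. As an added example, not part of the original checklist and not Apple's own tooling, the following Python script builds a configuration profile using Apple's documented passcode-policy payload: it refuses any passcode shorter than 8 alphanumeric characters, caps Auto-Lock at 1 minute, and wipes the phone after 10 failed attempts. AirDrop or email the resulting file to the phone and approve it under Settings, then General, then VPN & Device Management. The payload type and keys are Apple's; the identifiers, display names and output file name are this example's own choices.

```python
# Added example (not from the original checklist): build a configuration
# profile that enforces an 8+ character alphanumeric passcode, a 1-minute
# Auto-Lock cap and a wipe after 10 failed attempts. The payload type and
# keys are Apple's documented passcode-policy payload; the identifiers,
# display names and output file name are this example's own choices.
import plistlib
import uuid


def build_passcode_profile(min_length: int = 8, auto_lock_minutes: int = 1,
                           max_failed_attempts: int = 10) -> dict:
    """Return the profile as a plist-compatible dict (top-level 'Configuration'
    wrapping one passcode-policy payload)."""
    passcode_payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.hardening.passcode",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                    # a passcode must exist at all
        "allowSimple": False,                # rejects 1234, 1111, ascending runs
        "requireAlphanumeric": True,         # at least one letter and one digit
        "minLength": min_length,
        "maxInactivity": auto_lock_minutes,  # longest Auto-Lock the user may pick
        "maxGracePeriod": 0,                 # passcode required immediately on lock
        "maxFailedAttempts": max_failed_attempts,  # device erases past this count
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.hardening",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iPhone hardening: passcode",
        "PayloadDescription": (f"Requires a {min_length}+ character alphanumeric passcode "
                               f"and caps Auto-Lock at {auto_lock_minutes} minute(s)."),
        "PayloadContent": [passcode_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize as the XML plist that iOS expects in a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_mobileconfig(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig back into a dict (round-trip check)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_passcode_profile()
    with open("hardening-passcode.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(profile))
    print("wrote hardening-passcode.mobileconfig with",
          len(profile["PayloadContent"]), "payload")
```

Because the profile is unsigned, iOS shows it as "Not Verified" in red during installation; that's expected for a file you made yourself, and the same indicator is one of the cues you'll use in item 17. On a personal (unsupervised) phone you can remove the profile whenever you like, so treat it as a guardrail against drifting back to a weak passcode rather than a lock. The user can still choose a shorter Auto-Lock than the cap, just not a longer one.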

Privacy settings (items 6–9)

These settings control what data apps and Apple itself can collect from your device. They don't prevent hacking directly, but they reduce the data available for profiling, social engineering, and targeted attacks.

6. App Tracking Transparency — deny all tracking

Where: Settings, then Privacy & Security, then Tracking. Turn off "Allow Apps to Request to Track" to silently deny all tracking requests — apps won't even show you the prompt.

Why: with "Allow Apps to Request to Track" off, any app that asks for your IDFA (Identifier for Advertisers) for cross-app tracking is denied automatically. This doesn't stop all tracking; apps can still use fingerprinting and server-side attribution, but it removes the easy, reliable cross-app identifier the advertising industry relied on. Turning it fully off rather than leaving it at "Ask" (which shows a prompt per app) is simpler and ensures you never accidentally tap "Allow."

7. Audit Location Services

Where: Settings, then Privacy & Security, then Location Services. Review every app in the list.

What to do: for each app, choose the minimum access it needs. Most apps should be "While Using the App" or "Never." Very few apps legitimately need "Always": navigation (Google Maps, Waze), fitness trackers, and Find My are the main exceptions. For apps that only need a rough area, such as weather or news, also turn off "Precise Location" so they receive an approximate position rather than your exact coordinates. Scroll to the bottom and tap "System Services," then disable "iPhone Analytics," "Routing & Traffic," "Improve Maps," and "Significant Locations" (which keeps a history of the places you visit often). Keep "Find My iPhone," "Emergency Calls & SOS," and "Setting Time Zone" on.

Why: location data is extraordinarily sensitive. It reveals where you live, work, worship, who you visit, whether you've been to a doctor or lawyer, and your daily patterns. Apps with "Always" location access can track you continuously and sell that data to data brokers. Restricting to "While Using" means the app only gets your location when you're actively looking at it.

8. Disable analytics and advertising data sharing

Where: Settings, then Privacy & Security, then Analytics & Improvements. Turn off every toggle: "Share iPhone Analytics," "Improve Siri & Dictation," "Share iCloud Analytics," and "Improve Assistive Voice Features." Then go to Settings, then Privacy & Security, then Apple Advertising, and turn off "Personalized Ads."

Why: these toggles control whether Apple receives diagnostic and usage data from your device. While Apple's data practices are better than most, the privacy-maximizing choice is to share nothing. Disabling "Personalized Ads" means Apple's own ad network (in the App Store and Apple News) won't use your data for ad targeting. None of these affect your phone's functionality.

9. Review sensitive permissions (camera, microphone, contacts, photos)

Where: Settings, then Privacy & Security. Tap into each category: Camera, Microphone, Contacts, Photos, Calendars, Reminders, Bluetooth, and Local Network.

What to do: for each permission, ask yourself: "Does this app need this to do what I use it for?" A social media app may reasonably need camera access for posting photos. A weather app does not need your contacts. For Photos, choose "Limited Access" (called "Selected Photos" on older versions; Apple introduced limited photo access in iOS 14) instead of "Full Access" whenever possible: you grant the app specific photos without exposing your entire library. Since iOS 18 the same applies to Contacts, where you can share only selected contacts. Revoke anything that doesn't make sense. Pay special attention to "Local Network": many apps request it to discover devices on your Wi-Fi, but it also lets them enumerate and fingerprint your home network. Deny it unless the app controls smart-home devices or genuinely needs local discovery (casting to a TV, a printer app).

iCloud security (items 10–12)

iCloud holds your backups, photos, messages, passwords, health data, and more. Securing it is as important as securing the phone itself — because iCloud data can be accessed from any device with your Apple ID credentials.

10. Enable Advanced Data Protection for iCloud

Where: Settings, then your name, then iCloud, then Advanced Data Protection. Follow the setup flow.

Why: by default, Apple holds the encryption keys for most of your iCloud data, which means Apple can decrypt it when served with a legal request and it could be exposed by a compromise of Apple's infrastructure. Advanced Data Protection switches iCloud Backup, iCloud Drive, Photos, Notes, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts, Wallet Passes, Freeform and more to end-to-end encryption: only your trusted devices hold the keys, and not even Apple can read the data. This is the single most important iCloud security setting. Three practical points before you turn it on. You must have a recovery contact or recovery key in place first (item 12), because with ADP, losing every trusted device and the recovery path means the data is gone and Apple cannot help. Every device signed in to the account must be on a recent enough OS version, and the setup flow will make you sign out of any that aren't. And ADP is not offered everywhere: Apple withdrew it for new users in the UK in early 2025, so if the option is missing from your iCloud settings, that may be why.

What's still not covered: iCloud Mail, Contacts, and Calendars are not end-to-end encrypted even with ADP, because they need to interoperate with non-Apple email/calendar protocols. Apple's official security guide documents exactly which data categories are covered.

11. Verify Find My iPhone is enabled

Where: Settings, then your name, then Find My, then Find My iPhone. Ensure "Find My iPhone," "Find My network," and "Send Last Location" are all on.

Why: if your phone is lost or stolen, Find My lets you locate it, play a sound, mark it as lost (which locks it and displays a message), or erase it remotely. "Send Last Location" sends the phone's position to Apple when the battery gets critically low, so you have a last-known location even after it dies. "Find My network" uses Bluetooth beacons picked up by nearby Apple devices to locate the phone even when it's offline or powered down. Just as important, having Find My iPhone on enables Activation Lock: the phone cannot be erased and set up again without your Apple ID password, which is what makes a stolen iPhone close to worthless to resell. And if the phone is unrecoverable, the remote erase protects your data.

12. Set up account recovery contacts and a recovery key

Where: Settings, then your name, then Sign-In & Security, then Account Recovery. Add at least one recovery contact (a trusted family member or friend with an Apple device). Optionally, also generate a Recovery Key.

Why: with Advanced Data Protection enabled, losing access to all your trusted devices would mean losing your data permanently, unless you have a recovery path. A recovery contact can confirm your identity if you need to regain access. A recovery key is a 28-character code you store offline (printed, not in a note on your phone) that can unlock your account as a last resort. Set up at least one recovery contact; the recovery key is belt-and-suspenders if you want the extra safety net. Understand what the key changes, though: once you generate one, Apple's standard account recovery process is switched off for your account, so if you lose the key and every trusted device, nobody can get you back in. Treat it like a backup seed phrase and store it somewhere safe that isn't the phone it protects.

Network protection (items 13–15)

Your phone is constantly connected to networks — cellular, WiFi, sometimes both. Network-level protection ensures that the connection itself doesn't become the attack vector.

13. Use a VPN or DNS filtering service

Where: install a filtering app from the App Store (Casper's Cloak, AdGuard), or set up NextDNS, which offers both an app and an encrypted-DNS configuration profile. Approve the VPN or DNS profile when prompted; it will then appear under Settings, then General, then VPN & Device Management, the same screen you'll audit in item 17.

Why: the two options do different things, and it pays to know which one you have. A full-tunnel VPN encrypts everything between your phone and the VPN provider, so a public Wi-Fi operator or a rogue hotspot sees only an encrypted stream (the VPN provider, of course, now sees what the hotspot would have). A DNS-filtering app typically installs a local VPN profile or an encrypted-DNS profile: it protects and filters only name lookups, blocking phishing sites, malware command-and-control domains, and trackers before a connection is ever made, but it does not hide the rest of your traffic from the network. Either way the protection applies to every app, which makes it the network-side counterpart of the permission restrictions you set above. Casper's Cloak adds AI threat detection that catches zero-day phishing domains not yet on blocklists, plus tracker blocking that covers approximately 50,000 known tracker endpoints.

14. Disable auto-join for unknown WiFi networks

Where: Settings, then Wi-Fi, then "Ask to Join Networks": set it to "Ask" or "Off." Neither setting joins an unknown network without you choosing it; "Ask" merely prompts you when no known network is around. Then, for every saved public network (coffee shops, airports, hotels), tap the info icon and turn off "Auto-Join," or simply tap "Forget This Network." While you're on that per-network screen, leave "Private Wi-Fi Address" on so the phone presents a randomized MAC address to each network instead of its hardware one.

Why: your iPhone remembers Wi-Fi networks it has joined and reconnects automatically when it sees the same name again. For open (passwordless) networks that match is on the network name alone, which is what evil-twin attacks exploit: a rogue hotspot called "Starbucks WiFi" or "Airport Free WiFi" is joined automatically because a network with that name was joined before (for a password-protected network the attacker would also need the password). Once connected, the attacker controls your DNS, can serve a fake captive portal that phishes for credentials, and can observe whatever traffic isn't protected by TLS. Turning off auto-join for public networks forces a conscious choice every time.

15. Enable iCloud Private Relay (iCloud+ subscribers)

Where: Settings, then your name, then iCloud, then Private Relay. Turn it on.

Why: Private Relay routes Safari browsing, all DNS queries, and unencrypted HTTP traffic from apps through a two-hop relay: Apple's ingress relay sees your IP address but not the site you're visiting, and a partner's egress relay sees the site but not your IP. Websites therefore see a relay address from your rough region instead of your real IP, which removes a strong tracking signal. It does not cover encrypted traffic from other browsers or from apps. If you also run a VPN (item 13), traffic that goes through the VPN tunnel bypasses Private Relay, so don't assume both apply to the same connection; decide which threat model you care about for a given network and expect the VPN to take precedence while it's connected.

App hygiene (items 16–18)

Every app on your phone is a potential attack surface. Reducing the number of installed apps and keeping them updated minimizes that surface.

16. Review installed apps and delete what you don't use

Where: Settings, then General, then iPhone Storage. This lists every app sorted by size, with the last-used date.

What to do: scroll through and delete any app you haven't used in 3+ months. Every installed app has potential access to whatever permissions you granted it, may contain vulnerabilities that get exploited before they're patched, and runs background processes that can be used for tracking. Fewer apps means fewer potential attack vectors. If you need an app again later, you can always re-download it from the App Store.

17. Check for unknown configuration profiles

Where: Settings, then General, then VPN & Device Management. Anything listed under "Configuration Profile" or "Mobile Device Management" is a profile; if the screen shows nothing besides the VPN section, you have none installed, which is normal for a personal phone. Also check Settings, then General, then About: a line near the top reading "This iPhone is supervised and managed by ..." means an organization has management control over the device, normal for a work phone and a red flag for a personal one.

Why: configuration profiles can modify deep system settings: installing trusted root certificates (which lets the installer intercept TLS traffic from every app), changing DNS, configuring VPN or Wi-Fi, applying restrictions, or enrolling the phone in remote management. Legitimate uses include corporate device management (MDM), carrier settings, and some VPN/DNS apps. A profile from a real vendor is signed and shows "Verified" in green; an unsigned one shows "Not Verified" in red. If you see a profile you don't recognize and didn't install, that's a serious red flag: stalkerware and some scam "free VPN" apps use configuration profiles to establish persistence on iOS. If you find one you can't account for, tap it and remove it (removing an MDM profile also removes any apps and accounts it installed, which is the point). If the profile refuses removal or demands a password you don't know, back up your data and erase the phone.

18. Enable automatic app and OS updates

Where: for the OS: Settings, then General, then Software Update, then Automatic Updates — turn on all toggles (Download iOS Updates, Install iOS Updates, Security Responses & System Files). For apps: Settings, then App Store, then enable "App Updates."

Why: most real-world exploitation targets vulnerabilities that already have a patch available, so the window between Apple publishing a fix and you installing it is the exposure that matters. Automatic updates close that window without you having to think about it. The "Security Responses & System Files" toggle covers the smaller out-of-band patches Apple pushes between full releases; those most often address vulnerabilities under active exploitation, so make sure it's on. One caveat: iOS installs automatic updates overnight only while the phone is locked, charging, and on Wi-Fi, so a phone that's never charged overnight can lag behind. When you hear about an actively exploited bug, open Software Update and check yourself.

How often to re-check this list

Most of these settings are set-once-and-forget. But three categories need periodic review:

  1. App permissions (items 7 and 9): review quarterly. New apps you install get permissions; apps you already have may request additional permissions after updates. A 5-minute quarterly review catches permission creep.
  2. Installed apps (item 16): review quarterly. Delete apps you've stopped using. Fewer apps, smaller attack surface.
  3. Passwords (not on this list, but related): open the Passwords app (iOS 18 and later; Settings, then Passwords on older versions) and check its Security section after any major data breach you hear about. iCloud Keychain alerts you to reused, weak, and compromised credentials; fix them immediately when flagged.

The rest, passcode, 2FA, Advanced Data Protection, auto-updates, stay configured once set. If Apple changes a default in a major iOS release, they typically highlight it during the update flow. We'll update this checklist when the next major iOS release ships with any new settings that matter.

Bottom line

iPhones have strong default security, but the difference between default and hardened is significant. The 18 items on this checklist, prioritized and ordered by impact, take about an hour to work through. The first five (authentication) deliver the majority of the security value. Advanced Data Protection (item 10) is the single biggest iCloud security upgrade most people haven't enabled. Network-level protection (item 13) adds a defense layer that works across every app. And regular permission audits (items 7, 9, 16) prevent the slow accumulation of unnecessary data access that apps quietly request over time. One setting not on this list is Lockdown Mode (Settings, then Privacy & Security, then Lockdown Mode): it trades real functionality for resistance to mercenary spyware, and is worth turning on only if you are a journalist, activist, executive, or otherwise a plausible target of that kind of attack.

Bookmark this page and revisit it quarterly for the permission and app reviews. Forward it to the family members who ask you for tech help — the instructions are specific enough that anyone can follow them without further explanation.

Add network-level protection to your iPhone

Item 13 on the checklist: Casper's Cloak runs as a system VPN profile on iOS, filtering DNS lookups for every app. Ad blocking, tracker blocking, AI-powered phishing detection, and encrypted traffic on every network.