iPhone Security Settings: The Complete Guide to Locking Down Your Device

By Sophia Taylor

iPhones have a well-earned reputation for security. Apple designs its devices with privacy in mind, and it shows. But here’s the thing: a lot of the most powerful protections Apple has built into iOS aren’t switched on by default.

Out of the box, your iPhone is configured for convenience. That means some settings that could significantly improve your security are sitting there, quietly turned off, waiting for you to find them.

This guide walks you through the most important iPhone security settings you should review right now — what they do, why they matter, and exactly how to turn them on.


Advanced Data Protection

Where to find it: Settings > [Your Name] > iCloud > Advanced Data Protection

iCloud backs up nearly everything on your iPhone — your photos, messages, notes, and more. By default, most of this data is encrypted, but Apple holds the keys, which means it could theoretically be accessed in response to a legal request or a breach.

Advanced Data Protection changes that. When you turn it on, your iCloud data becomes end-to-end encrypted. Only your trusted devices can decrypt it, and not even Apple can read it.

It’s one of the most impactful privacy upgrades you can make, and most people have never heard of it.

Before you enable it, you’ll need to:

  • Set up Two-Factor Authentication with your Apple Account.
  • Update iOS on all devices linked to your iCloud account.
  • Set up a recovery contact or recovery key (if you lose access, Apple can’t help you recover your data).

To enable Advanced Data Protection:

  1. Open the Settings app.
  2. Tap your name at the top.
  3. Tap iCloud.
  4. Scroll down and tap Advanced Data Protection.
  5. Follow the prompts to set up account recovery, then toggle it on.

Fig 1. Turning on Advanced Data Protection.

💡 Pro Tip: Once Advanced Data Protection is active, spyware tools that work by accessing your iCloud account remotely — like some versions of mSpy and Highster — won’t be able to read your data, even if they have your Apple Account credentials. It’s a powerful counter to cloud-based surveillance.

Stolen Device Protection

Where to find it: Settings > Face ID & Passcode > Stolen Device Protection

Introduced in iOS 17.3, Stolen Device Protection was Apple’s response to a growing wave of iPhone thefts, where criminals would first observe victims entering their passcode before snatching the device.

With the passcode in hand, a thief could reset the Apple Account password, turn off Find My, and drain the victim’s Apple Wallet — all in minutes.

Stolen Device Protection makes that much harder.

When it’s enabled and your iPhone is away from familiar locations (like home or work), it does two things:

  • Biometric-only actions: Sensitive tasks like viewing saved passwords, changing your Apple Account email, or accessing stored payment cards require Face ID or Touch ID. There’s no passcode fallback.
  • Security delay: For the most critical changes, like turning off Find My or changing your Apple Account password, there’s a mandatory one-hour delay followed by a second biometric check. This gives you time to mark your device as lost before a thief can fully take over.

To enable Stolen Device Protection:

  1. Open the Settings app.
  2. Tap Face ID & Passcode.
  3. Enter your passcode.
  4. Scroll down to Stolen Device Protection and toggle it on.

Fig 2. Turning on Stolen Device Protection and enabling Always for the Security Delay.

It’s worth enabling the “Always” option for the security delay — not just “Away from Familiar Locations” — if you want maximum protection. This ensures the delay applies everywhere, not just when you’re out of your usual spots.

Wired Accessories

Where to find it: Settings > Privacy & Security > Wired Accessories

This one sounds technical, but the concept is simple: when you plug your iPhone into a computer or a USB port you don’t control, that connection can do more than just charge your phone. It can also transfer data.

“Juice jacking” is the term for attacks that exploit public USB charging ports — in airports, hotels, or coffee shops — to silently access or infect your device while it charges.

Apple’s Wired Accessories setting controls exactly when your iPhone allows a USB connection to exchange data. Setting it to Ask for New Accessories (or Always Ask) means your iPhone will prompt you before allowing any new device to connect, even if the phone is unlocked.

To configure this:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Scroll down to Wired Accessories.
  4. Select Ask for New Accessories or Always Ask.

Note: These options are only available if your iPhone has a USB-C connector (iPhone 15 or newer). If you have an older iPhone with a Lightning connector, the most secure option is Automatically Allow When Unlocked.

Fig 3. Changing the Wired Accessories settings.

This setting was originally created to block forensic tools that attempted to brute-force iPhone passcodes through the charging port — and in 2025, Apple patched a vulnerability that allowed sophisticated attackers to temporarily bypass it.

That’s a reminder that even Apple’s best protections can have gaps, and keeping this setting as restrictive as possible is the smart move.

💡 Pro Tip: If you frequently use your own USB accessories like a keyboard or charging dock, setting this to Ask for New Accessories rather than Always Ask is a good balance. This way, your known devices won’t need re-approval every time, but anything new still gets challenged.

App Privacy Report

Where to find it: Settings > Privacy & Security > App Privacy Report

Most people have no idea what their apps are actually doing in the background. App Privacy Report changes that.

Once turned on, it keeps a detailed log of every time an app accesses sensitive permissions — your camera, microphone, location, contacts, photos, or media library. It also shows a breakdown of each app’s network activity, including the domains it contacts most frequently.

This matters more than you might think. App Privacy Report can help you spot two distinct problems: legitimate apps that are quietly collecting far more data than they need to, and — in more serious cases — confirming the presence of spyware.

From the scans we’ve carried out at Certo, tools like mSpy, FlexiSpy, and Hoverwatch are among the most commonly detected threats on compromised devices. If something like that is running on your phone, App Privacy Report may be the first place you notice unusual permission use or unexpected network activity.

To enable App Privacy Report:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Scroll down and tap App Privacy Report.
  4. Tap Turn On App Privacy Report.

Fig 4. Turning on App Privacy Report.

Give it a few days to build up data, then review which apps are accessing what. If a weather app is regularly accessing your microphone or camera, that’s a red flag worth acting on.

Stop Apps from Tracking You

Where to find it: Settings > Privacy & Security > Tracking

Every time you use an app, it may be collecting data about you and sharing it with advertisers and data brokers — even connecting your activity across completely unrelated apps. This is called cross-app tracking.

Apple introduced App Tracking Transparency (ATT) to give you control over this. With the Allow Apps to Request to Track toggle turned off, apps can’t even ask for permission to track you. The request is automatically denied.

To turn this off:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Tap Tracking.
  4. Toggle off Allow Apps to Request to Track.

Fig 5. Disabling App Tracking.

Pro Tip: You can also disable Apple’s internal ad tracking for its own services like the App Store and Apple News by going to Settings > Privacy & Security > Apple Advertising, and disabling Personalized Ads.

Background Security Improvements

Where to find it: Settings > Privacy & Security > Background Security Improvements

Most people know to keep iOS updated, but fewer know that Apple also pushes smaller, targeted security patches between major updates.

These are called Rapid Security Responses, and they’re designed to address critical vulnerabilities quickly, without waiting for the next full software release.

To enable them:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Tap Background Security Improvements.
  4. Toggle on Automatically Install.

This means that when Apple discovers a serious vulnerability being actively exploited in the wild, your device gets patched as quickly as possible — often without you even noticing.

Fig 6. Turning on Background Security Improvements.

Russell Kent-Payne, Co-founder, Certo Software

“One thing that surprises people is just how many of iOS’s strongest security features are opt-in rather than on by default.

From the scans we’ve carried out at Certo, we know that 44% of iPhones don’t have automatic updates enabled — which means a huge number of devices are missing critical security patches.

The settings in this guide cost nothing and take about 10 minutes to go through. But, they close off most of the attack surface a realistic threat actor would try to exploit.”

Safari Advanced Tracking Protection

Where to find it: Settings > Apps > Safari > Advanced > Advanced Tracking and Fingerprinting Protection

Safari already does a solid job of blocking cross-site tracking by default. But in iOS 17, Apple went further with Advanced Tracking and Fingerprinting Protection — a more aggressive setting that strips out additional identifiers websites use to profile you.

“Fingerprinting” is when a site builds a profile of your device based on technical characteristics — your screen resolution, fonts, time zone, and more — to recognize you even if you clear your cookies or use private browsing.

By default, this setting only applies to Private Browsing. Changing it to All Browsing extends that protection to your standard tabs too.

To update this:

  1. Open the Settings app.
  2. Tap Apps, then tap Safari.
  3. Scroll down and tap Advanced.
  4. Tap Advanced Tracking and Fingerprinting Protection.
  5. Select All Browsing.

Fig 7. Switching on Advanced Tracking Protection for All Browsing.

Mail Privacy Protection

Where to find it: Settings > Apps > Mail > Privacy Protection

When you open an email, senders can sometimes tell you’ve opened it, and where you are. This works through invisible tracking pixels: tiny, invisible images embedded in emails that “phone home” to the sender’s server the moment you load them.

Mail Privacy Protection blocks this in two ways:

  • It hides your IP address, so senders can’t determine your general location.
  • It pre-loads remote content in the background, masking whether (or when) you actually opened the email.

For most people, this is an easy yes. It makes email marketing tracking less accurate, but it means your location and read behavior aren’t silently reported back to every company whose email lands in your inbox.

To check it’s enabled:

  1. Open the Settings app.
  2. Tap Apps, then tap Mail.
  3. Tap Privacy Protection.
  4. Make sure Protect Mail Activity is toggled on.

Fig 8. Turning on Mail Privacy Protection.

Two-Factor Code Cleanup

Where to find it: Settings > General > AutoFill & Passwords

When you log into an account with two-factor authentication, you often get a verification code sent by text or email.

These codes are single-use and once you’ve entered them, they serve no purpose. But they stick around in your Messages and Mail apps, where anyone browsing your phone could use them to access your accounts.

iOS can automatically delete these codes once they’ve been used. It’s a small setting, but a meaningful one.

To enable automatic cleanup:

  1. Open the Settings app.
  2. Tap General.
  3. Tap AutoFill & Passwords.
  4. Under Verification Codes, toggle on Delete After Use.

Fig 9. Turning on Delete After Use.

💡 Pro Tip: This works with codes delivered via iMessage and Mail. If you use an authenticator app like Google Authenticator or 1Password, your codes are already handled securely within that app and don’t sit in your messages.

Significant Locations

Where to find it: Settings > Privacy & Security > Location Services > System Services > Significant Locations & Routes

Your iPhone quietly keeps a log of the places you visit most often — your home, your workplace, the gym, the school run. Apple uses this to power features like predictive suggestions in Maps and Calendar.

This data is stored on-device and encrypted, so Apple doesn’t have direct access to it. But if someone else picks up your phone and knows where to look, they can browse a fairly detailed history of your movements.

To turn it off:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Tap Location Services.
  4. Scroll to the bottom and tap System Services.
  5. Tap Significant Locations & Routes.
  6. Toggle it off (and tap Clear History if you want to wipe what’s already there).

If you’re concerned about a partner, family member, or anyone else with physical access to your phone reviewing your location history, turning this off is a sensible precaution.

Fig 10. Turning off and clearing Significant Locations.

Lockdown Mode

Where to find it: Settings > Privacy & Security > Lockdown Mode

Lockdown Mode is Apple’s highest level of device security, and it’s deliberately extreme. It was introduced to protect against the kind of sophisticated, nation-state-level spyware attacks (like Pegasus) that target journalists, human rights activists, politicians, and executives.

When enabled, it places restrictions on some iOS features that could be exploited as attack vectors:

  • Most message attachment types are blocked.
  • Some advanced web features are disabled in Safari.
  • Incoming FaceTime calls and invitations from unknown contacts are blocked.
  • Wired connections to computers or accessories require the device to be unlocked.

For most people, everyday use — calls, messaging, apps, photos — continues as normal. But depending on how you use your phone, you may notice some limitations, particularly around web browsing and receiving files.

If you have reason to believe you may be a target of sophisticated surveillance — or if you’re in a high-risk profession — it’s worth turning on Lockdown Mode.

To enable Lockdown Mode:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Scroll down to Lockdown Mode and tap it.
  4. Tap Turn On Lockdown Mode and follow the instructions on screen.

Fig 11. Turning on Lockdown Mode.

Go Deeper Than Settings

Adjusting your settings is a great start, but settings alone can’t detect spyware that’s already on your device. If someone has had physical access to your iPhone, or if you’ve clicked a link you shouldn’t have, there may be threats that no amount of toggling will surface.

That’s where Certo AntiSpy comes in. Unlike App Store apps, which are limited by Apple’s sandboxing (meaning they can only see a small part of what’s on your device), Certo AntiSpy uses a computer-assisted scan that goes much deeper.

Connect your iPhone to your computer via USB, and Certo can analyze your device at a level no phone-only app can reach — detecting hidden spyware, jailbreaking, suspicious apps, and security vulnerabilities.

In 2024 alone, we performed nearly 700,000 scans and found that 6.26% of devices had medium or high-severity security threats. Many of those users had no idea that their device was compromised.

Fig 12. Certo AntiSpy detecting spyware.

Wrapping Up

Most of these settings take less than a minute to change, and you only need to do it once. But the difference they make adds up, turning a phone that’s convenient by default into one that’s genuinely locked down.

Start with Advanced Data Protection and Stolen Device Protection if you haven’t already. They’re the highest-impact changes with the widest range of real-world threats they defend against. Then work through the rest at your own pace.

Your iPhone is only as secure as the settings inside it. Now you know where they all are.

Frequently Asked Questions

Are iPhone security settings enough to protect against spyware?

Your built-in settings are a strong first layer of defense, but they have limits. Features like App Privacy Report can help you spot suspicious behavior and Lockdown Mode can limit the attack surface.

But they won’t detect spyware that’s already installed, particularly if someone has physically accessed your phone. For a more comprehensive check, run a deep spyware scan.

Does enabling Lockdown Mode delete data or remove my apps?

No. Enabling Lockdown Mode doesn’t delete any data or uninstall any apps. It restricts how certain features work — especially web browsing, message attachments, and incoming connections — but everything on your device remains intact. You can turn it off at any time.

Will turning off “Allow Apps to Request to Track” stop all tracking?

It stops cross-app tracking by third-party apps. But other forms of data collection, like an app tracking your behavior within its own platform, aren’t covered by this setting. Combining it with App Privacy Report gives you the best visibility into what’s actually happening.

What’s the difference between iCloud encryption and Advanced Data Protection?

Standard iCloud encryption protects your data in transit, and Apple applies encryption at rest for most categories, but Apple holds the decryption keys. With Advanced Data Protection enabled, your data is end-to-end encrypted: only your trusted devices can decrypt it. Even Apple can’t access it.

How do I know if someone has already been in my iPhone settings?

Check for signs like unfamiliar Face IDs added to your device (Settings > Face ID & Passcode), unknown device profiles (Settings > General > VPN & Device Management), and unexpected changes to app permissions.