iOS 15 new and improved security/privacy features


iOS 15 introduces several privacy features that are not all enabled by default and are worth trying out. Many settings are contextual to iCloud or individual app preferences and not consolidated into the Privacy sub-setting, so it may take a little hunting to find them all. Some also require an iCloud subscription (starting at $0.99 per month), expanding Apple's premium services offerings.

Perhaps my favorite is the Hide My Email feature (Settings/Apple ID/iCloud), part of the iCloud premium service. Hide My Email is an email forwarding service, which is not a new thing, but Apple makes it very easy to use. The concept is that iCloud will generate a random email address to use in place of your actual email address when signing up for an email list or an account. This service appears to be an extension of Apple's Sign In with Apple feature, which offers a similar privacy buffer when using Apple as an authenticator. You can control these addresses within this settings menu. So rather than fighting to unsubscribe from spammers, you can delete the email account.

Hide My Email also makes it simple to know who has sold your email address or exposed it in a data breach. It also provides an extra layer of security, making it harder for someone to access your account since they cannot know your email address to log in or recover a password. The downside is that you're probably locking yourself into iCloud, or else you must be willing to redo all those accounts with a new email address or start over. I wouldn't use this service for important accounts.

Inside the same menu is Private Relay, currently in beta. This feature obscures your IP address when using Safari and encrypts unencrypted traffic. You can choose whether to use a location near you, for more accurate geo-services such as weather, or simply your country and time zone. This is a great feature for most people who don't use a VPN. It's important to note that this doesn't eliminate the need for a VPN, but most people don't pay for one or use it all the time. The key difference here is that a VPN will protect all your traffic, including other apps, and not just Safari.

App Privacy Report (Settings/Privacy) will generate a 7-day report of privacy-related activities on your phone. This report is an excellent way to periodically monitor and review what your apps are doing and whether you want to adjust privacy settings or remove some apps.

Protect Mail Activity looks to shield your email from snooping eyes. Often, marketers use images and other elements as a way to track activity with email. For example, an image may have a unique parameter recording when you open and load that image. The same applies if you click on something. Other information, such as your IP address and its location, can be revealed and perhaps cross-referenced with other activity.
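A tracking image of this kind can be spotted by inspecting the message HTML before anything is fetched. The following is an added example, not part of the original article; the sample message, host names, parameter names and the two heuristics (an image declared 1 px or hidden, a query value that looks like an address or opaque ID) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message body; hosts and parameter names are made up.
SAMPLE_HTML = """
<p>Our autumn sale starts today.</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.mailer.example/o.gif?uid=8f3a9c1d77e24b06" width="1" height="1">
<img src="https://img.mailer.example/logo.png?rcpt=bob%40example.org">
<img src="cid:logo@local" width="120" height="40">
"""

def _tiny(attrs):
    """True if the image is declared 0-1 px in either dimension or hidden."""
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

def _per_recipient(query):
    """Heuristic: a query value that is an address or a long opaque ID."""
    return any(
        "@" in v or (len(v) >= 12 and v.isalnum() and any(c.isdigit() for c in v))
        for _, v in parse_qsl(query))

class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (url, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        url = urlsplit(attrs.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded and trigger no request
        checks = (("invisible", _tiny(attrs)),
                  ("per-recipient parameter", _per_recipient(url.query)))
        reasons = [label for label, hit in checks if hit]
        if reasons:
            self.findings.append((url.geturl(), reasons))

def find_beacons(html):
    """Return every remote image that looks like an open tracker."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings
```

The second finding in the sample is a normal-looking logo: a visible image can carry the per-recipient parameter just as well as a 1x1 pixel, which is why size alone is not a sufficient test.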

Interestingly, Apple isn't just blocking these elements. Apple says they are loading them for you in the background using network proxies. This activity is happening even if you never open the email. The result is email should open instantly like normal, but no trackers have phoned home about your activity.

Apple says it doesn't access your IP address but doesn't say much else about what Apple sees. Presumably, email content is amassed in aggregate, and Apple isn't tracking where it came from. The choice here is whether you trust Apple enough to download and anonymize your email for you.

Apple also refined location controls by allowing the location to be used only once. This is a common-sense feature as Apple increases the granularity of location controls. If the requests are annoying, you can grant more blanket access to your location, but otherwise, I appreciate the option to make an app check each time.

Apple has also built two-factor/multi-factor authentication into Keychain passwords. This is a reasonably slick system that should make using MFA codes more convenient. Essentially, you can set up MFA alongside your account password for easier submission.

SMS codes are popular and better than nothing, but not nearly as safe as an app or hardware token. I prefer to use 1Password for my passwords rather than Apple as I can use 1Password on multiple platforms, including the web, and easily share account credentials with family members. This is another situation where you can get locked into Apple's system because rebuilding a password database can be a real pain. 1Password also offers MFA support, but I think a dedicated app like Authy, Google Authenticator, or Microsoft Authenticator is a safer choice. Having a token separate from the password database requires access to two systems rather than one.

Generally, MFA/2FA is underutilized and one of the best things you can do to protect your account. I have reservations about the system, but Apple is making MFA easier for the mass market, and that's a good thing.

In summary, for most consumers, Apple is making it much easier to protect their privacy and data. However, these features may not appeal to everyone, particularly privacy enthusiasts with existing solutions or those less trusting with their privacy and data. The features consolidate a lot of data with Apple, requiring a high level of trust and putting many eggs in one basket. Additionally, as noted, some of these features may make it challenging to change platforms or use multiple platforms if fully utilized.