§ Security
The iPhone Privacy Checklist for 2026 (32 Things to Lock Down)
The iPhone privacy checklist for 2026: 32 specific settings, apps, and habits to lock down account, device, app, and network privacy on iOS in under an hour.

Quick answer: The 2026 iPhone privacy checklist is 32 specific items across four layers: account, device, app, and network. The high-ROI subset — long passcode, Stolen Device Protection, Advanced Data Protection, hardware security keys, Lockdown Mode if you're a target — takes under an hour and prevents most realistic attacks. Set a calendar reminder for January 1 every year and rerun this list. iOS evolves; your defaults shouldn't calcify.
Account-level lockdown
Your Apple ID is the master key to everything iCloud-adjacent. If an attacker compromises it, every device, every backup, every synced note, every photo follows. Hardening the account is the highest-leverage move you can make.
- Set a long, unique Apple ID password. Not reused, not in any breach database. Use a password manager to generate and store it.
- Enable two-factor authentication if it isn't already (it's default for new accounts but old ones may lag).
- Register a hardware security key (YubiKey, Titan) as a 2FA method. iOS 16.3+ supports FIDO2 security keys for Apple ID. Buy two, register both, keep one in a safe.
- Turn on Advanced Data Protection. This flips iCloud Backup, Photos, Notes, Drive, and 19 other categories to end-to-end encryption. Walk through our full ADP guide before enabling and set a recovery contact first.
- Set up Legacy Contact. Settings > Apple ID > Sign-In & Security > Legacy Contact. Pick one or two trusted people. See what happens to iCloud notes when you die for inheritance planning.
- Use Sign in with Apple where possible. It generates per-site relay email addresses and never shares your real address with third parties.
- Audit Apple ID device list. Settings > Apple ID > scroll down. Remove old devices, ex-partners' laptops, that iPad you sold three years ago.
- Review trusted phone numbers. SIM-swap attacks target these. Remove old numbers, ensure your primary is one you actually control.
Device-level lockdown
The device is the root of trust for every encryption key on iOS. Compromise the device and you compromise the keychain. The passcode is the load-bearing wall.
- Set a 10+ character alphanumeric passcode. Settings > Face ID & Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code. A 6-digit numeric falls to brute-force in days; alphanumeric pushes it past geological timescales.
- Enable Stolen Device Protection. Settings > Face ID & Passcode > Stolen Device Protection > On. Set the security delay to “Away from familiar locations.” Single most important iOS 17 setting.
- Disable Control Center on Lock Screen. Prevents a thief from toggling Airplane Mode to defeat Find My.
- Disable USB accessories when locked. Settings > Face ID & Passcode > Allow Access When Locked > USB Accessories: off. Blocks forensic-extraction hardware like GrayKey from working after one hour locked.
- Set Auto-Lock to 30 seconds or 1 minute. A device that auto-locks quickly is harder to grab-and-use.
- Hide message previews when locked. Notifications > Messages > Show Previews > When Unlocked. Stops shoulder-surfers from reading 2FA codes.
- Enable Lockdown Mode if you're a target. Settings > Privacy & Security > Lockdown Mode. Read Apple's warning carefully; it disables many features. For journalists, activists, executives, and anyone in a targeted threat profile, it's the single best mitigation.
- Configure Face ID with Attention Required. Settings > Face ID & Passcode > Require Attention for Face ID: on. Prevents unlock by sleeping face or photo. Pair with our deep-dive on Face ID for notes on iOS.
- Enable Erase Data after 10 failed passcode attempts. Combined with a long passcode, the risk of accidental erase is near zero and the protection against guessing attacks is real.
App-level lockdown
The default apps Apple ships are mostly fine. The third-party apps you've accumulated are where the leaks happen. This is the layer most users skip, and it is where most breaches start.
- Turn on App Tracking Transparency. Settings > Privacy & Security > Tracking > Allow Apps to Request to Track: off (or selectively approve). Blocks the cross-app advertising identifier that tracks you across the entire third-party ecosystem.
- Enable Mail Privacy Protection. Settings > Mail > Privacy Protection > Protect Mail Activity. Hides your IP and pre-loads tracking pixels in a privacy proxy.
- Use Hide My Email. Generate per-service relay addresses. Cuts off cross-service email correlation.
- Audit Location Services. Settings > Privacy & Security > Location Services. Set each app to While Using or Never. Map apps need Always; social and shopping apps do not.
- Audit Photos access. Many apps default to full library; switch to Selected Photos or None unless they need full access.
- Audit Microphone and Camera access. Revoke any app that has access but doesn't need it. iOS shows the orange and green dots when active, but preventive revocation beats post-hoc detection.
- Review App Privacy Report. Settings > Privacy & Security > App Privacy Report. Shows which apps contacted which domains. Useful for spotting unexpected backend phone-homes.
- Replace default apps for high-stakes content. Use a real E2EE notes app for passwords, recovery seeds, medical, legal — see best encrypted notes apps and Secure Notes for iPhone. For passwords specifically, a dedicated password manager beats putting them in any notes app — read storing passwords in a notes app.
- Lock sensitive folders with per-folder passwords. Apple Notes gives you one Locked folder; real E2EE apps give you per-folder granularity. See secure folder on iOS and how to lock notes on iPhone.
Network-level lockdown
Once data leaves your device, the network determines who sees the metadata. Even with end-to-end encryption on the content, traffic patterns leak who you talk to, when, and from where. This is the layer most people misunderstand.
- Enable iCloud Private Relay. Settings > Apple ID > iCloud > Private Relay. Anonymizes Safari traffic with a two-hop proxy. Not a VPN — it covers Safari and unencrypted HTTP only — but free and frictionless.
- Set custom encrypted DNS. Use Cloudflare 1.1.1.1, Quad9 (9.9.9.9), or NextDNS via a DNS-over-HTTPS profile. Stops your ISP from logging every domain you visit.
- Forget public WiFi networks after use. Settings > Wi-Fi > tap the network > Forget. Stops your phone from auto-rejoining a spoofed network with the same SSID.
- Disable Wi-Fi Auto-Join on untrusted networks. Hotels, airports, cafes — turn Auto-Join off after use.
- Understand what a VPN actually does. A VPN shifts trust from your ISP to the VPN provider. It does not make you anonymous. It does not bypass app-level tracking. Use one when you don't trust the network you're on (hotel WiFi, traveling abroad). Pay for it; free VPNs sell your data.
- Turn off Bluetooth and AirDrop when not in use. Both have been attack surfaces in the past. AirDrop in particular: set Receiving to Contacts Only or Receiving Off when in a public space.
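One way to produce the DNS-over-HTTPS profile from the encrypted DNS item above, and to check a DNS profile someone else offers you before installing it. This is an added example, not part of the original article; it assumes an unsigned profile, uses a placeholder identifier prefix (`invalid.example`), and leaves out NextDNS because its DoH URL is specific to each account.

```python
import plistlib
import uuid

DNS_TYPE = "com.apple.dnsSettings.managed"  # Apple's DNS Settings payload type
# Published DoH endpoints; bootstrap IPs include the addresses the checklist names.
RESOLVERS = {
    "cloudflare": ("https://cloudflare-dns.com/dns-query", ["1.1.1.1", "1.0.0.1"]),
    "quad9": ("https://dns.quad9.net/dns-query", ["9.9.9.9", "149.112.112.112"]),
}

def _ident(suffix, name):
    """Common keys every payload dictionary needs."""
    return {"PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": f"invalid.example.{suffix}",  # placeholder org id
            "PayloadDisplayName": name}

def build_doh_profile(resolver):
    """Return .mobileconfig bytes that set a system-wide DoH resolver."""
    url, addrs = RESOLVERS[resolver]
    dns = {"PayloadType": DNS_TYPE, **_ident(f"dns.{resolver}", "Encrypted DNS"),
           "DNSSettings": {"DNSProtocol": "HTTPS", "ServerURL": url,
                           "ServerAddresses": addrs}}
    profile = {"PayloadType": "Configuration",
               **_ident(f"profile.{resolver}", f"DoH via {resolver}"),
               "PayloadContent": [dns]}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def audit_profile(data):
    """List reasons not to install a profile that claims to only set DNS."""
    problems = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != DNS_TYPE:
            problems.append(f"unexpected payload: {p.get('PayloadType')}")
            continue
        s = p.get("DNSSettings", {})
        proto = s.get("DNSProtocol")
        if proto == "HTTPS" and not str(s.get("ServerURL", "")).startswith("https://"):
            problems.append("DoH ServerURL is not https://")
        elif proto == "TLS" and not s.get("ServerName"):
            problems.append("DoT profile has no ServerName")
        elif proto not in ("HTTPS", "TLS"):
            problems.append(f"DNS is not encrypted: DNSProtocol={proto!r}")
    return problems

if __name__ == "__main__":
    blob = build_doh_profile("quad9")
    print(audit_profile(blob) or "profile sets encrypted DNS only")
    with open("quad9-doh.mobileconfig", "wb") as fh:
        fh.write(blob)
```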
The annual review
The list above is a snapshot of 2026. The principle is permanent; the specifics will drift. Every January, set aside 30 minutes and rerun this list. Specifically:
- Reread the iOS What's New page for the year. New privacy settings ship in roughly half of every major iOS release.
- Re-audit your App Privacy Report. Apps you trusted last year may have shifted ownership or telemetry posture.
- Re-verify your Legacy Contact is still someone you trust. Relationships change; so should your contacts.
- Re-check your Apple ID device list. Devices you no longer own should not have persistent access to your data.
- Re-verify your recovery seed for any E2EE app you use is still in the location you wrote down. Test the recovery flow without actually triggering it.
- Re-confirm your hardware security keys still authenticate. Keys can be lost, damaged, or invalidated by firmware updates.
- Reread is iCloud safe for sensitive notes and the Apple Notes E2EE status — the answers shift as Apple ships features.
Privacy isn't a one-time configuration; it's a maintenance habit. The attackers don't take a year off. Neither should your defaults. If you've made it through this list, you've done more than 95% of iPhone users — and that's most of what privacy on consumer hardware looks like in 2026: not perfect, but the steepest part of the curve already climbed.
Frequently asked: iPhone privacy in 2026
What is the most important iPhone privacy setting?
A long alphanumeric passcode (not 6 digits) combined with Stolen Device Protection enabled. Passcode is the root of trust for every encryption key on the device; a 6-digit numeric passcode falls to a determined attacker, a 10+ character alphanumeric passcode does not. Stolen Device Protection adds a Face ID requirement and a 1-hour delay for security-sensitive changes when you're away from familiar locations.
Should I use Lockdown Mode?
Only if you're a journalist, activist, executive, or anyone with a credible targeted-threat profile. Lockdown Mode disables a wide range of attack surfaces — link previews, certain message attachments, FaceTime from unknown contacts, configuration profiles, JIT JavaScript — at the cost of meaningful daily-life friction. For most users it's overkill. For at-risk users it's the single best mitigation Apple ships.
What is Stolen Device Protection?
Stolen Device Protection, introduced in iOS 17.3, blocks an attacker who knows your passcode from rapidly draining your accounts. When enabled, sensitive actions (changing your Apple ID password, disabling Find My, accessing stored passwords, factory resetting) require Face ID or Touch ID with no passcode fallback, plus a 1-hour security delay when you're not at familiar locations. It's the single highest-ROI setting added to iOS in the last three years.
Is iCloud Private Relay a VPN?
No. iCloud Private Relay is a two-hop encrypted proxy for Safari traffic only — it hides your IP from sites and your browsing destinations from Apple. It does not protect non-Safari traffic, doesn't let you pick exit countries, and doesn't unblock geo-restricted content. A real VPN protects all device traffic and lets you choose endpoints; Private Relay is privacy-focused but narrower.
How often should I audit my iPhone privacy settings?
Once a year minimum, ideally in January. iOS gets two major releases plus security updates throughout the year, and new privacy controls land regularly (Stolen Device Protection, Lockdown Mode, ADP, App Privacy Report all arrived in iOS 15-17). A 30-minute annual review catches drift in app permissions, expired Legacy Contacts, and new defaults you should opt into or out of.
What apps should I replace for better privacy?
Default Safari is actually good — keep it but tune Privacy & Security settings. Default Mail leaks your IP through tracking pixels; turn on Mail Privacy Protection or switch to a privacy-focused client. For sensitive content, replace default Notes with a real E2EE notes app. If default Calendar is synced to a non-Apple server, consider Proton or Fastmail. If you've installed a third-party keyboard with full access, remove it and go back to the default keyboard.