Apple does not hide its best security features, but it does not turn them on for you either. Lockdown Mode, Stolen Device Protection, Advanced Data Protection, passkeys, and Safety Check all ship in a default-off state because each one trades a little convenience for a lot of protection. The result is that the average iPhone, including the newest models, runs with a fraction of the security it is capable of.
This guide walks through every major protection in iOS, explains what each one actually defends against, and is honest about the tradeoffs. Some of these settings are worth enabling on every phone today. Others, like Lockdown Mode, are designed for a small group of high-risk people and will frustrate everyone else. Knowing which is which is the whole game.
What is Stolen Device Protection and should you enable it?
Stolen Device Protection exists because of a specific, well-documented crime pattern. A thief watches you type your passcode in a bar or on a train, then grabs the phone. With the passcode alone, they could historically change your Apple ID password, disable Find My, lock you out of your own account, and drain anything connected to your wallet, all within minutes.
Stolen Device Protection breaks that playbook in two ways:
- Biometric-only actions. When your iPhone is away from familiar locations like home or work, sensitive actions such as viewing saved passwords or erasing the device require Face ID or Touch ID. The passcode is no longer an accepted fallback, so a stolen passcode is no longer a master key.
- The security delay. The most dangerous actions, like changing your Apple ID password or turning off Stolen Device Protection itself, require a one-hour wait followed by a second biometric check. That hour is usually enough for you to mark the phone lost from another device.
You will find it under Settings, then Face ID and Passcode, then Stolen Device Protection. There is also an option to require the security delay everywhere, not just away from familiar locations, which is the stronger choice if you can live with it. The honest tradeoff: if your face or fingerprint stops being recognized while you are traveling, some account changes will take an hour. For almost everyone, that is a price worth paying. We recommend enabling it on every iPhone that supports it.
What does Lockdown Mode actually do?
Lockdown Mode is the feature that generates the most headlines and the most confusion. It is Apple's defense against mercenary spyware, the commercial-grade tools sold to governments that can sometimes compromise a phone with no clicks from the victim at all. Lockdown Mode works by aggressively shrinking the attack surface those tools rely on:
- Most message attachment types are blocked, and link previews are disabled.
- Complex web technologies, including some just-in-time JavaScript compilation, are switched off unless you exclude a trusted site.
- Incoming FaceTime calls from people you have never called are blocked.
- Wired connections to computers and accessories are blocked while the phone is locked.
- Configuration profiles cannot be installed, and the device cannot be enrolled in remote management.
Each of those categories has been used in real attacks. Each of them is also something normal users rely on every day, which is why Lockdown Mode is genuinely disruptive. Some websites render strangely, some images do not arrive, and some accessories stop working.
So who should use it? Apple is explicit that it is for people who believe they may be personally targeted: journalists, activists, dissidents, executives handling sensitive deals, people leaving abusive relationships with technically capable ex-partners, and anyone who has already found evidence of sophisticated compromise. If that describes you, turn it on under Settings, then Privacy and Security, then Lockdown Mode, and treat the inconvenience as the cost of safety. If it does not describe you, the features in the rest of this article will do far more for your actual risk profile.
Is Advanced Data Protection worth turning on?
By default, Apple end-to-end encrypts a core set of iCloud data, including passwords, health data, and messages stored in iCloud under most configurations. But several large categories, most notably full iCloud device backups, photos, and notes, are encrypted with keys Apple holds. That means Apple can technically access them, and so can anyone who successfully compels or compromises Apple, or who takes over your account through a weak recovery path.
Advanced Data Protection extends end-to-end encryption to almost everything in iCloud, including backups and photos. Once enabled, the keys exist only on your trusted devices. Apple cannot read the data, and crucially, Apple cannot recover it for you either.
That is the tradeoff to take seriously. Before iOS lets you enable it, you must set up at least one recovery method: a recovery contact, a printed 28-character recovery key, or both. If you lose access to all your trusted devices and your recovery methods, the data is gone. Not delayed, not escrowed. Gone.
Our practical advice: enable Advanced Data Protection if you are organized enough to print the recovery key and store it somewhere physically safe, and ideally to add a recovery contact you trust. If you are the kind of person who has been locked out of accounts before because of lost credentials, fix your recovery hygiene first. An honest assessment of your own habits matters more here than the feature itself.
Why are passkeys safer than passwords?
Passkeys are the quiet revolution in this list. A passkey is a cryptographic credential stored in your iCloud Keychain and unlocked with Face ID or Touch ID. When you sign in to a site that supports passkeys, your phone proves it holds the right key without ever transmitting a secret that can be stolen.
That design kills the two most common ways accounts actually get hijacked:
- Phishing. A passkey is bound to the real website's domain. A fake login page on a lookalike domain simply cannot ask for it. The attack that fools even careful people, the pixel-perfect fake login form, stops working.
- Database breaches. The server stores only a public key. When that site is breached, there is no password hash to crack and no credential to replay against your other accounts.
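The two properties above, shown as an added example that is not from the original article or from Apple. It is a simplified Node.js model of a passkey sign-in, not the full WebAuthn wire format; the `Authenticator` class, `verifyAssertion`, `demo`, and the domains `bank.example` and `bank-example.test` are assumptions made up for illustration.

```javascript
// Simplified model of a passkey sign-in, not the full WebAuthn wire format.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator (the phone): one key pair per website domain (rpId).
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey); // private key never leaves the device
    return publicKey.export({ type: 'spki', format: 'pem' }); // all the site stores
  }
  // `origin` comes from the browser, not from the page content.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this domain
    const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString('base64url') }));
    const rpIdHash = sha256(rpId);
    const signature = crypto.sign('sha256', Buffer.concat([rpIdHash, sha256(clientData)]), privateKey);
    return { clientData, rpIdHash, signature };
  }
}

// Server: holds only the public key; checks origin, challenge, rpId hash, signature.
function verifyAssertion(assertion, site) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData.toString());
  if (data.origin !== site.origin) return false;
  if (data.challenge !== site.challenge.toString('base64url')) return false;
  if (!assertion.rpIdHash.equals(sha256(site.rpId))) return false;
  const signed = Buffer.concat([assertion.rpIdHash, sha256(assertion.clientData)]);
  return crypto.verify('sha256', signed, site.publicKeyPem, assertion.signature);
}

function demo() {
  const phone = new Authenticator();
  // Constructed sample site; bank.example and bank-example.test are placeholders.
  const site = { rpId: 'bank.example', origin: 'https://bank.example' };
  site.publicKeyPem = phone.register(site.rpId);
  site.challenge = crypto.randomBytes(32);
  const genuine = verifyAssertion(phone.sign(site.origin, site.challenge), site);
  // A lookalike page relaying the real challenge gets nothing: no key for that domain.
  const lookalike = phone.sign('https://bank-example.test', site.challenge);
  // Even with its own passkey, an assertion made for the lookalike fails at the real site.
  phone.register('bank-example.test');
  const crossSite = verifyAssertion(phone.sign('https://bank-example.test', site.challenge), site);
  return { genuine, lookalike, crossSite, stored: site.publicKeyPem };
}
```

Calling `demo()` returns the outcome of each sign-in attempt plus the only credential material the site keeps, which is a PEM public key.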
Major platforms including Google, Microsoft, Amazon, PayPal, and Apple itself now support passkeys. Start with your email account, because email is the recovery hub for everything else, then add passkeys to financial accounts as they offer them. You do not have to abandon passwords overnight; every account you move to a passkey is one less account that can be phished away from you.
How does Safety Check protect you?
Safety Check, under Settings, then Privacy and Security, answers a question most people cannot answer about their own phone: who can see my data right now? It was built primarily for people leaving abusive relationships, where a partner may have been granted location sharing, photo access, or even full account access during the relationship, but it is useful for everyone.
It offers two modes:
- Manage Sharing and Access walks you through every person you share data with and every app with significant permissions, letting you review and revoke item by item.
- Emergency Reset immediately stops sharing everything with everyone, signs out your Apple ID on your other devices, and resets app privacy permissions in one action.
If you have ever shared a location with an ex, lent your phone to someone for a setup, or simply accumulated years of permission grants, run Safety Check once. It takes ten minutes and frequently surfaces sharing arrangements people had completely forgotten about. If you are in a situation where someone may be monitoring your phone, this is the first tool to reach for, and the warning signs are worth knowing too; we cover them in detail in our guide to how to tell if your iPhone is being tracked.
Do iOS updates really matter for security?
Yes, more than any single setting in this article. The majority of real-world iPhone compromises exploit vulnerabilities that Apple has already patched. When you see an iOS update note that says it addresses an issue that "may have been actively exploited," that is Apple telling you attackers were using the flaw before the fix shipped. Delaying that update keeps the door open on your device specifically.
Three habits close the gap:
- Turn on automatic updates under Settings, then General, then Software Update, including the Security Responses and System Files toggle. Rapid Security Responses let Apple push critical fixes between full releases.
- Do not sit on major version updates for months. Older iOS versions stop receiving the full set of fixes.
- Restart your phone every few days. It is a low-cost habit that disrupts certain classes of non-persistent spyware, which must reinfect after a reboot.
Update hygiene also matters because attackers increasingly do not need to touch your device at all. Many phone takeovers happen through accounts, carriers, and social engineering rather than exploits, and we break those down in our overview of the five most common phone hacking methods.
The supporting cast: passcode, two-factor, and Mail Privacy
A few smaller settings round out a hardened iPhone:
- Use a six-digit or alphanumeric passcode. Four digits can be shoulder-surfed and brute-forced far more easily.
- Two-factor authentication on your Apple ID is non-negotiable. Every protection above assumes your Apple ID itself is not trivially stealable.
- Review trusted devices under Settings, then your name. Remove anything you do not recognize or no longer own.
- Check for unknown configuration profiles under Settings, then General, then VPN and Device Management. Profiles are a legitimate enterprise tool that stalkerware abuses.
- Mail Privacy Protection hides your IP address and stops senders from learning when you open email, which reduces the intelligence available to anyone profiling you.
And one warning while you are securing things: if your search for iPhone security ever leads you toward services offering to "test" or "monitor" someone else's phone, walk away. Accessing a device you do not own is a crime in nearly every jurisdiction, and the people selling it are usually scamming the buyer anyway. We have written about how those offers actually play out in our piece on hackers for hire on classifieds sites.
A realistic setup order for most people
- Today: turn on automatic updates, confirm two-factor authentication on your Apple ID, and enable Stolen Device Protection.
- This week: run Safety Check, audit trusted devices and configuration profiles, and upgrade your passcode.
- This month: create passkeys for your email and main accounts, and enable Advanced Data Protection once your recovery key is printed and stored.
- Only if you are genuinely high-risk: enable Lockdown Mode and accept the friction.
If you work through that list, your iPhone will be more resistant to theft, phishing, account takeover, and surveillance than the vast majority of devices in circulation. And if you believe your Apple ID or accounts have already been compromised, do not wait to harden a device that is already breached. Our account recovery service helps people regain control of hijacked Apple IDs, email, and connected accounts and then lock them down properly.
Frequently asked questions
Can someone hack my iPhone with just my phone number?
No legitimate capability lets a random person silently take over an iPhone from a phone number alone. Realistic risks tied to your number are SIM swapping at your carrier and phishing messages sent to it. Protect the number with a carrier PIN and treat unexpected login or verification texts as red flags.
Does Lockdown Mode slow down my iPhone?
It does not meaningfully affect performance, but it does limit functionality. Some websites, message attachments, FaceTime calls from strangers, and wired accessories will not work normally. That is by design, and it is why Lockdown Mode is recommended only for people at elevated risk of targeted attacks.
What happens if I lose my recovery key with Advanced Data Protection on?
If you lose access to all trusted devices, your recovery key, and any recovery contact, Apple cannot restore your data. End-to-end encryption means Apple never holds the keys. Print the recovery key, store it somewhere physically secure, and consider adding a trusted recovery contact before enabling the feature.
Are passkeys safe if someone steals my iPhone?
Yes, because passkeys only release with Face ID or Touch ID, and with Stolen Device Protection enabled the passcode cannot substitute for biometrics away from familiar locations. A thief holding your phone still cannot use your passkeys without your face or fingerprint.
How do I know if my iPhone already has spyware on it?
Common signs include rapid battery drain, unexpected data use, unfamiliar configuration profiles, and Apple ID sessions on devices you do not recognize. Run Safety Check, review trusted devices, update iOS, and restart the phone. If signs persist or accounts have been taken over, get professional help rather than guessing.
Is the iPhone more secure than Android?
Both platforms are strong when kept updated and configured well. The honest answer is that configuration matters more than brand. An iPhone with the features in this guide enabled is extremely hard to compromise; an iPhone with none of them enabled is only as safe as its passcode.