Better Securing Your Data, and Apple Account
This user tip describes how to increase the security of your data stored at Apple, and how to increase the security of your Apple Account (Apple ID).
🗝️ First, establish baseline security:
- Enable two-factor authentication on your Apple Account. Go enable this now. Two-factor authentication makes it more difficult for miscreants to gain access to your Apple Account. Relying on the Apple Account security questions is Not Sufficient.
- Do not re-use passwords. Server breaches are a thing. (Here is a list of exposed passwords.) This re-use is approximately time-released doom. Sooner or later, one use of a re-used password will be exposed, and the ubiquitous and automated credential-stuffing attacks become effective. If you are re-using passwords, go fix that right now.
- Review security issues shown by Apple Security Recommendations too, and resolve as needed.
🔑 Second, establish or verify your account recovery processes.
Ensure your trusted devices are all recognized, and that your trusted telephone numbers are correct and current.
- Check your Apple Account device list to find where you’re signed in - Apple Support
- Add or remove trusted phone numbers on Mac - Apple Support
To verify settings particularly around location sharing, consider running Safety Check:
🔐 Third, with the baseline now established and verified, consider upgrading your data security. This can include making access to your data far more difficult, whether that access is attempted by those with network access or even by Apple themselves, and for whatever reason.
In particular, enabling Advanced Data Protection for iCloud reduces which parts of your data Apple themselves can access:
To enable Advanced Data Protection, you’ll also need two-factor authentication enabled on your Apple Account, which you should already have enabled if you’ve read this far.
While Advanced Data Protection covers many common services, due to the way these specific network services inherently work, end-to-end encryption doesn’t cover iCloud Mail, Contacts, and Calendar services.
Advanced Data Protection requires iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or later, and the latest version of iCloud for Windows.
👀 Enable App Privacy Report, and then review what data your installed apps are accessing, as well:
About App Privacy Report - Apple Support
📲 Hardware security can be a factor worth considering for some people. Pragmatically, any Apple devices that can’t run at least iOS 17 or iPadOS 17 can have other issues with device security. In particular, older Apple processors and related hardware can have security vulnerabilities, and these vulnerabilities can allow someone with physical access to the device to get at the device and its contents.
If physical access is a concern, avoid Apple devices with A13, A12, and earlier processors when your data security is paramount.
🦟 While remotely-loaded iPhone and iPad exploits and malware are quite rare, targeted, and expensive based on available reports, such exploits are possible. For those who might potentially be targeted by these exceedingly rare and expensive security exploits, consider enabling Lockdown Mode:
🛟 To provide a means to recover access after access issues, consider adding a recovery contact and a legacy contact, and reviewing whether any existing recovery or legacy contacts are still appropriate:
- Set up an account recovery contact - Apple Support
- How to add a Legacy Contact for your Apple ID - Apple Support
If you (unwisely) do not have two-factor authentication enabled, establish a rescue email address:
✉️ Other potential security considerations: if you’re using a mail provider other than Apple¹, that provider will usually have access to their own infrastructure, and thus can potentially access your mail and request that your Apple Account password be reset. This password reset path (an Apple Account takeover path) can be blocked by enabling either a Recovery Key, or the use of hardware Security Keys on the Apple Account.
- Set up a recovery key for your Apple Account - Apple Support
- About Security Keys for Apple Account - Apple Support
🚫 If you enable either Recovery Key or switch to hardware token security keys, you must not lose these keys. Key loss renders the Apple Account inaccessible if the password is ever forgotten. Apple will not (cannot) reset those forgotten passwords.
〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️
¹ While self-hosting of mail services is possible, that path usually entails large investments of time, money, focus, patience, and effort.