SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 188: Don’t Let Your iPhone Give You Away

Posted on June 4, 2020

This week’s Checklist is all about staying safe in an unsafe world:

Digital privacy in public places

There are times when you want to be anonymous: when you want to go outside without tech companies, online advertisers, or anyone else tracking your every move. You may be traveling in a country known for its digital snooping; you may be a journalist or activist in a physically dangerous situation; you may simply be a concerned citizen exercising your right to peaceful protest. Whatever your reasons, you don’t want to be tracked or identified while out and about — but unfortunately, that little mobile device in your pocket makes this very, very difficult.

Both iOS and Android devices share an alarming amount of data with third parties, and in the right hands that data can tie a given device back to a specific person. Even more worrying, much of this information is collected not by Apple and Google themselves but by countless advertising and analytics companies whose raison d'être is monetizing your data. And while law enforcement and other parties may need a court order to get your information from a tech company or ISP, they can simply buy it from the data brokers who aggregate what those third parties collect.

So what should you do if you’re going to be in a crowded public place and you don’t want your iPhone to tell anyone else about it?

The first option — and maybe the easiest one — is simply to leave it at home. Failing that, you can also buy a “burner” phone (a cheap prepaid mobile that can be tossed out after use). But these measures aren’t practical or desirable for everyone. So is there anything that can be done to better secure an iOS or Android device?

You bet. Here are some things you can do to make your devices a little more private … even in public:

  1. Disable location, Bluetooth and Wi-Fi

Maybe it goes without saying, but the biggest privacy leaks on your phone are the features specifically designed to pinpoint your physical location and connect to nearby devices. Disable Location Services before you leave home, and turn off Bluetooth as well: the short-range contacts it makes with other people's devices can be used to infer your location, a technique Facebook and others have used. Wi-Fi deserves the same treatment, since a phone scanning for networks is also announcing itself to them. One caveat: on iOS 11 and later, the Bluetooth and Wi-Fi buttons in Control Center only disconnect you temporarily, and the radios come back on their own; to actually switch them off, use the toggles in Settings > Bluetooth and Settings > Wi-Fi, or use airplane mode.

  2. Reset or wipe your adID

Every mobile device has an advertising identifier (adID), a short string used to tie activity to your device. Normally this is collected by advertisers and used to build a marketing profile for targeted ads, supposedly anonymously, but with the right know-how an adID can also be used to link the device to you specifically, or to pin down where you are. To reset your iOS device's adID, go to Settings > Privacy > Advertising and tap Reset Advertising Identifier. Log out of any social media apps before doing this, as your mobile logins can be matched against your computer logins and used to tie both devices together, and back to you. The reset gives you, in effect, a "new" identity for the time you're out, with no link to your past activity. On iOS 10 or later you can go further and stop a usable adID from being issued at all: in Settings > Privacy > Advertising, turn on Limit Ad Tracking, which sets the device's adID to a string of zeros. Keep in mind that the adID is only one handle an app can use; resetting it helps against ad networks that play by Apple's rules, not against apps that fingerprint your device by other means.

  3. Put Android in airplane mode

Android phones come linked to a Google account, and Google's business depends heavily on advertising, so the advertising ID is harder to get rid of there. You can reset it, and opt out of ads personalization, under Settings > Google > Ads, but unlike Limit Ad Tracking on iOS this does not zero the identifier. The thorough option is extreme: factory reset the phone and set it up with a fresh Google account. Short of that, put the device in airplane mode for as long as you need to be anonymous in public. With the radios off, neither Google nor any third-party SDK can report your whereabouts in real time; just be aware that apps with location permission can still record GPS fixes locally and upload them once you reconnect. As for what Google itself holds, a company with that high a profile is far less likely to play data-sharing games than, say, some shady digital marketer would be.

  4. Log out of Google on iOS

Let's not mince words: Apple is better on user privacy than Google. If you've used your iOS device to log into a Google account or one of its apps (Gmail, Drive, Calendar), you could be leaking data to Google. Log out of those accounts for as long as you want to stay under the radar, or delete the apps and reinstall them later for a cleaner break.

  5. Reset your adID before going home

If you reset your iOS adID before leaving the house, remember to reset it again before you get home. Ad and analytics SDKs build "device graphs" by noticing which devices show up together: on the same home Wi-Fi network and public IP address, or repeatedly within Bluetooth range of one another. Resetting the adID before you arrive stops the identifier your phone carried while you were out from being associated with your home computer, smart TV, or other devices in the house, all of which are firmly tied to you personally.

  6. Turn off your device on public transit

If you ride the bus or subway to get around, be aware that the digital billboards and ad screens there can detect nearby devices. If you're really concerned about your privacy, turn your phone off for the duration of your commute, or at least put it in airplane mode.

  7. Don't wear wearables

Most of our advice so far has focused on phones, but don't forget that wearables like smart watches can be used to gather information about you too: an Apple Watch has its own Bluetooth radio, and cellular models have their own connection to the network. Best advice? Just leave the watch on the bedside table. Yes, you'll have to guesstimate how many steps you took while out on the town, but you'll have one less thing to worry about as you try to keep your data private.

Lastly, remember that all of the above advice is about making your device safer — but not completely safe. Other apps on your phone may have privacy issues, and unforeseen security vulnerabilities do occur, even at Apple. Of course, all decisions about personal privacy and security have to be considered in their wider context. Mobile devices are much more than just tracking devices for advertisers — they can be used to facilitate lifesaving communications, create a video record of events, and mobilize large groups of people under chaotic conditions. In the end, every user will have to decide for themselves if the benefits of carrying a mobile device outweigh the privacy risks that this brings — but hopefully, the advice above will help to mitigate those risks somewhat.  

Disabling biometrics in a hurry

Biometric authentication (on iOS, that means Face ID and Touch ID) is a powerful security tool under normal conditions. But if you're in a situation where physical coercion is likely, biometrics have a serious weakness: they can be used to unlock your device without your cooperation. Nobody can pull a passcode out of your head without your consent (short of intimidation tactics), but someone holding you can press your finger to the Touch ID sensor or hold the phone up to your face. Face ID does, by default, require your eyes to be open and looking at the screen (Settings > Face ID & Passcode > Require Attention for Face ID), which makes the second trick harder than it sounds, but it is not a protection to count on.

If you feel that there is an imminent danger of something like this happening, you can quickly disable your iPhone’s biometrics by using Emergency SOS.

Emergency SOS is meant to offer users a fast way to call for help in an emergency. But an interesting feature of Emergency SOS is that it also automatically disables your device’s biometric authentication as soon as it is invoked — even if you don’t actually place a call to emergency services.

Here's how it works. On iPhone 8 or later, press and hold the side button and either volume button until the Emergency SOS slider appears. Swiping the slider calls emergency services for your area (or, in some regions, offers a choice of which service to call). On iPhone 7 or earlier, press the side or top button five times in rapid succession to bring up the slider. Either way, once the slider has appeared, Face ID and Touch ID stay off until you unlock with your passcode, even if you cancel without making a call. Note that simply locking the screen does not have this effect; it is reaching the SOS screen that disables biometrics.

It’s worth mentioning here that your iOS device has a feature called Auto Call that can be turned on or off depending on your preference. If Auto Call is on, when you pull up that Emergency SOS slider, your device will begin a countdown and then (you guessed it) automatically call emergency services whether you swipe the slider or not. You can see the option to enable or disable Auto Call by going to Settings > Emergency SOS > Auto Call.

Two important security fixes

Last week, Apple released a number of OS updates:

  • macOS Catalina 10.15.5 Supplemental Update
  • iOS and iPadOS 13.5.1
  • tvOS 13.4.6 
  • watchOS 6.2.6
  • HomePod Software 13.4.6
  • Security Update 2020-003 for High Sierra 

These updates address the kernel vulnerability (CVE-2020-9859) used by the unc0ver jailbreak, which worked on every modern iOS device up to and including those running iOS 13.5. Jailbreaks are not threats to iOS security per se, but they are evidence of a serious one: their very existence means someone found and exploited an iOS flaw to run their own code in the kernel, the most privileged part of the operating system. That is something that is definitely not supposed to happen, and unpredictable behavior is almost always bad news when you're dealing with computers. More significantly, a flaw the jailbreak community can exploit to customize their iPhones or run unsigned apps is one a bad actor could exploit for malicious purposes. So if you haven't updated your devices yet, please do so now.

Apple has also patched a vulnerability in Sign in with Apple, the privacy-friendly sign-in tool we discussed on a recent Checklist. The flaw was in Apple's own service, but it mattered most for third-party apps (including big names like Dropbox and Airbnb) that offered Sign in with Apple as a login option without layering additional checks of their own on top of it. For those users, the issue could have allowed an attacker to take over accounts.

Luckily, the flaw was spotted by security researcher Bhavuk Jain and promptly reported to Apple. Apple patched its sign-in service and investigated whether any users had been affected; according to that investigation, no accounts were compromised. Jain was awarded $100,000 for his discovery, a well-deserved reward for catching a bug that could have affected so many users.

That brings us to the end of another Checklist, but if you’d like to keep learning about security and privacy issues, be sure to check out our archives, where you’ll find full show notes along with the audio for all past episodes of the podcast. And as always, be sure to let us know if you have a security question or a topic that you’d like for us to address on a future edition of The Checklist.
