Configuring Your iPhone for Maximum Privacy and Security: Web Browsing
How to protect your web browsing from privacy invasions and the surveillance state
During my 25-year career in the world of tech, I’ve worked as a systems administrator, overseeing software and hardware rollouts of Apple products. I was fortunate enough to do this incredibly detailed work at some of the largest nonprofits and Fortune 500 companies on the planet, including the Getty Center and Nike. Along the way, I also started writing about technology, but instead of writing about tech for other technologists, I became a columnist on tech security for regular folks.
In this article, it’s my goal to help you focus on security and privacy (two different but equally important matters) on the iPhone, specifically with regard to your phone’s data connection—the internet connection you use for surfing the web or using apps. (This article does not cover the issues of securing your text messages, phone calls, or data embedded in posts you make, or physically protecting your phone—those are topics we’ll cover in the future.)
I’ll start — as I usually do — with this caveat: there is no such thing as perfect security or perfect privacy online, only best practices and best tools. Anyone who promises you otherwise is lying or ignorant. Don’t buy their snake oil! Instead, arm yourself with knowledge backed by fact and personal discovery.
Browsing the web and using apps are two of the easiest ways to find information—but being online is also one of the easiest ways for your every digital move to be tracked. Every time you visit a website, a small army of cookies, trackers, and little pieces of embedded code watch what you do, follow you to other websites, and capture information about you to help serve you ads. Other information about us — data that perhaps we’d prefer not to share — is also available in those cookies, including our location, IP address, and computer platform or operating system.
I’m sorry, but I don’t want that information shared with the world — by default?!? — so I call BS. It’s time to arm ourselves with tools we can use to help set up and then automate a more secure internet experience. Here’s how to start.
Download and Use a Reputable and Safe VPN
I’ve written extensively about the need to use a VPN for a good reason: a VPN (or “virtual private network”) provides a secure connection to the internet by hiding your IP address — your unique identification number — and encrypting the data you send and receive while online.
That makes it the quickest, easiest, and most powerful tool to implement in your privacy and security arsenal.
Even as a law-abiding citizen in a democratic nation, I’m against AT&T, Verizon, Sprint, or any cellular network provider tracking where I surf online and when. That’s just creepy. Without a VPN, those companies have access to all of this information, they keep logs on it, and, if subpoenaed by federal agencies, they are mandated to surrender that information about me.
No thank you!
When using a VPN, that web-surfing information is hidden from them: instead, all they can see are the timestamps of your connections to the VPN provider. The VPN hides your IP no matter how you connect to the internet, whether it’s via a browser or via an app that accesses the web.
VPNs are useful in another way that you might find helpful if you travel. Your VPN app will give you a choice of servers to connect to the internet through. If you connect to a server in Los Angeles, you will appear to be connecting from Los Angeles … even if you’re sitting in Ghana or Mongolia. So if the website you’re using blocks you based on location, you can simply connect to a server somewhere else to get around it.
There are many VPN providers vying for your money, and it’s important that the one you choose actually be secure. I have ten strict guidelines for the VPN companies I recommend (which you can read in full here), but in summary, I only recommend VPN providers who:
- Are NOT headquartered in the US or other countries who are members of the 5-, 9-, or 14-eyes security agreements
- Keep no logs on users
- Offer fast servers in many countries
- Provide apps for mobile device access
- Use the OpenVPN standard
- Accept cryptocurrency
If you take the time to do the research, you’ll discover that only a few VPN companies actually provide all of those core services. I personally use NordVPN, which is headquartered in Panama and constantly ranked in most reviewers’ top 10 lists. Whether you choose this company or any of the other VPN providers I discuss in my longer article isn’t important. What is important is that you pick one that meets high security and privacy standards.
Using Your VPN
No matter which VPN provider you use, once you’ve downloaded and installed your VPN app, you should do the following:
- Consider activating the “kill switch.” This terminates your internet connection if your VPN connection is lost or dropped. That preference can mean the difference between remaining hidden online or having your IP address, location, and personal information be exposed. Kill switch technology differs from provider to provider. I use NordVPN, whose kill switch on iOS kills “system-wide Internet access” so that no unencrypted data from any app on your iPhone will be exposed, whether you’re surfing on WiFi or cellular. Again, that’s how the kill switch works on Nord. Other VPN providers may work differently, so be sure to read the fine print.
- Connect through a server that meets your needs in regards to speed, location, safety, and laws. When I want speed and privacy from the prying eyes of cellphone companies, I connect to servers in the US. When I want to stream the great content from the BBC’s iPlayer, I connect to a server in the UK. If I want to avoid the prying eyes of the US intelligence agencies and their global partners, I connect to servers in Costa Rica, Bulgaria, or other non-surveillance partner countries.
- Use your VPN all the time. Use your VPN all the time. Use your VPN all the time.
The biggest disadvantage to using a VPN is that your surfing speeds will be slower. The amount of slowdown you will experience depends on several factors, including speed of the VPN server, the time of day, the server traffic load, your normal surfing speed, and the country where the VPN server is located. In general, if you’re connecting to a server in a well-connected country — and as you can see in the screenshots below, I’m in the US and connecting to a VPN server that’s also in the US — you shouldn’t experience much slowdown, especially if you’re using a reputable VPN provider.
If you do run into issues of slowness when using a VPN app that previously worked, there are a few things you can try to fix it:
- Reconnect to a server in a different country. How you do that will differ on every VPN provider’s app. On Nord’s app, I just swipe up from the bottom of the app to access the list of alternate servers from which to choose.
- Choose a server with a much lower traffic load (some apps will display this).
- Quit and relaunch the application.
I personally keep my VPN on at all times. That keeps me safe and secure no matter what I’m doing online. However, if you’re experiencing slowdowns that you just can’t seem to fix, then at a minimum, endure it and use your VPN for any online transactions that you wouldn’t want to be published in national newspapers. For casual surfing that doesn’t include providing critical info such as usernames and passwords, Social Security numbers, or credit card or banking information, you can consider surfing without your VPN activated. But it’s almost impossible to always remember to switch back and forth, so this is risky.
Use a Faster, Safer Web Browser
Safari, by a long shot, is the most popular browser on the iPhone. But no matter how committed Apple is to promoting privacy and security in its ecosystem of hardware and software, it can’t make the entire internet safe because: #impossible.
Like most browsers, Safari still loads ads, trackers, and cookies, even in its awesome Reader Mode. Those extra pieces of code not only make websites slower to load but track us wherever we go online. They also use up data on our mobile data plans, so, uh, yeah: not cool.
The same goes for Google’s Chrome browser, even in its “incognito mode,” which — basically — purports to hide your browsing habits, account info, and passwords. But recently researchers found that there are serious leaks in this “privacy” feature.
I now almost exclusively use the Brave web browser on my iPhone, as well as on all of my other computers. Brave is 100% free and simple to use, and it offers the easy ability to block cookies, tracking software, and intrusive ads. As a result, it’s also blazingly fast compared to the competition.
After installing, tap the orange Brave logo in the upper-right corner of the app window to open the easy-to-use controls. I always have the “Block Ads & Tracking” and “Block Phishing” controls activated. When I need 100% blockage, I activate the other two blockers as well, but be warned: that forces some websites — usually the ones that have the most trackers — to either load differently or not load at all.
Most news websites — because of how many ads and trackers they all have — provide a great test of how applying Brave’s different settings affects what you see. Here are some examples of browsing CNN’s homepage on Brave with different levels of blocking enabled (settings on top row, results on the bottom):
In the first example on the left, you can see how CNN loads normally, including the truck advertisement. At center, you can see that I’ve tapped on the Brave logo and activated two blockers. When I do, Brave immediately reloads the webpage and shows me that 43 ads and trackers have been blocked. As a result, the website now loads without the truck ad. On the right, I’ve activated too many of Brave’s blockers, and you can see just how different the page looks—just a list of clickable category words. Given how nutty the news is these days … this might be an improvement for you. 👍
Three final notes on using Brave:
- First, because we cannot change the default browser on our iPhones (thanks, Apple!), I keep the Brave browser on my home screen for easy access.
- Second, because every website is programmed differently, with different priorities in mind, Brave is not a one-size-fits-all solution. You’ll probably need to alter Brave’s shields on some websites to get the desired mix of security and functionality you’d like for that site on your iPhone.
- Third, bookmark syncing in Brave is poor. Firefox and Chrome have bookmark syncing, making it super easy to sync bookmarks from the desktop versions of their apps to the iOS versions. Brave doesn’t have that … yet. There is a beta version of Brave with the bookmark syncing tool, but it hasn’t hit primetime yet.
Use a Slower, Much Safer Web Browser
In 2002, the nonprofit Tor Project created a unique network along with a companion web browser for surfing the web via that network. The Onion Router (or “Tor”) is a complex system of computer relays and encryption schemes that creates many layers (like an onion!) of obfuscation that make it nearly impossible to track someone using it.
Tor evolved from research at the United States Research Laboratory in the 1990s for use by US intelligence agencies. In fact, according to the nonprofit, “a branch of the U.S. Navy uses Tor for open source intelligence gathering.” Perhaps that’s why the National Security Agency — an agency known for hacking every system and platform on the planet — considers Tor “the king of high-secure, low-latency internet anonymity.” Translation: It’s a super effective tool that citizens can also use to help protect their privacy while online.
There’s only one authorized Tor client for iOS: the Onion Browser. There are other Tor browsers available, of course, some of which have even been well reviewed. However, none of those have the stamp of approval from the Tor Project. But no matter which Tor client you end up choosing, expect to surf much more slowly.
Tor’s greatest asset — bouncing through various relay servers to hide your identity and location — is also its greatest liability: surfing the web will be slower. But that’s a worthwhile trade-off if you are engaged in important private or secret communication and research on the web. Better slow than sorry.
Below you can see the homepage for Tor (left), viewing the NYTimes .onion page along with its page stats (center), and how Tor keeps you safe by disconnecting you if you stop browsing for a few moments (right).
What’s Safer: Tor or VPN? How About … BOTH
Although Tor is secure enough for the US government to use, security professionals rightly point out that even Tor has caveats, just like any other platform or technology. The two most glaring are:
- The first Tor node gets your real IP address.
- The last or “exit” node decrypts your data before passing it on to its final destination.
This is why some people who prefer extreme privacy or security choose to combine BOTH Tor and VPN at the same time.
In the Tor-over-VPN strategy, users first connect to their VPN provider and then to the Tor network. This approach, shown below, is often thought to provide better security because no one — except the VPN provider — knows your actual IP address or that you’re even connecting to the Tor network. (And remember, a good VPN provider keeps no logs on users.)
In the VPN-over-Tor approach, the setup is the opposite: users first connect to the Tor network and then to their VPN. That solution is often thought to provide better anonymity.
A small group of VPN providers — NordVPN among them — have the ability to route your data directly to the Tor network via their VPN servers, as shown. Because those VPN servers use a different IP address than your personal computer, your Tor entry node is blocked from knowing your IP, eliminating one of the two security holes in Tor.
This approach is also thought to provide better anonymity because all data — even data coming out of the Tor network — remains encrypted because of your VPN provider.
Decrypted data can lead to big losses. One notable example: In 2007, a Swedish computer security expert set up five Tor exit nodes in various locations around the globe as an experiment and then used them to intercept and harvest usernames and passwords for email accounts, private emails from those accounts, and more. What this researcher pointed out was how easy it was to hack even the notoriously secure Tor network.
If you’re using Tor with a VPN for better security, you should take two more steps to lock things down. The first requires you to adopt one tool, and the second to change one behavior:
- The tool is the free Https Everywhere plug-in (developed in partnership with the Tor Project), which forces your browser to surf to secure websites — those encrypted with SSL — sometimes identified by their “https://” prefix.
- The behavior change is learning to stop the kinds of online behavior that can expose your identity, location, IP address, and more. When on Tor, don’t log into your webmail and send emails to lots of people. Also, don’t log onto social media and post a bunch of random crap. Engaging in these kinds of online behaviors can expose you to those who may be snooping around and watching for you.
Using the “Onion Over VPN” feature of Nord is simple: launch the app, slide up the server list from the bottom of the screen, tap “Specialty Servers,” and then tap “Onion Over VPN.”
Once connected, fire up your favorite browser to surf the “normal” web or fire up the Onion Browser for super safe surfing.
Use a Safer Search Engine
It’s no secret that Google’s core services are free because you, my dear friend, are the company’s product. Google collects data about you and then uses that data to charge others to show you specific ads.
The way I prevent this is to use other search engines that don’t track me.
Which ones don’t track users, you ask? On my iPhone and computers, I now exclusively use DuckDuckGo as my search engine. I also use its app on my iPhone because it’s not only a simple portal into the search engine but also a fairly great web browser with some pretty kickass tracker blocking.
Your history is saved in the app, but if you just click on the fire icon at the bottom center of the app, it will erase your browsing history.
There are other alternative search engines. Tech experts and cybersecurity fans alike each have their own take on which search engine to use, and, frankly, it’s a worthwhile debate.
DuckDuckGo provides increased privacy from overreaching companies like Google, but not security protection from the US government. DuckDuckGo is a US company, so both the company and its servers are subject to US law. They must therefore provide any data they have to the government if asked. That might cause some of you to seek another search engine, and if that’s the case, I don’t blame you. Not wanting your government to have records of every online search you make is a legitimate concern, even for law-abiding citizens.
If you do prefer your search results free from US government oversight, then the current frontrunner is StartPage, based in the Netherlands. What’s curious is that this company pays Google for its search results: it submits your search queries anonymously minus any metadata — including your IP address — and then serves them to you. Neato!
Prove It: How to Ensure You’re Protected
So you’ve taken some of the steps that I’ve outlined. Good. But you shouldn’t trust me: I’m a stranger, and, as your parents already taught you, never trust a stranger. Instead, learn how to prove that what I’ve recommended is actually working!
To do that, you’ll need your IP address. On your iPhone, tap through to Settings -> WiFi and then tap once on the name of the network to which you’re currently connected. Find your IP address listed there. In my case, you can see that my WiFi network name is “secret garden” and my IP address is 192.168.2.104. For the moment, we’ll refer to this as our “private” IP address.
Clearly, we don’t want the rest of the world to know our private information, so let’s open our VPN app, connect to a server of our choice, and see what happens. In my case, I’ll open NordVPN and connect to a US server. Once I’m connected, my app shows a green color at the top, along with the name of the country/server to which I’ve connected. If I tap on that server, my new “public IP” is revealed. In this case: 126.96.36.199. We say “public” IP because — once your VPN is active — no one should see your actual IP address.
Now let’s see what the rest of the world sees when you’re surfing the web. Once your VPN is active, go to https://ipleak.net/.
Things you’ll want to check when you visit this testing website include:
- Is your public or private IP address showing?
- Is your location revealed to be where you currently are or where your VPN server currently is?
If your public IP address is showing and your geolocation is tagged as where your VPN server is located, you’re being protected in ways that you weren’t without your VPN! It’s also worth noting how much OTHER information can be gleaned about you just by surfing online: the web browser you’re using, the operating system you’re using, information about the computer/phone you’re using, and more. So you see: even just casual surfing online reveals a lot of information about your location, your computer, and — if your browser history is available — you as a person.
Fun, bonus assignment: What happens if you choose to connect to Nord’s “Onion Over VPN” server option? Notice any differences as to the information that gets revealed? Now what if you run the same tests via the Onion Browser? You’ll notice that every layer of protection that you add — VPN, Onion Over VPN, Onion Browser — provides you with additional layers of privacy.
So that’s the scoop on data privacy. I’m a big fan of Coach Tony’s philosophy of configuring the iPhone’s home screen for optimal focus. Here’s what mine looks like now. You’ll notice that I keep my VPN, browser, and search engine apps front and center:
There’s a reason for that: I want a visual reminder at all times that my privacy and security come first. Until Apple allows users to set browsers other than Safari as the default web browser on iOS — and it currently does not — this is what I do to put security and privacy first on my pocket computer.
My recommendations are as follows:
- Everybody should acquire and use a VPN service at all times. Just turn it on and use it. It will provide you a layer of protection that you don’t already have, and it’s easy to automate.
- Same for using the Brave web browser. It’s a simple no-brainer for those who’d prefer to surf the web without being tracked or bombarded by ads. Put it on your iPhone homepage and remove Safari and Chrome from your homepage.
- Most of you will want to start moving away from the Google platform of services, including search, and instead begin to use DuckDuckGo and StartPage for your searching needs.
- For those wanting maximum security — political dissidents, whistleblowers, reporters, and those whose very lives require the utmost privacy — I’d recommend getting a VPN that specifically offers an Onion Over VPN server and then using both it AND the Onion Browser for any online work you do, no exceptions. (And if this is you, let me be clear: you should take additional precautions for email, texting, phone calls, and posts that can include identifying information—issues not covered in this article.) [Editor’s note: a good starting point for information on other online security concerns is the Surveillance Self-Defense guide created by the Electronic Frontier Foundation.]
Start implementing some of the changes we discussed above and let me know what works/doesn’t work for you. I always try to respond to every comment, so if you’ve got a favorite security or privacy hack, please share: we always learn better, faster, and more efficiently as a community.
In my next deep dive, I’ll take a look at another group of privacy- and security-minded changes, including Robocalls, more secure email/calendaring, secure messaging, 2FA/U2F setup and usage, and my best practices for using Twitter, Facebook, Snapchat, and Instagram as securely as possible. Until then …