Security & Privacy

Apple gave its first public presentation on Monday about its flagship operating systems coming in 2021: iOS 15, iPadOS 15, and watchOS 8. In addition to some new features to increase productivity (see Apple Announces New Features in iOS 15, iPadOS 15, and macOS Monterey), there are many new privacy features that give users more control over their data. And Apple has announced iCloud+, a privacy-focused service available to all users who pay for additional iCloud storage.

Overview—including what wasn’t in the keynote

First, let’s summarize all the privacy-related announcements, including some things we’ll discuss in more detail below. For things that either weren’t announced in the Apple Event, or that many people missed or aren’t talking about, we’ve put them in bold in this list.

• Secure Paste in iOS and iPadOS 15 allows you to paste content from one app to another, without the second app being able to access the information on the clipboard until you paste it. This is a significant improvement over iOS 14, which would notify when an app took data from the clipboard, but did nothing to prevent it from occurring.
• Mail Privacy Protection, which hides your IP address when loading an e-mail, is off by default but included with macOS Monterey and iOS/iPadOS 15. This feature does not require an iCloud+ subscription.
• Apple’s iCloud+ Private Relay will not be available in at least 10 regions: Belarus, China, Colombia, Egypt, Kazakhstan, the Philippines, Saudi Arabia, South Africa, Turkmenistan and Uganda. In other countries, iCloud Private Relay (included with any iCloud+ paid subscription) masks your IP address when browsing with Safari.
• iOS 15 and iPadOS 15 are compatible with all devices that support iOS/iPadOS 14 (and 13). Nevertheless, Apple will release security-only updates for iOS/iPadOS 14. Apple has yet to reveal whether iOS 12, which supports older device models, will continue to get security updates.
• macOS Monterey (macOS 12) will terminate compatibility with several Mac models, which will now be stuck with macOS Big Sur:
  • iMac — Mid-2014, Late 2014, and Mid-2015
  • MacBook — Early 2015
  • MacBook Air — Mid-2013 and Early 2014
  • MacBook Pro — Late 2013 and Mid-2014
• Siri requests will be processed on-device for iOS and iPadOS 15 (as touted in the Apple Event); however, Apple doesn’t claim that Siri requests will be processed on-device in macOS Monterey.
• macOS Monterey adds a software “recording indicator” in Control Center for apps that can access your microphone (which augments the physical camera-indicator light built into Macs).
• macOS Monterey finally adds the “Erase all contents and settings” feature that has been available in iOS for years.
• iCloud+ e-mail can now use custom domains, which is a boon for people who care about privacy and are currently using Google’s Gmail (or another company’s service) as a back-end mail provider.
• Apple is introducing Account Recovery Contacts, to allow you to pre-authorize someone to help you if you forget your Apple ID password.
• Apple is also introducing a Digital Legacy program, to allow you to pre-authorize someone to access the information in your account if you pass away.
• Safari’s Intelligent Tracking Prevention feature now prevents trackers from using your IP address to profile you.
• Safari will also automatically upgrade connections to HTTPS where possible.
• iCloud Passwords (formerly iCloud Keychain) now includes a built-in authenticator will be able to generate codes for two-factor authentication. Additionally, iCloud Passwords is now also available for Windows via a Microsoft Edge browser extension; previously iCloud Keychain was only available on Apple devices.
• Apple is adding “Advanced Fraud Protection” to Apple Card, with a regularly changing security code.

Features only available in Macs running Apple Silicon

A number of features in macOS Monterey are only available in Macs running Apple’s own processors. This is likely because these features are not optimized for Intel processors, or they require certain processor enhancements. (Though it’s not clear why text to speech in certain languages is processor dependent.)

• Portrait Mode blurred backgrounds in FaceTime videos
• Live Text for copying and pasting, looking up, or translating text within photos
• An interactive 3D globe of Earth in the Maps app
• More detailed maps in cities like San Francisco, Los Angeles, New York, and London in the Maps app
• Text-to-speech in more languages, including Swedish, Danish, Norwegian, and Finnish
• On-device keyboard dictation that performs all processing completely offline
• Unlimited keyboard dictation (previously limited to 60 seconds)

Mail improvements: Mail Privacy Protection, iCloud+ Hide My Email

Apple has announced several useful features to protect privacy in emails. Hide My Email, available as part of the forthcoming iCloud+ service, works like Sign In with Apple, allowing users with iCloud email accounts to route certain emails through Apple’s proxy servers. When you use Sign In with Apple, you can choose to have your email visible to the site or service where you sign in, or it can be obfuscated, with a unique, random email address. Those emails are forwarded to you, and you can easily turn off that email address. Hide My Email works the same way. If you sign up for, say, a newsletter on a website, and use Hide My Email, your personal email address stays private, and you can easily delete the email addresses used by the website if you can’t unsubscribe from the newsletter. Read more about Hide My Email and how it works.

Invisible pixels have long been a way for advertisers and mass emailers to track users. One tiny pixel that you can’t see, that loads from a server, sending information about you to the server, indicates whether you’ve opened an email, and provides information such as your IP address. Apple’s Mail Privacy Protection blocks invisible pixels and prevents senders from collecting data. The feature is off by default, so you have to manually choose to enable it.

Safari improvements

In addition to the visual changes to Safari—notably the new tab bar—the app’s Intelligent Tracking Prevention feature now prevents trackers from getting your IP address. This address can be used to build a detailed profile of your activity and your personal preferences, so preventing advertisers from accessing this information will enhance your privacy.

Safari will also automatically convert less secure HTTP web addresses to the more secure HTTPS, when sites support it. This is especially useful when following old links on websites, created before HTTPS was common, that may send you to HTTP versions of sites.

iOS enhancements

You already have control over which apps can access your location, photos, camera, microphone, and contacts. The new iOS App Privacy Report will provide data that you can audit at any time to see how often apps have accessed this personal information.

Users have long worried about Siri recordings being uploaded to Apple, and listened to by teams trying to improve the Siri experience. In iOS and iPadOS 15, Siri requests will be processed on your devices, so you won’t have to worry about unwanted recordings being stored by Apple. This also means that you can make Siri requests without internet access. Interestingly, Apple doesn’t claim that Siri requests will be processed on-device in macOS Monterey.

iCloud+: iCloud paid subscribers get new privacy features

One of the big features that Apple announced is iCloud+. This expansion of additional services and functionality is all “free,” assuming you already pay for additional iCloud storage, which starts at U.S. $0.99 per month for 50 GB. While Apple hasn’t upped the default (actually free) 5 GB of iCloud storage, that buck a month now looks like a really good deal for everything you will get.

As mentioned above, Hide My Email lets you use email addresses that forward to yours, so you can cut down on spam and other unwanted email.

iCloud Private Relay is a proxy service that encrypts all the traffic when you browse with Safari, and passes it through two proxies. The first assigns an anonymous IP address that indicates the region where you are, but not your precise location. The second proxy decrypts the address of the website you want to visit and forwards your request to that site. This separates user information from web traffic, and greatly enhances privacy.

Notably, iCloud Private Relay is not a VPN (Apple doesn’t claim that it is, but some news outlets have erroneously reported this). First, it only works with Safari, and doesn’t protect all of your device’s traffic, while a true VPN ensures that all your Internet traffic—from every app—is encrypted. Second, iCloud Private Relay doesn’t allow you to choose a server in a specific country, which can be useful to access geo-restricted content. Read more about iCloud Private Relay, and read why it is not a replacement for a VPN.

An upcoming article here on The Mac Security Blog will further address the distinctions between iCloud+ Private Relay, Safari and Mail’s IP address masking, and and how these new Apple features compare with the vast capabilities of full-fledged VPN service.

iCloud+ will also allow users to map custom domains to their iCloud email accounts, and share them with their family (if they have family sharing set up). This could finally be a way to get robust email without having to use a provide such as Google. It’s not clear, but presumably you’ll be able to benefit from Hide My Email with a custom domain.

iCloud+ also includes expanded HomeKit support, including the ability to use your iCloud storage to securely store recordings from a HomeKit-enabled security camera. (If you have more than one HomeKit Secure Video camera, you’ll have to pay for a higher tier than the base $0.99/mo. plan; for two to five cameras Apple requires you to be on the 200 GB plan for $2.99/mo., and for six or more cameras you must be on the 2 TB plan for $9.99/mo.)

Extended security updates for last year’s iOS 14

Currently, 85% of iPhone users and 79% of iPad users are running iOS 14 or iPadOS 14, and this rises to 90% and 91% of those users with devices released in the past four years. Since all devices running iOS/iPadOS 14 will be able to upgrade to iOS 15, this means that all these users should potentially upgrade.

Those who don’t upgrade right away, however, will still get security updates. This is especially a good thing for enterprises who may have large numbers of devices and can’t update because of the use of in-house apps or other device management requirements or logistical challenges.

This is a bit of a shift in position for Apple. The company has maintained the same system requirements from iOS/iPadOS 13 through iOS/iPadOS 14 and now the upcoming iOS/iPadOS 15, so it’s interesting that Apple will continue releasing updates for 14 in spite of 15 having the same hardware requirements. Last year, Apple required all iOS 13 users to upgrade to iOS 14 in order to receive security updates.

Apple has not yet revealed whether iOS 12 will continue to get security updates. Since the release of iOS 13 (which dropped support for a number of iPhone and iPad models) and throughout iOS 14’s tenure, Apple has continued to release some security-only updates for devices that cannot be upgraded beyond iOS 12. We will update this article if Apple responds to our inquiries to clarify whether iOS 12 will continue to get security updates after the release of iOS 15.

Password improvements: iCloud Keychain is now iCloud Passwords

Apple didn’t discuss improvements to password management in their WWDC event, but there are some major changes coming. In macOS, passwords will now be managed in System Preferences, just as they are in Settings on iOS and iPadOS. The iCloud Keychain is being rebranded as iCloud Passwords, and will now be available for Windows, with an extension to use them in Microsoft Edge. Previously, iCloud Keychain was only available for Apple devices.

A built-in authenticator will be able to generate codes for two-factor authentication, bringing Apple’s password feature up to par with many password managers. And with this in mind, you’ll be able to import or export passwords to and from other password managers.

The expansion into non-Apple devices for iCloud Passwords and the inclusion of built-in authenticator app functionality both demonstrate that Apple is getting serious about being in the password manager space.

And more: Account Recovery, Digital Legacy, and Secure Paste

Apple is introducing Account Recovery Contacts, to allow you to nominate people who can approve you if you forget your Apple ID password. And Apple is also introducing a Digital Legacy program, through which you can select Digital Legacy Contacts who can access the information in your account if you pass away.

On iOS and iPadOS, Secure Paste allows you to paste content from one app to another, without the second app being able to access the information on the pasteboard until you paste it. This means that if you copy something from app A, then open app B, that app won’t be able to parse what’s on the pasteboard. You can then switch to app C to paste that data. This is a major improvement over iOS 14, which simply notifies you when an app takes data from the clipboard (which could mean that a password or other sensitive data on your clipboard could be sent to an app developer without your consent) but doesn’t actually stop it from happening.

There are lots of useful privacy features in this year’s operating systems, further cementing Apple’s position as a leader in this area. These upgrades will be welcomed by all those concerned about their personal data and privacy.

How can I learn more?

In an upcoming article, we’ll address the important distinctions between Safari and Mail’s IP address masking and iCloud+ Private Relay, and how they compare with the vast capabilities of VPN software. Stay tuned to The Mac Security Blog for more about this.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We discussed these new privacy features in episode 191 of the Intego Mac Podcast.

You can also subscribe to our e-mail newsletter and keep an eye here on Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube.

About Kirk McElhearn