Modern operating systems, both on the desktop and on mobile devices, include plenty of “stock apps”—apps provided by default so you can use your device without needing a lot of third-party software. You get an email app, a calendar, a web browser, a messaging app, and more. This wasn’t always the case; I remember when I needed to buy an email app for my Mac, and when I had to pay for a basic calendar app.
Apple includes thirty-six default apps on iOS (though the exact number may vary from one major iOS version to the next), and you can download another dozen Apple apps, such as the iWork apps (Pages, Numbers, and Keynote), GarageBand, and more.
While many of these apps are excellent, you may want to switch some of them to enhance your security and privacy.
Switching default apps
You can install anything you want on an iPad or iPhone—as long as it’s available from the App Store—but there are limitations as to what you can do with these apps.
Apple gives Mac users a way to set different apps as their default web browser and email client (though it can be hard to find where to make these changes: the setting for the former is in System Preferences > General, and the latter can be changed in Mail’s General preferences). When you make these changes, clicking on a link to a web page will open a page in your selected browser, and an email link will open in the mail client that you have set.
However, you can’t do this on an iOS or iPadOS device. While Apple started allowing users to remove some of the default apps they don’t use in iOS 13, there is still no system-wide support for using alternative apps. This means that if you tap a link in an email or a text message, it will open in Safari, even if you want to use another browser. And if you tap an email link on a web page, it will open in Mail. (Apple is reportedly considering changing this policy, but at this point it’s only a rumor, and likely wouldn’t happen until at least iOS 14 and iPadOS 14.)
Nevertheless, you can do much of your work with third-party apps, as long as you are aware of this limitation.
Although Google is not typically considered to be the most respectful company when it comes to end-user privacy, its Chrome browser for iOS does integrate with Google’s Gmail app, allowing you to set Chrome as the default browser specifically for links in Gmail email messages. Like most browsers, Chrome for iOS does, at least, have a “private browsing” mode.
We have an extensive article about which is the most private browser for iPhone and iPad, discussing alternative browsers and their advantages and disadvantages.
Email is inherently insecure. Messages are sent unencrypted, in plain text, and reside on remote servers. They can be intercepted at many points between the sender and recipient, and are no more secure than postcards, so if you need to send and receive confidential information, you should consider using an alternative email app (or, perhaps, some method of communication other than email).
How exactly is email like a postcard? Although most email servers support encryption between the device sending the email and the email server itself (similar to how HTTPS securely connects your browser to a web server), messages may be stored on mail servers in plaintext, or transmitted further down the line on the way to their destinations in plaintext (i.e. without encryption). This makes email servers a potentially interesting target for spy agencies and hackers alike. Furthermore, end users’ devices typically store emails in plaintext, too. If either an email recipient’s device or an email server gets hacked or becomes infected, an attacker could read the contents of unencrypted emails.
Mail on macOS allows you to digitally sign or encrypt emails, and you can do this on iOS if you’re working with Microsoft Exchange. But if you’re not using Exchange, then you need to look at other solutions. (There are some complex ways to work with encrypted email using Apple’s Mail on iOS, but they require a lot of steps to get them to work.)
To send and receive encrypted email, a simpler solution is to sign up with a company that provides such a service. You won’t use Apple’s Mail app for your email, but rather an app provided by such a company.
Tutanota provides secure email with end-to-end encryption and two-factor authentication. There is a free option, which offers up to 1 GB storage, and there are premium and pro plans that let you use a custom domain, add email aliases, increase storage, etc. The company’s email client is available for iOS and Android, and you can also use webmail.
You can send messages from Tutanota to people not using the service, and they are password protected. So even if you send an email to someone using, say, Gmail, they’ll only be able to read the message if they have the password, and the message’s content remains encrypted on Gmail’s servers.
ProtonMail is another secure email provider. It also offers end-to-end encryption, and boasts that its email servers, housed in Switzerland, reside in “Europe’s most secure datacenter, underneath 1000 meters of solid rock.” Available for iOS, Android, and via the web, and you can use it with your standard Mac email client if you install ProtonMail Bridge. You can send emails to people not using ProtonMail, and they can read your messages after entering a password. ProtonMail offers free and paid versions, the latter with more storage, custom domains, etc.
It’s clear that most people won’t need to encrypt all their emails, so you can use Tutanota or ProtonMail for sensitive messages, and use Mail or another client for the rest of your email. Secure email systems are most efficient if both senders and recipients are using the same service, such as in a company or other organization, for example.
Secure messaging and phone calls
Apple’s iMessage and FaceTime services offer end-to-end encryption, meaning Apple cannot tap into your live conversations. However, iMessage is only available for messaging between two or more Apple devices, so its end-to-end encryption unfortunately doesn’t apply to messages exchanged with users of Android smartphones or other phones. (You’ll know you’re using iMessage, as opposed to an SMS or MMS text message, if you see a “blue bubble” instead of a “green bubble” when sending messages to the recipient.) If you need to send secure messages to people on other platforms, you have a lot of options.
In spite of offering end-to-end encryption, some other concerns about iMessage have come to light in recent years. Trustjacking can make it possible for an attacker to obtain your iMessages from local backups, unbeknownst to you. Furthermore, iMessages can (optionally) be backed up to iCloud servers, and iCloud backups are accessible to select Apple employees—i.e. they’re not stored encrypted in such a way that you’re the only one who can access them. That could potentially mean your messages might fall into the hands of government entities who request that data, rogue Apple employees, or attackers who either compromise an authorized Apple employee’s account or iCloud servers. For iCloud users in mainland China, messages backed up to iCloud are actually stored on servers operated by the Chinese government.
Unlike web and email links, iOS doesn’t open a messaging app by default. You can use as many messaging apps as you want, as many people do. The list is long: WeChat, WhatsApp, Facebook Messenger, Viber, Line, Slack, Google Hangouts, and many more. Most of these apps offer end-to-end encryption, but some provide more security than others.
Signal offers text, voice, video, group chats, and document sharing, with full end-to-end encryption, and you can even set your messages to self-destruct. It is free and open source. Journalism and privacy organizations recommend Signal because of its security and the fact that the service does not store metadata, information about who you communicate with. You can send standard SMS messages to non-Signal users, and they are not encrypted, so you can (in a sense) use Signal as your default messaging app.
Telegram is another secure messaging app, that is similar to Signal, but some cyber-security experts claim that its in-house encryption protocol is untested and cannot be assumed to be secure.
WhatsApp offers secure messaging and calling, and it uses Signal’s protocol, but the fact that it is owned by Facebook makes some people uncomfortable (Facebook, like Google, has a poor reputation when it comes to respecting end-user privacy). There are particularly issues with WhatsApp and the way messages can be forwarded, leading to the distribution of fake news. And reportedly most WhatsApp messages are stored unencrypted.
One essential element of security is ensuring that you have strong passwords to protect your accounts. iOS includes iCloud Keychain, which allows you to store, sync, and generate passwords on iOS devices and Macs. While there’s nothing wrong with iCloud Keychain’s security, it is limited. It only works on Apple devices, obviously, limiting your access to passwords should you need to work with other platforms.
It’s a good idea to consider a dedicated password manager, which is more flexible, compatible, and feature-rich. While password managers cannot directly integrate with browsers other than Safari on iOS, some password management apps have a built-in browser that will pre-fill your login information. In addition, it’s a lot easier to find and copy a password from a password manager than it is to go into iOS’s Settings and do the same. You need to go to Settings > Passwords & Accounts > Website & App Passwords, authenticate, search, then copy a password. With some password managers, you can set up a list of favorites to have quick access to the passwords you need most as soon as you launch the app.
Convenience often trumps security, and it is convenient to use the built-in apps on iOS, as it is on other platforms. There is more friction on iOS, however, when you want to use alternatives. But there are plenty of options for the apps you need to be most secure. Take some time to try out some of these apps and see if they work for you.
How can I learn more?
Also subscribe to Intego’s e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple, security, and privacy news.