Originally written for the iPod Touch in September 2015, updated August 2022
If you like this content, consider sending me an anonymous tip with Zcash:
This guide is aimed at providing a detailed method for maximizing security and privacy on an Apple iPad (non-cellular). This guide should be adapted to fit your threat model, including using this guide on iPad’s with cellular that support iPadOS 16 or iPhones that support iOS 16.
Legacy phone calling and texting (SMS, MMS) are inherently insecure. Communications content and metadata is collected and stored by various organizations and for many years. All people, but especially those in at-risk professions, have a responsibility to safeguard their communications with strong encryption technologies because only then will your coworkers, friends, and family be able to collectively defend your rights. In professions where privacy is expected between you and clients like law and journalism, policy should dictate to either communicate securely or not at all.
Encryption technology is not new but default strong encryption in mass-market devices is. The political cost of default privacy and security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy and vulnerable communications infrastructure, which is by design:
- All cell phones (baseband processor) transmit insecure content and metadata because cell networks were designed for connectivity and surveillance of said connectivity.
- All cell phones (baseband processor) not broken, off, or in Airplane Mode can be easily tracked.
- The majority of SIM cards require registration using government-issued ID.
- Most Androids get slowly patched, if at all.
- Carrier modified versions of Android are poorly developed and maintained.
“Nobody is listening to your telephone calls” –President Obama, 2013
President Obama is not lying. It is not possible for the US government to “listen” to every phone call. However, the technical requirements for recording phone calls is more than feasible. It is cheaper and more effective to transcribe voice data to text, transcriptions that can be stored forever. The solution is easy: don’t give it to them.
What is bad for U.S. Intelligence is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the personal costs of default privacy and security and the financial risk of businesses to support what we need.
The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature rich devices. The most effective way to assure that you are not a victim of cell tracking or attack is to not use those systems.
Not the iPod anymore
Due to a massive lapse in judgement by Apple to put the A10 Fusion chip from 2016 in the 2019 iPod Touch, no version of iPod Touch is secure. Also, as of 2022, the iPod has been discontinued.
The Apple iPad, from a hardware point of view
The iPad fills a much needed space:
- Supports Wi-Fi only
- Supports >= A12 chip
- Supports wired headsets for audio and video calls, including 3.5mm ports, Lighting ports, or USB-C with a USB-C adapter. Not all iPads have the same port options, that’s important to double check.
- Supports >= iPadOS/iOS 16 as of writing (Aug 2022)
- Supports Signal
In order of security, then cost:
- M1 - iPad Air (5th gen, 2022) - spec
- M1 - iPad Pro 11-inch (3rd gen, 2021) - spec
- M1 - iPad Pro 12.9-inch (5th gen, 2021) - spec
- A15 - iPad mini (6th gen, 2021) - spec
- A14 - iPad Air 10.9” (4th gen, 2022) - spec
- A13 - iPad (9th gen, 2021) - spec
- A12Z - iPad Pro 11” (2nd gen, 2020) - spec
- A12Z - iPad Pro 12.9” (4th gen, 2020) - spec
- A12X - iPad Pro 11” (3rd gen, 2018) - spec
- A12X - iPad Pro 12.9” (3rd gen, 2018) - spec
- A12 - iPad 10.2” (8th gen, 2020) - spec
- A12 - iPad Mini 7.9” (5th gen, 2019) - spec
- A12 - iPad Air 10.5” (3rd gen, 2019) - spec
Keep in mind that the newer the chip, the longer that Apple will support it with security patches. Do not use a device no longer getting the latest version iPadOS/iOS.
Why is the A12 (or greater) chip so important?
Before the A12, Apple devices do not have these critical technologies:
- Page Protection Layer (PPL) “requires that the platform execute only signed and trusted code.”
- Pointer Authentication Codes (PAC) are “used to protect against exploitation of memory corruption bugs.”
See Apple’s high-level breakdown of SoC Security.
The thing that you need to know is that without these critical security technologies, Apple devices are vulnerable to easy-to-perform physical and remote exploits.
One reason why Tor is so valuable compared to any for-profit VPN provider is that you blend in with everyone else using Tor. Don’t stick out. Using “un-hackable phones” or hardware-modded devices sticks out. Using commodity hardware like an Apple iPad does not. This has important value for both physical surveillance and network surveillance.
Why not use a phone in Airplane Mode? Why does it need to be a Wi-Fi-only device?
- In modern cell phones (devices with cellular baseband processors), the baseband is an isolated computer within your phone, with its own power controller, CPU, memory, firmware, and operating system. When a phone boots up, the initialization sequence of the phone includes the boot up of the baseband. This means that the baseband is initialized, before and in parallel to, the phone’s main operating system. This is done for power-saving and security reasons. It means that when you put a phone into Airplane Mode, all you’re doing is turning your phone’s operating system’s access to the baseband off. Airplane Mode does not mean that the baseband hardware, firmware, or software stack is turned off.
- Even without a SIM card, a baseband processor can and does connect to cell towers, including the disclosure of the device’s IMEI along with “when” and “where” metadata. This is how a SIM-less phone can call 911. It’s impossible to mitigate cellular communications without resorting to Faraday cages.
Apple, the National Security Agency, and Data Link-Ability
Apple is an American company that works with the NSA and is part of the PRISM program. If you are, or ever could be a target of U.S. intelligence or U.S. military organizations, you are already playing difficult game by choosing an Apple product.
Just turning on an Apple product, the device is working against you by collecting WiFi and Bluetooth network information in order to attempt to “streamline” a user’s setup experience. Some of that data is uploaded to Apple’s servers as soon as the device is connected to the internet. Every Apple device, especially new ones, upload its unique hardware identifiers to Apple, along with network metadata that can disclose physical location information to Apple.
- Your device’s hardware identifiers.
- Your public IP address used to connect to *.apple.com services.
- All other information that you input into the device for device setup and account sign-in, which are both required in order to access the Apple Store.
If Apple, or any of the U.S. intelligence or military organizations, have any other data that links anything about you to the this Apple device, your identity can be tracked by these organizations.
- Your credit card or debit card used to make the purchase.
- Your physical address for device delivery.
- Your car license plate seen by Automatic License Plate Readers (ALPR) going to pick up the device.
Also, when you’re using Signal, this requires use of Apple Push Notification Service (APNs). This means that Apple has a metadata record of when, where, and what service you’re using.
- The date and time you send or receive messages.
- The network metadata associated with the receiving or delivering of messages.
- Your messaging application, Signal.
There are ways to deal with this, but it is not for the average user. I’ll go into more detail in the DEFCON ONE section below.
iOS Updates Warnings
- Update iOS always. Update as soon as possible. Every update comes with very important security patches.
- Be aware that privacy settings may be reconfigured without your knowledge when you perform iOS updates. Review all settings after every update.
- Airplane Mode gets disabled automatically after every iOS update. This “feature” is great for idiots, but terrible for operational security. Presume that after every iOS update + reboot, Airplane Mode will be disabled upon startup until you reactive Airplane Mode. See my DEFCON ONE section below if this matters to your threat model.
Wi-Fi iPad + Signal Advantages
- Wi-Fi iPads do not have baseband processors, SIM cards, or SIM card port insecurities.
- You can control which Wi-Fi networks to expose your device to, if you choose to use Wi-Fi.
- Wi-Fi iPads employs default Full Disk Encryption that is dependent on hardware and firmware cryptographic integrity controls.
- Apple publishes security patches quickly and are not dependent on carrier restrictions.
- Signal uses only modern, always-on, end-to-end cryptography.
- Signal allows users to verify encryption key fingerprints.
- Signal is free, open source, and has public security audits.
- Signal supports interoperability, meaning that other people can use Signal on iOS or Android devices.
- The default settings for iOS devices are bad for operational security. To use Signal anonymously or pseudo-anonymously requires great effort.
- Wired or Wi-Fi internet access is not as abundant as cellular internet access. These days, people depend heavily on having an always-connected device to function.
- iOS requires an AppleID to download and update apps.
Set up a new or recently wiped device
- Create a >= 12 digit PIN or alpha-numeric passphrase
- Click “Forgot password or don’t have an Apple ID?”
- Click “Set Up Later in Settings” then “Don’t Use”
- Click “Customize Settings”
- Location Services: Disable
- Siri: Set Up Later in Settings
- Screen Time: Set Up Later in Settings
- iPad Analytics: Don’t Share
iOS configuration of a new or recently wiped device
Do this all before setting up your AppleID, and before connecting to any network of any kind. Again: DO NOT connect to any network - Bluetooth or Wi-Fi unless steps 1-5 are complete.
Note: if you are adapting this guide using an iPhone or iPad with cellular, remove the SIM card before powering on the device. Ideally this would be a brand new device having never been connected to a network.
Disable the Network
- Settings > Airplane Mode: Enabled
- Settings > Wi-Fi: Off
- Settings > Bluetooth: Off
Enable Lockdown Mode
- Settings > Privacy & Security > Lockdown Mode > Turn On Lockdown Mode, then immediately restart.
- Notifications - Show Previews: Never
- General - AirDrop: Off
- General - AirPlay and Handoff - Automatically AirPlay to TVs: Never
- General - AirPlay and Handoff - Handoff: Off
- General - Background App Refresh: Turn every app off independently because you will want background refresh on once Signal is installed
- Control Center - Remove all controls
- Siri & Search - Siri Suggestions: Disable all
- Touch ID & Passcode - Allow Access When Locked: Disable all
- Privacy - Tracking: Disable
- Privacy - Motion & Fitness: Disable
- Privacy - Apple Advertising - Personalized Ads: Disable
Delete all apps, except maybe Notes and Contacts.
Swipe left from the home screen to see the default widgets, and delete them all. Do everything that you can to remind yourself that this device cannot be used for anything other than using Signal as securely and privately as possible.
AppleID setup and configuration
Before you can setup your AppleID, you need to create a new email address that:
- Has no ties to your identity. Don’t use any names, pseudonyms, passwords, or anchor points that you’ve ever used.
- Supports two-factor authentication (2FA).
- Is created and only accessed via Tor Browser; ideally, Tails Linux. In other words, don’t add this email address to your iPad— a secured iPad should not be used for any other purpose other than Signal, but this depends on your threat model.
- Open the App Store app on your iPad.
- Click the Profile icon in the top-right corner.
- Create a New AppleID.
Signing into the App Store only is important. Signing into the App Store will not automatically sign into iCloud. Never sign into iCloud.
Thoughts on iPadOS/iOS 16 “Lockdown Mode” (LDM)
LDM isn’t perfect, but it’s a huge help. Here are some of the areas where LDM does not help (as of writing).
- LDM should be enabled before your device is ever networked. Particularly, if you are using an iPad with cellular or an iPhone, and your SIM card is inserted, malicious SMS messages or maybe even iMessages can be received by your device before LDM is enabled, potentially opening up your device to remote exploitation. Even SIM-less devices, like a Wi-Fi iPad that this guide focuses on, malicious actors might be able to perform remote or local network attacks (Wi-Fi or Bluetooth), or physical attacks if threat actors have physical access to your device, that could otherwise be mitigated by LDM.
- A modern exploit mitigation technology called Memory Tagging Extension (MTE) still has not been enabled.
- Media decoding, like the automatic processing of images and video when your device receives these things, is performed by the main SOC. Ideally (not for performance but for security) media would be decoded at the application layer, or Apple would have to build a new isolated processor for offloading media decoding.
Contacts, Calendars, and Notes data security
You have two choices when it comes to managing your contacts list, calendars, and notes data. There are many pros and cons with these two options and will depend on your threat model, so please think very carefully about your operational security practices.
- Offline data: Since you are not signed into iCloud, you cannot risk disclosing your contacts, calendars, and notes data to Apple or your local government willingly (if your government has forced Apple to host iCloud data in your country instead of, or in addition to, the USA). This means it is relatively safe to use the Contacts, Calendar, and Notes apps, depending on your threat model. Using Apple’s Contacts app is seamless since you can safely grant Signal access to contacts.
- You have to trust Signal to continue to implement trustworthy cryptographic security mechanisms that continue to prevent themselves from ever having cleartext access to your contacts. This risk is low, since you are already trusting Signal with the confidentiality and integrity of the content of your communications and whom you communicate with via Signal. This risk is also low because Signal does not have any financial motivation to collect your contacts in any way. In fact, data storage is expensive, and responding to government requests for users data is expensive, so it is cheaper for Signal to never have this data.
- Apple native apps are the default places to look for this data if you ever are stopped and searched by government or private security agents. If this risk applies to you, store your data in a trustworthy offline password manager that supports a “key file” like Strongbox. Strongbox is like KeypassXC but for iOS, where the database is encrypted in addition to iOS disk encryption, but you can use a key file to make bruteforcing of this database impossible. Keep your key file online somewhere so you can remotely download it when you need access to your Strongbox database contents. Like your passphrase to the database, the key file should never be shared.
- Online data: If you are technically savvy, or have access to trustworthy technical friends or coworkers, you can self host your contacts, calendars, and notes. I use Mail-in-a-Box to self host these things, but there are many open source, self-host solutions out there.
- Since data is remotely available, you can easily wipe your phone when crossing security check points, including regional borders like at airports, and re-setup your device and re-download your data from anywhere in the world after you have safely cross these types of high-risk areas.
- Since data is remotely available, it may be possible for your adversaries to know of the existence of where your data is stored online. In my example of using Mail-in-a-Box, this setup requires a public domain name that is registered to my name. Government and private entities can buy full access to domain registry data. Online storage is a risk for remote exploitation by way of illegal or legal (government warrant) means.
- Running your own Tor hidden service, like from a Raspberry Pi hosted in a secure location, means that you can use Onion Browser by Mike Tigas to safely and privately access or download remote data.
DEFCON ONE configuration
There are two options that can be used independently, or combined, to enhance operational security.
Why DEFCON ONE might be critical for you
Are you worried about, or have you ever experienced, attackers physically stalking, harassing, or assaulting you? If the answer is yes, then you have a high risk of those same abusers conducting wireless attacks against your wireless device.
Wireless (Wi-Fi or Bluetooth) attacks are “physical” attacks. They require an attacker to be physically near and aim to:
- Capture your wireless packets in order to conduct surveillance. Your abusers might be trying to determine:
- Are you nearby?
- When are you online and active?
- How long are your conversations?
- How often do you have conversations?
- Capture your wireless packets in order to attempt to hack the security vulnerabilities in wireless protocols. Your abusers might be trying to determine:
- What type of device are you using?
- What methods are you using in order to communicate with others?
- Are there any vulnerabilities that could be taken advantage of?
- DoS (Denial of Service) your device to prevent you from being able to communicate.
- Hack the wireless protocols allowing active surveillance of wireless transmissions or to hack the device through protocol, driver, or operating system vulnerabilities. Your abusers might be trying to determine:
- What apps are you using?
- Do those apps have any vulnerabilities?
- Hack the wireless device directly through unknown or unpatched vulnerabilities in the wireless service, driver, and/or operating system. Your abusers might be trying to:
- Have complete access to your device, including apps like Signal.
DEFCON ONE directions
The GL-iNet Beryl is a router that supports some outstanding features:
- Wi-Fi can be disabled
- Supports a WAN port and LAN port for wired-only networking
- Supports transparent Tor proxying
The Belkin USB-C to Gigabit Ethernet Adapter or Belkin Ethernet + Power Adapter with Lightning Connector allows you to mitigate all wireless attacks when the iPad is in persistant Airplane Mode.
- Connect an ethernet cable to the ethernet adapter.
- Connect the ethernet adapter to a new, out-of-box iPad without turning the iPad on.
- Power on the iPad for the firs time
Following steps 1-3, upon iPad boot-up, the iPad will not go searching for Wi-Fi access points and will automatically use the wired connection.
Combine the GL-iNet Beryl with a wired ethernet adapter, and you can then Torify the iPad initialization and all future use, in effect never disclosing your physical location metadata to Apple or Signal.
DEFCON ONE Notes
- If you do this, be sure that the wired ethernet connection is always active before, during, and after all iOS updates because of the unfortunate automatic disabling of Airplane Mode after iOS updates.
- The Belkin USB-C adapter does not support USB-C charging. You will not be able to leave the iPad with an always-on internet connection, but this is not necessarily a bad thing.
- Assure that Airplane Mode is enabled immediately after setting up the iPad for the first time. Assure that Airplane Mode is always enabled. Assure that you never connect to any Wi-Fi access point, ever, so that if Airplane Mode ever becomes disabled accidentally, it will not broadcast any Wi-Fi connect packets.
- If you are not worried about physical wireless attacks (attackers who physically stalk you and try to break into your iPad via wireless hacks), then you can use the GL-iNet Beryl as a wireless device while leveraging the transparent Tor proxy.