The Complete iPhone Privacy Guide: What Apple Protects and What It Doesn’t
Apple’s privacy features are real — but they have limits most iPhone users don’t know about. Here’s exactly what iOS protects, what it doesn’t, and what to do about the gaps.

Kuzzat Altay
Published March 2026 · 14 min read
Apple has built the strongest consumer privacy system of any major phone platform. That sentence is true, and it matters. It also does not mean your iPhone is private by default.
The gap between Apple's marketing and the actual technical reality is not a scandal — it is a nuance. But it is a nuance that affects every iPhone user, and most people who buy an iPhone because they care about privacy do not fully understand where the protections end.
This guide covers what Apple genuinely protects, what it does not, and the specific steps you can take — right now, in Settings — to cover the gaps.
What Apple Genuinely Protects
App Tracking Transparency
Introduced in April 2021 with iOS 14.5, App Tracking Transparency (ATT) requires apps to ask your permission before tracking your activity across other companies' apps and websites. The primary mechanism is the IDFA — a device-level identifier advertisers used to link your behavior across different apps. When you decline the prompt, the IDFA returns zeroed-out data. The app gets nothing.
This works. Worldwide, roughly 75% of users either decline tracking when prompted or disable the prompt entirely. Meta estimated it lost $12.8 billion in revenue in 2022 as a direct result. That number tells you something real was disrupted.
What ATT does not do: it does not stop any company from tracking what you do inside their own app. Facebook knows every post you paused on, every search you ran, every button you tapped inside Facebook — regardless of whether you declined ATT. Apple says explicitly in its own documentation: ATT "does not affect apps' ability to collect and use first-party data." The wall ATT built stops data sharing between companies. It does not touch what any single company collects from its own users.
It also does not prevent fingerprinting — building a profile of your device from characteristics like screen resolution, installed fonts, audio processing signatures, and other signals that do not require your IDFA. Research from Oxford University published in the ACM FAccT proceedings found that after ATT launched, the number of active tracking libraries in apps remained essentially unchanged, and the number of tracking domains contacted by apps before any consent was given actually increased.
ATT matters. It is not sufficient on its own.
Mail Privacy Protection
Mail Privacy Protection, introduced with iOS 15, does two specific things: it hides your IP address from email senders by routing remote content through Apple's proxy servers, and it pre-loads all email content — including invisible tracking pixels — in the background when a message arrives, not when you open it.
The result is that senders cannot tell whether you opened their email, when you opened it, or how many times. Industry data suggests that roughly 80% of all email open events tracked by marketing platforms are now Apple-generated false positives. This is a genuine and meaningful privacy protection.
It applies only to the Apple Mail app. If you use Gmail, Outlook, or any other email client on your iPhone, Mail Privacy Protection does nothing for those accounts. And while it blocks open tracking, click tracking — what links you actually tap — remains fully functional.
Safari Intelligent Tracking Prevention
Since 2020, Safari has blocked all third-party cookies by default with no exceptions. Intelligent Tracking Prevention uses on-device machine learning to classify domains that track across sites, and applies additional restrictions: cookies created by JavaScript are capped at seven days, cookies set after you arrive through a link from a known tracker domain are capped at 24 hours, and bounce tracking — where a site briefly redirects you through a tracker before sending you to your destination — is actively mitigated.
Because Apple requires all iOS browsers to use the WebKit engine, these protections apply to Chrome, Firefox, and every other browser on your iPhone. This is not widely understood.
What ITP does not fully prevent is fingerprinting. Safari adds noise to certain browser signals, but researchers have demonstrated ways to average out that noise and recover a consistent device identifier. Fingerprinting does not require cookies and does not require your permission.
iCloud Private Relay
iCloud Private Relay, available to iCloud+ subscribers, routes your Safari browsing through two separate relay servers. The first relay, operated by Apple, sees your IP address but not the site you're visiting. The second relay, operated by a third-party provider, sees the destination but not your IP. The design means no single party — including Apple — has the complete picture.
Private Relay is real, and the architecture is thoughtful. It is also not a VPN, and Apple does not call it one. It protects only Safari browsing and system DNS queries. It does not encrypt all traffic leaving your device. It does not work in Chrome, Firefox, or any non-Safari browser. It is unavailable in roughly a dozen countries including China, Russia, and Saudi Arabia. Enterprise networks can block it by returning a failure response for Apple's relay domains.
If you pay for iCloud+ and use Safari, enable it. Just understand what you are enabling.
What Apple Does Not Protect
Your ISP can still see your non-Safari traffic
Even with every Apple privacy feature enabled, your internet service provider retains visibility into your DNS queries, the destination IP addresses your device connects to, the domain names sent in plaintext during the TLS handshake, and connection metadata — which sites you visit, when, and for how long — for all traffic outside Safari.
Private Relay covers Safari and system DNS. Everything else — third-party apps making network requests, browsers other than Safari, background activity — goes through your ISP without the relay layer.
Facebook tracks you inside Facebook, regardless of ATT
Declining the ATT prompt tells Facebook's ad network it cannot link your in-app data with data from other companies. It does not restrict what Facebook collects from you inside its own ecosystem.
Security researcher Felix Krause documented in 2022 that the Facebook and Instagram iOS apps inject JavaScript code into every external website you visit through their in-app browsers, enabling tracking of taps, text input, and form fields including passwords. This behavior is not blocked by ATT. It is not blocked by any Apple feature. The only mitigation is to avoid using in-app browsers entirely: when a link opens inside a social media app, tap the option to open in Safari instead.
Your IP address is exposed in every browser except Safari
iCloud Private Relay protects Safari. Every other browser on your iPhone — Chrome, Firefox, Brave, Edge — connects directly to websites, exposing your real IP address. Apple cannot protect what routes outside its own browser.
Public WiFi surveillance is a network problem, not a device problem
Apple's privacy features are implemented at the device level. They do not protect against surveillance at the network level. On a public WiFi network, even with every iOS privacy feature enabled, the network operator can see which domains you visit through DNS queries, observe your connection metadata, and potentially intercept unencrypted traffic. Apple's protections stop at the edge of your device. What happens on the network itself is outside their scope.
What a VPN Actually Adds
A VPN does something none of Apple's built-in features do: it encrypts all traffic leaving your device — not just Safari, not just DNS, but everything — and routes it through a server that separates your IP address from your activity.
Specifically, a VPN covers the gaps that Apple leaves open. It encrypts your DNS queries so your ISP cannot see which domains you visit. It hides your IP address from every app and website, not just Safari. It protects traffic on public WiFi at the network level, not just the device level. It works across every browser and every app.
There are important things a VPN does not do. It does not stop in-app tracking by companies like Meta. It does not replace ATT. It does not make you anonymous — if you are logged into Google, Google knows who you are regardless of what IP address you are connecting from. A VPN changes what your ISP and the network see. It does not change what you voluntarily hand to the platforms you use every day.
For the network-level layer, PlanckVPN's free tier covers the gap without requiring a subscription.
Six iOS Settings to Change Right Now
These are the most impactful privacy settings in iOS 18, with exact paths.
1. Disable cross-app tracking globally
Settings > Privacy & Security > Tracking — toggle off "Allow Apps to Request to Track." This prevents any app from even presenting the ATT prompt. The IDFA is zeroed out system-wide.
2. Audit location permissions per app
Settings > Privacy & Security > Location Services > [App Name] — review each app individually. Set to "Never" for any app that has no legitimate need for your location. Toggle off "Precise Location" for apps where an approximate location would suffice.
3. Enable App Privacy Report
Settings > Privacy & Security > App Privacy Report > Turn On App Privacy Report. This shows you how often each app accesses your camera, microphone, contacts, and location — and which network domains each app is contacting in the background. Worth looking at once before deciding what to trust.
4. Disable analytics sharing
Settings > Privacy & Security > Analytics & Improvements — toggle off "Share iPhone Analytics," "Share with App Developers," and "Share iCloud Analytics." Research from Aalto University's CHI 2024 study found that Apple's default apps collect data even when these settings are off, but disabling them removes any consent Apple could claim for the practice.
5. Disable Apple's personalized ads
Settings > Privacy & Security > Apple Advertising — toggle off "Personalized Ads." This limits ad targeting in the App Store, Apple News, and related Apple properties. It does not affect ad tracking by third-party apps.
6. Clear Significant Locations
Settings > Privacy & Security > Location Services > System Services > Significant Locations. Apple uses this to track places you visit frequently for Maps and Calendar predictions. Clear the history and disable the feature unless you actively use that functionality.
The Honest Summary
Apple does more for user privacy than any other major phone manufacturer. ATT disrupted the cross-app tracking industry in ways that are still being felt. Mail Privacy Protection eliminated an entire category of surveillance. Safari's cookie blocking and ITP represent years of engineering work against a determined tracking ecosystem.
None of that means iOS is private by default. Apple's features are mostly device-level, mostly browser-specific, and entirely dependent on what you enable. First-party tracking inside apps is untouched. ISP visibility into non-Safari traffic is untouched. Network-level surveillance on public WiFi is untouched.
A thoughtful combination of iOS privacy settings plus a trusted VPN for network-level protection covers most realistic threat models for most people. Neither alone is enough. Together, they close most of the gaps that actually matter in everyday use.
Sources
- Apple Developer Documentation — App Tracking Transparency framework
- Apple Privacy Whitepaper — "Mobile Advertising and the Impact of Apple's App Tracking Transparency Policy" (April 2022)
- Flurry Analytics — App Tracking Transparency Opt-In Rate, Monthly Updates
- 9to5Mac — "Apple introduced App Tracking Transparency four years ago: Here's how it's going" (May 2025)
- Meta Q4 2021 Earnings — estimated $12.8 billion revenue loss due to ATT
- Kollnig et al., "Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels" — ACM FAccT 2022
- Lockdown Privacy — "Study: Effectiveness of Apple's App Tracking Transparency" (September 2021)
- Aridor et al., "Evaluating the Impact of Privacy Regulation on E-Commerce Firms" — Management Science (November 2025)
- Apple Support — "Use Mail Privacy Protection on iPhone"
- Validity — "A Deep Dive into Apple's Link Tracking Protection"
- WebKit — "Tracking Prevention in WebKit" (official documentation)
- Apple Developer Documentation — WebKit requirement for iOS browsers
- Fingerprint.com — "Bypassing Safari 17 Audio Fingerprinting Protection"
- Apple Support — "About iCloud Private Relay"
- Apple WWDC21 Session 10096 — "Get ready for iCloud Private Relay"
- AppleInsider — "Apple's iCloud Private Relay feature not available in Belarus, China, Uganda, other countries"
- Upturn — "What ISPs Can See"
- Felix Krause — Meta in-app browser tracking research (August 2022)
- TechCrunch — "Facebook users sue Meta, accusing the company of tracking on iOS through a loophole" (September 2022)
- Bourdoucen & Lindqvist, "Privacy of Default Apps in Apple's Mobile Ecosystem" — ACM CHI 2024
- Gizmodo — "Apple Faces Fourth iPhone Privacy Lawsuit After Gizmodo Story" (January 2023)
- HTTP Archive / Web Almanac 2025 — Security chapter
- Google Transparency Report — HTTPS encryption on the web

Written by
Kuzzat Altay
Cofounder of PlanckVPN. Human rights activist, software engineer, and educator. Originally from Central Asia, based in Virginia.