iPhone privacy - rumors vs reality

treenutz68

After a fair amount of reading (both on this forum as well as reddit privacy and other random articles) as well as watching videos from folks like The Hated One, Techlore, etc... I am fairly confused about the privacy (or lack thereof) of my iPhone and I'm considering a move to Graphene OS.

I'll summarize my situation as currently using an iPhone with a physical SIM card along with a couple of VOIP options (mysudo and google voice throwaways) to try and segment my phone numbers similar to how people use email aliases. Practically all of my friends/family/coworkers use an iPhone and therefore iMessage is their preferred method of communication (which I understand is E2EE). A couple use Signal and Whatsapp, but the vast majority use iMessage.
I do not use iCloud at all, I leave location services turned off except when I need it, use Apple maps (not google maps), use the brave browser and minimize the apps on my phone. I do not use any apple apps for things like notes, podcasts, music, etc... but rather other apps from the app store.

Now to the crux of my question. My understanding is that Apple does collect a fair amount of telemetry that they allegedly only use for their internal advertisement network and for "improving the experience". I have also heard that they are tapped into the PRISM program (per snowden), have tried to (but ultimately did not) roll out photo scanning in the name of "CSAM prevention", along with countless other allegations such as they can track all your browsing activity, any devices within close proximity of your iphone, any devices on the same wifi as your phone, etc...

I don't know how believable all of this is and if it is reality or just fear mongering. I also assume since it is all closed source, there may not be an easy way for someone to verify the truth behind such allegations? Ultimately, if this is true, I can see the value in making the switch to GrapheneOS despite losing E2EE messaging with the vast majority of my contacts. My threat model is nothing extreme, but I don't like the idea of Apple (and their partners) getting access to so much of my intimate data. From what I understand, using a program like mysudo may also be challenging on grapheneos as it seems to require installing google play services if you want call/message notifications (which I would need) as well as a secondary ios/android device from which to make payments and maintain the account.

Thanks in advance for any guidance!

[deleted]

treenutz68
I can't speak to the crux of your question, I just know they take a lot of our data. I had IOS as well and switched. However with a low threat model apple isn't awful, you get pretty decent security, just not privacy.

If you are concerned about google services, with GOS it is sandboxed. Meaning it can be isolated from everything else. You could even put it in its own profile for even more isolation. So you don't have to give up mysudo or other things that can be found on google play. You can also look into Cheogram/jmp.chat for getting multiple numbers and see if it works for your needs. Though it is restrictive, FYI. Cheogram will let you make unlimited texts, but you are limited on your calls. If you can get friends and family to switch to something like signal you can make all the calls you want as long as you are on wifi or have the data for it.

N1b

treenutz68 I'm impressed with the knowledge/research in this thread, especially from OP themselves. In the end you'll of course have to make your own informed decision. No doubt GOS is both the most secure and private mobile OS out there, followed by iOS and Pixel OS which are just a little less secure and a lot less private. These 3 options are the only ones I could recommend for any threat model out there.

Personally with all the telemetry, limitations and monopolistic behavior Apple is pushing on it's customers (tightly controlled app store, anti right to repair practices, artificial barriers for third party accessories, price politics etc.) I could never imagine using an iPhone. I like the control and ownership I get from AOSP and especially GOS, and it's really convenient and user friendly for all the features it packs. It won't get you the all in one ecosystem, but that's a plus for privacy as you'll be forced to compartmentalize a bit more by default.

If you can afford it, I suggest making a step by step change. Buy a Pixel device that is comparable to your iPhone (e.g. if you use an iPhone 15 Pro Max, get the Pixel 8 Pro with the same amount of storage). Install GOS and use it alongside your iPhone, then use it more and more until you start leaving your iPhone at home. Don't try to go all in at once. Stay on the default settings at first, use one profile with Sandboxed Play Services installed and the Play Store to get your apps. You'll have a comparable user experience, with the exception of being in charge of your data. Now you can try things out. How about a user profile for Open Source apps without Play Services? Why not make use of that Contact and Storage Scopes and deny some apps network and sensor access if they don't require them? The more you use it, the more you'll feel limited and controlled on your iPhone, at least I assume it must feel like day and night... And drawbacks like not being able to use iMessage or Airplay anymore will just reinforce the golden cage image you gain from Apple, because they could release that for Android tomorrow if they wanted to.

But either way, you'll end up preferring one device and experience over the other, which you can now reset and sell to get some money back. If you end up staying on the iPhone, that's great too. Now you know what you appreciate and have first hand experience to base your decision on.

If you need any more evidence to try GOS, you should (re)watch the great video from The Hated One on this topic. But given your research and educated thoughts, I guess you already decided to give it a shot. If you do, please let us know and don't hesitate to ask more questions. The only thing I regret is not reaching out on this forum earlier since a lot of very smart and good people on here want to help.

Oh and welcome to the community.

[deleted]

treenutz68 Should You Trust Apple? by Naomi Brockwell is a good video on this topic.

[deleted]

treenutz68 Pretty much everything TheHatedOne says is supported by his research, and sources he links in the description. On the other hand, Techlore has made a video, something along the lines of: "leaving custom ROMs" and that video pretty much describes his lack of understanding of privacy/security. His recommandation to use Firefox based browsers is also telling. Very often what he says is proven to be wrong, or its outlandish in the first place. I don't recommend their work, as a source for knowledge.

Eury

This research paper was the foundation for my reason to use GrapheneOS instead of iOS for my phone OS

"Mobile Handset Privacy: Measuring The Data iOS
and Android Send to Apple And Google"
Douglas J. Leith
https://www.scss.tcd.ie/doug.leith/
https://www.scss.tcd.ie/doug.leith/apple_google.pdf

Eury

another key reason for me:

VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher ['22 Aug 18]
https://forums.macrumors.com/threads/vpns-for-ios-are-broken-and-apple-knows-it-says-security-researcher.2355121/

https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php

treenutz68

Eury

Thanks - that doesn't sound good!

On a related note, wasn't there an issue with mullvad VPN and/or Android raised recently?
https://grapheneos.social/@GrapheneOS/112316307560525598

While I don't like it, my threat model doesn't really include hiding my IP address from apple via VPN, apple already has quite a bit of my information from my purchase of the phone, IMEI/SIM info, and probably a lot more that I don't even know about!

treenutz68

This is an incredibly helpful response! Thanks for taking so much time to spell this out as I think your plan of gradually easing into GrapheneOS while keeping my old iPhone sounds much less scary than jumping in all the way.

I did enjoy the video you linked to there and it does really highlight the value of open source systems particularly in hostile environments like the ppl in Hong Kong faced. It is sometimes hard to relate to in western countries that are relatively free, but the point that this can change at anytime is not lost upon me.

One question for you (or anyone else), do you worry about keeping the number of your SIM card private and then utilize VOIP applications to make/receive legacy calls and sms? I read a portion of Bazzel's guide to mobile privacy and I know that he harps on that as being very important to reduce the chances of both SIM swapping and linkage of your constant location (via cell tower pings) to your publicly known phone number(s).

spiral

treenutz68 keeping the number of your SIM card private and then utilize VOIP applications to make/receive legacy calls and sms?

I do this. I've ported my long-term known number to jmp.chat and my eSIM number is totally unknown to anyone.

N1b

treenutz68 do you worry about keeping the number of your SIM card private and then utilize VOIP applications to make/receive legacy calls and sms?

This is actually the hardest part for me, I don't like the invasive practices of mobile carriers and the fact that the mobile network is inherently a tracking network (it has to be in order to locate and direct your calls). Security is out of the window as well on regular cell phone calls and SMS, plus the recent discoveries about all US carriers selling location data even when opted out of data collection just reinforce my aversion...

And yet, it's just way too practical to have internet access wherever I go. A lot of services I use (e.g. Signal) require a true cell number and working around that (secondary device, many cell numbers, opsec with airplane mode and where to carry which device) can be inconvenient and expensive.

My solution so far is to have 3 different cell phone numbers (business, private and for invasive apps like WhatsApp where I require them). The number for invasive services was bought via silent.link with XMR so it's not directly linked to my identity, the other numbers require KYC where I'm living which is unfortunate. I have a VOIP number as fallback solution, but it doesn't work reliably for me and won't help much if I show my real number anyway through some apps (Signal just recently introduced usernames to hide your real number, but it's not my only leak). I also use 2 devices and have all phone numbers registered on one device which makes use of different user profiles. I disable the eSIMs when I don't actively use them. The other device is WiFi only and used for my private conversations (Signal etc. is installed there, but not the eSIM I registered the account with). This is already too much effort, given that I can't control that most people in my network will just let Facebook, Google, Apple etc. read their phone book and profile me this way. But it's a good foundation in case I'm willing to take things to the next level, and it feels good to at least know my limits and circumstances.

But... I'm not glad with this solution, it's not fulfilling my threat model, I just have to pick my battles and compromise where it's not worth the time and effort to find better solutions. I also appreciate how privileged I am to even being able to afford such solutions that involves multiple devices and subscriptions, so I don't want to complain too much.

If you are less depending on true cellular numbers than me, a VOIP solution just as jmp.chat and compartmentalization over different social and professional circles might make a lot of sense. If I were you, it would be one of my later to-dos as I can be much more effective with less effort elsewhere. Using GOS will have the biggest impact, alongside password managers, mail aliases and simply getting rid of apps and services I don't need anymore. Then I'd get familiar with fine tuning my experience as described in my last post. Only after that is all cleared I'd dive into the world of mobile networks, anonymous/pseudonymous payment, proxy services (e.g. Matrix bridges for Discord/WhatsApp etc. if you couldn't get rid of these in Step 1) etc. Or in short: Make your life easy at first and incrementally step up your game in the more complex environments. That won't work on high threat models of course, in case the context changes...

Last but not least: Since you mentioned some sources for your education, I want to once again encourage you to use this forum. The mods and some users here have been amazing experts with very good intentions for me. Other than that I can in general recommend subscribing to The Hated One, Side of Burritos, the Closed Network Privacy Podcast and of course Michael Bazzels PDFs for easily understandable content. Mullvad, IVPN, privacyguides.org and Tuta have good blogs and articles. I don't trust Techlore or All Things Secured much as they make more mistakes and are often sponsored. From people like Rob Braxman and Tom Sparks I stay away as far as I can, because I just feel like I'm getting dumber and more misinformed by the second. Over time you'll find the right sources for you by cross checking everything. This is also true for this very post: Don't trust me! Verify and get a good feeling for who is out there to help and to misinform you. There are lots of snake oil salesmen in the privacy world...

treenutz68

I appreciate all the thoughtful responses.

brightjob4495 I don't think I will go through the work of hacking a way to continue using iMessage if I make this transition, but nice to know there are ways for the truly committed to do so!

spiral I like the idea of porting my long term known number to jmp.chat, think I will look into doing this should I make the transition as well. Do you also utilize more voip numbers or just that one in jmp.chat? Also, do you have any experience with reliability of jmp when using an always on VPN?

N1b Agreed, the invasive tendencies of mobile carriers (and home ISPs) is not pleasant. I don't think I could live with a 3 phone setup like you though! I think 1 is the most I'm willing to deal with, but can appreciate the opsec process you go through :) I like your order of operations of focusing on the main elements first that give you the most bang for your buck vs jumping all the way down the rabbit hole. Honestly, it is all very overwhelming when thinking of all the steps to go through to achieve even a semi-private solution.

One thing back to my original post that I am still a little hazy on. Does anyone have a more nuanced about what apple collects from an iPhone (particularly one w/o icloud or location services switched on)? Most of the sources I read seem very binary, either stating that apple is the privacy savior that is fighting for your rights or that apple is the devil collecting anything and everything they can off your phone. One thing I did recently was connect my iPhone to nextdns and the number of pings to random apple servers all day and night is crazy. Now, I have no clue what it is doing. Is it simply checking for updates or syncing things or something harmless like that? Or is it uploading my days browsing history and photos I've taken and locations I've visited etc...?

brightjob4495

Regarding the having to use unencrypted SMS to text with the people that refuse to install an E2EE messaging app, you can self-host a Matrix server and iMessage bridge and use a Matrix client in your GOS phone to iMessage with your iMessage contacts. That's what I do with the people I have on WhatsApp and it's functional. I wouldn't say it's a great experience, but gets the job done.

Steer away from hosted iMessage bridges, as they'll have your Apple credentials, and hosted Matrix servers, as they need to collect a lot of metadata in order to work. So I think only self hosting is an acceptable solution for this problem. For your case of iMessage, you'll need a MacOS constantly running, so maybe you can look for a used M1 Mac Mini to use as your server, as it's small, quiet and has low power consumption.

treenutz68

[deleted]

Yeah, I enjoyed his videos about apple and graphene. I wonder though when he speaks about apple device privacy, if he is talking about using it in the way most people do (with icloud, location services always on, bluetooth and wifi always on, etc...) or how that may be different if you follow some privacy best practices with an iPhone. I imagine you could mitigate a lot of the telemetry collected by apple by toggling several of those things off, but I can't verify this myself.

spiral

treenutz68

I use multiple jmp.chat numbers across different user profiles and they are all always behind an always-on VPN, it works great.

treenutz68

spiral

Thanks. Do you leave all of these profiles 'running' all the time so you're notified if you get calls to any of the numbers? If so, does that eat up your battery significantly or does it run ok?

Blastoidea

If you think about these things all the time, you will drive yourself crazy.

I just do the best I can, and am thankful that no one is after me. I try not to be my own worst enemy.

I just hate being snooped on.

treenutz68

Blastoidea

I agree, this is my general feeling as well, not enjoying feeling snooped on. That is the crux of my dilemma, trying to figure out if there truly is snooping going on via my iPhone (with no icloud and no location services enabled) or if this is just folks fear mongering. Ultimately, I don't have the technical ability to figure this out on my own. I did see a study that showed all the data and stock iphones and androids capture and it seemed to be a lot. I guess I'm not sure if that applies when removing things like icloud and location services or not.

But ultimately, since stock android and iphone are closed source, perhaps it is just too difficult to verify what is happening behind the scenes and the only true privacy answer is to go open source with something like graphene. It's one of the reasons I moved to linux on both my computers years ago, I got tired of the telemetry that windows captures (I assume macs do the same).

tango

You have already received some sound advice here regarding privacy so i wont add to that at moment. What i would suggest is that you get yourself a Pixel and install GrapheneOS. I dont believe you will ever look back or regret it if you do. There are a lot of clever people on here and you will always get sound technical advice providing you respect others on here, which from your replies you clearly do. Good luck with what you decide.

spiral

treenutz68

Some of the profiles are usually open all of the time, it just depends. I don't find that it impacts my battery life too terribly - I think having 5G running impacts it much more.

[deleted]

treenutz68 THO on his patreon talks about iOS a fair bit. You can listen to it using unofficial means and if you end up findig the information valuable, make sure to support him with a few bucks.

N1b

treenutz68 I wonder though when he speaks about apple device privacy, if he is talking about using it in the way most people do (with icloud, location services always on, bluetooth and wifi always on, etc...) or how that may be different if you follow some privacy best practices with an iPhone

He somewhat addresses that with a few sentences, because the gist of it is that Apple controls the hardware, OS, core apps and access to everything. You simply can't escape Apple on an iPhone without bricking it. Their practices of tracking you in their own apps despite you revoking consent, or that they just redefine the dictionary meaning of "tracking" so they can claim to let you disable tracking of third party apps, are very deceiving. Those facts plus the Hong Kong example plus many other actions (e.g. anti right to repair practices, standard setups of iCloud etc.) are more than enough for me to not trust Apple. I don't need to go into conspiracy theories in order to get a pretty solid impression on Apple being in it for the money and only for the money (like every other big tech company). They will not hesitate to monetize you wherever they can get away with it, no matter what they tell in their very well crafted marketing material.

Google is by no means better when it comes to privacy, but Google only controls their Play Services since they needed a quick answer to the iPhone and opted for the readily available AOSP instead of building from scratch. It just happens to be a lucky situation for us that it's more profitable for Google to work with an open system and invite other developers and vendors to change things and support their OS, which is where great teams like the GOS developers can chime in. Could you imagine Apple allowing the GOS team to improve their system and remove all Apple telemetry?

To put it in one sentence: Using Apple products (or unmodified Google products) to me is living in a hostile relationship with a narcissist that exploits me whenever possible, but gives me nice things and experiences here and there to bind me.

The greatest power we have is educating ourselves and making informed decisions based on our threat models. I'm not saying you shouldn't use Apple products, they can be a great fit, but don't get fooled by their privacy campaigns. Like any other investor money driven company, they would throw you in front of a bus if it means profit to them. Make use of the powers you have (education and choice) and you'll be back in control of your individual privacy fulfillment.