
How Hackers Hack iPhones — and How to Protect Yourself

How attackers target iOS devices and what defences actually matter.

Defender's Guide This is a defender-focused resource covering attack patterns at a conceptual level so you can recognise threats and protect yourself or your organisation. The page does not include step-by-step exploitation procedures. If you suspect you are currently being targeted or have been compromised, scroll to the recovery section below.

What attackers want from iPhones

iPhones have a tighter security model than Android phones in typical use: Apple's control over the App Store, mandatory app sandboxing, a hardware-backed Secure Enclave that protects keys and biometric data, and consistent OS update distribution across supported devices all reduce the attack surface meaningfully. This is real and worth the credit it gets. It does not mean iPhones are invulnerable; it means the realistic attack patterns are different.

For typical users, the realistic threats are: phishing (mostly working at the account-level rather than the device-level), iCloud account compromise (which exposes much of what is on the device), stalkerware via shared Apple IDs in family situations, lost or stolen devices with weak passcodes, and exposure of session tokens and credentials in iOS apps with weaker security implementations.

For high-profile users, the threat model expands significantly. Pegasus and other commercial surveillance spyware specifically target iPhones — they are valuable targets because of who carries them (executives, journalists, activists, government officials). Defending against state-grade targeted attacks requires more than typical-user protections; Apple has built Lockdown Mode specifically for this scenario.

How attackers actually do it

Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.

Phishing for Apple ID credentials

This is the most common iPhone-related compromise. Fake "your Apple ID has been locked", "verify your account" and "your iCloud is full" emails and SMS lead to fake Apple login pages. A compromised Apple ID grants access to iCloud (photos, files, contacts, location), Find My (including the ability to locate, lock or erase the device remotely), and iMessage history if Messages in iCloud is enabled. The check that defeats most of these: genuine Apple sign-in pages live on apple.com and icloud.com, and Apple does not ask for your password or a verification code over a message or a call.
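One concrete check a practitioner would script for the "is this link really Apple?" question, as an added example that is not part of the original guide: the allowlist, brand-word list and the sample messages below are constructed for illustration, and the allowlist is deliberately tiny.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: a deliberately small allowlist of Apple-owned
# sign-in domains. Everything not on it is treated as "not Apple".
APPLE_DOMAINS = ("apple.com", "icloud.com")
BRAND_WORDS = ("apple", "icloud", "itunes")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_apple_host(host: str) -> bool:
    """True only if host IS an allowlisted domain or a subdomain of one.
    'appleid.apple.com.verify-account.example' ends with '.example', so it fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def classify_link(url: str) -> dict:
    """Return a verdict and the reasons for it for a single URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if is_apple_host(host):
        return {"url": url, "host": host, "verdict": "apple", "reasons": reasons}

    # Punycode labels (xn--) hide non-Latin characters; decode them for inspection.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname")
    try:
        shown = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        shown = host
    if not shown.isascii():
        reasons.append(f"non-ASCII hostname {shown!r} (possible homograph)")

    if any(word in shown for word in BRAND_WORDS):
        reasons.append("Apple brand name inside a non-Apple hostname")

    # https://www.apple.com@evil.example/ -- the real host is the part after '@'.
    if parts.username is not None:
        reasons.append(f"userinfo {parts.username!r}@ hides the real host {host!r}")

    return {"url": url, "host": host,
            "verdict": "suspicious" if reasons else "not apple", "reasons": reasons}


def scan_message(text: str) -> list:
    """Extract every http(s) link from a message and classify it."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # trailing punctuation is not part of the link
        results.append(classify_link(url))
    return results


# Constructed sample messages (not real phishing captures).
SAMPLES = [
    "Your Apple ID has been locked. Restore access: https://appleid.apple.com.verify-account.example/login",
    "Reminder: manage your devices at https://support.apple.com/ .",
    "iCloud storage full, renew at https://xn--pple-43d.com/storage now!",
    "Security alert https://www.apple.com@account-check.example/ confirm",
]

if __name__ == "__main__":
    for message in SAMPLES:
        for r in scan_message(message):
            print(r["verdict"].upper(), r["host"], "|", "; ".join(r["reasons"]))
```

The third sample decodes to a hostname whose first letter is Cyrillic, which renders identically to the Latin one in many fonts; the fourth puts a convincing Apple hostname before an "@" so that the real destination is the part most people never read.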

Lost/stolen device with weak passcode

A 4-digit numeric passcode has only 10,000 combinations. iOS throttles failed attempts with escalating lockouts and can erase the device after ten failures, but forensic tooling has historically bypassed those limits on older devices and iOS versions, and a thief who has watched you enter a short passcode does not need to brute-force anything. Stolen devices with no passcode at all give immediate access to everything. Modern iPhones with a strong passcode and Face ID/Touch ID are well protected; older devices and weak passcodes are not.

Stalkerware via shared Apple ID (family/abuse situations)

Logging two devices into the same Apple ID syncs iMessage, photos, contacts and Find My location to both, and Family Sharing can expose location and purchases to the family organiser where sharing is enabled. In intimate-partner-abuse situations, an abuser may have set this up while the relationship was intact, retaining surveillance capability after physical separation. It is less obvious than installed stalkerware but functionally similar.

iCloud account compromise

The Apple ID is the master account for the iPhone: it controls iCloud backup access, Find My, iMessage, app purchases and payment methods. iCloud backups that are not end-to-end encrypted via Advanced Data Protection include photos, messages and app data, and an attacker with the account password and a way past two-factor authentication can restore them to a device of their own without ever touching yours.

Pegasus and other commercial spyware (high-profile targets)

NSO Group's Pegasus and similar commercial spyware (Predator, FinSpy variants, others) target iPhones via zero-click exploit chains. They have been used against journalists, activists, government officials and business executives. Such chains are expensive to build and lose their value once Apple patches the bugs they rely on, so deployment is targeted rather than mass. Apple's Lockdown Mode is designed specifically to disrupt these chains.

Configuration profile abuse

iOS configuration profiles (.mobileconfig files) can grant deep device access and are used legitimately for enterprise device management. A malicious profile installed via social engineering ("install this profile to use this Wi-Fi") can point the device at an attacker-controlled VPN, proxy or DNS server, install a root certificate, or change device settings. Two details matter in practice: iOS labels an unsigned profile "Not Verified" on the install screen, and since iOS 10.3 a root certificate installed from a profile is not trusted for TLS until the user also enables it under Settings → General → About → Certificate Trust Settings, so an attacker needs you to take that second step as well. Certificates pushed through an MDM enrolment are trusted automatically, which is one reason an MDM enrolment payload is the most dangerous thing a profile can carry.

iMessage zero-click exploits

iMessage has been a recurring target for sophisticated zero-click exploitation: the attacker sends a crafted message that exploits iOS without any user interaction. Apple patches these as they are discovered; the period between vulnerability discovery and patch installation is the window of exposure, which is why installing updates promptly matters. Lockdown Mode disables features (link previews, most attachment types) that have served as exploit vectors.

Public WiFi / network-level attacks

The same considerations as Android apply: captive-portal phishing, traffic interception on hostile Wi-Fi, malicious Wi-Fi networks. The iPhone is reasonably resilient but not immune. Apps with weak certificate validation or non-HTTPS traffic are exposed, and so is anyone who accepts a rogue profile or root certificate in order to "get online".

How to recognise compromise

Signs that your iPhone may have been compromised:

Battery draining unusually fast or device running hot when idle

Background processes from spyware consume battery and produce heat. Sustained unexplained battery drain or heat when the device should be idle warrants investigation. Settings → Battery shows app-by-app battery usage; unusual entries are suspicious. The caveat: well-built spyware is designed to avoid exactly this symptom, so a normal battery graph is not evidence of a clean device.

Apple ID activity from unfamiliar devices

Settings → [your name] lists the devices signed into your Apple ID at the bottom of the page. Any device you do not recognise is suspicious; remove it. Apple sends emails for new device sign-ins; respond to these promptly.

iCloud password change emails you did not request

If you receive a password change confirmation for a change you did not make, your Apple ID is under attack or already compromised. Act within minutes: change the password, sign out devices you do not recognise, enable additional protections, audit the account.

Configuration profiles you did not install

Settings → General → VPN & Device Management. Any profile you did not install or do not recognise should be removed. Profile installation is a common stalkerware/abuse pattern.

Unfamiliar Family Sharing members or shared accounts

Settings → [your name] → Family Sharing. Anyone you do not expect should be removed. This is particularly important after relationship changes: a former partner still in your Family Sharing group may retain location sharing and purchase visibility until removed.

Device acting strangely after specific events

Slowness, crashes or unexpected restarts that began after a specific event (clicking a suspicious link, installing a profile, connecting to unusual Wi-Fi) warrant investigation.

Apple sends "you may have been targeted" notification

Apple notifies users it believes have been targeted by mercenary spyware. This notification is the most direct possible signal. If you receive it, take it seriously: enable Lockdown Mode, and contact Citizen Lab, Amnesty International's Security Lab or the Access Now Digital Security Helpline for forensic analysis. Amnesty's Mobile Verification Toolkit (mvt-ios) can check an encrypted iTunes/Finder backup of the device against published indicators of compromise, but interpreting its output is a job for those organisations.

What actually protects you

Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.

Strong passcode (6+ digits, ideally alphanumeric) and Face ID/Touch ID

Settings → Face ID & Passcode. Six-digit numeric minimum; an alphanumeric passcode for highest security. Face ID/Touch ID is a convenience for unlocking; the passcode is still required after a restart, a software update or an extended idle period, and it is what protects the device's encryption keys, so a weak one undermines everything else. The same screen has Erase Data (wipe after ten failed attempts), worth enabling if you keep a current backup.

Hardware security key or app-based 2FA on Apple ID

Settings → [your name] → Sign-In & Security → Two-Factor Authentication. Apple's two-factor authentication pushes verification codes to your trusted devices and can fall back to SMS or a call to a trusted phone number; that fallback is the weak path, because it is exposed to SIM-swap attacks. Security Keys for Apple ID (iOS 16.3 and later; Apple requires at least two FIDO keys registered) replaces the code with a hardware key and removes the SMS fallback, which defeats phishing of codes as well as passwords. Register both keys and keep the spare somewhere safe.

Enable Advanced Data Protection (Apple's E2E iCloud encryption)

Settings → [your name] → iCloud → Advanced Data Protection. Encrypts most iCloud data (photos, device backups, notes, Messages in iCloud and more) end-to-end so even Apple cannot decrypt it. Requires setting up a recovery key or recovery contact first; lose both and the Apple ID password and the data is gone. Eliminates one of the largest attack surfaces (iCloud account compromise leading to data exposure). Caveat: iCloud Mail, Contacts and Calendar are not covered, because they use standard protocols that need server-side access.

Keep iOS updated

Settings → General → Software Update → Automatic Updates; keep "Security Responses & System Files" on as well so Apple's Rapid Security Responses apply without waiting for a full release. Apple distributes security patches consistently across supported devices; install them promptly. Most successful iPhone exploitation targets known vulnerabilities already patched in updates the user has not installed.

Enable Lockdown Mode for high-risk users

Settings → Privacy & Security → Lockdown Mode. Disables or restricts features that have been exploit vectors (link previews, most message attachment types, JavaScript JIT in Safari, incoming FaceTime calls from unknown numbers) and blocks configuration profile installation and MDM enrolment while it is on. Some compatibility tradeoffs (some websites and apps work less well). Worth enabling for journalists, activists, executives, government officials, and anyone receiving Apple's threat notification.

Audit Family Sharing and connected devices regularly

Settings → [your name] → Family Sharing. Settings → [your name] → see device list. Remove anything unexpected. Particularly important after relationship changes (partners, family members) or device upgrades (old devices forgotten on the account).

Be cautious of configuration profiles

Never install profiles from untrusted sources. Audit installed profiles periodically (Settings → General → VPN & Device Management). Legitimate use cases: enterprise MDM, specific Wi-Fi networks (universities, conferences). Anything else: investigate before installing. If the install screen says "Not Verified", or a Wi-Fi network insists on a profile rather than a password, walk away.

Use App Store apps only; do not jailbreak

iOS App Store has imperfect but meaningful review. Jailbroken iPhones lose much of the security model that protects from malicious apps. The customisation benefits rarely justify the security cost for most users.

Enable Stolen Device Protection (iOS 17.3+)

Settings → Face ID & Passcode → Stolen Device Protection. Requires Face ID or Touch ID (not just the passcode) for sensitive actions such as viewing saved passwords or turning off Find My when the device is away from familiar locations, and adds a one-hour Security Delay before changes such as the Apple ID password take effect. A major improvement against the stolen-device-with-known-passcode scenario (where a thief observed the passcode before taking the device).

For high-risk users: get specialist help

Apple does not offer individual security consultations, but there are resources for journalists, activists and others with elevated threat models: Apple's threat notifications, Citizen Lab, Amnesty International's Security Lab, the Access Now Digital Security Helpline (which Apple itself directs notified users to), and the EFF's Surveillance Self-Defense guides. Targeted threat models deserve targeted defensive expertise rather than consumer-level guidance.

Frequently Asked Questions

Are iPhones more secure than Android phones?

For typical users with default configurations and apps from official stores: somewhat, yes, due to tighter App Store control, mandatory sandboxing, the hardware Secure Enclave, and consistent OS update distribution. The differences are real but not as large as marketing suggests. Both can be secured well with appropriate practices; both can be vulnerable when poorly configured or used carelessly.

Can an iPhone be hacked remotely?

Possible but uncommon for typical users. The most realistic remote compromise paths are Apple ID phishing (account-level rather than device-level), iCloud account compromise (which exposes much of what is on the device), and sophisticated targeted attacks (Pegasus-class, expensive, used against high-profile targets only). For typical users, the realistic threat is account-level compromise via phishing or device-level compromise via physical access, not zero-click remote attacks.

What is Lockdown Mode?

Apple's extreme security mode that disables certain features known to be exploit vectors: link previews, JavaScript JIT, most attachment types, complex font rendering, and profile/MDM installation while it is on. Some compatibility tradeoffs (some websites and apps work less well). Worth enabling for journalists, activists, executives, government officials, anyone receiving Apple's threat notification, and anyone with an elevated threat model. Not necessary for typical users.

What is Advanced Data Protection?

Apple's end-to-end encryption for additional iCloud data categories (photos, backups, notes and more). When enabled, even Apple cannot decrypt your iCloud data. Tradeoff: it requires a recovery key or recovery contact, and if you lose access to both your Apple account and your recovery method, the data is unrecoverable. Worth enabling for users who want the strongest iCloud privacy; understand the recovery responsibility.

Should I jailbreak my iPhone?

For security purposes, no. Jailbreaking bypasses the iOS security boundaries that protect you from malicious apps, and apps designed for jailbroken devices get access to deeper system functions. Jailbreaking also breaks the app integrity attestation used by banking apps, payment systems and the like. The customisation benefits rarely justify the security cost.

Can iPhones get viruses?

iPhones are highly resistant to traditional viruses due to mandatory app sandboxing and App Store review. The practical risks are malicious profiles installed via social engineering, apps that request broad account or sign-in permissions, network-level attacks on hostile Wi-Fi, and sophisticated targeted attacks on unpatched vulnerabilities. "Antivirus apps" for iPhone are mostly marketing; the iOS sandbox does not let them inspect other apps.

What does Apple's threat notification mean?

Apple sends these to users it believes have been targeted by mercenary spyware such as Pegasus. It is a direct, serious indicator. If you receive it: enable Lockdown Mode immediately, contact Citizen Lab or a similar organisation for forensic analysis, audit your accounts and contacts, and consider professional incident response. Apple does not send these casually.

How long does Apple support an iPhone with updates?

Apple supports iPhones with iOS updates for approximately five to six years from release. Specific support varies; check Apple's current iOS compatibility list. Devices no longer receiving updates accumulate unpatched vulnerabilities, and replacing them is a reasonable security investment.

Is Find My private?

Yes: Find My uses end-to-end encryption for location data, so Apple cannot see your location and only authorised devices and contacts can. The privacy concerns about Find My are different: abuse via Family Sharing or a shared Apple ID granting unwanted ongoing location visibility. Audit who has access to your location periodically.

Should I use iCloud Backup?

iCloud Backup is convenient and protects against device loss. With Advanced Data Protection enabled, iCloud Backup is end-to-end encrypted and even Apple cannot read it. Without ADP, iCloud Backup is encrypted in transit and at rest but Apple holds the keys. For users wanting the strongest privacy: enable ADP. For typical users: regular iCloud Backup with strong Apple ID security is reasonable.