
How to Configure Safari for Privacy on iOS Devices (UPDATED FOR iOS 16.2)
This post was originally published on 2 OCT 2020; it has since been updated and revised.
Though Safari is a closed-source browser, some users may wish to use it with their Apple devices.
This how-to guide will show you how to increase your data privacy and security while using Safari. This guide tries to balance privacy and security against convenience.
"Points of decision" exist throughout this guide, where users should choose between security/privacy and convenience at their own discretion.
Safari has a privacy "ceiling." Users seeking the most privacy possible in their browsers should consider installing and using a privacy-oriented browser for iOS.
Preface
Update Safari and iOS
One of the best ways to maintain security (and by extension, privacy) is to keep software like browsers updated to the latest stable version available.
Keeping Safari and the iOS operating system updated is an “easy” method to make sure you are at least protected from exploits of known vulnerabilities. For most users, it’s highly recommended to turn on automatic updates so future updates can be downloaded and installed when they’re released.
Consider using a different browser
While generally secure, browsers like Edge, Chrome, and Safari have an important matter in common: there’s a “ceiling” to how private you can configure them - especially when compared to privacy-oriented mobile browsers like Brave, Firefox Focus, and SnowHaze.
Therefore, users may want to consider using a privacy-oriented browser over using Safari if privacy is their main concern.
Siri and Search
To keep it short and simple: Siri can be a double-edged sword when it comes to maintaining privacy.
Apple has found itself in hot water over Siri “overstepping” and consequently violating user privacy. For example, in 2019, Apple confirmed that Siri was recording confidential information from users. This confidential information was made available to the company’s contractors.
Now, Apple has since apologized and addressed those concerns with Siri, but the damage is done.
Ultimately, as the user, it’s up to you to decide how much you want Siri involved in your web habits. The settings here govern how Siri gathers information related to your search history, both online and off. Users should take a look at Apple’s “Safari Search and Privacy.”
Search
Safari uses Google as the default search engine, which is not at all a privacy-friendly search engine.
You should pick a default search engine that is more privacy friendly than Google or Bing. The options on iOS are limited, so users may want to consider bookmarking privacy-friendly search engine options, like Mojeek.
For better privacy, you should disable “Search Engine Suggestions” and “Safari Suggestions,” which helps to limit the data sent to the search engine itself and Apple.
You should also disable “Preload Top Hit.” When enabled, Safari will automatically load the top hit in the Safari address bar. However, this can cause unwanted and unintended behavior, such as connecting to websites the user hasn’t actively clicked/tapped on.
General
You should enable the pop-up blocker (which is enabled by default). Pop-ups can be woefully annoying and could cause you to accidentally click on something you did not intend to.
Autofill
Turn off autofill.
If you have any saved contact information or credit cards (that aren’t saved specifically in Apple Pay) on Safari, then you should delete them.
Autofill can easily make mistakes and potentially compromise your privacy in the process. For example, autofill might accidentally capture (and later paste) parts of your social security number, thinking it was part of a credit card number. It may also mistakenly paste saved credit card information into a field not designated for credit card information.
Keep in mind that some websites enable features/include code that can allow them to see what was typed/pasted into a form field without the user ever hitting “submit.”
Malicious actors can “trick” Safari into divulging stored autofill contents with a variety of methods such as an XSS attack or any variety of phishing attacks. This could put your payment information and other personally identifiable information (PII), like full name and address, at risk.
Privacy and Security
Generally, you should enable the fraud website warning and prevention of cross-site tracking here.
Blocking cookies
This is a point of decision.
Blocking cookies rejects “cookies” (bits of information) from being stored in the browser. Websites use cookies for a variety of things, such as session management (login) or as part of tracking mechanisms.
For example, if you enable blocking all cookies, log into a website, then close Safari and subsequently return to that same website, then you will have to log in again. This could also apply to sites with personalization options.
If you don’t use Safari often, then it’s recommended to block all cookies so when you do use it, these bits of information are not stored.
Apple Pay
This is another point of decision.
When enabled, websites can check whether you have Apple Pay enabled. Apple Pay is fairly secure (and relatively privacy-friendly to boot), so the issue is not so much unknowingly giving out card/payment details.
The main issue is that websites may use this information to fingerprint your device. Websites will 1) know that you use Apple Pay (or at least have it enabled) and 2) be able to use this “known” for fingerprinting and/or tracking purposes.
However, Apple Pay is a more secure alternative to giving your card details directly to an online merchant.
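How much a single yes/no answer can narrow the crowd a device hides in, as an added example that is not part of the original post. The visitor records and the attribute names (`tz`, `lang`, `screen`, `applePay`) are constructed for illustration and are not real measurements.

```javascript
// Constructed sample: eight visitors as a site might see them.
// applePay models the yes/no answer a site receives when the check is allowed.
const visitors = [
  { tz: "UTC-5", lang: "en-US", screen: "390x844", applePay: true },
  { tz: "UTC-5", lang: "en-US", screen: "390x844", applePay: false },
  { tz: "UTC-5", lang: "en-US", screen: "390x844", applePay: false },
  { tz: "UTC-5", lang: "en-US", screen: "428x926", applePay: true },
  { tz: "UTC-5", lang: "en-US", screen: "428x926", applePay: true },
  { tz: "UTC+1", lang: "de-DE", screen: "390x844", applePay: true },
  { tz: "UTC+1", lang: "de-DE", screen: "390x844", applePay: false },
  { tz: "UTC+1", lang: "de-DE", screen: "390x844", applePay: false },
];

// Group visitors that look identical on the chosen attributes.
// Returns Map<attribute tuple, number of visitors sharing it>.
function anonymitySets(records, attrs) {
  const sets = new Map();
  for (const r of records) {
    const key = attrs.map((a) => String(r[a])).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Summarize how well visitors blend in: number of groups, the smallest
// group, and how many groups contain exactly one (uniquely marked) visitor.
function summarize(records, attrs) {
  const sizes = [...anonymitySets(records, attrs).values()];
  return {
    sets: sizes.length,
    smallest: Math.min(...sizes),
    unique: sizes.filter((n) => n === 1).length,
  };
}

// Identifying information (in bits) revealed by one attribute value:
// -log2(fraction of visitors sharing that value).
function surprisalBits(records, attr, value) {
  const matching = records.filter((r) => r[attr] === value).length;
  return -Math.log2(matching / records.length);
}

const base = ["tz", "lang", "screen"];
console.log("Apple Pay answer hidden: ", summarize(visitors, base));
console.log("Apple Pay answer visible:", summarize(visitors, [...base, "applePay"]));
console.log("bits from applePay=true: ", surprisalBits(visitors, "applePay", true));
```

In this sample nobody is unique until the Apple Pay answer is visible; afterwards two visitors are alone in their group.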
Settings for websites
Most settings in this section are dedicated to accessibility. However, we can also modify content blockers, camera, microphone and location permissions in this section.
If you have any third-party content blockers integrated with Safari, then you should go ahead and enable them for all sites you visit.
Generally, it’s recommended to automatically deny any website access to your device’s camera and microphone by default.
With GPS location, we’ve encountered another point of decision.
More privacy-conscious users may want to err on the side of caution (rightfully so) and always deny location details to any website that asks.
However, some users who want to maintain a little bit of convenience may want to set this to “ask.” There may be times where the user deems it legitimate to grant a website access to their GPS-enabled location.
Advanced
JavaScript
This is a point of decision.
JavaScript is executed on the client (your) side, on your device. In most cases, there is no obvious notification to the user when JavaScript is executed; it can be executed “silently” and without direct user input.
While JavaScript can certainly be used for malicious and privacy-invasive purposes (such as pulling a user’s IP address from behind a VPN in the case of a WebRTC leak), many legit websites run legit scripts to function. As such, disabling JavaScript could break these websites and tank the user experience.
As a very general rule of thumb, users should consider disabling JavaScript only if they are “planning” to visit shadier/untrusted portions of the web.
Experimental Features
Most of the experimental WebKit features are for developers. They also change frequently with different releases of iOS and updates to the Safari app. In most cases, “regular” users do not have to tamper with experimental features to configure Safari for better privacy.
Lockdown mode
The launch of iOS 16 saw the introduction of Lockdown Mode for the entire device on which it is enabled. Per Apple, “when Phone is in Lockdown Mode… apps, websites, and features will be strictly limited for security…”
According to Apple, Lockdown Mode is an “extreme” protection mechanism for iPhone that should only be used if the user thinks they may be targeted by a highly sophisticated cyberattack - think, an attack by an advanced persistent threat (APT) backed by a nation-state entity.
With Lockdown Mode enabled, some web technologies are automatically blocked. Some web fonts and images on websites may not display at all. Users can configure apps or websites in Safari to be excluded from the limitations enforced by Lockdown Mode.
According to Cryptee’s proof-of-concept (PoC), Lockdown Mode may make users more susceptible to fingerprinting techniques - for example, Cryptee’s PoC can “tell” whether the user is using Safari in Lockdown Mode. Cryptee also believes apps can detect whether Lockdown Mode is enabled as well.
Should you use Lockdown Mode to harden Safari? It depends on the user. However, users should be aware that Lockdown Mode is a security feature rather than a privacy one.
Final thoughts
While Safari can be configured to be reasonably privacy-oriented, it is ultimately a closed-source browser by a Big Tech entity. Safari also engages in telemetry on the “back-end,” which may transmit usage data to Apple.
Also like its competitors, Edge and Chrome, Safari suffers from a “privacy ceiling.” Other privacy-oriented browsers do a better job in respecting and improving user privacy. Users looking for "maximum" privacy from the browsers on their iOS devices should download a privacy-oriented browser.
With that said, stay safe out there!