-
Apple (macOS)
When it comes to privacy, you often hear Apple fans jumping in first with:
“what happens on my iPhone stays on my iPhone”
Sure, except that it does not stay on your iPhone!
An easy approach would be to install Linux on your Mac (if you can) and move on...
Chapter closed and done? Nah, let’s not ignore the fact that Apple has countless users and, of course, that you'll be in the Apple Garden (locked into their universe), but you can still have a pretty good setup together.
Stay Private, create yourself!
To do so, follow the Identity Preservation Page
Boot up your Mac
After you've booted up your Mac, go to privacy.sexy (fully open-source) and configure the Mac in the way that fits you best. I recommend every point of the options, as it almost takes your Mac to where it is supposed to be in the first place.
Now click:
Settings → Security & Privacy → FileVaultEncrypt your hard disk
Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory
sudo pmset -a destroyfvkeyonstandby 1sudo pmset -a hibernatemode 25If you choose to evict FileVault keys into standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key
sudo pmset -a powernap 0sudo pmset -a standby 0
sudo pmset -a standbydelay 0sudo pmset -a autopoweroff 0The next part (Firewall) should be covered on privacy.sexy, but it won't hurt to double-check:
Click Firewall → Turn on Firewall → Block all incoming connections and enable stealth mode
You can also do this via the terminal:
Enable the firewall (State = 1)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate onTurning on log mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode onEnable Stealth mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode onTo prevent built-in software as well as code-signed, downloaded software from being whitelisted automatically:
Disabled allow signed built-in applications automatically
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned offDisabled allow signed downloaded applications automatically
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp offClick Privacy and go over every point as you think it fits you best. Switch off all location services, Camera and Microphone, Bluetooth, Speech recognition and go over every point, and select the best fitting options. Apple Advertising turns off Personalised Ads. Analytics & Improvements make sure everything is off!
Jump over to your terminal again:
sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'This adds OCSP to your hostfile and blocks telemetry to Apple.
Enable Firmware password
https://support.apple.com/en-us/HT204455
Randomizing your MAC address is not automatically possible on macOS, you can, however, do this manually after each reboot
Go to the terminal
(Turn the Wi-Fi off)
networksetup -setairportpower en0 off(Change the MAC Address)
sudo ifconfig en0 ether 88:63:11:11:11:11(Turn the Wi-Fi back on)
networksetup -setairportpower en0 onSo let's now get some apps that will make your browsing and working experience more "fruitful" but less "appley".
On a Mac, you actually already have some excellent options to lock things down.
Firewall
First things first, Mac comes with a built-in firewall. However, Mac's firewall is switched off - by default!
System Preferences —> Security & Privacy —> Firewall and turn it ON
—> Firewall Options
Check 'Block all incoming connections'
Options
Lulu is an open-source firewall that can even block Apple trackers, and it's 100% open-source (did I say that already?:-)). Once you enable Lulu, you get pop-up notifications, and can block or allow connections. You can also delete rules or add domains or ports to the rules.
Lulu has a built-in host file that makes blocking domains easy.
Another great, maybe even more powerful solution, is called Little Snitch.
Little Snitch is not open-source, but has had a few audits and built up a great reputation over a number of years. You can get a 30-day free demo, and a single licence will set you back $45.
In conclusion, Little Snitch can do a lot and gives you multiple options. However, it can be a little overwhelming at first, and might not be everyone's cup of tea because of the price tag.
Radio Silent is another simple, powerful, and hassle-free option. In fact, it is absolutely beginner-friendly and protects your privacy. You won't have any pop-ups, you set it all up in the settings and forget about it. It is dead simple to allow or deny an app going online. The app gives you a 24 hours trial version and costs $9 as a one-off charge thereafter.
Between the three options, pick the one that feels best for you, perhaps take the time and try all three. However, the only free and fully open-source solution, Lulu, would be my personal pick, I can recommend it!
DNS
The next step is blocking domains at DNS level. Oh yes, DNS again, I know it is my personal agenda to make DNS a thing in everyone's mind.
Options
We have some great solutions for Apple, which all work hand in hand with the firewalls!
The first, and my personally recommended solution, is AdGuard for Mac. Although this solution is not free, it is worth every penny spent on it.
It is not just an easy switch between DNS servers, but is also great for 'on the fly' blocking of domains. It has pre-selected hostfiles, and it lets you add more by just adding the URLs off a hostfile, for example, the always excellent SteveBlack blocklist.
AdGuard blocks system-wide, so you can also add Apple domains to it.
Another great option, would be to use DeCloudUs which can block all Apple domains. I, personally, would suggest you use it in combination with AdGuard and really lock Apple out of your system!
NextDNS is another good way to lockdown your Mac, you'll need to use the NextDNS Command-Line Client to get it set up.
Fine Tuning
For a browser, don’t just rely on Safari but have one browser for private stuff and one for business etc. I recommend LibreWolf.
Librewolf
This project is an independent fork of Firefox, with the primary goals of privacy, security and user freedom.
Every Firefox extension works, but then it is a Firefox fork after all. Privacy focused and secure, without all the commerce of a Firefox. I love the fact that I can add my own DNS server, just like on Firefox.
LibreWolf is designed to minimize data collection and telemetry as much as possible. This is achieved through hundreds of privacy, security, and performance settings and patches. Intrusive integrated add-ons including updater, crash reporter, and pocket are removed too.
Open-SourceLinux WindowsmacOSHighly RecommendedIf you do so, an essential add-on would be LibRedirect:
With this add-on, you can redirect traffic to more privacy protected frontends, so Twitter to Nitter, YouTube to Piped etc... and it lets you send the traffic over Tor.
Another great add-on is NoScript and/or uBlock Origin.
If you want to stick with Safari, you can also use the paid app, Privacy Redirect, which automatically can redirect your browser to Nitter, Piped etc.
Privacy Redirect
A configurable web extension that redirects Twitter, YouTube, Reddit, Google Maps, Google Search, and Google Translate to privacy-friendly alternatives.
Not FreeiOSiPadOSmacOSAnd even though this might sound like a small thing to do, if you are using Safari, change your search engine to DuckDuckGo. If you leave the search engine on Google, it will continue to receive metadata from you.
Apple also connects to
token.safebrowsing.apple, so block this domain with your firewall and/or AdGuard. This domain is basically Google Safe Browsing (Apple proxied). Block safebrowsing.googleapis.com as well.Click Safari → Preferences → Security
And disable fraudulent sites, while this is optional, it is Google Safe Browsing, and I just don't recommend Google knowing anything about your browsing.
Click Safari → Preferences → Privacy
Switch off Web advertising and Apple Pay and Apple Card
Even though I prefer LibreWolf, keep in mind that Safari (except the Google Safe Browsing) is a decent and privacy-friendly browser that does not connect to too many intrusive services (except Google Safe Browsing). I would use a combination between LibreWolf and Safari. Keep in mind that Safari is used by most Apple users, so your fingerprinting will be unique to Apple, but not to many other companies. So, this is an advantage to using it as your main browser.
For your most private browser experience, you can install the Tor Browser:
https://www.torproject.org/download/
As with any OS I do recommend using a password manager. You have a great option with Bitwarden, which works on any device, regardless of if it's Mac, Android, Windows or a browser. Chose it over the built-in Apple Keychain, you don't want your keychain backup running over iCloud, even if Apple claims they can't read it. Additionally, you will be able to keep your password manager if you ever decide to leave Apple.
Keep in mind, Bitwarden also works on iOS, so you do not need to pay per subscription on iOS and macOS. Bitwarden works with Firefox and any other browser as well.
Another great Apple only password manager is Strongbox which is not free (as with most great apps on Apple). Strongbox, however, is compatible with Keepass, so you can use that on other devices, and if you ever switch from Apple, you are good to go with a backup.
Strongbox works 'out of the box' with Safari. It also has a separate (subscription-based) iOS version.
Overall, macOS will never be as private and free (as in freedom) as Linux is. But if you use Apple because you need to, for example FaceTime and iMessaging (with colleagues), or you have any other reason to stick with Apple, video editing etc. or just being heavily invested in Apple already, you can get some privacy out of the devices.
iCloud
I would not use iCloud if you don't need it for any specific reason!? If you need a cloud, use Nextcloud and host it yourself. If you use iCloud, use Cryptomator to encrypt your files.
Attempt to block as many unnecessary connections as possible with your firewall. This will be a challenge at the beginning, as you will have many pop-ups. But over time, the firewall won't bother you too many times. And you'll have an experience that you can enjoy.
Stay safe (even when on an Apple device ;).
iOS
The newest iPhones and iPads contian a chip that submits your location to Apple every time you switch off your phone, even if you have location services switched off! And it will pinpoint your whereabouts even if you are using a VPN or have airplane mode on!DNS & blocking bad traffic ⁄
DNSCloak is like NextDNS and is an app which runs as a VPN protocol (but only on iOS).
DNSCloak (iOS) — DNS & blocking bad trafficPassword Manager
Bitwarden works with almost any device and browser you can mention: Windows, Mac, Linux; iOS and Android; Chrome, Firefox, Safari, Edge, and many more niche browsers.2FA - Authentication
A Password Manager is a must in today's world, but if you can protect yourself further with more than just a password, like two-factor (step) authentication (2FA), then do so. That said, do not use SMS based 2FAs, if you can avoid them.Secure Messengers
When it comes to messengers we have Meta (Facebook) with the largest hand in the cookie jar, WhatsApp and Messenger are sadly used by many people, some with excuses like everyone else uses it. When it comes to privacy, these are the worst choices you can make.Useful Links
This reference section is designed to provide you with links and resources available elsewhere on the internet centered on the subject of privacy. These include links into our social media network, other privacy sites plus bloggers, vloggers and podcasts that we follow and appreciate.
