In this Apple-user-oriented and Safari-and-Mail-centric guide to improving privacy, security, and speed for the average Joe's online experience, I suggest some extensions, applications, and components for both macOS and iOS. I don't pretend to be writing the perfect guide. I just want to share what I find useful from this perspective and hope that it can be helpful to someone else.

Premise

Internet privacy and online anonymity are extremely hard to achieve, if not impossible, because of increasingly pervasive and aggressive data mining practices and global mass surveillance programs. Truth be told, in most cases we willingly give up a lot of our data, personal life, and details in order to use convenient free services: social networks, email, DNS, blog engines, cool sites, communities, communication apps and so forth. Moreover, using services and software that one thought to be safe, private, and secure, but that aren't really so, gives a false sense of security and privacy, and this is possibly even more dangerous, because we all change our behavior depending on whether we are being watched or, at least, we won't do socially unacceptable things if we know we are being watched. It's just our natural behavior.

Big data serving immoral marketing strategies isn't the only issue here. There are intrinsic serious privacy concerns and quite worrisome related potential dangers that people often don't take into account (or care about) whenever they share very personal data on these platforms. Most of us aren't even aware we leave a significant trail in everything we do, both online and offline, and that all of this contributes to very accurate profiling. In fact, even if you don't have any social network account or don't explicitly agree to be tracked and profiled, they (social networks or otherwise) do have a profile of you.

The broad invasion of privacy we're all subject to can have dire consequences. Take identity theft and all it can lead to as an example. What's worse, most of the time it's not entirely one's own fault if one falls victim to identity theft, because of data breaches caused by some company's negligence or mistakes in an ever more digital life.

So, should you be willing to learn how to protect yourself against unfair practices, or at least mitigate them, Kevin Mitnick's "The Art of Invisibility" is a good start. Mind, it is not a panacea. Most of the technologies and techniques outlined in the book are common knowledge and are easily feasible. On the other hand, the care required to fully achieve what's taught in the book demands a pretty serious commitment that most of us can't be arsed to even think about. In all fairness, it's close to impossible for the average Joe (including me) to keep up with those goals and be stealthy. But that's ok, we are not Edward Snowden or Julian Assange after all. You might even argue that "I've nothing to hide..." Well... It. Ain't. Quite. So. I strongly advise that you read the book nonetheless. If anything, for general knowledge.

Having said that, while I personally couldn't take on Mitnick's precautions fully, the book got me thinking about how to mitigate, at the very least, some of the data mining and improve both my security and privacy in my day-to-day online presence, while still using the software I usually use (as opposed to switching to something else) and without compromising my online experience, in terms of usability, too much.

Disclaimer

The web is plastered with advertisements masked as unbiased articles and guides. Most of the time these rank high in search engines too, making it hard to discern what's legit from the crap. But there are plenty of good resources out there to help you understand them better. Some of these give you the tools to make an educated choice, others give you precious advice on how to improve your situation.

However, as valid as these resources may be, most of them are centered around technologies I don't want to switch to. This post is a small and humble contribution alongside those, and it aims to make things a little better and safer for Apple users who use and love Safari and Mail, be it on macOS or iOS.

Based on this preamble, I don't pretend to be writing the perfect guide. I just want to share what I find useful from this perspective and hope that it can be helpful to someone else. If you have better options and they are compatible with my premise, I'd like to hear about them, so please share them.

Again, I don't claim to have the definitive solution. There is neither a single book nor a single product that can make you absolutely secure and, to that extent, grant you absolute privacy. Remember: security is not a product. It's a process.

Also, the reasons why using a VPN, end-to-end encrypted communication tools, and what-have-you is a good idea will not be discussed here; their benefits are taken for granted. I assume that you, the reader, know about them or are, at least, interested enough to find out for yourself. There are already copious resources that explain why these tools are beneficial. Thus, I'll just point out the ones I use and unbiased websites to help you choose your very own favorite or get suggestions to improve your online privacy and security.

Lastly, should you be surprised by the fact that some of the services mentioned here require a payment, I'd like you to know that I'm in no way affiliated with any of them. Part of the reason you should pay for them is the old saying "if something is free, then you are the product". No matter how many arguments are brought against this mantra, it's still very valid and, besides the usual suspects, there have been cases of free plugins exploiting and selling your data to the very companies their product should protect you from in the first place. This is why I'll try to suggest alternatives that follow a more ethical approach, have a transparent philosophy, and are open source, whenever possible.

Email Tracking

To both make a point of how simple it can be to mitigate risks, and to encourage you to continue reading this post, I'll start with the one regarding Mail that requires the least effort: email tracking. It is a sneaky and deceitful practice that went from sacrilegious to unnoticed, widespread, and abused, easily accessible to everyone. It's also very hard to defeat effectively. The only effective method to mitigate it today, according to Englehart's conclusion in this article, is to disable remote content from automatically loading in your emails. The only downside is that you get uglier emails, but they will be safer. It's a good compromise and you still retain the choice to view the email in your web browser, should you want to. So, go to Mail preferences and disable remote content, on both macOS and iOS.

To prevent macOS Mail from downloading remote content:

  1. Select Mail > Preferences.
  2. Select the Viewing tab.
  3. Make sure "Load remote content in messages" is not selected.
  4. Close the Preferences window.

To prevent iOS Mail from downloading remote content:

  1. Open the Settings app.
  2. Tap the Mail section.
  3. Scroll down to the "Messages" area.
  4. Disable the "Load Remote Images" option.
  5. Close the Settings app.

"It's that easy..."
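To see what "remote content" actually means for a tracker, here is an added Python example (not code from the original post) that parses a constructed HTML email and lists which hosts Mail would contact if remote content were loaded, flagging the hidden 1x1 beacon whose URL carries a per-recipient token. The sample message, its hosts and the token name are all made up for the illustration.

```python
"""Spot remote content and likely tracking pixels in an email.

Constructed example: shows what the "load remote content" setting would fetch
and why disabling it stops the tracker from learning that the mail was opened.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one ordinary remote logo plus one hidden 1x1
# "open beacon" whose URL carries a placeholder per-recipient token.
SAMPLE_EMAIL = """\
From: newsletter@example.com
To: joe@example.net
Subject: Weekly digest
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Joe,</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<p>Read the digest.</p>
<img src="https://track.example.com/open?rid=RECIPIENT_TOKEN" width="1" height="1" style="display:none">
</body></html>
"""


class RemoteImageCollector(HTMLParser):
    """Collects every <img> whose src points at a remote (http/https) URL."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attributes = dict(attrs)
        if urlparse(attributes.get("src", "")).scheme in ("http", "https"):
            self.images.append(attributes)


def looks_like_tracking_pixel(attrs):
    """Heuristic: a tiny or hidden image whose URL carries a query string is
    there to report the open to the sender, not to be seen by the reader."""
    def dimension(name):
        value = attrs.get(name, "").strip().rstrip("px")
        return int(value) if value.isdigit() else None

    tiny = dimension("width") in (0, 1) or dimension("height") in (0, 1)
    hidden = "display:none" in attrs.get("style", "").replace(" ", "")
    has_query = bool(urlparse(attrs.get("src", "")).query)
    return has_query and (tiny or hidden)


def scan_email(raw_message):
    """Return (remote_hosts, tracking_pixel_urls) for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    collector = RemoteImageCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    hosts = sorted({urlparse(img["src"]).hostname for img in collector.images})
    pixels = [img["src"] for img in collector.images if looks_like_tracking_pixel(img)]
    return hosts, pixels


if __name__ == "__main__":
    remote_hosts, tracking_pixels = scan_email(SAMPLE_EMAIL)
    print("Hosts contacted if remote content loads:", remote_hosts)
    print("Likely tracking pixels:", tracking_pixels)
```

With remote content disabled, neither host is contacted until you explicitly choose to load images, which is exactly the signal the beacon depends on.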

Search Engine

Another easy expedient is to switch to a more privacy-oriented search engine than Google. Safari offers DuckDuckGo by default; use it.[1]

However, I find StartPage to be closer to my needs. Technically, it's Google without the annoyances and the privacy invasion!!! The search results are better than DuckDuckGo's and, most importantly, it offers anonymized proxy links right beside the search results.

  • To use StartPage, install the official Safari extension, from here: "Add to Safari".

Of course, there are more privacy-oriented search engines you could use, but I prefer to list only the best known, DuckDuckGo, and my favorite alternative.

The only thing I dislike about StartPage is that it won't integrate into Safari as a selectable search engine in the "Search" preferences tab, but this is probably not entirely StartPage's fault. Perhaps if we ask Apple nicely for it to be integrated as a selectable search engine in the "Search Engine" menu, it will happen, as it did with DuckDuckGo in OS X Yosemite and iOS 8.

Safari Extensions

There is a plethora of extensions available for Firefox and Chrome, perhaps far too many. In comparison, Safari extensions are few. Worry not, most of the needs discussed in this post are very well covered by them. The missing EFF extensions are certainly a minus, but we can live without them until the technical reasons why they are missing are addressed. You should note that the EFF applauds the new Apple privacy technologies implemented in Safari, so we are a little safer than before.

Nevertheless, I do encourage lobbying for changes in Safari to enable things like HTTPS Everywhere and hardware and biometric authentication standards like FIDO U2F and UAF, especially because Apple already cares about its users' privacy and integrates biometrics in its products. Perhaps if we ask Apple nicely, again, we might see those implemented soon enough.

Now, although Apple's continuous efforts and the EFF's praise are encouraging, this is the list of extensions I suggest you use (yes, all of them):

  • TrafficLight: a helpful extension that points out threatening sites (malware and phishing attempts) each and every time you access them. A simple traffic-light metaphor will help you discern those sites right within the search results as well.

  • uBlock Origin: the best ad blocker and filtering extension. It's open source. It's effective. It's customizable. It doesn't spy on you. It doesn't sell your data. You should enable all of the lists in the "3rd-party filters", with the exception of languages you don't care about and experimental ones. Especially enable the "Social" filtering ones. With the latter enabled, you won't have social buttons to click on to share on social networks, but at least you can mitigate very accurate profiling, which by the way affects even people who don't have any social network accounts.

  • Wipr: lightweight and efficient ad, tracker and many other annoyances blocker.

  • Better: ethical and effective content blocker.

  • UntrackMe: while it's not perfect as it doesn't catch them all, it removes the tracking tags from (e.g.) articles you may open with an RSS reader.

  • JS Blocker: if you've ever used NoScript for Firefox or ScriptSafe for Chrome, it's time you rejoiced! JS Blocker is amazing, effective and not as intrusive as the aforementioned ones. It even helps to prevent canvas fingerprinting. (Update: JS Blocker won't work with Safari 12 and above, as the developer doesn't have the resources to adapt his extension to the new App Store requirements.)

  • Syndicate: should you be still using an RSS reader and have uBlock Origin blocking social buttons (which blocks RSS icons too), you need this to subscribe to RSS from Safari directly.

  • CheckShortURL: the last one here is not an extension but a very useful tool you should bookmark and make it a habit to use. Why? Briefly, shortened URLs could link to potentially dangerous sites or pages without you knowing until you actually click on them. This tool expands them for you safely and gives you the opportunity to check the destination link (it also provides ways to check the final URL's reputation and scan it for viruses). As you'll see in my next post, my network blocks short URLs unless I whitelist them on my router, so I'm kind of forced to use such a service. You'll get used to it quickly and it can save you some hassle.

External Apps

So far we've improved our browsing and email privacy a little (more on emails later), but you should also take care to improve your security as well. If the many and ever-growing data breaches have taught us anything, it's that people are very careless when it comes to Internet security. These dumps demonstrate that this is especially true with password security: most of the time people use very easy-to-crack passwords and, what's worse, reuse the same passwords all over the place. Besides passwords, there are many other computer security aspects that you should be aware of and should be taking care of, but this is beyond the scope of this section. So, without further ado, these are the external apps I use and recommend you use too:

  • 1Password: a password manager is a must. Full stop. The one I like and find most convenient is 1Password. There are many out there and you are free to choose the one you want beyond this recommendation, but do use one. Also, there have been developments in password security, so choose one that allows different kinds of passwords to be generated and kept safe.

  • Cookie 5: cookies are one of the tools in the arsenal of marketers, data miners, and, believe it or not, crackers. It doesn't take much effort to be a little safer. Cookie 5 is a good app toward that goal, and it's very much set-and-forget.

  • Wifi Spoof: spoofing your MAC address is going to help mask your identity and possibly save you from some hassles, however small. It is a good practice to follow and it's also one of the things suggested by Kevin Mitnick in his book.

  • BitDefender Antivirus: yes I know... you think the Mac is intrinsically safe and that there are no such things as viruses and malware for Mac. Well, long story short: that's simply not true. In fact, even Apple has a brief official page about it. Albeit the amount of existing macOS malware is risible in comparison with that other operating system, and many argue against antivirus in general, I strongly suggest you use anti-virus and anti-malware (but avoid the crap!!!). Again, it's your choice whether to install one or not. Especially, it's your choice which one to use. I like BitDefender. Remember, there's no perfect product. Choose the one you think is best, but avoid freeware and adware.

  • Cryptomator: should you be using a public cloud file service like Dropbox, it's best if you add an extra layer of protection (both for privacy and security). Cryptomator is open source, it's pay-what-you-want and it's fairly easy to use. It will improve your privacy against surveillance and render file leaks less effective. I haven't tested it on iCloud but it doesn't sound like a bad idea. Remember the fappening? While it's true that it was a phishing attack (as opposed to an iCloud flaw), it is also likely true that had an additional layer of encryption been in place, it would probably have been harder to get those files in the clear.

  • Syncthing: better still, if you need a cloud file syncing/sharing service, there are better alternatives to Dropbox (https://www.privacytools.io/#cloud). Syncthing is one of them.

  • GPG Suite: the suite to manage and use GPG on Mac. This will be very useful with encrypted emails and data encryption. You can even go to parties!

Safer DNS

If you don't know what DNS is and why it's crucial to the Internet, just think about it as a taxi you jump into every time you want to be taken to a website. Every single time you type an address into your browser, there's a DNS server doing the hard work for you (taking you to that address in its taxi). Because of this, a DNS server knows a lot about your online activity. There are many free DNS services out there and most of them promise to be anonymous or not to spy on you. I don't really trust them. There are some exceptions though, like DNS run by hacker collectives and by privacy advocates. However, as you'll see later, a good enough DNS to use is the one provided by your VPN service. But what if you do not have a VPN? Which one to use, among the many freely available? Well, it's a compromise. My favorite one, besides the one provided by my VPN when I'm not connected to it, is Quad9, for a few simple and solid reasons you can read about on their site: security, performance, and privacy.

Quad9 has a very simple-to-follow DNS configuration guide, so I won't repeat it here.

Encrypted DNS

One more piece of advice on DNS, for completeness' sake, is DNSCrypt. More info on Wikipedia. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks and helps to prevent DNS spoofing. This falls more into DNS security than privacy, and I'm not entirely sure how useful DNSCrypt is in this context after all. Feel free to explore and use it, but keep in mind that Quad9 is enough for the main point discussed here.

Good VPN

As anticipated in the disclaimer, I won't go over the reasons why using a VPN is a good thing. However, I don't want you to fall for advertisement articles and videos in your web search, so I've picked these three random videos among the most neutral I could find: 1, 2 and 3, and this very good article to help you understand some of the benefits and the reasons why using a VPN is a must nowadays. I strongly recommend reading the article, since it also discusses proxies, Tor, and the combined use of a VPN and Tor together.

Now, a VPN is only as good as its privacy and logging policies and the legislation it falls under. You should check the resources at the bottom of this page and choose for yourself. Again, there's no perfect product, and this is true for VPNs too. I personally use Mullvad VPN and this is what I'd advise you use too, even if Sweden is probably going to implement harsher laws against this kind of service very soon. Yes, Mullvad is Swedish for mole.

There are a few good reasons and features why I like Mullvad, among them: they don't ask for your identity when you create an account, they have a zero-logging policy, they accept Bitcoin payments, their articles and guides are very good, and they already support and implement WireGuard for both macOS and iOS.

Encrypted Emails

You'd be flabbergasted to learn that email was never meant to be secure and private, how easy it is for somebody eavesdropping to read your emails, or how high the risks are in sending personal details over email. These are the reasons why you should use encryption at all times in all of your communications, not just emails, and take some precautions when sending emails. Better still, use a privacy-oriented email service. As with VPNs, I encourage you to check the resources at the bottom of this page and choose for yourself. I do use a specific one but I might change it soon, therefore I won't spend much time talking about it here.[2]

Having said that, I'd like to give you some hints:

Choosing the email provider is important, of course. Once you have one, you should also know how to use encrypted email, though. You should know that using GPGMail with Mail is a breeze, once you have created your GPG key pair and have taught yourself how to do this whole encryption business. Luckily for us, GPG Suite offers a very detailed and easy-to-understand how-to. Easy peasy.

As a last note, I'd like you to know about DarkMail. It is very promising, but far from being deployed anytime soon (if it's still alive at all). Keep an eye on it nonetheless.

Secure Communication

One thing should be clear by now: you should not be using Skype, WhatsApp, Messenger or any other instant messaging app that is not so safe and is pretty much entangled with data mining and the mass surveillance circle. Perhaps you think you are safe because you are using Telegram, Signal[3], WhatsApp[4] or even ChatSecure and XMPP[5]. While the latter are better than the former, they are not quite it. I personally use and strongly advise you to switch to Wire[6]. It's open source, it's reliable, it has a strong security argument and great features, and its security is regularly and independently audited. It also compares favorably with all of them. Besides, it's also cross-platform: it is available for iOS, Android, Linux, Windows, macOS and web browser clients. You can use it to make voice and video calls and to send text messages, files, images, videos, audio files and user drawings, depending on the clients used. It is hosted within the European Union and protected by European Union laws.

Avoid These

If you have read the disclaimer, you can recall that the web is plastered with advertisements masked as unbiased articles and guides. Besides paid articles written only to promote certain services, one particular category of shitty malware disguised as useful software that you must avoid at all costs is the "scammy cleaning family". Yes, I'm referring to all of the infamous Mac cleaning utilities, whatever their names are and whatever they claim to be doing for your own good: do not trust them and do not ever install them. They will either install malware or be malware themselves, infesting your Mac and making your life worse. Furthermore, they are a pain to eradicate.

There is a lot more software that will install or integrate malware, adware, and tracking within its app, like uTorrent for example, but I cannot list them all. Not to mention all of the tricky malware you might incautiously install if you visit porn sites or free streaming sites. Just beware of what gets into your Mac. By the way, should you be doing torrents, use qBittorrent.

Another important piece of advice is that you should also avoid software cracking. As you may have guessed, it's not free. Cracked software is very likely to be infected with any kind of malware. That's often the payoff for the crackers' efforts. If you really want free, then use the Free, Libre and Open Source Software available for the Mac platform. Most of it is available via Homebrew and very easily installable.

The above is only a brief representative sample of dangerous sites, mischievous articles, not-so-great services, and dangerous software habits. I can't know about all of them, but I brought up these examples also to step back for a moment: malware does exist on the Mac and you do need to protect against it.

About iOS

So far we've mainly discussed macOS. This is partly because iOS doesn't really allow the same level of sophistication, so the iOS part is going to be shorter. However, since Apple introduced content blocking on iOS, it is a good idea to take full advantage of it as much as we possibly can. The other reason is that some of the software and extensions I introduced earlier will be used on iOS as well. We can take advantage of VPN and encryption, as well as use our favorite DNS and most of the things we've discussed so far. Now, I won't go over the topics again; I'll just list the components and apps you should be using on iOS, with some additions:

  • DuckDuckGo: you should use Safari with DuckDuckGo on iOS too.

  • Purify: uBlock Origin and JS Blocker are not available for iOS. Purify is the best option to block many annoyances in one small and easy-to-use application.

  • Wipr: lightweight and efficient ad, tracker and many other annoyances blocker.

  • Better: ethical and effective content blocker.

  • 1Password: also available for iOS and very well integrated too. This is also why I prefer 1Password over other password managers.

  • Onion Browser: today's best option for a Tor browser on iOS.

  • If you happen to use Mullvad VPN, use WireGuard on iOS too. Otherwise, use the official OpenVPN client.

  • OpenVPN Connect: the official OpenVPN client. Look no further. Here's how to use it with Mullvad VPN. You should always use a VPN when connected to public Wi-Fi. To be even safer, use a VPN even when you are on your cellular network as well.

  • DNS Override: if you want to take advantage of a safer DNS on iOS as well, DNS Override is the app you are looking for. I haven't found anything better than this so far, so this is it for now. It's extremely configurable and very well thought out. You can set your rules per network and forget about it.

  • iPGMail: this is kind of the best equivalent to GPG Suite I could find for iOS. iPGMail integrates with the iOS Mail application and makes the process of sending or receiving secure private messages simple. Your best bet for encrypted emails on iOS so far.

  • iOS Antivirus?: the way that iOS works makes it so that antivirus is not needed, at all. Perhaps one day we'll get the same level of sandboxing and security for macOS too.

Resources

Related Videos

These are some must-watch videos about the topics we've discussed in this post.

One More Thing

One last piece of advice is about common computer security knowledge. Albeit being common knowledge, it's neglected by most people more often than you'd think. It's for this reason that most universities have dedicated pages. You'd think that higher education students would be educated enough and blah... nope! I find the Berkeley resources to be very valid, informative and easy for anyone to understand. You should browse around. Also, I'm going to reiterate some of these common best-practice concepts here, again:

  • password protect your account.
  • don't give your passwords away.
  • use a password manager.
  • always use two-factor authentication.
  • better still, use hardware keys based on FIDO, like the NitroKey and the Ledger Nano S.
  • should other people need to use your Mac, always let them in from the guest account only.
  • always install software updates, especially security ones.
  • use the integrated firewall. It's a wonderful tool and it must be taken advantage of.
  • if possible, use FileVault. The only reason not to use it is if you have some third-party tracking software (other than Find My Mac) that cannot work with FileVault.
  • be a careful and very skeptical cybernaut: most scams and malware get into your Mac because most people just click and accept blindly.
  • again, practice cyber hygiene.
  • regularly audit installed software and declutter your system when possible.
  • do not use Flash, Java or Silverlight. They are dead and dangerous technologies. Sites using them should die along with them.
  • be very restrictive with what you allow/install on your system.
  • don't give anything away. ever.
  • keep your data safe and use Time Machine.
  • use a VPN.
  • use encryption.
  • use secure tools.
  • use secure communication tools.

I think that's enough for a sample of the common best practices. Should you be thinking I'm being paranoid, this is a good time to suggest browsing the valid Berkeley resources once more, to remind you that marketers steal your credentials when you visit websites, and to suggest a couple more books to read:

  • Kevin Mitnick's "The Art of Deception: Controlling the Human Element of Security."
  • Kevin Mitnick's "The Art Of Intrusion: The Real Stories Behind The Exploits Of Hackers, Intruders, And Deceivers."
  • Kevin Poulsen's "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground."
  • Christopher Hadnagy's "Social Engineering: The Art of Human Hacking."

I can guarantee you'll be surprised, astounded and gobsmacked to learn what is even remotely possible for crackers to do with the right motivation.

Until Next Time

In my next post, I'll be sharing my LEDE configuration and considerations. It will not be too technical, but it's definitely going to aim at a slightly geekier Joe. In that post, I'll point out what extra components I've installed and what kind of configuration made my home Wi-Fi a little safer for all the family members to use, just by connecting to it and with zero knowledge of anything discussed in this very post or in the next one. I'll also share my scripts to automate custom builds. Stay tuned.

  1. DuckDuckGo footnote: DDG has updated and improved their browser plugin and iOS browser, worth checking out as a viable all-in-one search and plugin solution: https://spreadprivacy.com/privacy-simplified/

  2. Mailfence footnote: this is the one I use. After I published this post, they have published an interesting article on privacy and security and how they go about them. Worth a read: https://blog.mailfence.com/security-privacy-anonymity/

  3. Signal footnote: as far as features go, Signal and Wire are pretty much equivalent. However, Signal wants to know more about you than Wire (e.g. your phone number), making it more intrusive than Wire. Also, continuing the parallel with Wire, Signal hasn't been independently audited in a long while and it doesn't offer 2FA either. Not to mention that Signal uses the same underlying technology as WhatsApp, making it as unsafe.

  4. Signal and WhatsApp are vulnerable to the same attacks because they use the same underlying technology: https://www.schneier.com/blog/archives/2018/01/darkcaracalgl.html & https://www.schneier.com/blog/archives/2018/01/whatsapp_vulner.html

  5. XMPP, OTR, ChatSecure footnote: XMPP+OTR (which is used by ChatSecure as well) is no longer a safe option.

  6. Wire footnote: the Wire site has changed a lot since I originally wrote about it. It seems that they are solely focusing on the 'Team' features all around the site nowadays. Not that this makes it any less valid as software, but it's very confusing for new people. It is hard for newcomers to understand that it is also available for personal use (and free as in freedom and beer). Besides removing any info for "personal use" (WTF!?!?), they've also removed the comparison chart I mention in the post. I just hope that they won't shoot themselves in the foot with this change of direction.