iOS 15: Here are the new privacy and security upgrades you'll get


Apple has tossed a lot of privacy and security upgrades into iOS 15, including on-device speech recognition, a code generator for two-factor authentication and an email feature that masks your network location.

The Apple event yesterday (Sept. 14) spent only about 15 seconds on the new privacy features, mentioning the speech recognition, the email masking and some anti-tracking features. But there's a lot more coming with the iOS 15 update, which will be available to download this coming Monday (Sept. 20).

Here are some of the most significant iOS 15 privacy improvements slated for your iPhone.

On-device speech recognition

This really is a breakthrough. Speech normally has to be processed in the cloud, which means the phone (or a smart-home device) has to upload raw audio files to a battery of online servers for analysis and transcription. 

But the process can create a privacy risk on the server end. Amazon, Apple, Google and Microsoft got into hot water over this in 2019 because humans sometimes have to listen to the audio to improve the voice recognition. (Apple says this fine-tuning will now happen entirely on the device.)

Apple is cutting the servers out of the equation. For certain widely spoken languages, all the analysis, transcription and response will be done right on the phone. Your question to Siri need never leave your iPhone. 

You will, however, have to download some language packs for this to happen. According to Apple, on-device speech recognition will be available on iOS 15 launch day, Sept. 20, "in German (Germany), English (Australia, Canada, India, UK, U.S.), Spanish (Spain, Mexico, U.S.), French (France), Japanese (Japan), Mandarin Chinese (China mainland), and Cantonese (Hong Kong)."

No word yet about other countries in which these languages are natively spoken, such as Austria, Belgium, Canada, Ireland, New Zealand, Singapore, Switzerland, Taiwan or most of the Americas.

As you'd imagine, on-device speech recognition takes some serious processing power, which is why it will work only on devices with an A12 Bionic chipset or better — i.e., the iPhone XS and XR or later. The language packs also will take up some space, although with a minimum of 128GB of storage on the iPhone 13, it shouldn't be a big problem. 

Mail Privacy Protection

Mail Privacy Protection, as Apple calls it, is an optional feature that neutralizes the tracking images that online marketers often place in richly formatted email messages. 

Normally, when you open one of those messages, it calls back to the marketer's servers to fetch the embedded images. This process gives the marketers your Internet Protocol (IP) address and tells them that you've opened the message. 

Specialized tracking pixels, invisible to the user, create links that can follow you around the web and tell the marketer what kind of device you're using and where you are geographically located.

Apple will negate this practice by first opening the message and pre-caching the images on its own servers, then forwarding you the message. When you open the message, it will call back to Apple's own servers for the images, not those of the marketers. 

The marketers will receive Apple's own randomized IP addresses instead of yours, and all email messages will be flagged as having been opened, poisoning the tracking data with a flood of useless information.
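To make the open-tracking mechanism concrete, here is an added example (not from Apple or the original article) that audits an HTML email body for the remote images it would fetch when opened and flags the invisible ones. The sample message and all host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: one visible remote banner, one 1x1 pixel carrying a
# per-recipient token, one embedded (cid:) image, one hidden remote image.
SAMPLE_HTML = """
<html><body>
<p>Our fall sale starts today!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.mailer.example/o.gif?uid=8f3a91c2&amp;c=fall21" width="1" height="1">
<img src="cid:logo@shop.example" width="80" height="80">
<img src="https://img.mailer.example/p.png?r=77b1" style="display: none">
</body></html>
"""

class RemoteImageAudit(HTMLParser):
    """Collect every <img> that triggers a network fetch when the mail is opened."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel inside the message, no callback
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append({
            "host": url.hostname,                             # server that sees your IP
            "invisible": tiny or hidden,                      # no visual purpose
            "params": [k for k, _ in parse_qsl(url.query)],   # likely recipient IDs
        })

def audit_email(html):
    parser = RemoteImageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def likely_trackers(html):
    """Hosts of invisible remote images, which exist only to signal an open."""
    return sorted({f["host"] for f in audit_email(html) if f["invisible"]})

if __name__ == "__main__":
    print(likely_trackers(SAMPLE_HTML))
```

Every host in the audit learns the reader's IP address at open time unless the fetch is made by an intermediary, which is the role Apple's servers take on here.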

Naturally, email marketers are worried.

"People using email marketing tools should be prepared to rely less on email open data," said online-marketing giant Constant Contact in a blog post  updated yesterday. "Besides not knowing if, when, and how a subscriber opened your email, certain email marketing features that rely on this data, such as auto-sending a follow-up email to non-openers, will no longer be as reliable."

Upgraded Intelligent Tracking Prevention

Safari's Intelligent Tracking Prevention gets a similar upgrade so that it blocks web servers from seeing your IP address, removing the easiest method of tracking web users.

Two-factor authentication code generator

iOS 15 will be able to generate one-time passcodes for sites and services that require two-factor authentication (2FA). 

As with Authy, Google Authenticator or other authenticator apps, you'll be able to "register" with sites such as Facebook, Google, Dropbox and dozens of others and then have 30-second temporary 2FA codes generated right on your phone. (It's a lot safer to do it this way than to get one-time codes texted to you over open airwaves.)

The difference is that no third-party app will be needed, and you won't need to type anything in. 

As Apple says, "you can set up verification codes under Passwords in Settings — no need to download an additional app. Once set up, verification codes autofill when you sign in to the site."
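How a 30-second code is derived, as an added example that is not Apple's code: the article does not name the algorithm, so this assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1) used by authenticator apps such as Google Authenticator. The secret is the published RFC test key, and `verify` with its drift allowance is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the 30-second time counter."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # tolerate stripped padding
    counter = int(unix_time) // step                   # constant for a whole window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, drift_steps=1, step=30):
    """Accept the current window plus a small allowance for clock drift."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + d * step, step)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False

# RFC 6238 test key in Base32, the form a site hands over (usually inside a
# QR code) when you register the phone. Used here as a constructed demo secret.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    for t in (30, 59, 60):
        print(t, totp(DEMO_SECRET, t))
    print("one window late:", verify(DEMO_SECRET, totp(DEMO_SECRET, 59), 75))
    print("three windows late:", verify(DEMO_SECRET, totp(DEMO_SECRET, 59), 125))
```

The phone and the site share only the secret and a clock, so nothing crosses the network when a code is generated, and a code captured in one window is rejected once the drift allowance has passed.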

App Privacy Report

An App Privacy Report will give you a snapshot of which apps have accessed your location, your contacts and your camera and microphone in the past week. It should also tell you something about which websites your apps are contacting in the background.

This feature wasn't available on iOS 15's launch day, but has arrived via the iOS 15.2 update; here's our guide on how to set up and use the iOS 15 App Privacy Report.

Secure Paste

Secure Paste doesn't sound that significant, but when you're copying and pasting something from one app to another, the information is temporarily stored in unencrypted form in an operating system's "clipboard." Other apps can often access the contents of the clipboard. 

Apple added a warning in iOS 14 that told which apps were accessing the clipboard, but in iOS 15, it's overhauling the process entirely. No app will be able to read what's in the clipboard unless you actively paste the clipboard contents into that specific app.

Location-share buttons

Temporary location-share buttons built into iOS 15 apps will let you "share your location just once, without further access after that session," according to Apple's iOS 15 documentation.

iCloud Plus features

Three more optional features aren't strictly part of iOS 15, but are coming to paid users of iCloud, or iCloud Plus as Apple is rebranding it. You'll have to pay extra for these.

iCloud Private Relay

iCloud Private Relay is a VPN-like proxy service that will encrypt your data and mask your IP address and DNS requests when you use Safari, allowing you to browse the web relatively anonymously and fairly securely. This feature will debut as a beta alongside iOS 15, so there may be some hiccups.

Private Relay is not a real VPN because it doesn't re-route all your network connections, just those made through Safari, but it will send all your Safari webpage requests to Apple first. Apple will then encrypt them and bounce them off at least two proxy servers before sending them to their final destination.

Intriguingly, Apple will be outsourcing your Safari DNS lookups to a third party, which will match your website requests with the actual IP addresses of your destination. In that way, as Macworld explains, only Apple will know your true IP address, and only the unnamed third party will know the true IP address of your destination.

Hide My Email

Hide My Email is easier to explain. As Apple says, it "allows you to create unique, random email addresses that forward to your personal inbox so you can send and receive email without having to share your real email address." 

Several third-party companies have been offering this service for a long time, but Apple is making it easily accessible to tens of millions of people who've never heard of it before. However, the Hide My Email feature won't be available in the Mail app until a later update.

HomeKit Secure Video

HomeKit Secure Video encrypts the video feed from your connected security cameras and baby monitors so that not even Apple can view it.

Apple ID privacy changes

Likewise, Apple ID is adding a couple of features borrowed from password managers and social-media accounts. These features are free.

Account Recovery Contacts

This feature lets you designate one or more individuals as trusted contacts who can verify your identity. If you lose your Apple password, then Apple can reach out to those people to help you reset the password. 

Most of the best password managers that have this feature require trusted contacts to also have accounts. We're pretty sure Apple will likewise require your trusted contacts to have Apple IDs.

Digital Legacy

Digital Legacy extends that trust to after your demise. Once again, you'll designate certain people as trusted contacts, but in this case Apple will grant them access to your Apple "account and personal information in the event of your death."

Password managers will trigger similar features not only when you're dead, but also when you appear to be incapacitated, such as when you haven't logged in for weeks. We'll see if Apple does that too, though we'll have to wait, as Digital Legacy is slated for a later update.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.