How to Tell If Your iPhone Has Been Hacked or Tracked (2026 Guide)

A reader emailed me last month with a screenshot. Her battery had dropped 18% overnight. Her phone was warm in the morning. A friend had received a text from her number that she swore she hadn't sent. She'd Googled "how to tell if iPhone is hacked," landed on a listicle that told her to check for "unfamiliar apps," panicked when she saw a system app called "Feedback Assistant" she didn't recognize, and was about to factory reset a four-year-old iPhone with photos she hadn't backed up.

The phone wasn't hacked. Feedback Assistant ships with iOS. The warm battery was a stuck background refresh on a podcast app she'd opened the night before. The text was a number-spoofing scam — her number had been spoofed, not her phone. She lost an evening to fear, almost lost three years of family photos, and the actual answer took me about ten minutes to find by going through the same five settings I'll walk you through here.

I've spent the last several months reading Citizen Lab's Pegasus reports, the Apple Platform Security Guide, and the EFF's Surveillance Self-Defense library, and I've helped roughly two dozen friends and readers diagnose phones they thought were compromised. This is what I've learned about how to tell if your iPhone is hacked, and what to do if it actually is.

The Honest Truth Most Guides Won't Tell You

Most people who think their iPhone is hacked are wrong. I want to say that gently, because the fear is real and the symptoms feel obvious from the inside. But the base rate matters.

Targeted iPhone malware that actually compromises the operating system is rare. Citizen Lab, which has done more iPhone forensics than almost anyone outside Apple, has publicly identified hundreds of confirmed Pegasus victims across nearly a decade of investigations, and Apple has sent threat notifications to users in over 150 countries since 2021. Pegasus is the most widely deployed commercial iPhone spyware on the planet. The people on the confirmed-victim lists are overwhelmingly journalists, dissidents, lawyers representing dissidents, senior government officials, and a small number of executives. If you are not one of those people, the probability that a nation-state has deployed a multi-million-dollar zero-click exploit against your phone is approximately zero.

What's far more common are three other things, and almost every "is my iPhone tracked" panic I've helped diagnose has turned out to be one of them:

1. Account compromise, not device compromise. Someone has your iCloud password — usually because you reused it on a site that got breached, or because they phished you. They're reading your iMessages on their own Mac. The phone is fine.
2. Physical access by someone you know. A partner, parent, or ex who knew your passcode and installed a configuration profile, or set up Family Sharing, or quietly added themselves to Find My. This is the most common "iPhone spyware" case I see, and it's not really spyware — it's stalkerware enabled by trust.
3. Normal phone behavior misread as compromise. A hot battery is almost always a runaway app, a degraded battery, or a charging cable problem. Strange ad behavior is almost always a tracking SDK in an app you installed on purpose. A friend "knowing things" is almost always a shared calendar, a tagged photo, or a mutual acquaintance.

The reason this matters is that the remediation playbook is completely different for each. Factory-resetting your phone does nothing if the attacker has your iCloud password. Changing your iCloud password does nothing if your ex installed a configuration profile on the device itself. Diagnose first. Reset last.

The Actual Signs That Mean Something

Here's the ranked list I use when someone sends me the panicked text. I've ordered them by how informative the signal is — meaning, how unlikely the symptom is to be benign and how likely it is to indicate a real problem.

1. An unfamiliar configuration profile installed

This is the single most useful signal on iOS, and almost no consumer guide mentions it. Configuration profiles were designed for IT departments to manage corporate iPhones. They can route your traffic through a VPN, install root certificates that let someone decrypt your HTTPS connections, force you to use a specific DNS server, and silently install monitoring apps. Most consumer stalkerware on iOS works through configuration profiles, because the App Store doesn't allow real spyware.

If you didn't install one on purpose, and you don't work for an employer that gave you the phone, there should be nothing here.

Where to look: Settings > General > VPN & Device Management. If that menu item doesn't exist, you have no profiles installed and you can stop worrying about this one.

2. Unknown devices on your Apple ID

If someone has your iCloud password, this is where they show up — as a "MacBook Pro" or "iPhone" in your device list that you don't recognize. They don't need your phone to read your iMessages and your iCloud photos; they just need your account.

This is a near-binary signal. Devices on your Apple ID list that you don't own are almost always real evidence of an account compromise.

3. An Apple threat notification

If you receive an Apple threat notification — delivered as an iMessage and email to your Apple ID, plus a banner at the top of appleid.apple.com when you sign in — take it seriously. Apple sends these only when their internal threat intelligence has high confidence that a state-sponsored attacker has targeted your account specifically. They don't send them speculatively, and they don't depend on Lockdown Mode being enabled. If you get one, contact Citizen Lab or Access Now's digital security helpline before you do anything to the phone.

4. Unexpected password reset emails or 2FA prompts

Someone is trying your password, or they have it and are trying to bypass 2FA. Either way it's an account-side problem, not a device problem. The phone is the messenger.

5. Strange purchases on your Apple ID

Same category. Account compromise, not device compromise.

6. Battery draining unusually fast or running hot when idle

This is the symptom that drives the most panic, and it's the symptom that almost always turns out to be benign. Apple's batteries degrade significantly after 500 cycles. A two-year-old iPhone losing 30% overnight is almost always a chemistry problem, not a spyware problem. A hot phone is almost always a stuck background refresh, a buggy app, or a poor-quality charging cable.

It can be a sign of compromise — surveillance software does have to do work, and work generates heat. But it's so far down the list of likely causes that you should rule out the boring explanations first. Open: Settings > Battery and look at the per-app breakdown. If a single app you don't use much is responsible for 40% of your battery, the answer is "delete that app," not "wipe the phone."

7. Unexpected "Allow [App] to use your data" prompts

If you're suddenly getting permission prompts you didn't ask for, an app you have installed has updated and is asking for new permissions. That's not a hack. That's the iOS permission system doing exactly what it's designed to do: making the app ask in the open instead of taking silently. Deny the prompt and ask whether you still trust the app.

The 5-Minute Self-Audit (iOS 26)

Walk through these in order. On a normal, uncompromised iPhone, every one of these checks should come back clean in well under five minutes. If something is off, it'll surface here.

Step 1: Configuration profiles

Open: Settings > General > VPN & Device Management

If the "VPN & Device Management" row doesn't appear, you have no profiles installed. That's the answer you want.

If it does appear, tap it. Anything under "Configuration Profile" or "Mobile Device Management" that you didn't install on purpose — and that wasn't installed by an employer that issued you the phone — should be removed. Tap the profile, then tap Remove Profile. You'll need your passcode.

Step 2: Your Apple ID device list

Open: Settings > [Your Name], then scroll to the bottom

You'll see every device currently signed in to your Apple ID. Each one can read your iMessages, your iCloud photos, and your iCloud Drive. Tap any device you don't recognize, then tap Remove from Account. Then change your Apple ID password from a device you trust.

Step 3: App Privacy Report

Open: Settings > Privacy & Security > App Privacy Report

If this is your first time looking, Turn ON ON ON App Privacy Report and give it a week of normal use to populate. Then come back. The report shows you every time an app accessed your camera, microphone, location, contacts, or photos, plus every internet domain each app contacted in the background.

You're looking for two things. First, apps accessing sensors they shouldn't need — a flashlight utility hitting your microphone, a calculator pulling your contacts. Second, apps phoning home to advertising and analytics domains at a volume that suggests the app's main job is collecting data, not whatever you installed it for.

Step 4: Safety Check

Open: Settings > Privacy & Security > Safety Check

Apple built Safety Check for people leaving abusive relationships, and it's the most underused tool on the phone. "Emergency Reset" instantly revokes all sharing — Find My, location sharing, calendar sharing, photo sharing — with everyone, signs you out of iCloud on every other device, and resets system privacy permissions. "Manage Sharing & Access" lets you walk through every person and every app you've shared anything with and revoke individually.

If you're worried someone close to you is tracking you, this is the screen. It's faster than a factory reset and it surfaces sharing relationships you've forgotten about.

Step 5: Apple ID sign-in activity

Open: appleid.apple.com on a clean device (not the phone you're auditing) > Sign-In and Security > Recent Activity

Look for sign-ins from devices, browsers, or geographic regions you don't recognize. If you see one, change your password from that clean device immediately and Turn ON ON ON two-factor authentication if you somehow still don't have it.

What to Do If You Actually Find Something

Don't reset first. I want to repeat that, because every other guide on the internet leads with "factory reset your phone" and it is the wrong first move. Resetting destroys evidence, it doesn't help if the attacker has your account credentials, and if a configuration profile or rogue device is the issue, you can fix it in seconds without losing your data.

Here's the order I use:

1. Gather evidence first. Screenshot the configuration profile, the unknown device on your Apple ID, the suspicious App Privacy Report entry, the password reset email — whatever you found. If this turns out to be a stalking situation involving someone you know, you'll want documentation. If it turns out to be something Citizen Lab or law enforcement should see, they'll want it too.

2. Change your Apple ID password from a device you trust. A different phone, a friend's laptop, your work computer. Not the phone you suspect is compromised. Pick a long, unique password you haven't used anywhere else. Turn ON ON ON two-factor authentication if it isn't already on.

3. Sign out of all sessions. From appleid.apple.com on the clean device, remove every device you don't currently have in your hand. This kicks any attacker out of your iMessages and iCloud immediately.

4. Remove configuration profiles. Settings > General > VPN & Device Management > tap each unknown profile > Remove Profile.

5. Check Safety Check. Use "Manage Sharing & Access" to revoke any sharing you didn't authorize. Or use "Emergency Reset" if you want to nuke every sharing relationship at once.

6. Update iOS. Settings > General > Software Update. Many real iPhone exploits are patched within days of being discovered. Running the latest iOS 26 point release closes most of the vulnerabilities a non-state-actor would have used.

7. Factory reset only if you're compelled to. If you've done all of the above and you still have evidence of compromise — say, the Privacy Report keeps showing data exfiltration after you've removed every suspicious app and profile — then a full reset (Settings > General > Transfer or Reset iPhone > Erase All Content and Settings), followed by setting up the phone as new (not from backup, since the backup may carry the problem with it), is the nuclear option. It almost always works because real persistent iPhone implants are extraordinarily rare outside the nation-state tier.

What iPhone Spyware Actually Looks Like

Here's the part most "is my iPhone hacked" guides get wrong by leaving out: real iPhone compromise looks almost nothing like what a panicked Google search will tell you to look for.

Citizen Lab's forensic reports on Pegasus are public reading. The actual indicators of a real, sophisticated iPhone implant tend to be invisible to the user — anomalous DNS lookups to specific command-and-control infrastructure, suspicious entries in the phone's shutdown.log and DataUsage.sqlite, specific process names that only appear in Apple's internal crash logs. Detecting these requires pulling a sysdiagnose archive off the phone and analyzing it with Amnesty International's Mobile Verification Toolkit (MVT) against published indicators of compromise. There is no in-app battery icon that lights up red.

For everyone else — meaning, anyone whose threat model is closer to "jealous ex" than "Saudi intelligence service" — the realistic categories are:

• Stalkerware via configuration profile. Surfaces in Step 1 of the audit above.
• Account takeover. Surfaces in Steps 2 and 5.
• Apps over-collecting data. Surfaces in Step 3.

If your threat model is somewhere in the middle — you're a journalist working on a sensitive story, you're an activist, you're a domestic-abuse survivor whose ex has technical skills — iVerify is a paid app that runs more thorough heuristic checks on your phone and is a reasonable next layer. And if you have specific reason to think you're a state-level target, contact Access Now's Digital Security Helpline directly. Don't try to DIY the forensics.

The honest framing: if a nation-state is targeting you specifically, no consumer-facing tool will reliably catch it, and the right response is to get help from people who do this for a living. If a partner or parent is tracking you through stalkerware or shared accounts, the audit above will almost always surface it. Those are the two real cases. The third case — generic mass-market iPhone hacking — basically doesn't exist.

The Settings That Prevent Re-Compromise

Once you've cleaned up, the goal is not having to do this again. The short version:

• Turn ON ON ON Stolen Device Protection (Settings > Face ID & Passcode).
• Turn ON ON ON Advanced Data Protection for iCloud (Settings > [Your Name] > iCloud).
• Turn ON ON ON two-factor authentication on your Apple ID, and use a unique password you don't reuse anywhere else.
• Turn OFF OFF OFF "Allow Apps to Request to Track" globally (Settings > Privacy & Security > Tracking).
• Audit Location Services and revoke "Always" from every app that doesn't genuinely need it.
• If your threat model warrants it, Turn ON ON ON Lockdown Mode.

I went deep on each of these — what they actually do, what they don't do, and which ones are theater — in a separate audit of every iOS 26 privacy setting. That's the place to start if you want to do the full hardening pass after the audit above.

One Last Note

If you got here because you're scared, and you walked through the audit, and everything came back clean: I believe you that something felt wrong. Trust your gut about the people in your life. But also believe the phone when it tells you nothing is there. The most common mistake I see is wiping a clean phone, losing photos, and then continuing to share an iCloud password with the person who was actually the source of the leak.

If you want the full walkthrough of every iOS 26 privacy setting that matters, with tappable deep-links that open each Settings page directly on your phone and a 30-minute checklist you do once and never have to think about again, that's iPhone Lockdown — the $19 ebook this blog is attached to. But the audit above is the substance of how to tell if your iPhone is hacked, and you can do it tonight without buying anything.