Apple released iOS 9, the company's latest major version of iOS, which includes (among other user-centric features) many security features and security patches.
Many Security Patches
iOS 8 was regarded as one of the buggiest versions of iOS ever, which prompted Apple to focus much more on polishing up the OS in its next iteration. iOS 8 had over 100 security holes, and many of them sound quite scary, from bugs that allow TLS interception, to text files that can do arbitrary code execution, to holes allowing the RSA private key to be easily stolen, to bugs that allow privilege escalation, and many others.
iOS 9 fixes all of them, so users should feel much safer now in this regard, although nobody knows which issues remain undiscovered, so it remains to be seen how small or big Apple's future lists of security updates will be. However, because Apple has already fixed so many vulnerabilities, iPhone users should update to iOS 9 as soon as possible, for this reason alone.
Besides all of the security patches that iOS 9 brings, there are also many security features that should significantly improve how safe an iPhone is.
One of the major ones is a six-digit PIN, which is now the default, replacing the previous four-digit PIN authentication system. The improvement here is 100-fold: a four-digit PIN can be exhausted in at most 10,000 guesses, while a six-digit PIN requires up to 1 million.
Native Two-Factor Authentication
When the "Fappening" celebrity data breach happened, many argued that the data could have been protected by a good two-factor authentication system for iCloud. Apple added that after the fact, but it has now gone one step further by adding full native support for two-factor authentication in both iOS 9 and Mac OS X "El Capitan."
The way it works is that every time you sign in from a new device or browser, it will ask you for a verification code, which is displayed on your phone or on your other Apple devices. This should keep out those who may have obtained your password (whether because you used a simple password, it was brute-forced, or it was stolen from another site where you reused it), because they will need the two-factor code to authenticate as well.
Apple included a public VPN API in iOS 9, which should allow VPN services to exist, which in turn can protect user security and privacy when using open Wi-Fi hotspots or when visiting more privacy-sensitive websites. The VPN API could also allow for the existence of Tor on iOS, as it has on Android with Orbot.
The API could also be used for various kinds of content blocking, which is what happened on Android, where Google specifically targets ad blockers for banning. However, iOS 9 also comes with a separate content blocking API, so it's unlikely the VPN API will be used much for this anymore, especially considering that routing traffic through a VPN forces you to trust the ad-blocking entity with your browsing data.
Starting with iOS 9 and Mac OS X "El Capitan," Apple switched from OpenSSL to LibreSSL, a fork of OpenSSL that has been substantially cleaned up by the OpenBSD project. The fork was created soon after Heartbleed was discovered, when the OpenBSD developers concluded that continuing to use OpenSSL had become unacceptable. Google has also moved to its own OpenSSL fork, called BoringSSL.
App Transport Security (ATS)
Apple also introduced ATS in iOS 9, which allows developers to adopt HTTPS encryption for their apps. ATS makes it easy to do this the right way, with strong defaults such as requiring the latest TLS 1.2 protocol and only Perfect Forward Secrecy (PFS) cipher suites.
This could single-handedly make the iOS platform much more secure than the web itself, where most sites have been far too slow even to adopt HTTPS at all, let alone TLS 1.2 or PFS cipher suites.
For users' sake, Google shouldn't be too far behind in adopting this sort of feature in Android, but it seems Google has already advised iOS developers to delay implementing the feature, because not all advertising networks may support HTTPS yet. That could mean Google won't be in a hurry to adopt app transport security in Android soon, either.
Google has denied that its intention was to delay ATS adoption and says it in fact wants everyone to use HTTPS fully. It's still strange, though, that it chose to write a blog post specifically about an ATS workaround to make iOS 9 apps compatible with the Google Mobile Ads SDK, rather than the other way around (Google forcing out, or kicking out, advertisers that haven't yet adopted HTTPS encryption on their networks).
One of the best features of ATS is Certificate Transparency, a system invented by Google to more easily audit new digital certificates and ensure that they aren't forged or malicious. It's still very early days for Certificate Transparency adoption, which is why it seems like a big move from Apple to be one of the first to adopt it.
This year, Google removed China's Certificate Authority from Chrome's certificate root store and said it won't allow it back until China's CA adopts Certificate Transparency. Apple has had some problems with the Chinese government in the past regarding forged certificates and TLS interception, so that could be one of the reasons why it decided to be one of the first non-Google platform vendors to adopt CT.
Because it's still early days and not many certificate authorities support Certificate Transparency yet, this feature is disabled by default in ATS. However, developers who have CT-enabled certificates can opt in to the feature.
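As an added illustration (not code from the article or from Apple), the following script contrasts the blanket ATS opt-out that the workaround discussed above relies on with a hardened Info.plist that keeps ATS on, requires Certificate Transparency for one domain and grants only a narrow exception for a legacy host. The domain names are hypothetical, and the audit flags the settings a reviewer would want to catch.

```python
import plistlib

# Constructed Info.plist fragments for illustration (not from the article,
# from Apple or from any real app). This first one switches ATS off for every
# host, which is the opt-out an ad SDK workaround typically asks for.
WEAK_PLIST = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
</dict></dict></plist>"""

# Hardened form: ATS stays on with its TLS 1.2 / PFS defaults. One
# hypothetical API domain opts in to Certificate Transparency, and one legacy
# host gets a plaintext exception that is limited to that host alone.
HARDENED_PLIST = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>api.example.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSRequiresCertificateTransparency</key><true/>
    </dict>
    <key>legacy.example.com</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict>
</dict></dict></plist>"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings for the ATS section of an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads disables ATS for every host"))
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"{host}: plaintext HTTP allowed"))
        # Version strings sort lexically: TLSv1.0 < TLSv1.1 < TLSv1.2.
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") < "TLSv1.2":
            findings.append(("medium", f"{host}: TLS below 1.2 allowed"))
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("medium", f"{host}: non-PFS cipher suites allowed"))
        if not rules.get("NSRequiresCertificateTransparency"):
            findings.append(("info", f"{host}: Certificate Transparency not required"))
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(data))
```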
Other Security Features
iOS 9 also brings improved MAC address randomization that now applies to location and auto-join scans, a more cleaned-up and improved list of cipher suites in Safari 9, as well as Apple-signed and hosted extensions for Safari 9 (just like Chrome, and soon Mozilla).