About Stolen Device Protection for iPhone

support.apple.com

54 points by drclau 2 years ago · 84 comments

stirlo 2 years ago

This also solves a somewhat unique problem I experienced recently with iCloud keychain where all your passwords are only as secure as your passcode (and anyone that knows it).

I had to hand my phone over to a third party repairer. This would mean they needed to know my passcode so I wanted to lock down the phone to allow them to perform whatever diagnostic steps they might need but to restrict access to the wallet and iCloud keychain.

The first part was actually quite simple using a separate screen time passcode to restrict all apps bar the camera and any that they needed. The frustrating part was that the settings app itself cannot be blocked by screentime (I guess as that's where you configure the restrictions) and as iCloud keychain passwords are accessed from settings there was no way to block access to them.

With this update I could (somewhat) safely supply my passcode while being relatively confident that my keychain passwords were not viewed.

  • PlunderBunny 2 years ago

    I think some (all?) Android phones allow you to put the phone into 'repair mode', which allows the repairer to access critical features without unlocking the entire phone. I'd like to see a feature like that for iPhones too.

  • PakG1 2 years ago

    What hardware repair would require handing over your passcode? If it's to test that the phone is working fine after the repair, can't you test it yourself in front of them before you pay? If they were doing software repairs, what would be the nature of the repair? Hard for me to imagine anything to repair software-wise, given how iOS is.

    • stirlo 2 years ago

      Anything that requires turning off the phone will need a passcode once it powers on. This includes battery replacement, screen, microphone, camera, etc. Only for camera repairs is it feasible to test fully without entering a passcode. Of course you could leave the testing until you pick it up and pay but then if something is faulty you’ll have to come back later and wait longer when they might have been able to repair beforehand if they’d known.

      • PakG1 2 years ago

        Having watched full screen replacements, button replacements, and battery replacements on my iPhone, I suppose I don't understand why one wouldn't just wait the extra 5 minutes to get the issue resolved. Repairs can get done really fast in my experience.

  • r00fus 2 years ago

    At least the passcode section of settings can indeed be restricted by ScreenTime. I've done this as my aging parents often want to change the passcode then forget their new passwords (and sometimes get paranoid).

  • rollcat 2 years ago

    You took unnecessary risk. Wipe your device before handing it over, and restore it from a backup after the repair.

    Also consider evil maid, or other kinds of backdoors (like jailbreaks).

    • stirlo 2 years ago

      It’s a risk. But it also takes a few hours to restore from backup and there’s a bunch of things that (sensibly) don’t restore and require manual setup.

      I know Apple will never ask for your passcode but in the case of a repair shop that promises 15 minute service it’s kinda necessary unless you want it to take far longer and annoy them.

      Ultimately with it locked down with screentime the only personal data I had an issue with was iCloud Keychain. Honestly I don’t know why Apple lets children access the full settings anyway. It would be trivial to add a screen time restriction for all features of settings except the screentime pane.

    • tzs 2 years ago

      I wiped mine, but then a couple of hours before my appointment for a battery replacement they called and said due to heavy snow the techs could not get, and gave me a new appointment a couple of days later.

      I didn't want to fully restore the phone for just a couple of days, so just set it up with a temporary passcode and signed in to an Apple ID I normally do not use [1], so that I could use it for that couple of days without things asking me to sign in.

      After the battery replacement I then wiped it and restored from a backup under my normal Apple ID.

      This mostly worked, except it messed up my Longest Move Streak with my Apple Watch. I'm not sure if this was just due to the wiping the phone part, or the having the phone on a different Apple ID than the watch for a couple days, or something else.

      What the Fitness app tells me about the streak now is just weird.

      The streak started on 2019-05-07 and I've not missed a day since then. The battery replacement was on 2022-12-21.

      When I checked the streak in Fitness on 2023-02-04 it told me that:

        My longest streak was 39 days ending 2023-02-03
        My current streak was 1368 days
      
      Note that it is reporting a longest streak that is entirely within what it is reporting is my current streak.

      17 days later, 2023-02-21, it was reporting:

        My longest streak was 41 days ending on 2023-02-20
        My current streak was 1385 days
      
      Note that when it thinks that the longest streak started was sometime during the previous longest streak, so that makes no sense.

      A few months later, 2023-09-23, it was:

        My longest streak was 37 days ending on 2023-09-23
        My current streak was 1600 days
      
      
      I hadn't checked between that last and now. Checking now, on 2024-01-22, I get:

        My longest streak was 1710 days ending on 2024-01-11
        My current streak is 1720 days
      
      That's better in that now it thinks the longest streak and current streak started at the same time, which is correct. But it still has the longest streak in the interior of the current streak which should not be possible.

      [1] I've got two Apple IDs because originally you couldn't use the same account for iTunes and their cloud service, and so everyone who wanted to use both had to have two accounts. Later they made it so one account could use both.

e40 2 years ago

Requires updating to iOS 17.3. (Released today, I believe.)

  • stirlo 2 years ago

    The update is showing available and downloading onto my devices right now.

artdigital 2 years ago

Way overdue feature IMHO. A reason why I didn’t want to use passcodes or keychain for passwords was that once someone knew my passcode to unlock my phone, they could access all my accounts

1Password at least uses a different password and isn’t unlockable with passcode alone

  • TheNewsIsHere 2 years ago

    Nitpicking here. Older 1Password versions do allow unlocking using the iOS passcode if biometry fails, but I’m not sure it was ever intended as a feature. It isn’t a UI that is built into 1Password though, it’s the iOS fallback UI for that scenario (which looks very similar to the SIM PIN unlock screen).

    A _lot_ of apps did and still do fall back to iOS passcode authentication when biometry fails. It does seem like more developers are disabling this, however.
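The passcode fallback discussed in the comment above comes down to which LocalAuthentication policy an app evaluates. The following Swift sketch is an added example, not code from the thread or from any app named in it; `UnlockMode`, `unlock`, `storeSecret` and the service name `example.vault` are hypothetical.

```swift
import Foundation
import LocalAuthentication
import Security

// Added illustration: the two unlock behaviours an app can choose between.
enum UnlockMode {
    case biometricsOnly        // Face ID / Touch ID only, no passcode fallback
    case biometricsOrPasscode  // the system falls back to the device passcode

    var policy: LAPolicy {
        switch self {
        case .biometricsOnly:       return .deviceOwnerAuthenticationWithBiometrics
        case .biometricsOrPasscode: return .deviceOwnerAuthentication
        }
    }
}

enum UnlockError: Error {
    case unavailable(NSError?)  // policy cannot be evaluated (no enrolled biometry, lockout, ...)
    case rejected(Error?)       // user cancelled or authentication failed
}

func unlock(mode: UnlockMode, reason: String,
            completion: @escaping (Result<Void, UnlockError>) -> Void) {
    let context = LAContext()
    if mode == .biometricsOnly {
        // An empty fallback title hides the fallback button in the biometric prompt.
        context.localizedFallbackTitle = ""
    }
    var probeError: NSError?
    guard context.canEvaluatePolicy(mode.policy, error: &probeError) else {
        completion(.failure(.unavailable(probeError)))
        return
    }
    context.evaluatePolicy(mode.policy, localizedReason: reason) { ok, error in
        if ok {
            completion(.success(()))
        } else {
            completion(.failure(.rejected(error)))
        }
    }
}

// The same choice applies to secrets at rest: the Keychain enforces the
// access-control flags itself, independent of any UI check in the app.
func storeSecret(_ secret: Data, account: String, allowPasscodeFallback: Bool) -> OSStatus {
    // .userPresence accepts biometry or the device passcode;
    // .biometryCurrentSet accepts only the currently enrolled biometry and
    // invalidates the item if the enrolled faces or fingers change.
    let flags: SecAccessControlCreateFlags =
        allowPasscodeFallback ? .userPresence : .biometryCurrentSet

    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        flags,
        &cfError
    ) else {
        _ = cfError?.takeRetainedValue()  // balance the retained error object
        return errSecParam
    }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "example.vault",  // hypothetical service name
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary)  // replace any earlier item for this account

    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}
```

An app that stores its vault key with `allowPasscodeFallback: false` cannot be opened by someone who holds only the device passcode, at the cost of needing its own recovery path when biometry is unavailable.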

paxys 2 years ago

Neat feature I guess, but how long before thieves realize that they can just look up your home or work address from the Maps or Contacts app and go stand near it to get around these restrictions?

PlunderBunny 2 years ago

Regarding the actions that required FaceID/TouchID once the protections are enabled, what happens if the biometric authentication fails? Sometimes I can't unlock my phone with FaceID, and I have to resort to using my passcode after three attempts. Will it now allow unlimited attempts in the specific scenario covered by the new feature?

(I realise this means I can still get into my phone, just that I might not be able to access certain features - e.g. change passwords - if I'm not at one of my usual locations).

  • gnicholas 2 years ago

    My experience with biometrics in general is that it gives you X tries, and then asks for a password. But IIRC if you close the app, and then re-open it, it will give you another X tries with biometric. It isn't like failed password attempts, where it will rate-limit you after a few misses.

  • fori1to10 2 years ago

    This is also something I don’t understand. Would like to know the answer

dhdhdudhsg 2 years ago

I’ll be using this but what a stupid exception imo. I work in a big building where anyone could walk in without id and simply defeat the protection. Hell, a disgruntled coworker contractor or customer could be in on it.

> When your iPhone is in a familiar location, these additional steps are not required, and you can use your device passcode like usual. Familiar locations typically include your home, work, and certain other locations where you regularly use your iPhone.

  • shuckles 2 years ago

    I don’t think iPhone thieves are smart enough to connect a snatched phone’s owner’s identity to a location nor are they stupid enough to regularly go to a frequent location to unlock a stolen device. In practice, a change like this will help a lot. Most stolen phones get put into the Shenzhen parts supply chain, and it’s probably not economical for the middlemen to do bespoke work to unlock the device.

    • dhdhdudhsg 2 years ago

      Oh how very wrong you are. This feature came in response to WSJ reporting about iPhone thieves, targeting affluent iPhone users so they could steal their iPhones and rapidly lock the owner out. All while accessing their bank accounts, credit cards etc.

      • shuckles 2 years ago

        What does that have to do with my comment which was about whether those thieves are willing to locate the owner’s frequently visited addresses, visit them, and then repeat this process at scale.

  • kemayo 2 years ago

    This is a pretty direct response to the WSJ's iPhone theft story from last year[1], which was focused on people managing to shoulder-surf your passcode while you're in a public place, steal your phone, then use your passcode to reset your Apple ID password (thus locking you out of being able to report the phone as stolen). It apparently relied on multiple people and a certain amount of social engineering -- one party managing to get the phone into a passcode-required state, another to see it entered, and a third to actually lift the phone.

    The hope would thus be that although someone could walk into your workplace and steal your phone off your desk, they would be much less likely to have been able to watch you enter your passcode first.

    [1]: https://www.wsj.com/articles/apple-iphone-security-theft-pas...

    • dhdhdudhsg 2 years ago

      Yeah I saw that article too. It closes that one hole the WSJ reported on but pretending there aren’t other credible threats is silly. A bad actor at work could observe the password and then steal the phone at a later date, and take it to the bathroom for instance. That’s just what I’ve come up with from the top of my head.

      • TheNewsIsHere 2 years ago

        I agree in spirit with your stance, and it is a good solution to the shoulder surfing problem.

        But generally I don’t think it’s plausible for a mass market device to counter every kind of threat, or every iteration of a more specific kind of threat.

        In a workplace or home theft scenario, there are _presumably_ better ways of identifying a thief than at, say, a random bar.

        My beef with this feature is that my Significant Locations haven’t been accurate for over a month, so my home location isn’t “trusted”.

gnicholas 2 years ago

Is there a website that has a list of the steps you should take if your phone is stolen? My first instinct would be to use someone else's phone to google "what to do if your iPhone is stolen".

But I wouldn't know how to determine if the instructions I was seeing were incomplete, or outdated. Is there a trusted, frequently-updated site that we can easily remember and plug into our friends' phone if and when this terrible thing happens to us?

  • varenc 2 years ago

    This Apple support page has a section on "If your iPhone or iPad is lost permanently or was stolen" : https://support.apple.com/en-us/HT201472

    • gnicholas 2 years ago

      Very cool, thanks. I notice it doesn’t mention anything about changing bank passwords or the like. Might that be necessary, depending on how long it’s been out of your control? That is, if someone swipes your phone and was able to peek at your password (as a recent WSJ series focused on), you would probably need to take more dramatic steps if you didn’t realize it was gone immediately. Should I be making a list of the apps on my phone that have sensitive information and can be accessed without FaceID?

      I wish it were possible to designate an app to require FaceID or both my device password and my Apple ID password (or some other second authentication). Does this new update fix this issue entirely? I feel like not because until I mark the phone stolen it doesn’t know to lock the holder of the phone out of my apps using just my device password.

      • varenc 2 years ago

        The Apple article does tacitly mention:

        > You might want to change your password for other accounts, too.

        Personally I would trust iOS security enough to not be too worried. Especially if I can issue a remote wipe in a timely manner. As long as the phone isn't swiped out of my hand while unlocked, I'm doubtful the average thief will be able to get past the lock screen. (Though I'm also assuming the thief doesn't have my passcode)

      • pc86 2 years ago

        If something like a phone is stolen it's probably safe just to change everything. The inconvenience of having to go through and change your important passwords manually (including your manager's master password of course) is relatively minor compared to your financial accounts getting breached.

      • bertil 2 years ago

        > I wish it were possible to designate an app to require FaceID

        Developers can require that. Several apps I use do.

        • gnicholas 2 years ago

          Oh yeah, I wish that it were possible as a user preference, on a per-app basis.

  • NoZebra120vClip 2 years ago

    I have an Android phone, and a few months ago I left it behind in a Waymo autonomous vehicle.

    A while ago, I added the "Find My Device" site to my bookmarks and I'd tested it out a few times. So I started there. And I also used Google Voice to place a voice call, so when it didn't ring in my home, I knew it wasn't here.

    The Waymo passenger answered and there was much giggling. She kept saying she didn't know what to do. I said just leave it in the car.

    So, knowing it was out of my control, I sent the remote wipe command, and hoped for the best. It turned out, the passenger also used the "Emergency Call" to send a text to my emergency contact. She offered to leave the phone in a pharmacy across town! I don't know how that would've helped.

    Anyway, I did recover the phone at the Waymo Depot. It had obeyed the remote-wipe command and it was factory reset, with a full battery. It actually came out better-than-new, as the subsequent updates applied a few nice features.

    • pc86 2 years ago

      > She offered to leave the phone in a pharmacy across town! I don't know how that would've helped.

      Well for one, the pharmacy isn't moving.

      • NoZebra120vClip 2 years ago

        I would say that moving the phone from the place I left it would promote it from "lost" to "stolen".

        Can you now envision a conversation between this passenger and the pharmacy clerk:

        "I found this phone in some car"

        "What do you want me to do about it?"

        "Hold on to it until some guy I don't know comes to claim it?"

        "We don't want this personal property! Go away!"

        [Waymo car is gone now]

        [Passenger absconds with phone or throws it away]

        [Owner is no longer able to track or retrieve phone]

        • rezonant 2 years ago

          Moving the phone from the place it was left with consent of the owner is not theft.

          And it's not that crazy to leave lost property with a nearby business (presumably a trusted one)- sure they could say no but then you could just find another way to return the device.

          Also why would you not be able to track it any more if they left it at the pharmacy, it's not like the Find My Device feature only works in Waymos. I guess you just mean due to the sequencing of wiping before noticing the text message?

          • NoZebra120vClip 2 years ago

            > Moving the phone from the place it was left with consent of the owner is not theft.

            Tell me more about how I somehow gave consent to that. Also, tell me more about how a stranger holding a random found device authenticates a caller as the owner of said device.

            • rezonant 2 years ago

              > The Waymo passenger answered and there was much giggling. She kept saying she didn't know what to do. I said just leave it in the car.

              I inferred that you discussed this with the person, since you indicated you talked to them via voice. That would have been the perfect time to arrange for return of the device.

              I guess after reading between the lines, this person didn't suggest this action during the voice call, only via the text you discovered afterwards?

              Elsewhere you mention that leaving the phone in the car was the best course of action, but the next person in that waymo could easily have swiped it.

              I suppose a middle ground could have been to tell them to put it in the back seat pocket or something so that it was a bit more hidden while you contacted waymo support to let them know to retrieve it.

              > Also, tell me more about how a stranger holding a random found device authenticates a caller as the owner of said device.

              This is a little much. That's quite a threat model you are operating under. It explains why you immediately wiped. I think most people are not concerned with that contingency.

            • pc86 2 years ago

              Unnecessarily rude and combative reply. The GP is clearly talking about the hypothetical scenario where you consent to her leaving it at a pharmacy - which certainly makes a lot more sense than just leaving it in a car. You said she offered to leave it at a pharmacy. Then didn't. So it doesn't seem likely she was going to do anything without thinking she was allowed to.

              • NoZebra120vClip 2 years ago

                > which certainly makes a lot more sense than just leaving it in a car.

                Why? I am a Waymo customer. I left it in the car, and so the service has a policy to collect the item and return it to their customer. Some random store where I don't go, all bets are off.

                I was able to contact Waymo and discuss the lost item and they were able to recover it because it was left in the car. That is a success. I was also able to retrieve the item from their Depot because their Lost & Found process works. That is a 100% success.

                It was unclear in my original comment, but the passenger's offer to leave it at a pharmacy was in a text message to my emergency contact, who didn't reply. I heard about that bit after-the-fact. All I told the passenger, repeatedly, was, "please leave it where you found it in the car" because Waymo would be able to work that out with me, a customer.

                A few months ago, I lost the front door key to my apartment. The leasing office was closing in 5 minutes. I needed a loaner key, and I had no ID. I offered to leave my phone (one and the same) as collateral. They were extremely reluctant to be holding on to that instead of an ID. They said they'd make a one-time exception.

                Phones are not really things that strangers like to hold on to, in case you've not noticed. If you are admitted to a hospital or jail or something, they get really jumpy about putting your electronics in a locker. Partly having to do with the likelihood of fire or explosion, the volume and value of personal data on those things, and their trackability. The best course of action for a lost device is you leave it where you found it, because that's the owner's best hope of retracing their path and finding it again.

                • pc86 2 years ago

                  I'm glad it worked out in this occasion - it's definitely a success and a credit to both Waymo's processes and also the n people who were in the car after you and didn't steal it. But it just as easily could have disappeared after this woman offered to put it in a more secure location (in the hands of an employee at a business is more secure than a car that can be accessed by essentially anyone at any time).

        • kemayo 2 years ago

          You're overthinking it; it'd just be "I found this phone". They don't need to give the backstory. Most businesses will hold onto valuable lost property for a while, on the assumption that a customer dropped something.

          > I would say that moving the phone from the place I left it would promote it from "lost" to "stolen".

          A really key element here is that they offered to help you out by leaving it there for you, so I don't see how "stolen" would come in to it...

        • pc86 2 years ago

          Honestly I can't envision that conversation happening between two real people. What is much, much more likely to actually happen in my experience:

          "I found this phone."

          "Ok." takes it

          You go in later "I lost my phone, do you have it here?" and they hand it to you. For particularly fastidious store clerks they may ask you to describe it before handing it over. And you likely have to wait while whoever you ask asks all the other employees if they found a phone.

          It's not clear to me that letting the phone just sort of drift through the ether toward the Waymo Depot while who knows how many other passengers use the car is any better than putting the phone at some other fixed location behind at least some cursory level of security.

      • kemayo 2 years ago

        It's also not leaving the phone at the mercy of an unknowable number of future Waymo customers until it got back to the depot.

        • NoZebra120vClip 2 years ago

          You mean the Waymo cars that are bristling with dozens of cameras and sensors? The Waymo service where I immediately contacted Support and informed them, so they could recall the vehicle or have it meet a worker who could search it? Dunno, dude.

    • tzs 2 years ago

      > She offered to leave the phone in a pharmacy across town! I don't know how that would've helped.

      If I had been the one to find your phone, I probably would have told you to suggest some other drop off place I can take it to that isn't too far out of my way, and if you could not or would not I would have probably taken it to a police station.

      I would not leave it in the Waymo, even if that is what you wanted, because I have no guarantee that some other Waymo passenger after me will find it and steal it before you can get it back from Waymo. That could leave me as the last person known to have been in possession of the phone. I have no interest in becoming a suspect in the theft of your phone.

natch 2 years ago

So the next step for the criminals (the ones who steal both the passcode and phone) is to find your address (often stored in Contacts, or available in your Amazon account) then physically go there and lurk nearby while finishing their pwning steps.

I may be missing something. But if not it seems like Apple is now incentivizing a scenario where thieves will physically go to the location of their victims' homes in order to circumvent some of these measures.

  • landr0id 2 years ago

    I know somebody who was recently drugged and had their iPhone stolen (amongst other things) while on a trip in New Orleans. While he has no recollection of the night, this may have mitigated the damage they were able to cause and the trouble he had to go through to recover his Apple ID.

    I doubt the thieves would physically travel to his home for the phone, but I suspect that this will lead to blackmailing scenarios where the thieves exfil risqué or compromising content and threaten to send it to sensitive contacts if you don't unlock the phone the next day.

  • dakial1 2 years ago

    This is time sensitive. The criminals would lose too much time doing that. At least for the “criminal use case “ in Brazil, where they want to quickly access your bank app, this wouldn’t work.

    • gnicholas 2 years ago

      Yes, as long as you know your phone was taken, and you immediately use someone else's phone to mark yours as lost (or wipe it), you can probably beat them to it. But if your phone was stolen while you were at a movie theater, for example, you might not notice until it was too late. At least there's a 1 hour delay + biometric requirement for certain changes.

dakial1 2 years ago

I don’t know if Brazil was one of the places that convinced Apple to do that, but we have a huge problem of mobile phone robbery with the aim to access the bank apps to drain accounts dry.

In a quite resourceful way (social engineering, process and system exploits) these criminal organizations will jump all the hoops (2FA, Face Recognition) and manage to access most of those apps.

  • deeth_starr_v 2 years ago

    It’s a big problem in the USA also. It’s been in the news in prime time for about a year. They’ve been really slow to address it

baicunko 2 years ago

This took quite a while to get ready but I do believe it prevents 99.9% of the theft cases mentioned. I am downloading it right now.

  • madeofpalk 2 years ago

    > I do believe it prevents 99.9% of the theft cases mentioned

    I don't believe so, or at least where I am from. This 'only' provides additional protection against cases where thieves know your device passcode. I've had my phone stolen from me twice where they couldn't have known my passcode and couldn't remove it from Find My, and it was never seen again.

    • Gigachad 2 years ago

      They probably stripped the phone down for parts. But there is another theft case where they hold a knife/gun to you and tell you to hand over the password/wipe the phone. Which this update solves.

      The other issue could probably be resolved with more aggressive part ID checking. iPhones should just refuse to function if they have a part from a stolen phone.

  • dylan604 2 years ago

    Even if it prevents reselling the phone, it doesn't prevent the phone from being stolen. It would be a dumb criminal to leave you your phone to allow you to immediately call the police if you've been mugged. Just take the phone, trash it literally placing it in a bin or destroying it or both.

    At the end of the day, you still don't have the phone whether the thief profits from it or not. All this will do is prevent criminals up to date with this info to not try to resell it. It does not prevent them from taking/destroying it.

    • bgentry 2 years ago

      This feature is not really about protecting your device from being stolen. It's about protecting your iCloud account and everything on your device from being compromised when somebody has stolen your device and also has your phone's passcode.

      It's an attempt to resolve the fairly widespread iPhone / iCloud social engineering takeover attacks that were documented in great detail by Joanna Stern last year:

      https://www.wsj.com/articles/apple-iphone-security-theft-pas...

      https://www.wsj.com/video/series/joanna-stern-personal-techn...

      • hbn 2 years ago

        > This feature is not really about protecting your device from being stolen.

        Once a thief has stolen his 10th iPhone that he can't do anything with, he'll probably be less likely to bother stealing iPhones. If anything it's a liability since it can be tracked as long as it still has some battery.

        • someotherperson 2 years ago

          > Once a thief has stolen his 10th iPhone that he can't do anything with, he'll probably be less likely to bother stealing iPhones. If anything it's a liability since it can be tracked as long as it still has some battery.

          Theft isn't just for the whole device, it's also for parts. By making the part market so difficult they essentially create a black market for it in third world countries where just the phone's battery could be worth a day's wages.

          • akmarinov 2 years ago

            That’s why they require that you activate parts as well. Motherboard, screen and face id sensors are useless. The battery isn’t worth much, compared to newer Chinese knockoffs

            • someotherperson 2 years ago

              The screen is still usable no? It just disables true tone IIRC.

              A day's wage in Colombia is about $10-15 and people tend to preference and pay more for original parts since the cost of the device is too high to risk. An iPhone X costs close to a month's salary. They even tend to avoid third party cables or chargers as a consequence.

        • dylan604 2 years ago

          You have a lot of faith in the learning curve of a thief. In my area, the ATT fiber lines have been cut multiple times in the same area multiple times directly impacting my friend's service. These have been due to the lines getting cut searching for copper. They still haven't learned and it keeps happening.

        • nereye 2 years ago

          This is assuming that the thief can tell which phone brand/model it is at the time of theft.

          For phones which are in a case/cover, inside bags etc., it seems almost impossible so am unsure that this is an effective deterrent.

    • pixl97 2 years ago

      But it kind of does in a statistical measure.

      If you think in the systems of how criminals work, they tend to spend more time stealing things they think will pay off. Taking something that will cost them time and not gain them money will over time bias thieves to not taking iphones.

      For example it may prevent this

      a) iphone is left on a table in the open.

      but would not prevent

      b) iphone is in a bag, bag gets stolen.

    • JoshTko 2 years ago

      This would discourage thieves from targeting iPhones long term so there is a definite network benefit.

    • jrockway 2 years ago

      You can't really prevent "I stole your phone just to cause chaos". What Apple did with Find My was to remove the financial incentive to steal phones. What Apple does with this is protecting your iCloud account from someone who knows your passcode. (I would imagine that most people in relationships know their partner's passcode. Sometimes relationships sour.)

      What prevents "I stole your phone just to cause chaos" is the risk/reward profile. Even though your phone is useless to someone that stole it, it's still theft, and you'll still have to face consequences if caught. If the incentive is "I'll be able to buy $1200 worth of shit", then people are probably going to take their chances with getting caught. If it's "I'll get nothing except the satisfaction of smashing someone else's electronics", then most people won't take their chances.

      With the whole "knowing your passcode doesn't help" situation, it makes the long tail crimes even more difficult. "Tell me your passcode or I'll shoot you" no longer works, for example. It makes the crime significantly more difficult to commit, and requires committing crimes that carry significantly longer sentences. (Armed robbery turns into kidnapping. You could be looking at the rest of your life in prison for $300 in someone's checking account. Not worth it to most people.)

      At the end of the day, there is only so much you can do. The rest is your insurance company's problem. The fewer viable attacks there are against you, and the less often they happen, the less your premiums are. (I actually don't know if there is insurance for this. I should check.)

    • paxys 2 years ago

      The point of it is to protect your data, not the phone itself.

      • whartung 2 years ago

        An interesting scenario I heard was a fellow in, I think, Colombia. He was visiting, and was looking at his phone on the sidewalk. As he was looking at it, a pair of people rode up on a motorcycle or scooter, grabbed it out of his hand, and drove off.

        They just got themselves an unlocked phone.

        I assume this protects, somewhat, against this by the fact that were the thieves to try and change anything, there's another step of verification necessary than there was before.

        And I think it was very clever of Apple to leverage the device location as an ad hoc "2FA". "Something you know, some place you are."

    • stirlo 2 years ago

      Thieves have been known to steal iPhones not just for the value of the parts but to compromise your entire digital existence. Most online banking transfers only require a 2nd factor from your phone (your saved passwords are already on there).

    • ghostpepper 2 years ago

      Why would a criminal steal your phone if they knew they couldn't sell it?

      • metadat 2 years ago

        They can still part it out, e.g. at least the screen and frame.

        With that said, this will definitely make it more difficult and less profitable per unit of effort.

        Edit: @google234123 +1 to that!

        • google234123 2 years ago

          Soon I hope Apple will blacklist electronic parts from stolen devices based on their serial numbers

      • dylan604 2 years ago

        you mean beside the specific examples of why i provided in the comment you replied to?

    • BizarreByte 2 years ago

      > At the end of the day, you still don't have the phone whether the thief profits from it or not.

      I care a lot about some low life scumbag not profiting from it. Anything that discourages theft is great.

aetherspawn 2 years ago

Available from iOS 17.3 for anyone wondering.

I went to settings and could not find the option to enable this, but it turns out I was still on 17.2

lokar 2 years ago

A one hour delay? Really? I don’t get it, how does that really help?

  • metalcrow 2 years ago

    If you're robbed at gunpoint, and they demand you unlock your phone for them, this protection means they would have to kidnap you for at least an hour to then unlock it again. The former happened pretty regularly, but upgrading to kidnapping is a lot riskier, more dangerous, and invites a serious police response.

    • lokar 2 years ago

      And if it takes more than an hour to get to a computer I can use? What if I’m waiting to report it to the police? Seems like it should be a day.

      • stouset 2 years ago

        > Security Delay: Some security actions such as changing your Apple ID password also require you to wait an hour and then perform a second Face ID or Touch ID authentication.

        Emphasis mine.

        It seems like you have a lot of reasonable questions and concerns about the efficacy of this measure, but Apple have done a pretty good job of addressing them and explaining their rationale in the first few paragraphs of the documentation.

  • stouset 2 years ago

    > In the event that your iPhone is stolen, the security delay is designed to prevent a thief from performing critical operations so that you can mark your device as lost and make sure your Apple account is secure. Learn what to do if your iPhone is lost or stolen.
