Ok, you win. I'm really panicking now...
That's not my goal -- my goal is just to both keep people aware of what can happen with the way things are now with authentication, and to hopefully wake Apple, Google, and others to rethink a few things! (2FA doesn't help in the trusted device scenario as is)

Android kind of has the same problem as the iPhone, though it is easier to reclaim your google account.
 
It's not about what they can or can't do if they see me putting in my ATM pin or iPhone passcode, it's about the principle of simply not letting others see me input codes into any machine, period.

I frequently need to walk alone and/or use public transportation in a city where there is enough crime for it to be on everyone’s radar.

As I said early in this thread, I need to believe that I could surrender my phone and walk away unharmed and unworried about my digital security if someone jumped out of the passenger side of a vehicle or approached me in an empty subway car, threatened violence, and demanded my iPhone and the passcode. Regardless of what Apple does or cannot or won’t do, I made my own solution.
 
It's not about what they can or can't do if they see me putting in my ATM pin or iPhone passcode, it's about the principle of simply not letting others see me input codes into any machine, period.
you don't keep yours on a sticky note?
 
This is why you should enable Face ID
Face ID - and biometrics in general - are not protected by any type of privacy regulation.
So if you're held up at a port of entry, or by the police, good luck protecting your data and device.

(this is why I am always prepared to disable biometrics by whacking the power button 10x)
 
Yes I do, on my forehead.
 
...what, exactly, was the point of the 'report'?

"If someone steals your house keys, they could get in your house and take your stuff!" - Joanna Stern later today, probably.
The difference between the house keys and the iPhone passcode, is that the house key only opens the house door. That's it. It doesn't open your safe in the bedroom. It doesn't open your bank account. It might not even open your locked shed in the backyard. The iPhone passcode, on the other hand, opens way more than just the iPhone itself. If you use the iPhone as Apple intends on you using it, then that passcode not only opens the iPhone, but also opens up your password manager, which opens up all of your passwords, unlocking your bank and financial accounts, and any other sensitive data you might have. So while the analogy is cute, it isn't really analogous to the harm described in the report. FaceID and TouchID are not helpful, as again, that same iPhone passcode allows you to change that. And like the report says, that same iPhone passcode allows you to change the Apple ID and completely lock you out. That can't happen with your house. A thief can steal the house key and get inside. He could then steal anything in there that isn't locked, but that's it. He couldn't get into your computer, or into your accounts, and he certainly couldn't steal the house either.
 
All one has to do is turn on Screen Time > Content & Privacy Restrictions > Passcode Changes > Don't Allow, as well as Account Changes > Don't Allow. Be sure to use a different passcode for Screen Time.

 
All one has to do is turn on Screen Time > Content & Privacy Restrictions > Passcode Changes > Don't Allow, as well as Account Changes > Don't Allow. Be sure to use a different passcode for Screen Time.


That won't stop it.
A couple of users here posted how to fairly easily get around this.

I posted that comment in the WSJ vid also.
 
Then there is this - latest from the WSJ
surprised that Joanna Stern has nothing better to do.

Of the billions of iPhones, a bunch of sloppy careless drunks in hookup bars are ruining it for the rest of us.
 
The big hole in this solution is that Apple foolishly lets you turn-off/change the screen time password by using the device password.

Here’s the flaw. Go to screen time. Then go to “change screen time passcode”. Then go to “turn off screen time passcode”. Then select “forget passcode”. You now have to enter your Apple ID. Which can be easily found by searching your email. Then select ‘forgot password’ for the Apple ID. After it asks for the device passcode, it will then let you enter a new Apple ID password from this screen.
@sk1ski1, can this flaw be avoided by skipping Screen Time Passcode Recovery when the Screen Time passcode is first set up? The "Forgot Apple ID or Password?" prompt presumably would no longer appear, and the device passcode would therefore no longer be sufficient to bypass Screen Time restrictions (i.e., Content & Privacy Restrictions | Account Changes = Don't Allow)?
Thank you for your assistance.
 
@sk1ski1, can this flaw be avoided by skipping Screen Time Passcode Recovery when the Screen Time passcode is first set up? The "Forgot Apple ID or Password?" prompt presumably would no longer appear, and the device passcode would therefore no longer be sufficient to bypass Screen Time restrictions (i.e., Content & Privacy Restrictions | Account Changes = Don't Allow)?
Thank you for your assistance.
If you get the Apple ID from the phone, you can change the password from the web, as long as you have a trusted device passcode.
 
If you get the Apple ID from the phone, you can change the password from the web, as long as you have a trusted device passcode.
On my iPhone (I activated Screen Time for various things), in Settings the Apple ID is greyed out so they cannot see the email address.
 
If you get the Apple ID from the phone, you can change the password from the web, as long as you have a trusted device passcode.
Thank you, @bobcomer.

In the spirit of brainstorming, consider this approach: change your Apple ID email to one that (a) is used for Apple account authentication exclusively, and (b) is not stored on the iPhone (e.g., not in Contacts or Mail). Is this a practical solution to the problem of preventing a thief with an iPhone and device passcode from changing a user's Apple ID password?

P.S.: I am assuming that a Screen Time restriction is also in place to prevent viewing the Apple ID on the iPhone (i.e., suppressing access to Settings | [name] by configuring Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow).
 
On my iPhone (I activated Screen Time for various things), in Settings the Apple ID is greyed out so they cannot see the email address.
Except others say that you can recover the screen time passcode with the device passcode, and a search of the web shows there's software to do it too.
 
Thank you, @bobcomer.

In the spirit of brainstorming, consider this approach: change your Apple ID email to one that (a) is used for Apple account authentication exclusively, and (b) is not stored on the iPhone (e.g., not in Contacts or Mail). Is this a practical solution to the problem of preventing a thief with an iPhone and device passcode from changing a user's Apple ID password?

P.S.: I am assuming that a Screen Time restriction is also in place to prevent viewing the Apple ID on the iPhone (i.e., suppressing access to Settings | [name] by configuring Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow).
Not really -- some people's only email access is the iPhone. It seems odd to us of course. For me it would work, but not everyone I think.
 
Except others say that you can recover the screen time passcode with the device passcode, and a search of the web shows there's software to do it too.
That's possible, yes.

You have some protection if someone grabs your unlocked phone without knowing the passcode, because it makes finding the ID harder.
 