Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

[pshufd]

Not really -- some people's only email access is the iPhone. It seems odd to us of course. For me it would work, but not everyone I think.

Businesses started going to email only about 15 years ago for low-wage workers and everything was done over email - hiring, scheduling, etc. I used to get a lot of these emails because people used one of me email accounts to apply for stuff (it was a very short address) so I'd get all of their emails on hiring and scheduling.

The US Government eventually provided free mobile phones and service so that people could work and also use government services. PCs cost more and you'd have to include some kind of broadband access.

 

[bobcomer]

That's possible, yes.

You have some protection if someone grabs your unlocked phone without knowing the passcode, because it makes finding the ID harder.

That's why they watch you key in your passcode. The easy out is to not never key it in in public, but the stupid iPhone requires it ever so often.

 

[pshufd]

That's why they watch you key in your passcode. The easy out is to not never key it in in public, but the stupid iPhone requires it ever so often.

An interesting option would be to have two passcodes. One that would also require biometrics and the other that would work alone. That way you normally use the one that also requires biometrics and only use the second if the iPhone requires it or you can't otherwise get in.

 

[Pleonasm]

In the spirit of brainstorming, consider this approach: change your Apple ID email to one that (a) is used for Apple account authentication exclusively, and (b) is not stored on the iPhone (e.g., not in Contacts or Mail). Is this a practical solution to the problem of preventing a thief with an iPhone and device passcode from changing a user's Apple ID password?

P.S.: I am assuming that a Screen Time restriction is also in place to prevent viewing the Apple ID on the iPhone (i.e., suppressing access to Settings | [name] by configuring Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow).

Unfortunately, the Apple ID email is displayed on the App Store | Account screen on the iPhone. Thus, it may not be feasible to prevent a person in possession of an unlocked iPhone from gaining access to a user's Apple ID.

 

[jdoll021]

An interesting option would be to have two passcodes. One that would also require biometrics and the other that would work alone. That way you normally use the one that also requires biometrics and only use the second if the iPhone requires it or you can't otherwise get in.

Another option might be to geofence the passcode request so that the weekly auto disable of biometrics is only in a trusted location rather than it being a regimented schedule that’s triggered no matter where you are.

The best would probably be both: two passcodes, with a requirement that the one protecting your Apple ID be alphanumeric, and passcode geofencing so that Apple only ever prompts you to enter it in trusted locations.

I don’t see Apple dropping the weekly passcode entry requirement. I suspect they do that so people don’t forget what their passcode is.

 

[dk001]

Another option might be to geofence the passcode request so that the weekly auto disable of biometrics is only in a trusted location rather than it being a regimented schedule that’s triggered no matter where you are.

The best would probably be both: two passcodes, with a requirement that the one protecting your Apple ID be alphanumeric, and passcode geofencing so that Apple only ever prompts you to enter it in trusted locations.

I don’t see Apple dropping the weekly passcode entry requirement. I suspect they do that so people don’t forget what their passcode is.

Good ideas.
How would it handle when you travel?

 

[jdoll021]

Good ideas.
How would it handle when you travel?

That’s a good question. I suppose there could be a prompt that asks if the user is in a secure location for entering a passcode. Most likely, it would just not prompt for the passcode until you’re home again.

I can see this as an issue for the “road warrior” subset of the population so Apple might have to determine alternative solutions for them. Not sure what that would be though.

 

[jdoll021]

I just ordered a new 16” MBP and was setting up my AppleID when I noticed that it had a checkbox asking if you want your AppleID to change the password on your computer. I unchecked it. So that’s at least one device that can’t be remotely locked out I guess.

 

[CharlesShaw]

I just ordered a new 16” MBP and was setting up my AppleID when I noticed that it had a checkbox asking if you want your AppleID to change the password on your computer. I unchecked it. So that’s at least one device that can’t be remotely locked out I guess.

If you forget your user name’s password on the MBP, you could reset it using your Apple ID, so if that’s an unlikely scenario, I see no worries. The issue is about having FindMy (Activation Lock) turned on. You have to decide between knowing the whereabouts of your MBP versus knowing that if your Apple ID were ever stolen in a scenario such as in the WSJ pieces, your MBP could not be locked out (bricked).

 

[Apple_Robert]

Unfortunately, the Apple ID email is displayed on the App Store | Account screen on the iPhone. Thus, it may not be feasible to prevent a person in possession of an unlocked iPhone from gaining access to a user's Apple ID.

The App Store can easily be secured via FaceID. And without FaceID, it won't open. Another loop hole closed. I have also secured the Settings App and Wallet app with FaceID.

 

[jdoll021]

If you forget your user name’s password on the MBP, you could reset it using your Apple ID, so if that’s an unlikely scenario, I see no worries. The issue is about having FindMy (Activation Lock) turned on. You have to decide between knowing the whereabouts of your MBP versus knowing that if your Apple ID were ever stolen in a scenario such as in the WSJ pieces, your MBP could not be locked out (bricked).

Ah, got it. Since the new MBP is going to be my main Mac going forward, I’ll probably remove it from FindMy. I’m unlikely to be in a situation where I‘ll need to know its whereabouts.

 

[VineRider]

The App Store can easily be secured via FaceID. And without FaceID, it won't open. Another loop hole closed. I have also secured the Settings App and Wallet app with FaceID.

How do you secure the settings app with faceID?

 

[Apple_Robert]

How do you secure the settings app with faceID?

It requires 16.4 +

1. Open Shortcuts App
2. Create Personal Automation
3. Pick App
4. Make sure “is Open” is toggled on
5. Tap on App Choose
6. Pick the app(s) you want to lock with Face ID
7. Tap on Add Action and pick Lock Screen
8. Make sure “ask to run” and notify when running” are toggled off
9. Tape done
10. You can edit the list of apps you want to lock at any time

Edited to add: I lock the Mail app, Settings, Files app, Safari, Reminders, Support app, Messages app, Health app, Notes app, Camera, Phone app, Wallet app, Mint app, Find My app, App Store, Calendar app, Apple Store, Amazon app, credit card apps, and T-Mobile app

 

[VineRider]

It requires 16.4 +

1. Open Shortcuts App
2. Create Personal Automation
3. Pick App
4. Make sure “is Open” is toggled on
5. Tap on App Choose
6. Pick the app(s) you want to lock with Face ID
7. Tap on Add Action and pick Lock Screen
8. Make sure “ask to run” and notify when running” are toggled off
9. Tape done
10. You can edit the list of apps you want to lock at any time

Edited to add: I lock the Mail app, Settings, Files app, Wallet app, Mint app, App Store, Amazon app, and T-Mobile app

I’ll give this a try. Thanks for the detailed response!

 

[Apple_Robert]

I’ll give this a try. Thanks for the detailed response!

You can also lock the phone app, which I just did to make your phone even more secure.

 

[dk001]

You can also lock the phone app, which I just did to make your phone even more secure.

adding @VineRider

It’s crazy that we all are trying to come up ways to short term fix Apple’s lack. Based on Apple’s response so far, maybe long term fix.

 

[dk001]

You can also lock the phone app, which I just did to make your phone even more secure.

But what if they use the pin code to reset FaceID?

 

[Apple_Robert]

But what if they use the pin code to reset FaceID?

If at all possible, I would stick with the Face ID option as it is much safer. If someone picks the PIN code with the automation, pick the strongest method PIN code you can. I use Face ID so, I haven't looked into PIN Code.

If one has a strong phone passcode and doesn't enter it in public, one should be even safer with the automation I posted.

edited to add: If someone also uses an Apple Watch, set up the watch to unlock the phone, which is much better than entering the passcode in public.

iPhone Settings

Face ID passcode

Tap turn on Apple Watch

* Apple Watch needs to be on and unlocked when setting up this feature.

 

[dk001]

After all else I run into this....

https://twitter.com/x/status/1649835239596859393

 

[Pleonasm]

It requires 16.4 +

1. Open Shortcuts App
2. Create Personal Automation
3. Pick App
4. Make sure “is Open” is toggled on
5. Tap on App Choose
6. Pick the app(s) you want to lock with Face ID
7. Tap on Add Action and pick Lock Screen
8. Make sure “ask to run” and notify when running” are toggled off
9. Tape done
10. You can edit the list of apps you want to lock at any time

@Apple_Robert, kudos for identifying this approach. A few questions...

1. What would prevent a thief who is in possession of an unlocked iPhone from opening the Shortcuts app and disabling these automations?
2. Can these automations circumvent the use of Face ID by invoking Siri ("Hey, Siri. [name of automation]")?
3. What happens if Face ID fails? Does the automation prompt for the iPhone passcode?

Thank you.

 

[Apple_Robert]

@Apple_Robert, kudos for identifying this approach. A few questions...

1. What would prevent a thief who is in possession of an unlocked iPhone from opening the Shortcuts app and disabling these automations?
2. Can these automations circumvent the use of Face ID by invoking Siri ("Hey, Siri. [name of automation]")?
3. What happens if Face ID fails? Does the automation prompt for the iPhone passcode?

Thank you.

1) If a thief has your phone and it is unlocked, he or should would be able to turn off the automation, if said person thought to look for it.
2) No.
3) If Face ID fails, the phone will ask for the passcode to enable to use of Face ID again, unless you have your Apple Watch on, which will open the phone for you.

For further iPhone safety, the use of Siri while the phone is locked should also be turned off.

 

[citivolus]

It requires 16.4 +

1. Open Shortcuts App
2. Create Personal Automation
3. Pick App
4. Make sure “is Open” is toggled on
5. Tap on App Choose
6. Pick the app(s) you want to lock with Face ID
7. Tap on Add Action and pick Lock Screen
8. Make sure “ask to run” and notify when running” are toggled off
9. Tape done
10. You can edit the list of apps you want to lock at any time

Edited to add: I lock the Mail app, Settings, Files app, Safari, Reminders, Support app, Messages app, Health app, Notes app, Camera, Phone app, Wallet app, Mint app, Find My app, App Store, Calendar app, Apple Store, Amazon app, credit card apps, and T-Mobile app

Does this mitigate against the risk where someone knows your passcode? I followed these instructions but it seems to just lock the device first before opening the app, which can then be unlocked with the passcode as usual.

 

[Apple_Robert]

Does this mitigate against the risk where someone knows your passcode? I followed these instructions but it seems to just lock the device first before opening the app, which can then be unlocked with the passcode as usual.

If someone knows your passcode, what I posted won't completely stop said person from changing your passcode and locking you out of your account, if that is their goal. It will only slow them down a little.

Create a strong alphanumeric passcode and don't enter your passcode in public (along with the shortcut I posted). Those two things should help prevent a thief or someone finding your phone from accessing information and apps that could pose a security risk to you.

 

[jdoll021]

If at all possible, I would stick with the Face ID option as it is much safer. If someone picks the PIN code with the automation, pick the strongest method PIN code you can. I use Face ID so, I haven't looked into PIN Code.

If one has a strong phone passcode and doesn't enter it in public, one should be even safer with the automation I posted.

edited to add: If someone also uses an Apple Watch, set up the watch to unlock the phone, which is much better than entering the passcode in public.

iPhone Settings

Face ID passcode

Tap turn on Apple Watch

* Apple Watch needs to be on and unlocked when setting up this feature.

It really makes no sense to me that Apple only allows this feature if you have FaceID enabled. It should be an option even if you don’t enable FaceID. I’d rather avoid FaceID until the 5th Amendment is brought into the 21st century and biometrics are covered.

 

[ADrunkenMarcus]

Does this mitigate against the risk where someone knows your passcode? I followed these instructions but it seems to just lock the device first before opening the app, which can then be unlocked with the passcode as usual.

Sadly not. It does offer some protection if someone grabbed your unlocked phone without knowing the passcode, but beyond that NO...