I’m a longtime iPhone user who has never had to deal with a stolen or lost device. And I hope I’ll never have to experience an iPhone theft. It’s one of my top three anxiety-inducing iPhone events, alongside dropping the iPhone and running out of battery.
Even in case of iPhone loss, I didn’t use to worry. Until this spring, I thought I was doing everything right. Thieves could do little with my handset other than dismantle it and sell it for parts. Little did I know that some criminals found a scary way to steal iPhones, which leads to the victim losing access to the Apple ID that safeguards the handset alongside all their digital life connected to it.
I have taken extra precautions to prevent such damage since. But I’ve been waiting for Apple to introduce new security features that would thwart such nefarious attacks. It’s finally happening. I can’t wait to get my hands on the iOS 17.3 release, which will bring over an optional security feature called Stolen Device Protection. I think it should be mandatory, or iPhone users should be exposed to it.
Once enabled, the feature will make it almost impossible for anyone to get access to my Apple ID in case they steal the iPhone. Not only that, but Stolen Device Protection will give me enough time to remotely wipe the handset and secure the data on it.
How to secure your iPhone right now
A report from The Wall Street Journal explained this spring that thieves have devised a somewhat brilliant way to steal iPhones. They would watch over your shoulder as you type in your password in a crowded place like a bar. Armed with that, they’d steal the device, then quickly get into your Apple ID and change the password and recovery key.
The attack effectively kills your protections. The thieves can turn off Find My iPhone, and you won’t be able to delete it remotely. Worse, they’ll have access to critical information, including your iCloud data, which can produce additional damage.
You’re unlikely to recover any of the data, and the thieves can wipe the handset safely to sell it to someone else.
I’ve already explained what you can do to prevent iPhone thieves from using this security loophole. Here are the steps again in brief, with a more detailed explanation at this link:
- use an alphanumeric password that’s longer than four or six digits
- always use Face ID/Touch ID in public
- disable Control Center access on the Lock Screen
- use Screen Time to prevent Apple ID access (screenshot above)
On top of that, you should perform regular iPhone backups either to iCloud or to a computer.
Finally, you should use passwords/Face ID with all the iPhone apps that support it.
How iOS 17.3’s Stolen Device Protection will work
Following the reports in the spring, Apple has devised the new Stolen Device Protection mechanism, detailing it to The Wall Street Journal, which first reported the attacks.
With Stolen Device Protection active, which I’ll advise any iPhone user to turn on once they get iOS 17.3, you will benefit from the added security that should make it nearly impossible for someone to take over your Apple ID.
The feature relies on location information and biometrics to secure your iPhone. If the iPhone detects that the user is about to change sensitive settings like the Apple ID password while they’re away from their home or another frequent location, it’ll do three things:
- require Face ID or Touch ID authentication
- start an hourlong delay
- require a second Face ID or Touch ID authentication
A thief won’t be able to pass the biometrics. As for you, if you need to change sensitive settings on the handset while you’re away, you’ll just have to wait for that hour to pass.
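The three steps above can be modelled as a small state machine. This is an added illustration, not Apple's code: the class, function and outcome names are hypothetical, the timelines are constructed, and the familiar-location case is left as "not gated" because the article does not describe that flow.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

DELAY_SECONDS = 60 * 60  # the hourlong delay described in the article


class Outcome(Enum):
    NOT_GATED = "not gated"          # familiar location: flow not described in the article
    DENIED = "denied"                # biometric check failed
    DELAY_STARTED = "delay started"  # first biometric passed, timer running
    WAIT = "wait"                    # delay has not elapsed yet
    ALLOWED = "allowed"              # second biometric passed after the delay


@dataclass
class SensitiveChangeGate:
    """Toy model of one pending change to a sensitive setting."""
    familiar_location: bool
    delay_started_at: Optional[float] = None

    def attempt(self, now: float, biometric_ok: bool) -> Outcome:
        if self.familiar_location:
            return Outcome.NOT_GATED
        # The passcode is not an input here at all: only a biometric
        # match moves the state machine forward.
        if not biometric_ok:
            return Outcome.DENIED
        if self.delay_started_at is None:
            self.delay_started_at = now  # step 1 passed, step 2 (delay) begins
            return Outcome.DELAY_STARTED
        if now - self.delay_started_at < DELAY_SECONDS:
            return Outcome.WAIT          # window in which the owner can wipe remotely
        return Outcome.ALLOWED           # step 3: second biometric after the hour

    def seconds_remaining(self, now: float) -> float:
        if self.delay_started_at is None:
            return float(DELAY_SECONDS)
        return max(0.0, DELAY_SECONDS - (now - self.delay_started_at))


def replay(events, familiar_location=False):
    """Run (timestamp, biometric_ok) events through one gate; return the outcomes."""
    gate = SensitiveChangeGate(familiar_location)
    return [gate.attempt(t, ok) for t, ok in events]


# Constructed timelines in seconds, not real device data.
THIEF = [(0, False), (600, False), (4000, False)]  # knows the passcode, fails biometrics
OWNER = [(0, True), (1800, True), (3600, True)]    # owner away from home
```

In this model the thief's attempts never start the timer, while the owner's second attempt at the 30-minute mark is told to wait and the attempt at the one-hour mark succeeds.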
The iPhone will employ the same measures if you attempt to change or add a security key. As for passwords saved in Keychain, Stolen Device Protection will render the Lock Screen password, which the thief knows, useless. They’ll need Face ID or Touch ID to get into your passwords.
The Journal listed the full Stolen Device Protection features below. As you can see, biometrics are heavily involved in the defence of the iPhone for various actions. More sensitive ones will also require the hourlong wait.
Again, that hour is enough for you to get a hold of an internet-connected computer, load icloud.com, and remotely wipe your device.
The report does point out that thieves still have access to your device if they steal your weak Lock Screen password. As such, they can access unprotected information on the device until you reset it. That might involve access to banking apps, trading platforms, and crypto exchanges.
You’ll want to enable password protection for all of those and use different passwords/Face ID for each one. This theft scenario is one reason I’d want to lock iMessage under Face ID and an app-specific password.
You can read the full WSJ report at this link.
As for iOS 17.3, the upcoming iPhone update is currently in beta, and it should be released soon. You can get on the beta to start testing Stolen Device Protection features. The feature should also be available on iPad. And I hope the Mac will get it, too.