Apple’s new iPhone Stolen Device Protection feature may have one big flaw
The company’s latest security features defend against passcode thieves—but they may not be foolproof.
Released as part of Monday’s iOS 17.3 update, Apple’s new Stolen Device Protection feature can protect users from industrious phone thieves who’ve managed to learn the device’s passcode. An iPhone passcode has been likened to “a treasure box” that grants near-total access to the user’s digital life—bank accounts, email, private photos, the whole privacy nine yards. Apple’s operating system previously gave victims precious few ways to safeguard that data if the passcode gets stolen. This latest feature is an attempt to address that shortcoming.
“Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as home or work, and helps protect your accounts and personal information in case your iPhone is ever stolen,” Apple explains. Once it’s enabled, if a phone strays from the user’s “familiar locations,” some features and actions will require additional security measures.
Specifically, trying to access stored passwords and credit card information will now prompt users for biometric authentication through either Face ID or Touch ID. Security actions deemed even more sensitive, such as changing your Apple ID password, go a step further by demanding two rounds of biometric authentication, separated by an hour-long buffer.
If you’re inside of what the iPhone considers a “familiar location,” that’s a sort of safe zone where the extra precautions aren’t enabled and you can use your passcode as usual.
However, some users report they’re already encountering a glitch: that their phone claims it isn’t in a familiar location when it’s inside their house, workplace, or other frequented locale.
A friend told me that since enabling the feature, they’re being treated like a would-be thief every time they attempt to access a protected feature from their own couch. Over on Reddit, a chorus of posts echoes the same problem. “Keeps saying I’m not in a familiar location and locks me out of changes for an hour. Not fun,” one person wrote. “I have the same problem,” another said. “I’m disabling this feature for now because of this,” wrote a third. Others are asking what havoc is wreaked if they activate Stolen Device Protection and need to change their passcode, but their front camera or Touch ID sensor malfunctions.
Perhaps for security reasons, Apple hasn’t revealed many details about how Stolen Device Protection works. But a spokesperson told Fast Company that unfortunately, all of the above problems are “expected behavior,” since “users cannot configure familiar locations.” In fact, familiar locations aren’t disclosed anywhere on users’ phones. Apple declined to explain further, but presumably this stems from fears that an enterprising thief could simply consult a familiar locations list to know where to relocate before unlocking a stolen phone.
Apple didn’t answer any of Fast Company’s additional questions, but it does explain elsewhere that familiar locations are selected with the help of another iOS feature called Significant Locations. According to Apple, Significant Locations is a feature that allows your phone to “learn places significant to you in order to provide useful location-related information in Maps, Calendar, Photos, and more.” They’re encrypted, can’t be read by the company, and also aren’t downloadable from the phone, Apple says.
But anyone who can unlock the phone can also load the Significant Locations tab, and get a list of “Recent Records” that are time-stamped with their duration and have their geolocation displayed on an interactive map. A committed thief could give these exact locations a try, if they desired.
When Fast Company looked at the Significant Locations tab, the phone showed just one recent record, logging a visit from two days ago to a nearby Whole Foods. Apple didn’t respond when asked whether it believes this may pose a problem, or what steps it’s taking to remediate any of the concerns raised by users since the feature’s launch.
It did, however, direct Fast Company to the Wall Street Journal’s explainer on the feature, published Monday after two weeks of testing. The paper “described the experience accurately,” Apple noted. The WSJ’s report said “the most frustrating part” of using Stolen Device Protection was “it took a couple of weeks for the iPhone to learn where we spend most of our time,” and that “after two weeks away from the office, it no longer recognized that building as familiar.”
“It isn’t ideal,” the piece said, before concluding: “But it means a thief won’t be able to drop by your address to use your passcode.”