Turn on Stolen Device Protection on your iPhone—right now

Jerry Galvin
5 min read · Feb 4, 2024

Phones contain tons of your personal and financial information: your email, your contacts list, your passwords, and your bank accounts. Unfortunately, as Joanna Stern at the Wall Street Journal reported last year, thieves have started to steal phones with the express goal of using that information to steal even more from you.

Fortunately, Apple has a new feature in iOS 17.3 called Stolen Device Protection that, when enabled, will make using the contents of a stolen phone more difficult.

What Apple is trying to prevent

Prior to Stolen Device Protection, if a thief wanted to access the contents of your phone, they would either covertly watch you enter your lock screen passcode, use force to obtain your passcode, or, in the case of very drunk people, simply ask for it. Then the thief would need to steal your phone through force or other trickery.

Once they had the phone and the passcode, the first thing they would do is lock you out of the phone by changing your Apple ID password and the device passcode. Prior to iOS 17.3, anyone could reset the Apple ID password in the Settings app using only the device passcode. Once the original owner was locked out of their Apple ID, they could no longer use Find My to remotely lock or erase the phone, at least not quickly, and often not at all.

The thief would then enroll their own face or fingerprint in Face ID or Touch ID, which would grant access to every app that accepts your face or fingerprint for authentication. Once their biometrics were on the iPhone, they could access everything you could: banking apps, money-sending apps, and stored passwords.

Thieves could then steal directly from various accounts by transferring money to themselves or to an intermediary. Even if they weren’t sophisticated enough to go for the apps, they would still have access to any Apple Pay cards you had set up, since those can be authorized with the passcode alone.

Apple’s solution to phone and passcode theft

Fortunately, with iOS 17.3, Apple released a feature called Stolen Device Protection that makes new face or fingerprint enrollment, resetting the Apple ID password, or changing the passcode more difficult.

At a “Significant Location” such as your home or work, those functions behave as before. Away from a Significant Location, two things must happen: you must prove it is you with an existing face or fingerprint (the passcode is no longer accepted as a fallback), and you must wait an hour and then authenticate with your face or fingerprint a second time before the change goes through.

In theory, this should deter iPhone thieves, because even if they have your unlock passcode, they need your face or fingerprint to start the timer and again 60 minutes later, and it is unlikely you will still be around to supply it.

Stolen Device Protection can be enabled under Settings > Face ID & Passcode, but it is not enabled by default.

How does the iPhone know your “Significant Locations” and can I stop it from knowing that?

The key to avoiding the one-hour delay for these critical settings is having “Significant Locations” enabled on your iPhone. If you’re like most people, you probably had no idea the Significant Locations feature even existed.

Basically, your iPhone keeps track of everywhere you go, all day, every day, and stores the data. The feature keeps track of how many times you visit a location, which is how it eventually figures out your “significant” ones. (Per Apple, all saved locations are end-to-end encrypted, which means Apple cannot read them directly.)

This could mean that not only your home and work are included. For example, if you frequent a coffee shop, that may become a Significant Location. Apple does not give you control over what it considers significant.

Even if we didn’t mind the inability to set Significant Locations ourselves, some of us still find the feature a potential invasion of privacy. For example, if someone looks through your phone, or has a warrant to view the data on your phone, they will know every place you’ve been for months. Significant Locations can be disabled under Settings > Privacy & Security > Location Services > System Services > Significant Locations, where you can also delete individual entries or clear the history.

Once you turn off Significant Locations, however, be warned that every protected action will be treated as happening away from a familiar location: you will always need to wait one hour and authenticate twice with your face or fingerprint to change your passcode, change your Apple ID password, enroll a new face or fingerprint, or disable Stolen Device Protection.

Still, it may be worthwhile to disable Significant Locations, especially if you’re worried about privacy. Everyone has their own comfort level, so do what you think is right for yourself.
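To make the rules from the two sections above concrete, here is a small Python model of the decision logic: which authentication factor is accepted, when the one-hour security delay applies, and what turning Significant Locations off changes. This is an added illustration written for this post, not Apple’s implementation or the author’s code. The action names, the `Factor` and `Decision` enums, the `Device.request` method and the sample locations are my own assumptions; the one-hour delay, the protected actions and the familiar-location exemption are as described in the post.

```python
"""Simplified model of the Stolen Device Protection (SDP) policy described in this post.

Illustrative only (not Apple's code). Assumes a trusted clock and that
`familiar_locations` is whatever Significant Locations has learned.
"""
from dataclasses import dataclass, field
from enum import Enum, auto

SECURITY_DELAY_SECONDS = 60 * 60  # the one-hour wait described in the post

# Actions the post says SDP gates with biometrics plus the security delay.
PROTECTED_ACTIONS = frozenset({
    "change_passcode",
    "change_apple_id_password",
    "enroll_biometric",
    "disable_sdp",
})


class Factor(Enum):
    PASSCODE = auto()   # what a thief who shoulder-surfed you has
    BIOMETRIC = auto()  # a successful match against the owner's enrolled face/fingerprint


class Decision(Enum):
    ALLOWED = auto()
    DENIED = auto()
    WAIT = auto()       # delay running; come back with biometrics after an hour


@dataclass
class Device:
    sdp_enabled: bool = True
    significant_locations_enabled: bool = True
    familiar_locations: set = field(default_factory=set)   # hypothetical place labels
    pending: dict = field(default_factory=dict)             # action -> time delay started

    def at_familiar_location(self, location: str) -> bool:
        # With Significant Locations off the phone has nothing to compare against,
        # so every location counts as unfamiliar.
        return self.significant_locations_enabled and location in self.familiar_locations

    def request(self, action: str, factor: Factor, location: str, now: float) -> Decision:
        """Evaluate one attempt at `action`, authenticated with `factor`, at `location`."""
        if not self.sdp_enabled or action not in PROTECTED_ACTIONS:
            return Decision.ALLOWED            # pre-17.3 behaviour: passcode is enough
        if self.at_familiar_location(location):
            return Decision.ALLOWED            # home/work: no extra requirements
        if factor is not Factor.BIOMETRIC:
            return Decision.DENIED             # passcode alone never works away from home
        started = self.pending.get(action)
        if started is None:
            self.pending[action] = now         # first biometric auth starts the clock
            return Decision.WAIT
        if now - started < SECURITY_DELAY_SECONDS:
            return Decision.WAIT               # still inside the hour
        del self.pending[action]
        return Decision.ALLOWED                # second biometric auth after the delay


def theft_scenario() -> list:
    """Thief has the passcode and the phone, is at a bar (constructed sample data)."""
    phone = Device(familiar_locations={"home", "office"})
    return [
        phone.request("change_apple_id_password", Factor.PASSCODE, "bar", now=0),
        phone.request("enroll_biometric", Factor.PASSCODE, "bar", now=60),
    ]


def owner_scenario() -> list:
    """Owner changes the Apple ID password on holiday: two biometric checks, an hour apart."""
    phone = Device(familiar_locations={"home", "office"})
    return [
        phone.request("change_apple_id_password", Factor.BIOMETRIC, "hotel", now=0),
        phone.request("change_apple_id_password", Factor.BIOMETRIC, "hotel", now=1800),
        phone.request("change_apple_id_password", Factor.BIOMETRIC, "hotel", now=3600),
    ]


if __name__ == "__main__":
    print("thief:", [d.name for d in theft_scenario()])   # DENIED, DENIED
    print("owner:", [d.name for d in owner_scenario()])   # WAIT, WAIT, ALLOWED
```

Run it and compare the two scenarios: the thief is refused outright because the passcode is not an accepted factor for protected actions away from a familiar location, while the owner gets through only after a biometric check, an hour, and a second biometric check. Constructing a `Device(significant_locations_enabled=False)` makes even a request from “home” return `WAIT`, which is exactly the trade-off the previous paragraphs describe.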

Stolen Device Protection makes sense to implement, but you can also do more

Obviously, this system is not perfect. If enough money is at stake, a thief might try to keep you around for an hour somehow. But for most situations, this protection is enough to prevent what could be a costly loss.

That being said, if you really want to protect your financial accounts, you can also remove the banking and payment apps from your phone and avoid storing those passwords on it. A thief who has only your passcode and their own newly enrolled face or fingerprint then has nothing to unlock. You could still reach the accounts through their web versions, which require a password, and, just as importantly, a thief would first have to know you had these accounts at all, which is not easy to work out quickly. This strategy also works on Android phones, which at the time of writing have no feature comparable to Stolen Device Protection.

Stolen Device Protection is the right amount of paranoid for most people

Stolen Device Protection makes things you rarely do, such as changing your passcode or resetting your Apple ID password, take a relatively short extra wait. Enabling it is a minor inconvenience, but it could save you from having money stolen directly from your accounts, along with all the headaches that follow.

Final note: If you don’t like Significant Locations, watch out for Google Maps

One more thing: If you don’t like the iOS Significant Locations feature, and turned it off on your phone after reading about it, keep in mind that Google Maps has a similar but more invasive feature, Location History (now called Timeline). Check whether it is turned on for your Google account. If it is, Google Maps can record your location even when the app is closed, and that location data can be stored on Google’s servers, where Google can read it directly.

Jerry Galvin has over 17 years of experience in engineering, vulnerability management, and cybersecurity operations. He currently works as a Business Information Security Officer for a financial institution. Views expressed here are his own.
