Apple’s iOS 17.3 update includes a new feature enhancing protections against theft. However, its pairing with an existing feature on “familiar locations” defeats its purpose and puts users at risk. Reporters Without Borders (RSF) looks into Apple’s anti-theft features and what they mean for journalists’ safety.

Journalists who have their device stolen can lose their work, their data, their contacts, or even have their personal safety threatened, so using the anti-theft features available on their devices is essential for security. On iOS devices, Apple already has several anti-theft features, including GPS tracking with Find My iPhone and the ability to remotely wipe the device of sensitive data if needed.

However, these tools can be disabled by thieves if they know the device’s passcode. Thieves therefore watch victims in public until they key in their passcode, then steal the device and quickly turn off the anti-theft settings, locking the owner out and giving themselves plenty of time to access private information, finances, accounts, and sensitive data.

New security protections

To mitigate these risks, Apple’s new Stolen Device Protection feature adds a biometric verification step (Face ID or Touch ID) and a one-hour wait time before users can alter critical security settings. This means that a thief stealing a journalist’s phone could not immediately lock them out of tracking and controlling the device, giving the journalist more time to recover or protect their data.

Critical security settings include:

  • Viewing or changing stored passwords;
  • Changing biometric data;
  • Changing the Apple ID password;
  • Making transfers from Apple Cash or savings;
  • Turning off Find My iPhone;
  • Turning off Stolen Device Protection.

Be wary of the Significant Locations feature

Significant Locations is an existing iOS setting that tracks the user’s movements and creates a list of commonly visited GPS locations. For a journalist, this can typically include their home, their newsroom or workplace, and other frequent stops. This list is visible to the user and can be deleted. However, Stolen Device Protection uses the same data to create its own list of “familiar locations” and automatically turns its protections off in these places. The user cannot see, control, or delete this list.

This means if a journalist’s device is stolen at a “familiar location” like their home or workplace, or possibly their favourite cafe, bar, or gym, Stolen Device Protection does not activate, leaving the passcode as the only barrier between the thief and those critical security settings.

Recommendations 

  • Activate Stolen Device Protection, as it provides an extra layer of security in some circumstances…
  • …but turn off the Significant Locations feature despite its convenience.
  • Journalists should always employ multiple layers of security, including password protection and encryption, and always have backups, as Stolen Device Protection does not add any security to the stored data itself (such as messages, contacts, files, and location history).