Rob Allen

Pragmatism in the real world

Keep your iPhone passcode secret

TL;DR:

If someone sees you enter your passcode on your phone and then steals your phone, they can lock you out of your Apple account, losing access to all your iCloud data, including photos.

Treat your phone passcode as carefully as the secret it is.

The problem

I heard about “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life” by Joanna Stern & Nicole Nguyen on The Talk Show and learnt something new. I recommend reading Joanna’s article.

It’s fairly obvious that once someone has your passcode they have the keys to everything on your phone, including all your saved passwords. We rarely consider our phone’s passcode as the important secret though.

One thing that I didn’t know is that you can change your Apple ID password from your iPhone with just the 4 (or 6) digit passcode, without needing to know the old password. I and everything in your Apple ID. As I understand it, Android works the same way and you can change your Google account password with just a phone and its PIN as described by 9To5Google.

Once they have your phone and your Apple ID, they can remove your recovery codes and legacy contact and so lock you out completely. They can remove your other devices from your account and using the Find My app remote wipe your other devices. They can also purchase anything using Apple Pay and have access to all your saved passwords if you use the built-in Keychain password manager.

With the complete loss of your iCloud account you also lose all your photos, notes, contacts, calendars, file in iCloud Drive, etc. The loss of all family photos and videos would be heartbreaking, let alone everything else.

The thief needs your passcode though, so try not to enter it in public and if you do, make sure you guard your phone and who’s watching when you do so. It’s not just a 6-digit code. It’s a password to your digital life.

Mitigations

The most obvious first-level mitigation is to use biometric login – Face or Touch ID. If you don’t have to type your passcode, then no-one can see you enter it.

Secondly, use an alphanumeric passcode. The keyboard is smaller, so it’s harder to look over your shoulder and what you type. You can also have a more secure passcode than just digits.

It’s also a good idea to back up your photos and data to a separate service. This is hard from a phone though, but if you have a Mac on your iCloud account then BackBlaze or similar would be wise.

Fin

To be clear, this isn’t new, but this is the first time that I’ve really thought about it.

Given that both Apple and Google work the same way when it comes to account password recovery from a trusted phone, I imagine that there’s a far bigger percentage of people who forget their account password, but know their phone passcode compared to those that lose their account via theft of their phone and its passcode. This must be a difficult thing to balance, but I’d quite like to see better opt-in protections for more security-aware users.

As most of our important data and memories are on our phones, it’s important that we’re aware of the security implications, and that we protect our passcodes from other people!

This article was posted on in Computing

Search

I'm Rob Allen, a software consultant and engineering leader, concentrating on HTTP APIs. A proponent of Open Source, I maintain rst2pdf and Slim Framework, and contribute to Apache OpenWhisk amongst other OSS projects.

I live in the UK, run 19FT and publish Daily Jotter for Mac. I am a public speaker and wrote Zend Framework in Action.

Follow

Nineteen Feet Limited logo

Books I've written

Zend Framework in Action book cover
C++Builder 5 Developer's Guide book cover