How to make your iPhone Passcode more secure without changing it.
Apple released Stolen Device Protection (SDP) in response to criminals successfully ruining people’s lives by using an iPhone’s passcode to reset the victim’s iCloud password.
In 2023 the New York Times did a report on this new tactic, summarized on TidBITS:
Watch the video, but in short, a ne’er-do-well gets someone in a bar to enter their iPhone passcode while they surreptitiously observe (or a partner does it for them). Then the thief steals the iPhone and dashes off. Within minutes, the thief has used the passcode to gain access to the iPhone and change the Apple ID password, which enables them to disable Find My, make purchases using Apple Pay, gain access to passwords stored in iCloud Keychain, and scan through Photos for pictures of documents that contain a Social Security number or other details that could be used for identity theft. After that, they may transfer money from bank accounts, apply for an Apple Card, and more, all while the user is completely locked out of their account.
And yes, they’ll wipe and resell the iPhone too. Almost no crimes like this have been reported by Android users, with a police officer speculating that it was because the resale value of Android phones is lower. In the video, Joanna Stern said a thief with the passcode to an Android phone could perform similar feats of identity and financial theft.
Apple’s response? Stolen Device Protection:
With Stolen Device Protection, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work. These requirements help prevent someone who has stolen your device and knows your passcode from making critical changes to your account or device.
• Face ID or Touch ID biometric authentication: Some actions such as accessing stored passwords and credit cards require a single biometric authentication with Face ID or Touch ID — with no passcode alternative or fallback — so that only you can access these features.
• Security Delay: Some security actions such as changing your Apple Account password also require you to wait an hour and then perform a second Face ID or Touch ID authentication.
In the event that your iPhone is stolen, the security delay is designed to prevent a thief from performing critical operations so that you can mark your device as lost and make sure your Apple account is secure.
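To make the two tiers in Apple’s description concrete, here is a small Python model of the policy as the quote states it: biometric-only actions with no passcode fallback, and delayed actions that need a second Face ID or Touch ID check after an hour. This is an added illustration, not Apple’s code or anything from the post; the action names, the Device fields, and the assumption that a familiar location or disabled SDP falls back to passcode-only are mine.

```python
from dataclasses import dataclass, field
from enum import Enum

HOUR = 3600  # the security delay from the quote, in seconds


class Tier(Enum):
    BIOMETRIC = "biometric"  # one Face ID / Touch ID check, no passcode fallback
    DELAYED = "delayed"      # biometric, wait an hour, then a second biometric


# Hypothetical action catalogue built from the examples in the quote;
# the action names themselves are assumed, not Apple's.
ACTIONS = {
    "view_saved_password": Tier.BIOMETRIC,
    "use_saved_card": Tier.BIOMETRIC,
    "change_apple_account_password": Tier.DELAYED,
}


@dataclass
class Device:
    sdp_enabled: bool
    at_familiar_location: bool
    # action -> time of the first biometric check that started its delay
    pending: dict = field(default_factory=dict)


def request(dev: Device, action: str, now: int,
            passcode_ok: bool, biometric_ok: bool) -> str:
    """Decide one request at time `now` (seconds): 'allowed', 'denied' or 'wait'."""
    if not passcode_ok:
        return "denied"
    # Assumption: without SDP, or at a familiar location, the passcode alone
    # is enough. This is the gap the bar thief in the post relies on.
    if not dev.sdp_enabled or dev.at_familiar_location:
        return "allowed"
    if not biometric_ok:
        return "denied"  # under SDP there is no passcode fallback
    if ACTIONS[action] is Tier.BIOMETRIC:
        return "allowed"
    # DELAYED tier: the first biometric starts the clock; a second one
    # at least an hour later completes the action.
    started = dev.pending.get(action)
    if started is None:
        dev.pending[action] = now
        return "wait"
    if now - started < HOUR:
        return "wait"
    del dev.pending[action]
    return "allowed"


def thief_with_passcode(sdp_enabled: bool) -> str:
    """Thief knows the passcode but cannot pass Face ID / Touch ID, away from home."""
    dev = Device(sdp_enabled=sdp_enabled, at_familiar_location=False)
    return request(dev, "change_apple_account_password", 0,
                   passcode_ok=True, biometric_ok=False)


def owner_changes_password() -> tuple:
    """Legitimate owner away from home: wait, still wait at 30 min, allowed at 1 h."""
    dev = Device(sdp_enabled=True, at_familiar_location=False)
    act = "change_apple_account_password"
    return (
        request(dev, act, 0, True, True),
        request(dev, act, 30 * 60, True, True),
        request(dev, act, HOUR, True, True),
    )


if __name__ == "__main__":
    print("thief, SDP off:", thief_with_passcode(False))  # allowed
    print("thief, SDP on: ", thief_with_passcode(True))   # denied
    print("owner timeline:", owner_changes_password())     # ('wait', 'wait', 'allowed')
```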
Thieves can still come after you if they see you entering your passcode because they’re hoping you don’t have this feature enabled, or they might not be aware of it themselves.
The goal shouldn’t just be to prevent thieves from breaking into your accounts and your life; the goal should be to prevent them from taking your iPhone in the first place. Even if you have all the safety measures in place and your phone gets swiped, you’re still without a phone, which will be expensive to replace and will take hours to get everything synced up again.
The best way to stop this is to hide your password when typing it in, but sometimes we might be in a hurry and forget to keep our guard up. Not to mention this type of attack is common in bars, so your guard is already lowered.
The next best thing? Change your password to an alphanumeric one.
You don’t have to actually change your password, but you do have to add something at the end of it. Like a period.
Say your passcode was “090708”. You can change your passcode and add a period, so your password is now “090708.” If the potential thief does see you entering your passcode, they will see the alphanumeric keyboard and will be more likely to skip past you because it’s almost impossible to really see what someone is typing. The keyboard is small enough, even on the Pro Max models, that your “fat finger” will obscure what you’re typing, compared to the huge numeric keypad.
It also helps to turn off haptics when typing in your code since people can’t hear how long your password is.
Over time, you’ll actually get faster at typing the alphanumeric code since it is all number based, but no one would know you would do such a thing…unless they read my blog.
I tried to be even slicker and just keep the exact same password even though I selected an alphanumeric option and keyboard, but the iPhone defaults back to a numeric keypad, so I had to add the period.
ChatGPT can now read your Apple Notes on Mac.
Tim Hardwick from MacRumors:
OpenAI has expanded the capabilities of its ChatGPT app for macOS, adding support for Apple Notes and a range of popular third-party apps. The update builds on last month's release that introduced the ability to read on-screen content from select Mac apps…
OpenAI says that users maintain full control over which apps ChatGPT can access, and all data handling follows the same OpenAI privacy protocols as the app's regular conversation history. The expanded app integration feature remains exclusive to paid subscribers, including ChatGPT Plus, Pro, Team, Enterprise, and Edu users.
You do have to give ChatGPT permission to use the app, but that’s a lot of sensitive data to give to a third-party application, especially one as controversial as ChatGPT. People store all kinds of data in their Notes, including passwords, personal reflections, driver’s licenses, medical and financial information, you name it.
I’m a free user of ChatGPT, so I have nothing to worry about, for now.
Why you should use Water Lock on your Apple Watch
You can easily screw yourself over if you don’t use the Water Lock feature on the Apple Watch.
Whether you are swimming or taking a shower, you need to turn it on or else your screen will do crazy things.
Water conducts electricity much as our fingers do, so it can register touches and gestures on the touch screen. If you’re in the shower, the sheer amount of water can cause unpredictable behavior on your watch.
I have had the following two scenarios happen to me because I forgot to turn on Water Lock when jumping in the shower:
My mail app was open, and the watch had swiped left on an email to delete it. I noticed it just in time, but I could have unknowingly lost an important email I couldn’t afford to lose.
In a separate incident, I was getting out of the shower and I heard voices. I glanced at my watch and realized that I was on an active call with my mom, who was trying to figure out what the heck was going on!
Do yourself a favor, and turn on Water Lock before jumping in the shower. That way you won’t have to worry about your watch accidentally opening apps, calling people, or deleting your emails.
Passwords App on iPhone and Mac - one huge security difference.
I was reading about Microsoft’s AI based Recall feature, and I thought to myself, what if that feature was on the Mac? Would sensitive information be blurred out when screenshots were automatically being captured?
The most sensitive app on your iPhone, iPad, or Mac is the Passwords app, and if it were to be “screenshotted,” it should blur the passwords.
On iOS and iPadOS, the Passwords app blurs all passwords when you take a screenshot. Even if you want to display the password in large type, the whole screenshot is a giant white blank screen, which is awesome. Even if the password field is obscured with dots (•••••••••••), taking a screenshot makes that whole field completely blank so you don’t even know how long the password is.
Here are 4 screenshots on iOS, showing the completely blank password field:
Now compare that to what you actually see when you are in the Passwords app on iOS (or iPadOS):
In general, iOS and iPadOS do a great job of obscuring your password when taking a screenshot in their app.
On macOS, that is not the case.
I opened the Passwords app and started taking screenshots, and it faithfully captures everything your eyes can see:
If your password is hidden with dots, you will see the dots.
If you hover over your password revealing itself and then you take a screenshot, you will see the password.
If you choose the option to display the password in large type and then take a screenshot, you will see the password.
This is the complete opposite of iOS and iPadOS, and something Apple should address.
This might not be a security risk, but it can be in certain scenarios:
You save your screenshots to the cloud by default, making your passwords exposed to other individuals who might share the same iCloud folders as you.
You have multiple monitors and your passwords app is on your secondary (or tertiary) monitor. Many people don’t know or forget that when you take a screenshot, all of your monitors are being captured.
You have a custom mouse that has hotkeys for screenshotting, and you accidentally capture screenshots without your knowledge.
If this Recall feature was on macOS today, would you even want to open your Passwords app, knowing that the computer is taking screenshots in the background and capturing your sensitive information?
Imagine if your computer constantly was taking screenshots of your activity…
Not to worry, because Microsoft has a beta feature called Recall. Here is what it does in a nutshell:
If you opt in to the feature, then as you use your PC, a snapshot of your active screen will be saved every few seconds and when the content of your active window changes. Snapshots are also protected with Windows Hello, so that you are the only signed-in user who can access Recall content. Recall allows you to search for content, including both images and text, using the clues you remember. Trying to remember the name of the sustainable restaurant you saw last week? Just ask Recall and it retrieves both text and visual matches for your search, automatically sorted by how closely the results match your search. Recall can even jump back into the content you saw.
How safe is it?
To use Recall you need to opt in to saving snapshots, which are screenshots of your activity. Snapshots and the contextual information derived from them are saved and encrypted to your local hard drive. Recall does not share snapshots or associated data with Microsoft or third parties, nor is it shared between different Windows users on the same device. Windows will ask for your permission before saving snapshots. You are always in control, and you can delete snapshots, pause or turn them off at any time. Any future options for the user to share data will require fully informed explicit action by the user.
Do we really need our computer to constantly take screenshots of our online activity? Sounds overboard, even if the information is encrypted locally. I know that if Apple were to do something like this for the Mac, I would keep it disabled. Thankfully this feature is an opt-in feature for Windows users.
Since it is still in beta, there are still lots of security risks: Recall has trouble discerning sensitive websites and screenshots sensitive information.
Apple sued for its privacy stance towards its employees.
Rushil Agrawal from Android Authority:
Apple, the tech giant that has built its reputation on safeguarding customer privacy, is now facing a lawsuit that claims its own employees aren’t getting the same treatment. Amar Bhakta, an employee in Apple’s advertising technology division, has accused the company of prying into workers’ personal lives through iCloud accounts and non-work devices.
The main issue here is the blending of personal and work iCloud accounts, and Apple “actively discouraging” the use of separate iCloud accounts:
The heart of the issue seems to be Apple’s policy of requiring employees to use Apple devices for work, which, combined with restrictions on company-owned devices, often leads employees to use their personal iPhones and Macs. This, in turn, necessitates the use of personal iCloud accounts, allegedly exposing personal data to company scrutiny.
For employees who’d rather not have their personal lives exposed, the alternative isn’t much better. The suit claims Apple “actively discourages” setting up separate iCloud accounts for work purposes, making it nearly impossible to avoid this blending of work and personal data.
Apple’s active discouragement of employees from using separate iCloud accounts for work will be what the case revolves around.
Could just be a controlling manager, or something much bigger.
Not a good look for Apple.
People know your Wi-Fi password, and it can get you hacked.
With iOS 16 and later, Apple has made it a lot easier to find your own Wi-Fi password and the passwords of other Wi-Fi networks you have connected to.
With iOS 18, it’s way easier since you can do it from the Passwords app.
I didn’t even know you could look at a Wi-Fi password when someone shares it with you, until I looked at the Wi-Fi category in the Passwords app.
I went to a relative’s house recently who likes to keep a low profile, and they are always reluctant to share their Wi-Fi password. They don’t even keep Bluetooth on, so they have to manually type their password into my phone or my kids’ devices whenever we come over.
Once he entered the password on my iPhone, I just went into the Passwords app, went under the Wi-Fi category, and voila! There was the password.
They were surprised to find out how I knew it, but it shows you why you need to make sure that password is not used anywhere else. A lot of people (around 78%) use the same password for multiple accounts, and if you’re using your Wi-Fi password for something else, now is a good time to change it.
Are RCS messages encrypted?
The short answer is no, but the devil is in the details.
With iOS 18, Apple has introduced RCS messages, a new industry standard in messaging that allows you to send high-quality videos and photos instead of those abysmally low-resolution photos and videos you currently send to your fellow Android users.
RCS also supports delivery and read message receipts just like iMessage.
In a nutshell, it makes your interaction with non-iPhone users more like iMessage, while still keeping the green bubble.
Not all carriers support RCS, but remember one thing.
One very important thing.
RCS is not end-to-end encrypted.
According to Apple’s site:
Apple’s implementation of RCS is based on the industry’s standard. RCS messages aren’t end-to-end encrypted, which means they're not protected from a third-party reading them while they're sent between devices.
Besides the messages themselves, what other sensitive information about you can be transmitted when using RCS?
More than you think:
User identifiers are exchanged for your carrier and their partners to authenticate your device and provide a connection. These identifiers could include but are not limited to your IMEI, IMSI, current IP address, and phone number. Your current IP address might also be shared with other RCS users.
It’s funny how all the news around RCS focuses on high end photo and video transmission, but no one emphasizes that it is just as insecure as regular SMS/MMS.
If you really want to have secure group chats that allow high-quality images and videos, stick with a more secure platform such as WhatsApp.
Or better yet, you could just convince your friends to get an iPhone and use iMessage, which is end-to-end encrypted.