Harden your iPhone against thieves

Martin Shelton

Principal Researcher

Illustration by Olivia Martin.

(Freedom of the Press Foundation/CC BY 4.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Thieves don’t just steal iPhones for the hardware — they may also want access to banking apps and Apple Pay to facilitate fraudulent transfers and purchases. Here’s the playbook: Thieves first convince a target to share their passcode, or else shoulder surf (observe someone enter their passcode). If they then get hold of the iPhone, they will quickly enter this passcode and transfer money from banking apps to their accounts, sometimes locking the victim out of their Apple ID by changing the passcode and even disabling the “Find My” feature. In its new iOS 17.3 update, Apple introduced an important new security feature designed to slow down thieves by delaying their ability to change your passcode or “Find My” settings, and requiring additional biometrics such as Face ID or Touch ID before someone can change those and other sensitive security settings. Read more.

What you can do

  • One thing that works in thieves’ favor is that people often use short passwords that are easy to shoulder surf and to memorize — typically only six digits. To minimize this risk, instead of typing in passcodes, where possible and practical consider opting for Face ID or Touch ID when unlocking the phone in public spaces. Whenever that’s not convenient for you, you can also quickly disable biometrics by clicking the power button on your iPhone five times.
  • Consider an alphanumeric passcode that would be more difficult for someone to guess or memorize on the fly. You can find that here: Settings app > “Face (or Touch) ID & Passcode” > "Change Passcode" > "Passcode Options" > "Custom Alphanumeric Code."
  • If you choose to enable an alphanumeric passcode, you’ll want to do so before enabling Stolen Device Protection, because the new feature may introduce a delay of an hour before you can change your passcode.
  • Enable the Stolen Device Protection feature here: Settings app > “Face (or Touch) ID & Passcode” > “Stolen Device Protection.”
  • As always, ensure you have the newest update to iOS for access to the most recent security patches and new features, including Stolen Device Protection.

Updates from my team

  • My colleague Anastasia Kolobrodova wrote a post on some preliminary research she has conducted. It concerns the narratives educators use to frame communications surrounding the value of digital security for journalists. Check it out.

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.


Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Mozilla breaks into the anti-data broker game

Hundreds of data brokers aggregate and sell access to personal data, such as phone numbers, emails, addresses, and even purchasing habits collected through loyalty card programs, social media sites, apps, trackers embedded in websites, and more. Mozilla has a new monthly subscription service which automatically scans for your personal data on data broker websites, but there are other ways to make your data less easily searchable. Read more from the Digital Security Team.

Moving from passwords to passkeys

Instead of traditional passwords, where you log into a website with credentials that you know or store in a manager, a passkey is a credential that you store on your device, registered with an online account. Read more in our newsletter.

Journalists targeted with Pegasus yet again

Mercenary spyware firm NSO Group’s Pegasus spyware, designed to remotely access targeted smartphones, is marketed to governments around the world for the purposes of law enforcement and counterterrorism. But in the wild, we’ve seen governments repeatedly abuse this and similar spyware tools to infect journalists, spying on their most sensitive files, communications, and sources.