• Keep iPhone signed into Apple or signed out?

    #2569885

    If I keep my iPhone always signed into Apple, I am thinking that if the phone gets stolen the thief can use the phone for nefarious purposes since it is signed in.

    However, if I sign it out I get this:

    Find My has been disabled on iPhone.

    With Find My disabled, this device can no longer be located, placed in Lost Mode, or remotely erased using icloud.com/find or the Find My app.

    In addition, your Apple ID and password will no longer be required for someone to erase, reactivate, and use your iPhone.

    Seems like a security risk either way?? Any ideas on which is better?

     

    • This topic was modified 1 year, 11 months ago by J9438. Reason: Remove html tags that I did not know would paste
    1 user thanked author for this post.
    • #2569938

      If I keep my iPhone always signed into Apple, I am thinking that if the phone gets stolen the thief can use the phone for nefarious purposes since it is signed in.

      No.
      When not in use your iPhone is in locked mode.
      You need Face ID, PIN, Password, Apple Watch... to unlock, and so will the thief/finder.

      Keep the iPhone connected for apps, iOS, Find My ..notification and auto backup while charging.

      1 user thanked author for this post.
    • #2569964

      You need Face ID, PIN, Password

      With my phone there are only 2 options to unlock, Touch (which I am somewhat leery of as my fingerprint could change from time to time as for example from a cut or other injury) and a 4-digit PIN which with a brute force attack does not seem that secure either. (And the erase after 10 attempts option might cost me all of my data if I get the phone back).

      So with less sign in security of a phone compared to a PC with a gigantic password, seems like leaving the phone signed into Apple is not good either.

      I just don’t understand why Apple would not require a password in ALL circumstances for someone to erase, reactivate, and use your iPhone. Makes no sense to me.

      At least if someone did get in they still could not get into the Apple account if signed out and Apple did not have this backdoor-in described in their warning above, “In addition, your Apple ID and password will no longer be required”.

      It sounds to me like they are trying to keep you signed-in to data mine.

      1 user thanked author for this post.
    • #2570115

      Apple is hands down the most privacy first operating system

      I agree and I would add that Susan is my most trusted source for cyber security!

      P.S. cuts on fingers won’t throw off the reader

      Good to know. Thanks.

      I guess I am more paranoid than most and I have even mentioned in other posts that convenience comes at a cost of security and vice versa.

      I guess what bothers me is that almost every web site has that little check box that says, “Stay logged in”.

      I would never want to stay logged in to a retail site or my email or Microsoft and yet Apple seems to force staying logged in to use some features.

      I know everything is supposed to be encrypted and privacy guarded and protected with 2FA. Yet, time after time I keep seeing news reports of XYZ company/government being hacked with soc sec numbers, birthdays, bank account numbers, etc. stolen. I know we cannot protect everything perfectly but isn’t at least signing out of a PC, phone, or IoT device like locking your door when you leave your house or car? Why do we make it so easy for the hackers? Convenience vs security.

      With findmydevice you can remotely erase

      I don’t know how the hardware works but since I can connect to any cell phone without being logged in, why does Apple have to have you logged in to connect? It would seem if I lost my phone I should be able to log into Apple on my PC, request a wipe, Apple would call the phone and with some code in iOS activate a wipe. I know my cell service provider could do that to the SIM.

      Aren’t these discussions stimulating????

    • #2570156

      Yet, time after time I keep seeing news reports of XYZ company/government being hacked with soc sec numbers, birthdays, bank account numbers, etc stolen.

      Apple’s iCloud, any Apple service.. has never been hacked.

      1 user thanked author for this post.
    • #2570172

      I guess what bothers me is that almost every web site has that little check box that says, “Stay logged in”. I would never want to stay logged in to a retail site or my email or Microsoft and yet Apple seems to force staying logged in to use some features.

      My understanding of the “Stay logged in” option is that it sets a cookie so that you are recognized the next time you access the site from that PC and browser. I assume the life of the cookie varies by site. That said, I use Slimjet as my browser and have both the Privacy Badger and uBlock Origin extensions running. The “Stay logged in” options don’t work. I don’t know whether this is due to Slimjet’s built-in protections or the result of one of the extensions, but I don’t think you have anything to worry about if you take your browsing security as seriously as your phone security.

      1 user thanked author for this post.
    • #2570182

      Apple service.. has never been hacked

      Another good to know. On TV the other day they were interviewing a business owner about their cyber security and he said they had dozens of attempted hacking EVERY DAY. I can imagine Apple must have hundreds of attempts every day but obviously has great security.

      so that you are recognized the next time you access the site from that PC and browser

      I think you are correct. I always thought it meant you could access a site anywhere, put in your userid (email that the world knows) and it would let you in.

      So I tried Walmart with stay logged in. Then logged out. Had to log in again with stay logged. Then I just closed browser. If I go to a different browser I have to log in again but if I go to the same browser it pops me straight in, so you are right that it must be a cookie on that particular browser and PC. I am not sure how useful that is unless I just want to come back next day and go straight in. (But again, if the unlikely happens and next day while you are at work someone breaks into your home, finds your PC not protected with a password like some people do for convenience, pulls up Walmart with your credit card stored there “for convenience”, then you are sorry you stayed logged in – even worse with a laptop or cell.)

      I guess everyone just has to weigh the cost of convenience vs the cost of security.

       

    • #2570191

      I guess everyone just has to weigh the cost of convenience vs the cost of security.

      Truer words have never been spoken.  I am often astounded by folks who value convenience over security.  Security is complicated and takes effort so I understand it in baby boomers who find technology challenging but I don’t understand it in Millennials and Gen Zers.  Lazy?  Apathetic?  Beats me.

      2 users thanked author for this post.
      • #2570233

        In this specific case staying logged in actually provides better security as it allows you to track where the device is and control it.

        “It would seem if I lost my phone I should be able to log into Apple on my PC, request a wipe, Apple would call the phone and with some code in IOS activate a wipe. I know my cell service provider could do that to the SIM.”

        Apple has to be logged in as that gives them the ability to remote wipe. It can’t take over control of your device unless you are logged in.  It’s just the way remote wipe works.  In the case of your cell service SIM it’s logged in at all times to your cell service provider.  You don’t log out of your SIM.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
    • #2570276

      4-digit PIN which with a brute force attack does not seem that secure either. (And the erase after 10 attempts option might cost me all of my data if I get the phone back). So with less sign in security of a phone compared to a PC with a gigantic password,

      You can set the password for an iPhone to any length you want and even switch to alphanumeric passwords. With a 4 number password a hacker with the right software such as GrayKey can crack that password in seconds to minutes. If you want a more secure feeling, then increase the length of the passcode. Increasing the passcode to 8 digits can cause the hack to take too long for the hacker to invest the time unless he knows the prize is worth it. Any documents I keep on my iPhone that contain information I don’t want any hacker to see if my phone were hacked, I password protect with a separate and different password.

       

      HTH, Dana:))

      3 users thanked author for this post.
    • #2570289

      Assume your smart phone will eventually be stolen, broken, infected, or forgot to carry. You can’t guarantee a stolen locked mobile device won’t eventually be defeated. A thief might steal your iPhone pin at the same time.

      Write down all the accounts that remain logged in or at risk. Have in place a procedure for when the smart phone is lost or stolen or hacked.

      To limit the security risk when going for smart phone convenience, apply compartmentalization.

      Example 1: Have a dedicated email account per mobile device. Have another email account for your most sensitive transactions that you keep off the cell phone.

      Example 2: Limit what applications you choose to run on the smart phone. For example, certain financial accounts are excluded from your mobile device and accessed instead from a desktop physically protected by a central station alarm system.

      Example 3: Use a physical security key that is kept physically separate from the smart phone but near enough to transmit a key.

      Example 4: Only a subset of your passwords can be accessed from your smart phone.

      Example 5: Important files stored in the smart phone vendor’s cloud, are also backed up elsewhere.

      What security policy you choose to adopt, implicit or explicit, will vary.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

      1 user thanked author for this post.
    • #2570308

      You can set the password for an iPhone to any length

      I learn something new every day. Since my phone just always showed 4 circles for entering the passcode I thought that was all allowed. So I dug deeper and found there is an option farther down for a custom alphanumeric code just like on a PC. Only problem is typing on a tiny cell keyboard is difficult and I am logging in the phone dozens of times a day with text msgs. Maybe Susan has the right idea with the fingerprint scanner but hardware scanners and USB sticks still worry me as hardware stuff is always subject to unexpected failures. Gee, just can’t win either way.

    • #2570323

      Apple has to be logged in as that gives them the ability to remote wipe.

      With the current iOS I have no doubt that is correct, but since when are we satisfied with current technology?

      I am a dummy with regards to cell technology but I did find one Google search that said to use FindMyPhone the phone itself has to be already turned on and connected to internet. If that is true then regardless of being logged in or not FindMyPhone is useless if the phone is in a ditch by the side of the road.

      That being said apparently a phone can be Pinged to find the ditch.

      If a phone can be Pinged and if anyone can ring that phone even if it is turned off and not connected to the internet just by calling or texting then it seems to me that some simple changes to iOS installed with an update could allow Apple to send a command to wipe the phone if requested by the phone owner logged in to a PC or other phone, thus eliminating the need to leave the phone signed in all the time.

      I know I must belong to a very small group of the ultra paranoid and FindMyPhone is a flashy feature that is very appealing to the average user who probably has no idea if their phone is signed in or not and may have a cell password of SeeSpotRun. I just think Apple should not REQUIRE a phone or any device to be signed in perpetually. I am currently reading a 700 page book on cybersecurity and one of the rules given is, “Log out when you’re finished”.

      • #2570369

        I don’t know what the search result you got meant by “turned on and connected to the internet”, but the lost iPhone does not have to be lying somewhere unlocked and connected to the internet.  This website gives a good description of how to use the Find My app.  You can simply log in to your iCloud account and locate your lost phone assuming you’ve activated Find My on the iPhone.  I test this once in a while using my Mac and iCloud.com to make sure it’s working. https://support.apple.com/en-us/HT210515

        iPhone 13, 2019 iMac(SSD)

        2 users thanked author for this post.
      • #2570378

        Unless that book is specifically about phone security that advice isn’t always correct.  I don’t know of anyone else who logs out of their phone.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2570370

      Apple has to be logged in as that gives them the ability to remote wipe. It can’t take over control of your device unless you are logged in.  It’s just the way remote wipe works.  In the case of your cell service SIM it’s logged in at all times to your cell service provider.  You don’t log out of your SIM.

      J9438…Susan wrote the above.  Defines “logged in”.

      iPhone 13, 2019 iMac(SSD)

      1 user thanked author for this post.
    • #2570404

      a 4-digit PIN which with a brute force attack does not seem that secure either. (And the erase after 10 attempts option might cost me all of my data if I get the phone back).

      A brute force attack is not easy:

      An iPhone will disable for 1 minute after six failed passcode attempts in a row. The seventh incorrect passcode attempt will lock you out for 5 minutes, the eighth attempt for 15, and the tenth for an hour.

      If you go past ten attempts and have still not entered the correct passcode, you’ll receive the message iPhone is Disabled; Connect to iTunes.

      What to do when your iPhone is disabled

       

      With a 4 number password a hacker with the right software such as GrayKey can crack that password in seconds to minutes.

      GrayKey (only available to government agencies, and not just software) only claims, “GrayKey can provide same-day access to the latest iOS and Android devices often in under one hour.” (So some, possibly most, take longer than minutes.)

      2 users thanked author for this post.
    • #2570669

      GrayKey can provide same-day access to the latest iOS and Android devices often in under one hour. (So some, possibly most, take longer than minutes

      Apple killed GrayKey a long time ago, as of iOS 12, by adding ‘USB Restricted Mode’.

      1 user thanked author for this post.
    • #2570737

      Apple has killed GrayKey long time ago since iOS 12 by adding ‘USB Restricted Mode’.

      USB Restricted Mode does not stop GrayKey from hacking the passcode to gain access. GrayKey can extract data, but extracted encrypted data stays encrypted (to be hacked by other hacking software). This screen shot from the current GrayKey web site shows it works with iOS 16.x and iPhones to current iPhone 14.

      GrayKey-Supported-Devices

      GrayKey (only available to government agencies, and not just software) only claims, “GrayKey can provide same-day access to the latest iOS and Android devices often in under one hour. (So some, possibly most, take longer than minutes.)

      Refer to this link for GrayKey being available only to law enforcement and that was in 2018.  Wonder how many have that code now?

      Hackers Leaked The Code Of iPhone Cracking Device “GrayKey”

      As far as cracking in seconds to minutes, I refer to the use of GrayKey against 4 digit numbers only which I read could crack a lot of codes (~20% in a few seconds with custom dictionary) and all 4 digit codes in less than an hour (aka = minutes).

      Hence my security suggestions:

      Never lose possession of your phone. Treat it like your wallet (which for many it is).
      Any personal data that you don’t want anyone to see, encrypt it before leaving it on your phone.
      In public always use touch or face ID to open the phone. Never enter your passcode where someone can see what you enter (even at a distance).

      HTH, Dana:))

      1 user thanked author for this post.
    • #2570791

      Where did you read that? Wouldn’t GrayShift claim that if true?

      The link below states :

      Taking a closer look at GrayKey, Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, says the iPhone unlocking device has the potential to crack a simple four-digit code in six and a half minutes, or 13 minutes at the longest.

      Researcher estimates GrayKey can unlock 6-digit iPhone passcode in 11 hours, here’s how to protect yourself

      And that article is from 2018.  Couldn’t find the more recent one I read about seconds to minutes with GrayKey with 4 digit codes.  Has to do with running a custom dictionary of commonly used 4 digit codes such as 1234 or 0000.  What I read stated that almost 20 % of phones with 4 digit codes use such common codes.  I’m just not sure how applicable this is as I expect the majority of iPhones use at least a 6 digit code.

      HTH, Dana:))

      1 user thanked author for this post.
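
    The passcode-length figures traded in this thread (a four-digit code in 13 minutes at the longest, six digits in roughly 11 hours) can be checked and extended with a short calculation. This is an added example, not code from any poster or from Apple or GrayShift; it assumes a constant guess rate derived from the 13-minute figure and ignores the escalating lockout delays, and the names `estimate`, `human` and `ALPHABETS` are hypothetical.

```python
from dataclasses import dataclass

# Calibration from the figure quoted in the thread: all 10,000 four-digit
# codes tried in 13 minutes at the longest. Assumed constant per attempt.
SECONDS_PER_GUESS = (13 * 60) / 10**4  # 0.078 s

# Symbols available per position for each passcode style (constructed labels).
ALPHABETS = {"digits": 10, "lowercase+digits": 36, "mixed-case+digits": 62}


@dataclass
class Estimate:
    keyspace: int           # number of possible passcodes
    average_seconds: float  # expected time: half the keyspace is searched
    worst_seconds: float    # time to try every passcode


def estimate(length, alphabet="digits", seconds_per_guess=SECONDS_PER_GUESS):
    """Exhaustive-search time for a passcode of `length` symbols."""
    if length < 1:
        raise ValueError("length must be at least 1")
    keyspace = ALPHABETS[alphabet] ** length
    worst = keyspace * seconds_per_guess
    return Estimate(keyspace, worst / 2, worst)


def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_536_000), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    cases = [(4, "digits"), (6, "digits"), (8, "digits"),
             (6, "lowercase+digits"), (8, "mixed-case+digits")]
    for length, alphabet in cases:
        e = estimate(length, alphabet)
        print(f"{length:>2} x {alphabet:<18} average {human(e.average_seconds):>16}"
              f"   worst {human(e.worst_seconds):>16}")
```

    The same per-guess rate reproduces both quoted figures, which is why each extra digit multiplies the search time by ten and why switching to an alphanumeric passcode grows it far faster than adding digits.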