
Keeping your iPhone safe from thieves

  • Scott Gorman
  • Apr 29

We've published a guide - Keeping your iPhone safe from thieves.


Here is a quick backstory on why we created this and are now sharing it with everyone.


About two years ago a friend had his iPhone snatched in London. The detail that mattered most: it was unlocked when they took it. Within two days the thieves were inside his email, his Apple ID, his entire WhatsApp history, and took thousands from his bank account. Face ID on the apps didn't help. The bank's passcode didn't help. Once they had the device, they were able to gain access to everything.


This is now a routine London crime, and despite the recent crackdown the reality is that there were still 71,000 recorded thefts last year. What is important to understand here is that the phone itself is not the goal; the real prize is the digital life which exists behind the lock screen.


So, long story short, we created our own guide on how you can protect what’s on your phone from thieves.


TL;DR Checklist

There are 12 suggestions and we'd encourage you to work through all of them, but we know that's a lot in one sitting. The ones that matter most are highlighted below in bold.


  1. Secure your Apple ID account

  2. Block Apple ID changes using Screen Time

  3. Create a strong lock screen passcode

  4. Remove risky shortcuts from the lock screen

  5. Set up Face ID and apply it everywhere it's offered

  6. Review notification previews for sensitive apps

  7. Enable "Erase Data" after 10 failed passcode attempts

  8. Enable Attention Aware Features

  9. Remove your Express Transit card

  10. Enable Find My iPhone — properly

  11. Back up your data to iCloud

  12. Bonus tip: use Shortcuts to auto-lock the phone on suspicious activity.


Details


1. Secure your Apple ID account

Your Apple ID is the master key. If a thief gets into it, they can lock you out of your own phone, wipe your other Apple devices, drain your iCloud backups, and read everything you've ever stored.


Use a long, unique password (not one you've used elsewhere), turn on two-factor authentication, and (this is the important one) set up a recovery key. Without a recovery key, a thief who knows your phone passcode can change your Apple ID password from the device itself and lock you out forever.


2. Block Apple ID changes using Screen Time

This is the single most important setting most people have never heard of. Inside Settings > Screen Time > Content & Privacy Restrictions, you can require a separate passcode before anyone, including a thief who knows your phone PIN, can change your Apple ID password, sign you out, or start taking over the device.

This is what stops the "took the phone, locked the owner out and drained the iCloud" attack pattern in its tracks.


Important: set this Screen Time passcode to something different from your phone passcode. If they're the same, the protection is meaningless.


3. Create a strong lock screen passcode

A four-digit PIN can be guessed by someone who's been watching over your shoulder. Use a six-digit code at minimum, and ideally an alphanumeric passcode.


The Met has been clear that "shoulder surfing", where thieves quietly memorise your PIN before they grab the phone, is now a deliberate tactic.


4. Remove risky shortcuts from the lock screen

Lock screen shortcuts are handy. They're also just as handy for a thief holding a locked phone. Depending on your setup, the lock screen can expose Wallet, Control Centre, and the camera roll via Photos. Strip these back to the bare minimum. Leave on your flashlight and camera and consider removing just about everything else.


5. Set up Face ID and apply it everywhere it's offered

Face ID isn't just for unlocking the phone. Most banking, email, password manager, social and messaging apps can be set to require Face ID every time they're opened. Turn this on for every app that supports it. Even if a thief has your unlock PIN, they shouldn't be able to walk straight into your banking app.


6. Review notification previews for sensitive apps

Banking apps, email and authenticator apps can all show full notification content on the lock screen by default, including one-time passcodes. A thief watching your phone screen on a café table doesn't need to unlock it to read the SMS code from your bank.

Hide previews entirely or set them to "When Unlocked". If you have Face ID enabled you won’t even notice the difference.


7. Enable "Erase Data" after 10 failed passcode attempts

Found in Settings > Face ID & Passcode.


After ten wrong PIN attempts, the phone wipes itself. Yes, there's a small risk a determined toddler ruins your day, but the trade-off is worth it. It makes brute-forcing your passcode pointless. Also see tip 11 on backing up your data to guard against accidental data loss.


8. Enable Attention Aware Features

Tucked away in Face ID settings, this requires you to be looking at the phone for Face ID to work. Without it, someone can hold the phone up to your face while you're distracted.


9. Remove your Express Transit card

Express Transit lets you tap through the Tube without unlocking your phone.

Brilliantly convenient and just as convenient for a thief, who can use it for contactless transport and, depending on your card, contactless retail without ever needing your PIN.


Even worse is a well-publicised hack which could give a thief the ability to steal all your money without even unlocking your phone: Veritasium: I Stole $10,000 From A Locked iPhone


Just turn it off; that is our advice.


10. Enable Find My iPhone

Find My is the difference between "my phone is gone" and "my phone is gone but I can wipe it remotely from a friend's laptop in five minutes."


Make sure it's on, make sure Find My network is enabled (so the phone is locatable even when offline), and make sure Send Last Location is on.


Practice the remote-wipe flow once when you're not panicking. Knowing how to do it under stress is half the battle.

11. Back up your data to iCloud

If the worst happens and you do have to wipe the phone remotely, an up-to-date iCloud backup is what gets you back on your feet within an hour rather than a week.


Turn on iCloud Backup, check it's actually running (Settings > [your name] > iCloud > iCloud Backup > last successful backup date), and pay the few pounds a month for enough storage to cover everything that matters.


12. Bonus tip: use Shortcuts to auto-lock the phone on suspicious activity

Here's one that not many people know about.


Your phone will auto-lock after a few minutes of inactivity — but thieves know this, and they'll make sure the screen stays awake while they work. You can close that gap by using the Shortcuts app to force the phone to lock the moment a thief tries the two things they'll almost always try first.


Think about what a thief does with an unlocked phone. One, they put it into Airplane Mode to cut off the signal and block a remote wipe from Find My. Two, they open Settings to start taking over your Apple ID. Both of those actions are fingerprints of the attack in progress.


In the Shortcuts app, under Automation, set up two Personal Automations that both trigger the "Lock Screen" action:

  • When Airplane Mode is turned on > Lock Screen.

  • When the Settings app is opened > Lock Screen.


Yes, it's a minor nuisance. You'll need to unlock with Face ID every time you pop into Settings. In practice that's a second or two. The upside: if someone grabs your phone while it's unlocked, the first thing they do to take it over is now the thing that locks them out.


Notes and disclaimers


We've stuck to iPhones. We don't manage Android devices day-to-day, so we'd rather not give advice we can't stand behind.


This guide reduces your risk; it doesn't eliminate it. No set of settings can guarantee your phone or its contents will be safe if it's stolen, and you should treat the steps above as sensible precautions rather than a cast-iron defence.
