This post will discuss the security and privacy implications of Find My iPhone. This feature has some excellent benefits, but there are also some concerns around its use.
FIND MY iPHONE SECURITY
Settings//iCloud//Find My iPhone: Find My iPhone is Apple’s OEM lost-device app and is probably the most capable and thorough option available. The app does not need to be installed on your phone to work, but it does need to be enabled in your settings and requires that you have an iCloud account. In Find My iPhone, enable both sliders: Find My iPhone and Send Last Location. Send Last Location will send geo-coordinates for your phone’s last known location before the battery dies. Find My iPhone is a somewhat more robust solution.
When your device is lost, you must log into your iCloud account. Once logged in you will select “Find My iPhone” from the menu; this will immediately pull up your device’s last known location on a map. If the device still has battery power and cellular or Wi-Fi connectivity you can track it in near-real time. The level of accuracy will depend on the device’s signal and the interfaces that are available (i.e. cellular and Wi-Fi vs. cellular only). Sometimes this can be incredibly accurate and sometimes it can be off by a hundred meters or more. Generally I have found Find My iPhone to be extremely accurate.
Clicking on the device’s icon will open a new menu allowing you to perform several tasks. First, you can have the device play a sound. If you are near the device this can help you locate it. You can place the device in “Lost Mode”, or erase the entire device.
WARNING: FIND MY IPHONE AND TWO-FACTOR AUTHENTICATION
Because Find My iPhone is used on the assumption that your mobile device has been lost or stolen, it is also assumed that you do not have access to the device to retrieve your two-factor token. Even if your iCloud account is protected with two-factor authentication, Find My iPhone is not. An attacker who gains access to Find My iPhone can track your location or wipe the device. Carefully weigh the risks and benefits of this feature against your threat model.
Lost Mode does several things. First, it allows you to lock the device with a passcode if it was not locked when you lost it. It also requires a passcode, rather than Touch ID, to unlock the device. Next, this mode allows you to display a custom message on the phone’s screen. For example, you may wish to enter a message indicating that the device is lost and giving a contact number or email address at which you may be reached. If you choose to enter a contact number, the finder of the device can call that number from the lock screen, but will have no additional access to the rest of the phone’s data.
The biggest benefit of using Find My iPhone rather than a third-party application is that it may be used to remotely wipe your device. If you choose to use this option, all of the information on your phone will be deleted. Because the data on the device is fully encrypted, it will be unrecoverable once deleted, giving you the peace of mind that even though your handset is lost, your data will not be accessed.
Find My iPhone also includes what Apple calls “Activation Lock”, which provides some additional protections. When you enable Find My iPhone on your device, it is automatically placed in Activation Lock status. Your Apple ID and password are required to turn off Find My iPhone, restore the phone to factory defaults, erase the device, or reactivate and use it. This makes the theft of an iOS device far less attractive to thieves.
If your phone is offline when it is lost (meaning it does not have a cellular data or Wi-Fi connection), any changes you make, including Lost Mode, Erase Data, and Passcode Lock, will not take effect until the device connects to a network. If you do not have a passcode on your device, it may be too late at that point. Additionally, if Find My iPhone is not enabled on your device when it is lost, there is no other service that can be retroactively turned on to track the device.
Because an attacker can potentially erase your iOS devices and Mac computers through this service, it is important to protect your iCloud account. You should use an unpredictable username, a strong password, and perhaps most importantly, two-factor authentication.