How secure is the Apple Watch?

The Apple Watch is, by Apple's own admission the most personal, most intimate device the company has ever released. It tracks health, it handles communications, it can control our homes, it can pay for our purchases. Security on the Apple Watch is something that's going to matter to everyone who uses it. The response to the sensational headline used by MarketWatch, is that they don't know. And the follow up is pure fear, uncertainty, and doubt. That's not only bad journalism, it's an actively harmful attack.

[Apple] has released little information thus far on the watch-that-knows-all's security features and told MarketWatch more information will come when the product becomes available on April 24.

The Apple Watch works in conjunction with the iPhone. WatchOS is also based on iOS. Apple has released an excellent guide to iOS security (opens in new tab). It can serve as great starting point to become familiar with basics of how Apple handles end-to-end encryption and other related technologies.

Apple has also posted an open letter on security and privacy, and an entire root-level section of the company's website - (opens in new tab), that outlines the philosophy behind it. In short, Apple's made privacy and security a front-line feature for the company's customers. Again, an important starting point for this type of discussion.

"I don't know enough about what's in there. That's the common challenge of security researchers or anyone who wants to make security decisions about Apple products," David Schwartzberg, a senior security engineer at MobileIron, a Mountainview, Calif.,-based mobile security company. "They don't release enough information."

See above.

Sensors on the watch can detect when a user takes it off his or her wrist. Upon removal, the watch will put Apple Pay on lockdown. To unlock it, you'll have to enter the passcode for Apple Pay. So unless a thief also has your arm, the moment the watch comes off, the paying system shuts off. Though in theory, what stops a criminal from threatening you for the passcode?

Deplorable "Has your arm" hyperbole aside, "in theory", what stops a criminal from threatening you for your phone's passcode? Your wallet? Your car keys? What about any of that is unique to the Apple Watch?

Researchers at FireEye, a Silicon Valley security firm, said in a February report that hackers have learned how to bypass Apple protocols to publicly release malicious applications. And last year, another security firm found that a type of malware called WireLurker could have infected hundreds of thousands of Apple devices.

If you jailbreak and visit a pirate app store and otherwise expressly override Apple's built-in protections. In other words, if you leave your car open with the keys in, in front of a chop-shop, then security isn't the problem. You are.

"If somebody's able to get a piece of malware on a device like they have with the iPhone, iPods and iPads, if this watch is doing fitness data, they could tell when you're exercising. They could tell a lot of things about you," says Brian Markus, CEO of Aries Security.

See above.

For example, someone who figures out how to hack a slew of Apple Watches could begin email marketing relevant health products (bogus or legitimate) to those consumers, targeting individuals with spam or phishing scams based on their specific needs. And a stalker could use the watch as another way to track someone's location and movements.

The bigger and more realistic danger, by near-infinite order of magnitude, is the "security" sellers who hack "reporters" into harming their readership by publishing complete and utter bull, backed up by no hard data or realistic threat assessment.

Within just a few months of the rollout, fraudsters found a way to game Apple Pay, The Wall Street Journal reported last week. Banks responded by increasing verification measures to leave less room for crooks to upload stolen card information onto Apple Pay.

Except, no. They absolutely didn't.

Apple Pay wasn't gamed at all. It was and is so secure all "fraudsters" could do was run old-fashioned social engineering attacks on banks that admitted they not only chose not to invalidate stolen card data, but authorize it for purchase.

  • Banks, retailers 'stung', Apple Pay still secure

Mobile security is lagging at a time when people carry nearly as much information on their smartphones as on their computers. Smartphones, across the board, don't by default include antivirus software, and many users don't install it onto their devices. And the Apple Watch is basically an iPhone for your wrist.

Which has among the best security in the industry. Would that MarketWatch aspired to such pride of craft.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Well written, Rene. The only things they can write are stretches of the imagination that make Apple the bad guy for user mistake.
  • The NSA will get the info, since they can hack and monitor anything digital there is, but I'm sure it will be secure against anything else. Posted with my Sony Xperia Z3 via the iMore App for Android
  • Excellent thought piece Rene. If it's not clear, I have to say that I enjoy almost all of your articles despite what some think from my comments. I think it's sad and wrong that all the Android trolls come over here to abuse you when you write something lately. As to security, I could be mistaken, but the thing that occurs to me is that the Apple Watch seems to be an eminently "steal-able" item. While it locks down Apple Pay once it's off your wrist, it doesn't have GPS does it? So it cannot be tracked on "find my iPhone" right? So definitely correct me if I'm wrong, but it seems to me that if you rip one off someone's wrist and run like crazy, it's yours isn't it? And some are worth $13,000 to $17,000?
  • Hey, some of us Android trolls like Apple products too. I owned almost every Ipod from the time of the original, and my first Smartphone was the IPhone 4. But some of us also happen to like some of what Android and Windows have to offer too, and are not blind Apple followers. Just about the only thing I've never tried is a Blackberry, so I have to get one soon. Posted with my Sony Xperia Z3 via the iMore App for Android
  • Based on your comments, you are not in the category of which Gazoobee speaks, IMO, i.e., you actually sound reasonable.
  • Indeed. I was referring to the more insistent, juvenile and insulting contingent that has recently taken to posting, en masse, on Rene's articles.
  • Non-cellular iPads are also missing GPS and so they use wifi to report their location. I expect the Apple Watch to do the same. My guess is that you will be able to use "find my iPhone" to lock it down so that when it is next connected to a device with some kind of internet (iPhone, Wifi) it will phone home a location and also shut down/do the 'Hi I'm stolen/lost' message. I also expect that a watch registered to an Apple ID will be pretty securely locked down to avoid it being reset/registered to a new ID without the current ID's password. That doesn't stop it being stolen of course, but it should remove a substantial amount of the resale value.
  • What makes you assume these things? There has been zero mention of any "lockdown" except ApplePay. I want the option to lockdown everything except time when it is off of my wrist. There's never been a mention of any passcode to access anything. I'm not saying it's impossible for them to include fantastic, innovative security but we don't know any of this for sure. Some dream of the watch unlocking their house/car/computer, there needs to be some sort of authentication before one device unlocks another. That demo of the garage door opening was slick, but anyone who puts that on their phone or watch without some sort of authentication is a rucking fetard.
    I would be perfectly comfortable with authenticating my watch after I put it on, then maintain that authentication until skin contact is lost. The level of complexity of authentication should be up to the user.
    I heard reporters mention Wi-Fi, but I don't recall Apple mentioning it (correct me if I'm wrong, I had the keynote on in the background while working). But there has certainly been zero mention from Apple that there will be a "find my watch" feature.
    Don't base your fervor on assumptions. Sent from the iMore App
  • You or concerned about someone using a stolen watch to open your garage or control your other gadgets. Your right it does not have wifi, it only has bluetooth. It is paired through bluetooth to your phone. When you tell your watch to open the grage door, the watch is actually telling your iPhone to tell the garage door to open. So if the theif steals your watch only only then they have no access. If they steal both items then you activate find my iphone for your phone, lock down your phone locks down the watch.
  • Well, that's lots of assumptions. But it will be interesting to hear what Apple says about this. Despite the two different events they've held and the web site, there still seems to be a lot of missing pieces. We'll find out the first time someone makes a grab for one of those $20,000 jobs I guess.
  • +1
  • Complete speculation here, but since the watches really need a companion iPhone to work, there may be some protection just from that. I would assume that Apple has some record of which watch is paired to which iPhone, if they do, perhaps when somebody tried to pair it with another one, some alarm could go off in Cuptertino,or if no, perhaps something you can set to trigger on your own account. It would not help you get it back, but it might dampen the resale value a bit, which in turn might decrease the attractiveness to a theif...
  • Yes correct, ripping it off your wrist it's gone most likely unless the criminal hooks up to Wifi while it's still registered to your Apple ID I imagine. But that's no different than someone ripping off your Rolex so....
  • I feel like other than some basic functions, not a whole lot is stored on the watch. Taking it from someone's wrist will kill access to  pay and getting out of wifi and Bluetooth range of your iPhone will sever everything else other than basic functions I would hope.
  • Certainly they haven't implemented such a thing, but requiring Touch ID or a passcode if pairing is tried with any phone but the original would be the only possible equivalent to find my phone. They didn't say it so I'm sure it's not so, but that would certainly stop the madness before it starts. Sent from the iMore App
  • Ridiculous security concerns notwithstanding, my big problem with the Apple watch is the Edition. And not because it starts at $10,000. It's because if you drop five figures on the gold watch, which is more than a Rolex, they have the nerve to ship it with that cheap, crap, insulting rubber band. Whoever made the decision to ship out any gold model with anything less than a nice leather band with a gold buckle is an arrogant POS. That infuriates me more than anything else related to the Apple watch.
  • I can agree with that. I have never seen a Rolex come with a rubber band. Sent from the iMore App
  • I can agree with that. I've never seen a Rolex come with a rubber band. Sent from the iMore App
  • If you think a gold Rolex cost $10k then clearly the edition watch is not for you (or a gold Rolex)
  • I never said gold Rolex. Their models start well below 10k. And you obviously chose to miss the point.
  • I think anyone who is even considering buying an Edition watch is just crazy, but I agree that if you are going to buy into the concept, the rubber band is an insult. Apple did mention previously (or someone did) that the Edition watches were supposed to come in some fancy wooden box that charges the thing for you or some such. Although you'd think Apple would have mentioned it at the event if it was still true. I must say, that as an intended buyer of the "cheap" steel Apple Watch, (which will cause me to drop about $1300-$1400), the fact that it comes in a box with a cheap charger and NOTHING ELSE, is a bit much. Every day I look at the Watch on my "Favourites" list and wonder why the f*ck I'm even spending that kind of money on a watch that performs such limited functions. So far I haven't deleted it, but I sure don't feel good about it. Apple has totally gone from, "That computer company I *admire* and buy all my products from," to "That computer company that I LOATHE (and buy all my products from)." I wish there was a company that made the kind of quality products Apple makes but that actually cared about ALL it's customers and wanted to make their lives better. I find it galling that they are selling the digital equivalent of Gucci bags now.
  • I'm in the same boat, but honestly, they haven't recently been the "everyman's" computer in terms of affordability. In 1984, maybe, but for the past decade they have focused on design, and "their vision of the future". In this case (pun!) they married technology & "fashion" to capitalize on their (some consider) fashionable status. On the other hand, if you weren't in the market for a $1000 Movado, why are you now considering a $1000 Apple Watch? Especially when the Sport has the same exact functionality of the Edition. IMO, $400 for all those features rolled into one device, it's not really a rip off. But there's the toss up: my phone already does these things. Why pay $400+ for something that can only do some of the things my phone can do? Convenience & saving time is a big selling point to me. I could sell some old stuff I don't use to cover the $400, then I'll have a new toy with more function than my Pebble, but I have no illusions that it will make me a super athlete, or grant me 3 wishes. One thing is for sure, Apple will push "smart watches" into the mainstream after others didn't. This is only the first step, don't empty your bank account on the first revision.
  • There are many very expensive Swiss watches which come with rubber bands. It's trendy now. So sorry, but you understand the expensive watch industry less than Apple I'm sure. Here are two quick examples I found in 1 minute of $5000+ watches with overpriced rubber straps:
  • Both of your examples are purposed diver's watches that can go hundreds of feet under water. This is a ridiculous example. Not to mention that both companies have dozens of different specific models for many purposes, from diving to formal wear. When you're a huge watch company, you're going to have a very large lineup with a lot of various options. And you're trying to justify a $10,000 gold smartwatch that's not even able to be submerged in water and obviously very formal, not even coming standard with a nice leather strap. Sorry that you're an Apple apologist. Oh, and if you want that $10,000 model with a simple leather strap (not a solid gold bracelet), it's another $5,000! But that's apparently fine with you, because you're an industry expert.
  • The people wih the money won't see it as an insult. If you have $10k to drop on one then $2k-$7k more for the right band is a non-issue.
  • I disagree. If you're crazy rich and want to splurge on a solid gold metal band, all the power to you. But to not even get a decent leather strap is an insult to anyone's intelligence. And to show just how arrogant Apple is being, if you want a simple leather strap, they're charging another $5,000. Nothing exotic, not a solid gold band. A basic leather strap for $5,000. It has nothing to do with being rich. It's simply outrageous on every level.
  • You may be right. We'll see. I'm far from rich but I do have a couple of friends who are extremely well off and I see how they spend money. $1000 to them is like $10 to me when it comes to the good things in life. I don't have an exact figure but one of them spent an un-Godly amount of money recently to fly himself and a couple of family members on a private plane for a hunting trip verses first class on commercial flight. Planes and watch bands are definitely trivial s#!t to this dude.
  • Well written. Thanks. Sent from the iMore App
  • Thoughtful piece. Not at all surprising that apple is everyone's favorite target. Most "news" isn't about sharing information anymore. It's about getting attention. Distorted hypothetical notions are everywhere and easily misunderstood as fact in any era of information overload. Sent from the iMore App
  • Yeah, but, will it bend? Sent from the iMore App
  • "For example, someone who figures out how to hack a slew of Apple Watches could begin email marketing relevant health products (bogus or legitimate) to those consumers, targeting individuals with spam or phishing scams based on their specific needs. And a stalker could use the watch as another way to track someone's location and movements." Are they describing Google??
  • I've been asking questions of Apple Watch's security on iMore, etc. No one else seemed very concerned. While I completely disagree with anything like that "editorial(?)" blatantly twisting words & making sh!t up, there does need to be a concern for security. Apple has done everything to hype this watch, rightfully, but Apple hasn't made much of attempt to promote the security of the device. Only the mention of authenticating ApplePay for the duration of skin contact. What about reading notifications or responding to them? Viewing Activity Statistics is trivial, but legitimate health information is yet to be seen in the watch, but it should by no means be left insecure. There has been no mention of authenticating to unlock other apps & features.
    I understand that with convenience comes some sacrifice of security, but we don't need to drop security all together. I'm not saying Apple has done this, it might be very innovative in the way it handles security, but Apple hasn't mentioned any of it. And I understand there is still time for them to make those cute little tutorials and videos, which may clear some of this air prior to going on sale.
    Personally, I would be satisfied with authenticating one time with my phone when I put the watch on, unlocking everything, until I take it off. It won't be out of my possession. Then I want everything except the time disabled. When the watch is off my wrist, I don't want someone else to be able to read my mail or messages and certainly not be able to open my garage door & view my surveillance cameras! (If someone puts a gun to my head, all precautions are useless, unless you can convince them you forgot the passcode 10 times, which erases all data, but they'll still take the hardware).
    There has also been no mention from Apple of there being a "find my watch" feature. I understand it should be possible with the known tech in the watch, and it could possibly be even better than what we currently know it to be. "Find" is a must for me. If a 3 year old $250 iPod in my pocket or bag can do it, then a brand new $400 watch on my wrist, where everyone I pass can see it, better damn well have something to locate it if lost or stolen. As well as iTunes account lockout.
    I am fully aware that million dollar "dumb" watches offer little to no security or anti-theft especially, but they also cannot access my personal information. This is supposed to be a "Smart Watch" (not Apple's words) so I expect a certain level of intelligence in this matter.
    We can HOPE there will be great security, implemented in an intelligent, innovative manner, but at this point there is not enough evidence to assume. I will not spend $400 on this if it does not meet these criteria. Sent from the iMore App
  • I did find in the little video of the settings app, there is a menu item for PassCode. No clue how it is implemented. Sent from the iMore App
  • Hopefully you can also use your fingerprint also like on the iPhone 5S and 6-6+ Sent from the iMore App
  • "has your arm" was not deplorable hyperbole - it was clearly a tongue-in-cheek way of conceding that the watch/Apple Pay's security is in fact solid on that front. The one thing that is different about a criminal threatening you for your passcode as opposed for your wallet is that, with the wallet, the criminal has your cash, and your cards, but still has to go somewhere or contact somebody to use them. If he gets your passcode, he has access both to your funds and to the means to spend at least some portion of them immediately. This is *not* something unique to the watch -- really, any mobile payment device is going to have the same issue. Apple is targeted because to date they are the only ones that have released a mobile payment system people want to use. That said, the picture marketwatch is painting here is silly, because they really did not think it through. The image of a thief strongarming me for my 6+ and its passcode to go on an amazon shopping spree with free gift shipping to his address is not going to keep me up at night, much less prevent me from using Apple Pay.
  • What's wrong with you Rene? I think there is nothing wrong with that article. The fact, there is room for improvement for apple products. That article was written with benefit the whole picture. Your thought on article was right and correct but your attitude of writing is really wrong. You will be much better writer.
  • I think it's fair to rip into authors of articles who are writing about things they don't understand and haven't taken any time to research. Extremely lazy journalism, or purposeful misinformation as click-bait. Both are despicable.
  • "And a stalker could use the watch as another way to track someone's location and movements." That's my favorite piece of FUD based misinformation. The Watch has no GPS and needs the iPhone to track locations. So how is the Watch suddenly a problem? What kind of dipshit morons are writing this stuff? Yes, you're a dipshit moron if you write about something you obviously haven't researched and know nothing of how it works. It's a shame so much of the tech writing online is aspiring to political propaganda levels of misinformation these days.
  • Not sure why you post a pic of the watch that hardly anyone will buy. Sent from the iMore App
  • Is there any quick information about a disable feature? Like when iOS 7 came out and made it a lot bigger hassle steal an iPhone, is that same feature in the Watch? Obviously it needs to be pared with the iPhone but I've heard you can leave the iPhone at home and go jogging alone with the watch, so is the entire system of the watch disabled by loosing skin contact, and not just Pay?