System security for watchOS (2024)

Apple Watch uses many of the same hardware-based platform security capabilities that iOS uses. For example, Apple Watch:

  • Performs secure boot and secure software updates

  • Maintains operating system integrity

  • Helps protect data—both on the device and when communicating with a paired iPhone or the internet

Supported technologies include those listed in System Security (for example, KIP, SKP, and SCIP) as well as Data Protection, keychain, and network technologies.

Updating watchOS

watchOS can be configured to update overnight. For more information on how the Apple Watch passcode gets stored and used during the update, see Keybags.

Wrist detection

If wrist detection is enabled, the device locks automatically soon after it’s removed from the user’s wrist. If wrist detection is disabled, Control Center provides an option for locking Apple Watch. When Apple Watch is locked, Apple Pay can be used only by entering the passcode on the Apple Watch. Wrist detection is turned off using the Apple Watch app on iPhone. This setting can also be enforced using a mobile device management (MDM) solution.

Activation Lock

When Find My is turned on on iPhone, its paired Apple Watch can use Activation Lock. Activation Lock makes it harder for anyone to use or sell an Apple Watch that’s been lost or stolen. Activation Lock requires the user’s Apple ID and password to unpair, erase, or reactivate an Apple Watch.

Secure pairing with iPhone

Apple Watch can be paired with only one iPhone at a time. When Apple Watch is unpaired, iPhone communicates instructions to erase all content and data from the watch.

Pairing Apple Watch with iPhone is secured using an out-of-band process to exchange public keys, followed by the Bluetooth® Low Energy (BLE) link shared secret. Apple Watch displays an animated pattern, which is captured by the camera on iPhone. The pattern contains an encoded secret that’s used for BLE 4.1 out-of-band pairing. Standard BLE Passkey Entry is used as a fallback pairing method, if necessary.

After the BLE session is established and encrypted using the highest security protocol available in the Bluetooth Core Specification, iPhone and Apple Watch exchange keys using either:

  • A process adapted from Apple Identity Service (IDS) as described in the iMessage security overview.

  • A key exchange using IKEv2/IPsec. The initial key exchange is authenticated using either the Bluetooth session key (for pairing scenarios) or the IDS keys (for operating system update scenarios). Each device generates a random 256-bit Ed25519 public-private key pair, and during the initial key exchange process, the public keys are exchanged. When an Apple Watch is first paired running watchOS 10 or later, the private keys are rooted in its Secure Enclave.

    On an iPhone running iOS 17 or later, the private keys aren’t rooted in the Secure Enclave, because a user restoring their iCloud Backup to the same iPhone preserves the existing Apple Watch pairing without requiring migration.

Note: The mechanism used for key exchange and encryption varies, depending on which operating system versions are on the iPhone and Apple Watch. iPhone devices running iOS 13 or later when paired with an Apple Watch running watchOS 6 or later use only IKEv2/IPsec for key exchange and encryption.

After keys have been exchanged:

  • The Bluetooth session key is discarded and all communications between iPhone and Apple Watch are encrypted using one of the methods listed above—with the encrypted Bluetooth, Wi-Fi, and cellular links providing a secondary encryption layer.

  • (IKEv2/IPsec only) The keys are stored in the System keychain and used for authenticating future IKEv2/IPsec sessions between the devices. Further communication between these devices is encrypted and integrity protected using AES-256-GCM on iPhone devices running iOS 15 or later paired with an Apple Watch Series 4 or later running watchOS 8 or later. (ChaCha20-Poly1305 with 256-bit keys is used on older devices or devices running older operating system versions.)

The Bluetooth Low Energy device address is rotated at 15-minute intervals to reduce the risk of the device being locally tracked if someone broadcasts a persistent identifier.

To support apps that need streaming data, encryption is provided with methods described in FaceTime security, using either the Apple Identity Service (IDS) provided by the paired iPhone or a direct internet connection.

Apple Watch implements hardware-encrypted storage and class-based protection of files and keychain items. Access-controlled keybags for keychain items are also used. Keys used to communicate between Apple Watch and iPhone are also secured using class-based protection. For more information, see Keybags for Data Protection.

Auto Unlock and Apple Watch

For greater convenience when using multiple Apple devices, some devices can automatically unlock others in certain situations. Auto Unlock supports three uses:

All three use cases are built upon the same basic foundation: a mutually authenticated Station-to-Station (STS) protocol, with Long-Term Keys exchanged at time of feature enablement and unique ephemeral session keys negotiated for each request. Regardless of the underlying communication channel, the STS tunnel is negotiated directly between the Secure Enclaves in both devices, and all cryptographic material is kept within that secure domain (with the exception of Mac computers without a Secure Enclave, which terminate the STS tunnel in the kernel).

Unlocking

A complete unlock sequence can be broken down into two phases. First, the device being unlocked (the “target”) generates a cryptographic unlock secret and sends it to the device performing the unlock (the “initiator”). Later, the initiator performs the unlock using the previously generated secret.

To arm auto unlock, the devices connect to each other using a BLE connection. Then a 32-byte unlock secret randomly generated by the target device is sent to the initiator over the STS tunnel. During the next biometric or passcode unlock, the target device wraps its passcode-derived key (PDK) with the unlock secret and discards the unlock secret from its memory.

To perform the unlock, the devices initiate a new BLE connection and then use peer-to-peer Wi-Fi to securely approximate the distance between each other. If the devices are within the specified range and the required security policies are met, the initiator sends its unlock secret to the target through the STS tunnel. The target then generates a new 32-byte unlock secret and returns it to the initiator. If the current unlock secret sent by the initiator successfully decrypts the unlock record, the target device is unlocked and the PDK is rewrapped with the new unlock secret. Finally, the new unlock secret and the PDK are discarded from the target’s memory.
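The two-phase sequence above (arm, then unlock with immediate rewrap), modelled in Go as an added example; this is not Apple's code. It assumes AES-256-GCM as the wrapping primitive, which the page does not specify, and leaves out the BLE/STS transport and the Wi-Fi ranging check:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// target is the device being unlocked: between unlocks it holds neither the
// unlock secret nor the plaintext PDK, only the wrapped unlock record.
type target struct {
	nonce, record []byte // AES-256-GCM nonce and ciphertext of the PDK
}
// aead builds the wrapping cipher; AES-256-GCM is this example's assumption.
func aead(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// arm is phase one: at a passcode unlock the target wraps its PDK under a fresh
// 32-byte secret and hands that secret to the initiator, then forgets it.
func (t *target) arm(pdk []byte) []byte {
	secret, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(secret) // error ignored on purpose: modern crypto/rand panics rather than failing
	rand.Read(nonce)
	g, _ := aead(secret) // cannot fail for a 32-byte key
	t.nonce, t.record = nonce, g.Seal(nil, nonce, pdk, nil)
	return secret
}

// unlock is phase two: only the current secret opens the record. On success the
// PDK is rewrapped under a new secret (returned); the one just used is dead.
func (t *target) unlock(secret []byte) ([]byte, error) {
	if t.record == nil {
		return nil, errors.New("auto unlock not armed")
	}
	g, err := aead(secret)
	if err != nil {
		return nil, err // wrong length, not a 32-byte unlock secret
	}
	pdk, err := g.Open(nil, t.nonce, t.record, nil)
	if err != nil {
		return nil, err // GCM tag check failed: wrong or stale secret
	}
	return t.arm(pdk), nil // pdk goes out of scope here: discarded from memory
}
```

A secret that has been used once fails the tag check on the next attempt, which is what makes a captured or replayed unlock secret useless after a single unlock.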

Apple Watch Auto Unlock security policies

For added convenience, Apple Watch can be unlocked by an iPhone directly after initial startup, without requiring the user to first enter the passcode on the Apple Watch itself. To achieve this, the random unlock secret (generated during the very first unlock sequence after enablement of the feature) is used to create a long-term escrow record, which is stored in the Apple Watch keybag. The escrow record secret is stored in the iPhone keychain and used to bootstrap a new session after each Apple Watch restart.

iPhone Auto Unlock security policies

Additional security policies apply to iPhone Auto Unlock with Apple Watch. Apple Watch can’t be used in place of Face ID on iPhone for other operations, such as Apple Pay or app authorizations. When Apple Watch successfully unlocks a paired iPhone, the watch displays a notification and plays an associated haptic. If the user taps the Lock iPhone button in the notification, the watch sends the iPhone a lock command over BLE. When the iPhone receives the lock command, it locks and disables both Face ID and unlock using Apple Watch. The next iPhone unlock must be performed with the iPhone passcode.

Successfully unlocking a paired iPhone from Apple Watch (when enabled) requires that the following criteria be met:

  • iPhone must have been unlocked using another method at least once after the associated Apple Watch was placed on wrist and unlocked.

  • Sensors must be able to detect that the nose and mouth are covered.

  • Distance measured must be 2–3 meters or less.

  • Apple Watch must not be in bedtime mode.

  • Apple Watch or iPhone must have been unlocked recently, or Apple Watch must have experienced physical motion indicating that the wearer is active (for example, not asleep).

  • iPhone must have been unlocked at least once in the past 6.5 hours.

  • iPhone must be in a state where Face ID is allowed to perform a device unlock. (For more information, see Face ID, Touch ID, passcodes, and passwords.)

Approve in macOS with Apple Watch

When Auto Unlock with Apple Watch is enabled, the Apple Watch can be used in place of, or together with, Touch ID to approve authorization and authentication prompts from:

  • macOS and Apple apps that request authorization

  • Third-party apps that request authentication

  • Saved Safari passwords

  • Secure Notes

Secure use of Wi-Fi, cellular, iCloud, and Gmail

When Apple Watch isn’t within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch automatically joins Wi-Fi networks that have already been joined on the paired iPhone and whose credentials have synced to the Apple Watch while both devices were in range. This Auto-Join behavior can then be configured on a per-network basis in the Wi-Fi section of the Apple Watch Settings app. Wi-Fi networks that have never been joined before on either device can be manually joined in the Wi-Fi section of the Apple Watch Settings app.

When Apple Watch and iPhone are out of range, Apple Watch connects directly to iCloud and Gmail servers to fetch Mail, as opposed to syncing Mail data with the paired iPhone over the internet. For Gmail accounts, the user must authenticate to Google in the Mail section of the Watch app on iPhone. The OAuth token received from Google is sent over to Apple Watch in encrypted format over Apple Identity Service (IDS) so that it can be used to fetch Mail. This OAuth token is never used for connectivity with the Gmail server from the paired iPhone.

See also

  • Face ID and Touch ID security

  • Keybags for Data Protection

  • Secure features in the Notes app

  • Bluetooth security
