19 September 2024

The phone theft crisis: Can our phones ever be secure?


In early January, S-RM published an article addressing a surge in client engagements involving phone theft, with a significant number of these incidents occurring in London. Nine months later, the issue has made global headlines, prompting the UK government to seek a tech summit aimed at addressing the critical question: How can this be stopped?

In this article, digital forensics experts Jordan Hare and Katarina Zotovic provide insights into the effectiveness of recent mobile phone security enhancements designed to better protect users’ data in the event of mobile phone theft, along with reflections on what more could be done to combat phone theft.

Key changes in iOS and Android security

iOS

On 22nd January, shortly after S-RM’s initial article, Apple released the iOS 17.3 update featuring “Stolen Device Protection”. This new capability leverages familiar locations and restricts certain actions if the device is not in a recognised location. Critically, passcode alone is no longer sufficient; even with your passcode, additional biometric authentication through Face ID will be required for changing critical security settings if this feature is enabled AND the device is not at a familiar location. A user can also enforce the additional authentication, regardless of location, which increases the security of the device.

Among the new features, “Security Delay” plays a pivotal role in enhancing Apple’s security efforts. It introduces an additional window of time before changes to critical security settings, including resetting a device, can be made, even with the correct passcode.

Unfortunately, a major drawback is that these features are not enabled by default. Many users may be unaware of their existence or may neglect to enable them due to a lack of engagement with device settings and regular updates. For some users who have enabled the features, issues with implementation have been reported. Users have experienced problems where the device fails to recognise familiar locations, leaving them waiting at home or at other routine locations for specific device functionality. As a result, some users are choosing to disable these features for ease of use. Is the risk of data theft worth the convenience?

More recently announced, iOS 18 introduces the ability to lock most applications, requiring Face ID or a passcode for access, adding an extra layer of security. While certain apps, like Camera, Find My, and Settings, cannot be locked, users can secure apps like the App Store, Messages, and third-party platforms. Additionally, users can now hide applications for enhanced privacy.

Android

On 15th May, Google introduced “Theft Detection Lock”, an AI-powered feature still in its early roll-out phase. It aims to auto-detect when a phone has been stolen by recognising “common motion associated with theft”. A regular practice among thieves is to take the device offline as soon as possible. The “Offline Device Lock” feature aims to counter this by automatically locking the device if it has been offline for a prolonged period. It also activates in cases of multiple failed login attempts.

As part of this update, improvements to the remote locking feature now allow users to lock their phone's screen from another device using only the device phone number and a security challenge. This is particularly useful if your device is stolen and you cannot immediately access your Google account. Additionally, like iOS, Android will now require biometric authentication (fingerprint or Face ID) to access or change “critical Google account and device settings, like changing your PIN, disabling theft protection or accessing Passkeys, from an untrusted location”. This adds an extra layer of protection, making it more difficult for unauthorised individuals to make changes often attempted after a theft.

Recently, Android released “Private Space” as part of Android 15 to allow users to create a separate, secure area on their device for sensitive apps and hidden content, protected by an additional layer of authentication. When locked, the apps in Private Space are paused and hidden from notifications, settings and other apps. Users can choose a lock method for it that is separate from the main device lock.

While promising, these features are not infallible. Unfortunately, Android faces security risks due to the fragmented nature of its ecosystem. With many different manufacturers and variations of the Android operating system, not all devices receive uniform levels of security updates or features. Even with these new features, the data on the device may be better protected, but does it truly prevent the device from being resold?

Reflections on efficacy

The steps taken by Apple and Google to bolster security are encouraging, especially in the context of protecting personal data. For casual thieves, these new security features, along with older features like iOS Activation Lock and Android’s Factory Reset Protection, present significant obstacles. These protections succeed in making it more difficult for thieves to access sensitive data or reset stolen phones in preparation for resale.

However, challenges remain for tech companies to lock down these devices completely. More experienced thieves can exploit software vulnerabilities or loopholes in these systems to bypass protections. Though the systems are designed to prevent the phone being reset for a new user without the previous owner’s credentials, the protections currently in place are not sufficient to guarantee this.

Even when the phone itself is rendered inaccessible, and therefore unable to be easily resold, thieves are finding new ways to profit from stolen phones. Instead of attempting to bypass high-tech protections, many thieves now focus on the value of the hardware. The resale market for second-hand devices and their components has grown considerably, particularly within the black market. Reselling stolen devices takes several forms, such as sales to uninformed buyers on marketplaces, sales to international customers where restrictions are fewer, and the selling of parts to repair shops or recycling companies. S-RM has seen a device move as far as China from London, and despite the remote wipe command being sent to the device, it was never brought online in the correct way to enable this feature to be effective.

Where do we go from here?

Despite the growing sophistication of security measures on iOS and Android phones, phone theft is still a serious issue that requires attention from both consumers and governments.

Current Anti-Theft features

Not all Anti-Theft features are on by default; features such as Stolen Device Protection on iOS remain an optional feature that users often only become aware of once it’s too late. User awareness is therefore critical: consumers need to understand the importance of enabling security settings and regularly updating their devices to stay protected.

Ultimately, the success of any security feature is dependent on users actively engaging with it. Governments and tech companies must educate users about features, such as Stolen Device Protection and Theft Detection Lock, as well as warning about purchasing devices from unverified sources.

Furthermore, based on what S-RM has actively observed, features such as remote wipe are easily overcome by separating the device from the network. This raises the question: is there not more that can be done to ensure a remote wipe is effective regardless of whether a device is online or offline?

Is there more that can be done to ensure a remote wipe is truly a remote wipe, regardless of whether a device is online or offline?

Existing technology allows devices to be interconnected without requiring each one to have an active internet connection or be in close proximity to one another. For instance, mesh communications enable a daisy chain effect, where only one device needs to be connected to the internet to maintain communication across the entire network. If mobile devices could retain this capability, even when powered off or in airplane mode, it would close a major gap in enabling users to more easily wipe or regain control of their devices. Unfortunately, it may also raise significant security concerns as users would not be able to fully turn off their devices unless the battery was completely drained. There is already a semblance of this concept being used, with location tracking on iOS devices, but it doesn’t allow for remote wiping and is not truly always on.

Preventing resale of stolen devices

The security measures today are primarily designed to protect users’ data, but hardware theft remains largely unaddressed, with thieves being able to easily resell the phone hardware. Records and licences should be mandated and auditable for repair shops and resellers; high-value phone parts can be serialised or digitally locked to an individual device to allow for them to be identifiable and traced back to their original device; and stricter border controls should exist to combat the international resale of stolen devices.

The challenge now posed to tech companies such as Apple and Google is to consider what more can be done to ensure phones can be permanently disabled in a manner that prevents devices being illegally resold. We considered whether there is anything that could be done to render devices permanently unusable from a hardware perspective.

Is there anything that can be done to render the device permanently unusable from a hardware perspective?

One potential approach is to make devices, and their individual components, permanently unusable. Some components, like fingerprint ID sensors, are already digitally tied to a specific device, preventing their use in another device. However, equipment exists to reprogramme these components for legitimate purposes, such as transferring a functional sensor from a donor device if the original fails. If this approach were more broadly applied, where each component was tied exclusively to a single device, the resale value of these parts would significantly decrease. However, such a solution would need to strike a balance. Permanently locking parts to a single device could drive up repair costs by limiting access to affordable replacement parts. While this could deter theft, it would also lead to a significant increase in repair expenses, affecting the affordability for consumers.

If a device is not dismantled for its components and is wiped for intended reuse, its reuse should be limited. Factory Reset Protection (Android) and Activation Lock (iOS) are designed to prevent unauthorised reuse by requiring the previous owner’s Google or iCloud password before the device can be set up for a new user. Technical methods used by thieves to bypass these protections may leave the device in a less functional state; however, the device can still retain some monetary value.

A more robust solution could involve remotely disabling the device in a way that triggers an electronic fuse, rendering the device completely inoperative. If combined with serialised, hardware-locked components, the overall monetary value might be sufficiently reduced to deter theft and misuse.

Conclusion

As phone theft continues to rise, so too must the efforts to curb it. While Apple and Google have introduced strong features to protect against theft and data breaches, these measures are not a silver bullet. Governments, tech companies, and users all play a role in making smartphones more secure and reducing the profitability of phone theft. By strengthening security, increasing transparency in the resale market, and promoting public awareness, the fight against mobile phone theft can be significantly advanced.

S-RM will be producing two pocket guides – one for Android and one for iOS – that provide essential steps to follow if your mobile phone is stolen. In the meantime, please do not hesitate to reach out to the team if you have any questions regarding the information shared here.
