That's an anti-theft feature, intended to make the phone useless to a thief. It doesn't work very well; thieves manage to get around it somehow (not so much with Apple's version), so it ends up annoying the users more than it does deter thieves.
Apple is really really difficult about getting these unlocked. The carriers can't do it, you have to show them proof of purchase and have an enterprise support contract. With Google the carriers can just do it usually.
I managed a fleet of mobiles at work for a while, this is how I know. It often happened that colleagues returned a phone without unlocking it.
> thieves manage to get around it somehow
There are vulnerabilities. Some years ago when this was a new feature I got an Android phone to use for development for someone. I just generated a new Google account on it and promptly forgot the new email and pass.
Time to return it: surprise, it wanted the previous account to log in after a factory reset. I ended up keeping it and paying for it.
A few months later, after a weekend of googling, I found instructions on how to bypass it by using some vulnerability in the browser invoked in the initial setup, got to a browser window with an address bar, used it to download and install some APK with an older version of some system service, and used that to bypass the lockdown.
Of course, it's probably much harder than that now. But it's doable.
It is a very good thing that Apple is tough about it, given the high value of the devices, and how people carry them around in public. I very much want my devices to be useless to thieves.
It's still not clear how this requires Apple to do anything or why it should have anything to do with any cloud service.
The IMEI is burned into the phone. They should definitely make it hard to change the IMEI; but they do. If the phone is stolen then the IMEI gets reported as stolen and anyone who tries to activate the phone with a wireless carrier gets caught.
Why does Apple or Google need to inconvenience people who forget their passwords or encounter the conglomerate's bugs?
Stolen IMEIs aren't always exchanged between carriers, much less internationally.
Even if that wasn't the case, as long as there were at least a few decently-sized countries not plugged into the system, that's where the thieves would sell all their devices.
Stolen Apple devices are still usable for parts (which is why parts pairing is not always a bad thing), and you can sometimes phish the Apple ID credentials from the victim, which is why stealing those devices is still profitable enough.
> Even if that wasn't the case, as long as there were at least a few decently-sized countries not plugged into the system, that's where the thieves would sell all their devices.
It still limits the market where they can be sold, because even there the customer doesn't actually want a stolen device. What if that country starts blocking them, or they want to travel anywhere that does? They could even get arrested.
It also requires the thieves to have a network to transport them there, vs. individual petty thieves who would otherwise be selling them locally.
> Stolen Apple devices are still usable for parts (which is why parts pairing is not always a bad thing)
Parts pairing is still a scam. They could check the part against a stolen device list without refusing to pair with parts from third party OEMs or first party non-stolen parts from other regional markets.
> Stolen IMEIs aren't always exchanged between carriers, much less internationally.
Yes, these often end up in Eastern Europe where the carriers don't really care about that stuff. And most people can't pay full price for top end phones so there's much more market for this stuff.
Even on legit corporations with tens of thousands of iPhones, Apple still gives you a lot of hassle if you want to get one unlocked. Just so this won't be used as a loophole.
> and you can sometimes phish the Apple ID credentials from the victim, which is why stealing those devices is still profitable enough.
Yep, I always see "is this text legit?" posts with clear phishing URLs in iOS help groups on Facebook, posted by people who had their iPhones stolen and think it's Apple Support attempting to get it back.
IMEI blacklisting is not worldwide. The phone can still be used in other countries. Also, rogue carrier employees are selling IMEI blacklist removal as a side gig on the black market.
Isn't this the same problem either way? The enterprising criminal can take a low level job at Apple rather than a low level job at a carrier, which is presumably one of the reasons it hasn't actually worked.
And if the problem is that each country is using a different IMEI blacklist then that seems like an obvious thing to fix. There are already treaties and agreements which is how the global phone network operates to begin with, or you could have US law enforcement set up a system to submit the IMEI to each of the individual blacklists.
I trust Apple to have more intelligent audit controls on their employees than the average carrier.
And the calculation for the carrier is different. There's an inherent incentive in unblocking a phone for the carrier, as this means a billable contract. For Apple there's an inherent incentive in being known as having devices hard to unblock and thus, presumably less attractive for thieves.
> The enterprising criminal can take a low level job at Apple rather than a low level job at a carrier
To my knowledge, Apple has not had any insider compromise of activation lock.
This is why criminals try to phish the credentials from the victim instead.
Yes, and even companies that can request it (I worked for one in this role) have to provide extensive documentation.
A phone must be purchased for us (with invoice with serial no) originally, or it must have been enrolled in our corporate MDM before getting locked. And for a while they didn't even accept the latter.
So even if you are at a third party you won't get away with sneaking these through. Which is good, a bit annoying sometimes though when some of our vendors didn't provide serial number invoices. We now require it but during the first years of anti-theft lock it was a bit of an issue and caused a lot of e-waste for us, sadly.
> To my knowledge, Apple has not had any insider compromise of activation lock.
First they would have to get caught.
> This is why criminals try to phish the credentials from the victim instead.
Either method would be effective and not every criminal would have access to an insider, or they would have to pay off the insider for each device and then still prefer to phish the customer if possible to avoid paying the bribe.
I want to know whether this actually deters thieves. Anecdotally, from what I heard, it seems that phone stealing is very much still a thing in areas with active pickpocketing.
It is not as bad as it used to be... Apple phones are only good for parts, which isn't much. I'd guess pickpockets typically can't tell what kind of phone you have before they take it, and Androids, being the exploitable mishmash of stuff they usually are, often can be unlocked.
In the US I am not worried about people taking my phone even in sketchy areas. I'm sure they'd much rather have my wallet or other valuables.
Even then, Apple also binds (an increasingly larger amount of) component IDs to the motherboard, so nowadays a stolen device can't (really) be used for parts either. (The display will not authenticate and Face ID & HDR won't work, in addition to a message showing that in Settings.)
And to answer the obvious repair question -- yes, parts can be rebound to other motherboards etc., they just need iPhone Activation to pass first.
When five years ago thieves broke into my sons' class locker room, they stole all Android phones and cash but didn't bother to take iPhones. So yes it works or at least it did back then.
This isn't really consistent with the theft statistics, e.g. 68.6% of stolen phones are iPhones[1] (in the UK where they have ~44% market share). This is presumably because of higher resale value etc., but the premise that nobody cares to steal them anymore evidently hasn't panned out.
[1] https://www.loveitcoverit.com/news/changing-world/mobile-pho...
That could be because in many situations (crimes of opportunity) thieves don’t have the luxury of time to evaluate the model of a phone before they steal it. Google needs to step their shit up.
That isn't really consistent with the statistics either: If that was happening then the theft rate should approximate the penetration, but it's still higher for iPhones, implying that the thieves actually prefer them.
That makes sense if they e.g. have a higher resale value, but only if they have a higher resale value and the thieves are choosing them on purpose as a result.
I'm sorry that the reality in a locker room of a Norwegian high school is not consistent with British statistics.
Why would being in a different country change the effectiveness of the same system? The relevance of the country is that the theft rate has to be compared with the installed base for that type of phone, which is something that does vary by country.
It does because the thieves just want some cash to get a quick drug fix or whatever.
Even if they get $10 for a $1200 iPhone they are happy. And many components can still be salvaged and be worth more than that.
Yes, here in Barcelona which is pretty much pickpocket central, it's always funny to see the tourists going around with their big iPhone XL sticking way out of their back pocket.
At first I used to tell them (the way you would when someone goes around with their backpack wide open) but people were usually like 'mind your own business' so yeah. Better to let them find out the hard way then.
I get why the feature exists, but it's my humble opinion that a "brick your device" button shouldn't exist. Repeating myself, some alternatives with similar levels of antitheft while being much more pleasant for the user:
- Don't enable that kind of reset functionality if that kind of antitheft is enabled
- Warn the user about the potential bricked device, and require an additional confirmation
- Don't require a ping to Google servers when you can verify account ownership just via a matched password hash
Antitheft is fine and dandy, but the implementation is bad.