June 22, 2009 1:57 PM PDT

Apple's 'Find My iPhone' works great, but thieves can easily disable

by Josh Lowensohn

Apple's Find My iPhone feature is helpful, but can be thwarted by tech-savvy thieves.


Over the weekend, LiveJournal blogger HappyWaffle (real name Kevin) posted a great story about how he purportedly used Apple's MobileMe service to track down his iPhone, which was stolen while he was at a bar. By using a laptop with a Sprint EVDO wireless data card, he and his friends figured out where it was and managed to get it back from the person who had taken it. They even used Google Translate to alert the thief (in multiple languages) that they would call the police if the device was not returned.

As good as the story is, a lot of it relies on iPhone owners having certain settings flipped on, and on the person who has the phone not knowing the right ones to turn off. For one, they can disable all of the MobileMe features by simply yanking the SIM card out or deleting the MobileMe account from the phone. They can also perform a software wipe right on the phone, which erases your data but also means you can no longer track where it is without carrier intervention.

This isn't the main thing to worry about, though. The bigger issue is that MobileMe's capability to locate your phone hinges on you having the 'Find My iPhone' setting enabled on the phone itself. This lets the device maintain a constant connection with Apple's servers to provide that neat-o, real-time tracking and instant receipt of messages you send it. With this and push messaging turned off (both are changes that can be made without any sort of MobileMe or iPhone password check), the service can no longer locate the phone.

Turning this and push messaging off can make your iPhone harder to track down if it's been stolen.


As a side effect of this, both the capability to perform a remote wipe of all your data and the capability to send whoever has your device a message can be put off indefinitely if push has been turned off. When push is off, any messages you've sent (which would normally arrive a second or two after being sent from the MobileMe site) get delivered the next time your phone does a fetch for mail from MobileMe. This means that if you've got it set to check mail manually, whoever has your phone would not be alerted with those messages until they opened up the mail application. And if you've got a pass code lock on your phone, it means they'll never arrive.

As a solution, Apple could allow users to remotely change certain phone settings, such as when the device checks for mail, or lock it down to only be able to use certain applications. Also, instead of wiping the phone entirely, it would be fantastic to enable the passcode unlock remotely. This would keep users from accessing personal data without the code.

Another key thing that needs to be changed is the way users can interact with incoming messages that are sent to the device. In Kevin's experience, he tried several times to get the thief to call a specific number by sending it in the SMS-like messages that can be sent from the MobileMe site. The problem with these, however, is that as soon as you click on the big "okay" button to dismiss them, they're gone for good. Unlike SMS messages, which get stored on the device, the only record of these comes as a carbon-copied e-mail to your MobileMe account. They also do not allow you to copy and paste text, or click on a phone number to dial it.

So do these things kill some of the utility of the Find My iPhone feature? No way. There's plenty of room to expand on them, and despite the aforementioned shortcomings, I still think it's one of the most useful features of the service, if not one of the main reasons to invest in it. It just needs a few tweaks to go beyond the all-or-nothing remote wipe solution, and outsmart tech-savvy thieves who know their way around the settings menu.

Note: Updated language on the process of wiping user data from the phone.

Josh Lowensohn writes for Webware.com, CNET's blog about Web applications and services. E-mail Josh, or follow him on Twitter at http://www.twitter.com/Josh.
by langspoon June 22, 2009 2:20 PM PDT
The passcode really doesn't protect your data at all. Apps such as PhoneView can see and download everything to your Mac without entering the passcode on the device.
by drspringfield June 22, 2009 8:21 PM PDT
langspoon:

That's incorrect. To sync your iPhone with a computer, the iPhone needs to be paired with that computer. To pair your iPhone with a new computer, you need to enter your passcode on the iPhone.
by langspoon June 23, 2009 12:30 AM PDT
So, if I understand correctly, the pairing of the iPhone with iTunes is the mechanism that PhoneView uses to communicate with the iPhone (even though iTunes does not need to be running when PhoneView is). Is there an easy way to unpair the iPhone from iTunes so that I can test this?
by drspringfield June 24, 2009 9:13 AM PDT
PhoneView uses the iPhone backups, which are stored in an easily readable form. Unless they're encrypted, in which case I'm not sure if PhoneView can access them.
by langspoon June 26, 2009 3:01 AM PDT
I tried PhoneView with encrypted backup on in iTunes and it still reads all the data. I am not sure that PhoneView does just read the backup because it requires the iPhone to be connected to work.
I would like to test whether an unpaired iPhone works with PhoneView, but cannot find how to do this - any idea?
by usarioclave1 June 22, 2009 2:22 PM PDT
"The feature only works if it's turned on."
by Josh.Lowensohn June 22, 2009 2:27 PM PDT
Yeah, but you get my point right? There should be some measure of security that keeps someone from turning it off.
by Hep Cat June 22, 2009 6:30 PM PDT
Truly, one of the more lame Apple-baiting articles I've read.

You mean, if you don't have a passcode on your phone, the thief can defeat the antitheft technology? Horrors!

Seriously can you tell me a phone that this is not true for? I'll bet if you put the phone in Airplane Mode, NO ONE will be able to find it!
by Josh.Lowensohn June 22, 2009 7:41 PM PDT
@Hep Cat, no I mean the anti-theft technology has no security features that keep people from disabling it.
by drspringfield June 22, 2009 8:22 PM PDT
@Josh.Lowensohn:

It does. It's called a Passcode.
by The_happy_switcher June 22, 2009 2:30 PM PDT
If you leave 'push' on that will drain battery faster.
by seven7dust June 22, 2009 2:45 PM PDT
which is why I'm still curious to see the results of push notifications
I wonder how they'll work out, I still haven't found any IM apps that use it BTW!
anyone using them yet?
by langspoon June 22, 2009 2:48 PM PDT
The only app I have that uses Push Notification is Truphone - it alerts when there is a VoiceMail.
by Josh.Lowensohn June 22, 2009 2:48 PM PDT
Yep. I tend to have it turned off on weekends, which I won't do now after discovering some of the phone-finding features rely on it. I just assumed the Find My iPhone feature existed separately from mail push.
by NetMage June 22, 2009 5:03 PM PDT
Considering Apple designed the Push process to save battery life, I doubt if having it on uses any more battery life than being able to receive phone calls or text messages.

Of course, if you receive a lot of push messages, just like if you receive a lot of text messages, your phone would be constantly waking to process them and that will definitely drain your battery. Just like if you average more than one email every 15 minutes, push is worse than polling every 15 minutes.
by enidesigns June 22, 2009 2:52 PM PDT
Sounds like a good feature. I'm a Blackberry man myself however, a little more tweaking on Apple's behalf and this could become a strong feature that sets the bar on security for hand held devices - which is something anyone willing to shell out several hundred dollars on a phone could surely appreciate.
by ken30307 June 22, 2009 3:02 PM PDT
Josh is right. If you have a password on your iPhone (am I the only one who has this turned on?) then they can't go into your phone to turn off the "Find My iPhone"

There's a great story on Gizmodo about someone finding their phone using MobileMe

http://bit.ly/bB1mN
by Josh.Lowensohn June 22, 2009 3:21 PM PDT
The story on Giz is actually the same one I linked to. They just got the author's permission to re-print it on their site.
by bicparker June 22, 2009 3:26 PM PDT
I travel on business quite a bit and have taken to the habit of enabling my passcode on when I get to the airport. The passcode may not be the perfect security feature (but on the other hand, there really aren't any, are there?), but it is smarter than nothing at all.

This is a new type of security feature and I suspect as it matures, it will "get better". One big plus is that it really is easy to activate. It is a great idea overall, and I suspect you will be seeing more of this type of stuff in other phones.

If nothing else, the associated "Find my iPhone" ability to send a beep with a message to my iPhone, even when the ringer is turned off, is great when I accidentally misplace it around the house.
by codynews June 22, 2009 3:36 PM PDT
Why does/should "Find My Phone" require "MobileMe"? I have no use for MobileMe and it would suck to have to pay for it just for this one function (that could easily be a Mac/Windows app).
by Josh.Lowensohn June 22, 2009 3:47 PM PDT
I think it's a nice add-on to the service, which is pretty diverse as it is. It would make more sense to make it a part of AppleCare though.
by veggiedude--2008 June 22, 2009 7:27 PM PDT
Because. Just because.
by terminalblue June 22, 2009 4:00 PM PDT
actually if AT&T would man up about phone theft then they could use triangulation to track down stolen phones on their network. By using the 911 backbone built into every phone since 2005, they can track phones down to specific blocks and even buildings or apartments. My mother had her phone stolen a few months ago but they refused to reveal its location (even though they could, we had to fill a police report and then fax it to them for "review").

The find me feature is cute, but far from revolutionary, and it doesn't add anything but a false sense of security for anyone thinking it will help anyone but the police find their phone.
by Perry_Clease June 22, 2009 4:08 PM PDT
What technology does Find My iPhone use? Because you must turn on Location Services I am assuming it uses GPS, but if that is not available can it use cell tower triangulation?
by Hep Cat June 22, 2009 6:32 PM PDT
"By using the 911 backbone built into every phone since 2005, they can track phones down to specific blocks and even buildings or apartments."

I'm sure the police will drop whatever they're doing, coordinate with ATT, and rush to the spot your stolen phone is located in order to apprehend the thief...that's what all the paramilitary hardware police squads are using is for, right? Phone thieves!
by why do i need a name? June 23, 2009 9:36 AM PDT
absolutely...

In fact, I would happily PAY ATT to tell me where the phone was ($10 for a specific phone while you're looking at it) for their trouble.

not only that, each phone has a serial number (IMEI) that ATT could use to entirely disable a stolen phone for the life of the phone, but they won't do that either. That way, there would be no value in stealing a phone because as soon as it was reported stolen the phone would never work again. (and they could even coordinate with T-Mobile and others to make this more effective) I asked them to do this 3 years ago when my son's first phone was stolen.

Apple has stolen another opportunity for the carriers to (1) offer an expanded service and (2) provide better customer service. If they would lock the phone out, send it a message that "you are stolen" and the phone OS could respond by the only thing that comes onto the display is "this is a stolen phone" they could provide a huge value to their customers. Guess it takes Apple to show them that this is valuable, now maybe they'll listen.

(Oh, BTW, ATT is not alone here, I know of no other mobile phone service provider that does this)
by invisible21 June 23, 2009 4:08 PM PDT
Even if you pay ATT, there is no way they would tell you where your stolen phone is for one huge reason. Some idiot would go after the thief themselves vigilante style and end up either committing murder/assault or being a victim of it. In this case, ATT would probably be liable for any and all damage caused in the altercation. By requiring a police report and intervention, ATT effectively moves the liability over to the police department. I think this is sound reasoning for making you jump through hoops.

The real question is how Apple can avoid this liability. I suppose there's something in the Mobile Me user agreement.
by usarioclave1 June 22, 2009 4:13 PM PDT
Restore the iPhone, and it's dead too. Not sure what you can do about that, except prevent erasure.
by sebastien.kalonji June 22, 2009 4:36 PM PDT
Apple should use the password code to be able to power off your phone. When a wrong password has been entered Find My iPhone should be activated automatically.
by mradamsettle June 23, 2009 6:21 AM PDT
that is genius. You 100% should send that feedback to apple. Instead of the wipe when the wrong password is entered too many times, the phone should activate the find my iphone feature. Not only would it save battery for push--but it's a great idea on your part. Kudos.
by jtaylor475 June 22, 2009 4:51 PM PDT
To me, if someone finds my iPhone and I'm able to keep them from using the data I'd consider myself fortunate, even if I never get the phone back. Have the phone, thieves, just don't hack into my stuff. Now removing the SIM and them installing it in another phone.... what happens then?

As for someone not sufficiently cautious and responsible enough to use a passcode on their iPhone in the first place -- they shouldn't expect Find My iPhone to help make up for their flakiness. Really. If you have valuable information on your phone, the LEAST you should do is lock it. Worrying about being able to activate a passcode remotely is just sad.
by sjschaef June 23, 2009 4:17 AM PDT
That only matters if you actually save your contacts to your SIM card (which the iPhone does not do). If they take your SIM card and you have deactivated it by calling AT&T... it is useless for making calls.
by bonesbautista June 22, 2009 5:00 PM PDT
I own an iPhone and subscribe to MobileMe - the Find My iPhone feature is great.

ATT (and a few other providers) can track the device's ESN or IMEI number - THAT's the way we should be able to track and disable our phones and wipe our data!
by Perry_Clease June 22, 2009 7:56 PM PDT
Speaking of tracking things, the Apple Inc lawsuit against Psystar is back on track:

http://www.macobserver.com/tmo/article/judge_puts_apples_case_against_psystar_back_on_track/
by Vegaman_Dan June 22, 2009 8:49 PM PDT
I'm disappointed that Apple failed to state in their promotion of the new 'find my iphone' feature that it requires you to be a subscriber of Mobileme services, and that runs an additional $99/year.

If it's a feature that you're going to promote, it should be free with the unit- not require a separate purchase of a service to make it work. At least make that clear in the promotional material. People now may feel... well, bait and switch comes to mind.
by artistjoh June 22, 2009 9:56 PM PDT
When I read news reports of the feature they didn't mention Mobile Me but when I check Apple's promotional material Mobile Me is clearly part of the deal. In fact to get all the details of the feature you have to read it on the mobile me site.

This is the iPhone features page which introduces the concept and then directs you to Mobile Me for the details:

http://www.apple.com/iphone/iphone-3g-s/

It is true that they don't put it in headline letters across the top of the feature comments but it is in a pretty blue color that stands out from the normal text.

It is not a case of Apple hiding it, rather journos and others who fail to read the information fully which is understandable when there is so much new material to examine in a short time. No switch and bait here.
by sjschaef June 23, 2009 4:15 AM PDT
Did you watch the Keynote? They made it clear that you needed mobile me.

I just purchased mobile me from Amazon for $59.99... I will try it for a year and see how I like it.
by tahaa7 June 23, 2009 4:56 AM PDT
Well, I guess Find My iPhone wasn't made to recover a stolen iPhone, only a lost one...
by peco412 June 23, 2009 5:56 AM PDT
Is there an analogous application to Find My iPhone for a WiFi-connected iPod Touch?
by langspoon June 23, 2009 12:01 PM PDT
Yes. The iPod Touch works exactly the same with MobileMe - though obviously it has to be near to some mapped Wi-Fi points for the location to be found. Irrespective of the location it can still be remote wiped etc.
by pj-mckay June 27, 2009 10:53 AM PDT
It's a great story but complete b0llox. If anyone believes this they need therapy. Thankfully few phones get stolen but if they do you've had it, and best leave it in my opinion. It's so weak it's not even worth discussing as a serious deterrent or tool; a thief can clearly disable it and move the gadget to another user with no hassle. It might come in useful if you mislay it but I doubt it. Looks to me like it's a sure fire way of tracing each other's whereabouts however. I'm not into that, and have no desire to track my other half's movements but if that's what you guys need then go with it.

A missing phone might get returned by a truly honest person; a stolen phone is gone and will just result in violence if you progress it. Leave it and claim the insurance. This tool is purely for surveillance and tracking folk; in a cowardly fashion. If this was any other company they'd be in trouble for even suggesting it as a 'tool'. Accept it as it is and I'm sure it has some merit... but not as it's being advertised in this article.
by pozzy63 July 5, 2009 8:14 PM PDT
There's a new app in the App Store that lets you perform some of the functions of Find My iPhone but doesn't require a subscription to Mobile Me.

The app's called TapTrace. Check it out.