System security for watchOS
Apple Watch uses many of the same hardware-based platform security capabilities to perform secure boot, secure software updates, maintain operating system integrity and help protect data on the device as well as during communication with its paired iPhone and with the internet. Supported technologies include those listed in System Security (for example, KIP and SCIP) as well as Data Protection, keychain, and network technologies.
Secure pairing with iPhone
Apple Watch can be paired with only one iPhone at a time. When Apple Watch is unpaired, iPhone communicates instructions to erase all content and data from the watch.
Pairing Apple Watch with iPhone is secured using an out-of-band process to exchange public keys, followed by the Bluetooth Low Energy (BLE) link shared secret. Apple Watch displays an animated pattern, which is captured by the camera on iPhone. The pattern contains an encoded secret that’s used for BLE 4.1 out-of-band pairing. Standard BLE Passkey Entry is used as a fallback pairing method, if necessary.
After the BLE session is established and encrypted using the highest security protocol available in the Bluetooth Core Specification, iPhone and Apple Watch exchange keys using either:
A key exchange using IKEv2/IPsec. The initial key exchange is authenticated using either the Bluetooth session key (for pairing scenarios) or the IDS keys (for operating system update scenarios). Each device generates a random public and private 256-bit Ed25519 key pair, and during the initial key exchange process, the public keys are exchanged.
The mechanism used for key exchange and encryption depends on which operating system versions are on the iPhone and Apple Watch. iPhone devices running iOS 13 or later when paired with an Apple Watch running watchOS 6 or later use only IKEv2/IPsec for key exchange and encryption.
After keys have been exchanged:
The Bluetooth session key is discarded and all communications between iPhone and Apple Watch are encrypted using one of the methods listed above—with the encrypted Bluetooth, Wi-Fi, and cellular links providing a secondary encryption layer.
(IKEv2/IPsec only) The keys are stored in the system keychain and used for authenticating future IKEv2/IPsec sessions between the devices. Further communication between these devices is encrypted and integrity protected using ChaCha20-Poly1305 (256-bit keys).
The Bluetooth Low Energy device address is rotated at 15-minute intervals to reduce the risk of local tracking of the device using the broadcast of a persistent identifier.
To support apps that need streaming data, encryption is provided using methods described in FaceTime security, using either the Apple Identity Service (IDS) provided by the paired iPhone or a direct internet connection.
Apple Watch implements hardware-encrypted storage and class-based protection of files and keychain items. Access-controlled keybags for keychain items are also used. Keys used to communicate between Apple Watch and iPhone are also secured using class-based protection. For more information, see Keybags for Data Protection.
Secure use of Wi-Fi, cellular, iCloud, and Gmail
When Apple Watch isn’t within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch automatically joins Wi-Fi networks that have been already been joined on the paired iPhone and whose credentials have synced to the Apple Watch while both devices were in range. This Auto-Join behavior can then be configured on a per-network basis in the Wi-Fi section of the Apple Watch Settings app. Wi-Fi networks that have never been joined before on either device can be manually joined in Wi-Fi section of the Apple Watch Settings app.
When Apple Watch and iPhone are out of range, Apple Watch connects directly to iCloud and Gmail servers to fetch Mail, as opposed to syncing Mail data with the paired iPhone over the internet. For Gmail accounts, the user is required to authenticate to Google in the Mail section of the Watch app on iPhone. The OAuth token received from Google is sent over to Apple Watch in encrypted format over Apple Identity Service (IDS) so it can be used to fetch Mail. This OAuth token is never used for connectivity with the Gmail server from the paired iPhone.
Locking and unlocking Apple Watch
If wrist detection is enabled, the device locks automatically shortly after it’s removed from the user’s wrist. If wrist detection is disabled, Control Center provides an option for locking Apple Watch. When Apple Watch is locked, Apple Pay can be used only by entering the watch’s passcode. Wrist detection is turned off using the Apple Watch app on iPhone. This setting can also be enforced using a mobile device management (MDM) solution.
The paired iPhone can also unlock the watch, provided the watch is being worn. This is accomplished by establishing a connection authenticated by the keys established during pairing. iPhone sends the key, which the watch uses to unlock its Data Protection keys. The watch passcode isn’t known to iPhone nor is it transmitted. This feature can be turned off using the Apple Watch app on iPhone.
Enabling Find My on the paired iPhone also allows the use of Activation Lock on Apple Watch. Activation Lock makes it harder for anyone to use or sell an Apple Watch that’s been lost or stolen. Activation Lock requires the user’s Apple ID and password to unpair, erase, or reactivate an Apple Watch.
Updating system software
Apple Watch can be configured for a system software update the same night. For more information on how the Apple Watch passcode gets stored and used during the update, see Keybags.
Auto Unlock with Apple Watch in macOS
Users with Apple Watch can use it to automatically unlock their Mac. Bluetooth Low Energy (BLE) and peer-to-peer Wi-Fi allow Apple Watch to securely unlock a Mac after ensuring proximity between the devices. This requires an iCloud account with two-factor authentication configured.
When enabling an Apple Watch to unlock a Mac, a secure link using Auto Unlock Identities is established. The Mac creates a random one-time-use unlock secret and transmits it to the Apple Watch over the link. The secret is stored on Apple Watch and can be accessed only when Apple Watch is unlocked. The unlock token isn’t the user’s password.
During an unlock operation, the Mac uses BLE to create a connection to the Apple Watch. A secure link is then established between the two devices using the shared keys used when it was first enabled. The Mac and Apple Watch then use peer-to-peer Wi-Fi and a secure key derived from the secure link to determine the distance between the two devices. If the devices are within range, the secure link is then used to transfer the preshared secret to unlock the Mac. After successful unlock, the Mac replaces the current unlock secret with a new one-time use unlock secret and transmits the new unlock secret to the Apple Watch over the link.
Approve with Apple Watch
When Auto Unlock with Apple Watch is enabled, the Apple Watch can be used in place or together with Touch ID to approve authorization and authentication prompts from:
macOS and Apple apps that request authorization
Third-party apps that request authentication
Saved Safari passwords