watchOS system security overview
Apple Watch uses the security features and technology built for iOS and iPadOS to help protect data on the device, and to protect communication with its paired iPhone and with the Internet. This includes technologies such as Data Protection and Keychain access control. The user’s passcode is also entangled with the device UID to create encryption keys.
Pairing Apple Watch with iPhone is secured using an out-of-band (OOB) process to exchange public keys, followed by the Bluetooth Low Energy (BLE) link shared secret. Apple Watch displays an animated pattern, which is captured by the camera on iPhone. The pattern contains an encoded secret that is used for BLE 4.1 out-of-band pairing. Standard BLE Passkey Entry is used as a fallback pairing method, if necessary.
After the BLE session is established and encrypted using the highest security protocol available in Bluetooth Core Specification, Apple Watch and iPhone exchange keys using a process adapted from Apple Identity Service (IDS), as described in iMessage overview. After keys have been exchanged, the Bluetooth session key is discarded and all communications between Apple Watch and iPhone are encrypted using IDS—with the encrypted Bluetooth, Wi-Fi, and Cellular links providing a secondary encryption layer. The Low Energy Bluetooth Address is rotated at 15-minute intervals to reduce the risk of local tracking of the device using the broadcast of a persistent identifier.
To support apps that need streaming data, encryption is provided using methods described in FaceTime, utilizing either the IDS service provided by the paired iPhone or a direct Internet connection.
Apple Watch implements hardware-encrypted storage and class-based protection of files and Keychain items, as described in the Encryption and Data Protection section of this paper. Access-controlled keybags for Keychain items are also used. Keys used for communications between the watch and iPhone are also secured using class-based protection.
When Apple Watch isn’t within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch automatically joins Wi-Fi networks that have been already been joined on the paired iPhone and whose credentials have synced to the Apple Watch while both devices were in range. This Auto-Join behavior can then be configured on a per network basis in the Wi-Fi section of the Apple Watch Settings app. Wi-Fi networks that have never been joined before on either device can be manually joined in Wi-Fi section of the Apple Watch Settings app.
When Apple Watch and iPhone are out of range, Apple Watch connects directly to iCloud and Gmail servers to fetch Mail, as opposed to syncing Mail data with the paired iPhone over the Internet. For Gmail accounts, the user is required to authenticate to Google in the Mail section of the Watch app on iPhone. The OAuth token received from Google is sent over to Apple Watch in encrypted format over Apple Identity Service (IDS) so it can be used to fetch Mail. This OAuth token is never used for connectivity with the Gmail server from the paired iPhone.
If wrist detection is enabled, the device locks automatically shortly after it’s removed from the user’s wrist. If wrist detection is disabled, Control Center provides an option for locking Apple Watch. When Apple Watch is locked, Apple Pay can be used only by entering the watch’s passcode. Wrist detection is turned off using the Apple Watch app on iPhone. This setting can also be enforced using a mobile device management (MDM) solution.
The paired iPhone can also unlock the watch, provided the watch is being worn. This is accomplished by establishing a connection authenticated by the keys established during pairing. iPhone sends the key, which the watch uses to unlock its Data Protection keys. The watch passcode isn’t known to iPhone nor is it transmitted. This feature can be turned off using the Apple Watch app on iPhone.
Apple Watch can be paired with only one iPhone at a time. iPhone communicates instructions to erase all content and data from Apple Watch when unpaired.
Apple Watch can be configured for a system software update the same night. For more information on how the Apple Watch passcode gets stored and used during the update see, Keybags.
Enabling Find My on the paired iPhone also allows the use of Activation Lock on Apple Watch. Activation Lock makes it harder for anyone to use or sell an Apple Watch that has been lost or stolen. Activation Lock requires the user’s Apple ID and password to unpair, erase, or reactivate an Apple Watch.