Activating data connections securely in iOS and iPadOS
On iOS or iPadOS devices, if no data connection has been established recently, users must use Touch ID, Face ID, or a passcode to activate data connections through a Lightning, USB, or Smart Connector interface. This limits the attack surface against physically connected devices such as malicious chargers while still enabling usage of other accessories within reasonable time constraints. If more than an hour has passed since the iOS or iPadOS device has locked or since an accessory’s data connection has been terminated, the device won’t allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. These accessories are remembered for 30 days after the last time they were connected. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over Lighting, USB, and Smart Connector until the device is unlocked again. This hour period:
Ensures that frequent users of connections to a Mac or PC, to accessories, or wired to CarPlay won’t need to input their passcodes every time they attach their device
Is necessary because the accessory ecosystem doesn’t provide a cryptographically reliable way to identify accessories before establishing a data connection
In addition, if it’s been more than 3 days since a data connection has been established with an accessory, the device will disallow new data connections immediately after it locks. This is to increase protection for users that don’t often make use of such accessories. Data connections over Lightning, USB, and Smart Connector are also disabled whenever the device is in a state where it requires a passcode to reenable biometric authentication.
The user can choose to reenable always-on data connections in Settings (setting up some assistive devices does this automatically).