
System security for watchOS
Apple Watch uses many of the same hardware-based platform security capabilities that iOS and iPadOS use. For example, Apple Watch:
Performs secure boot and secure software updates
Maintains operating system integrity
Helps protect data, both on the device and when communicating with a paired iPhone or the internet
Supported technologies include those listed in System Security (for example, KIP, SKP, and SCIP) as well as Data Protection, keychain, and network technologies.
Updating watchOS
watchOS can be configured to update overnight. For more information on how the Apple Watch passcode gets stored and used during the update, see Keybags.
Wrist detection
If wrist detection is turned on, the device locks automatically soon after it’s removed from the user’s wrist. If wrist detection is turned off, Control Center provides an option for locking Apple Watch. When Apple Watch is locked, Apple Pay can be used only by entering the passcode on the Apple Watch. Wrist detection is turned off using the Watch app on iPhone. This setting can also be enforced using a device management service.
Activation Lock
When Find My is turned on for an iPhone, its paired Apple Watch can also use Activation Lock. Activation Lock makes it harder for anyone to use or sell an Apple Watch that’s been lost or stolen. Activation Lock requires the user’s Apple Account and password to unpair, erase, or reactivate an Apple Watch. For more information, see Activation Lock security.
Secure pairing with iPhone
Apple Watch can be paired with only one iPhone at a time. When Apple Watch is unpaired, iPhone communicates instructions to erase all content and settings from the watch.
Pairing Apple Watch with iPhone is secured using a secret encoded in an animated pattern displayed by Apple Watch, which is captured by the camera on iPhone. A six-digit PIN is also available as a fallback pairing method, if necessary. The way the secret or the PIN is used depends on which operating system version is running on the Apple Watch and iPhone.
When an Apple Watch with watchOS 26 or later is paired to an iPhone with iOS 26 or later, pairing is performed by exchanging keys over a secure IKEv2 connection. This connection is authenticated either with standard PSK authentication, using the secret encoded in the animated pattern, or with a connection-specific secret derived from the PIN using SPAKE2+. ML-KEM-1024 is used to provide quantum security in addition to the security provided by elliptic-curve Diffie-Hellman.
After the connection is established, each device generates random Ed25519 public-private key pairs, and the public keys are exchanged. The private keys are rooted in the Secure Enclave on Apple Watch. This isn’t possible on iPhone because a user restoring their iCloud Backup to the same iPhone preserves the existing Apple Watch pairing without requiring migration. Each device also generates and exchanges secrets for BLE 4.1 out-of-band pairing.
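As an added illustration (not Apple's code or protocol), the following Go program models the hybrid, PSK-authenticated exchange described above: X25519 stands in for the elliptic-curve Diffie-Hellman, crypto/mlkem provides ML-KEM-1024, and a constructed string stands in for the secret from the animated pattern, keying the derivation so that a peer without it ends up with a different session key. It assumes Go 1.24 or later for crypto/mlkem; the SPAKE2+ PIN path and the Ed25519 identity keys are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey mixes the X25519 and ML-KEM-1024 shared secrets with the pairing
// secret (PSK) over the transcript. HMAC-SHA256 keyed by the PSK stands in for
// IKEv2's PRF: a peer that never saw the animated pattern derives a different key.
func deriveKey(psk, ecdhSS, kemSS, transcript []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(ecdhSS)
	m.Write(kemSS)
	m.Write(transcript)
	return m.Sum(nil)
}

// HybridPair runs one exchange and returns the key each side derived.
func HybridPair(watchPSK, phonePSK []byte) ([]byte, []byte, error) {
	watchDH, e1 := ecdh.X25519().GenerateKey(rand.Reader)
	phoneDH, e2 := ecdh.X25519().GenerateKey(rand.Reader)
	watchKEM, e3 := mlkem.GenerateKey1024() // the watch holds the decapsulation key
	if err := errors.Join(e1, e2, e3); err != nil {
		return nil, nil, err
	}
	kemPub := watchKEM.EncapsulationKey()
	kemSSPhone, ct := kemPub.Encapsulate() // phone: fresh KEM secret + ciphertext for the watch
	transcript := bytes.Join([][]byte{watchDH.PublicKey().Bytes(), // every public value
		phoneDH.PublicKey().Bytes(), kemPub.Bytes(), ct}, nil) // exchanged is bound in
	kemSSWatch, e4 := watchKEM.Decapsulate(ct)
	ecdhSSWatch, e5 := watchDH.ECDH(phoneDH.PublicKey())
	ecdhSSPhone, e6 := phoneDH.ECDH(watchDH.PublicKey())
	if err := errors.Join(e4, e5, e6); err != nil {
		return nil, nil, err
	}
	return deriveKey(watchPSK, ecdhSSWatch, kemSSWatch, transcript),
		deriveKey(phonePSK, ecdhSSPhone, kemSSPhone, transcript), nil
}

func main() {
	// "constructed-pattern-secret" is a made-up stand-in for the animated-pattern secret.
	a, b, err := HybridPair([]byte("constructed-pattern-secret"), []byte("constructed-pattern-secret"))
	fmt.Println("keys match:", err == nil && hmac.Equal(a, b))
}
```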
When Apple Watch and iPhone are running older software versions, the secret encoded in the animated pattern is used for BLE 4.1 out-of-band pairing, and the six-digit PIN is used for standard BLE Passkey Entry pairing. After the BLE session is established and encrypted using the highest security protocol available in the Bluetooth Core Specification, iPhone and Apple Watch exchange keys using either:
A process adapted from Apple Identity Service (IDS) as described in the iMessage security overview.
A key exchange using IKEv2/IPsec. The initial key exchange is authenticated using either the Bluetooth session key (for pairing scenarios) or the IDS keys (for operating system update scenarios). Each device generates an Ed25519 public-private key pair, and during the initial key exchange process, the public keys are exchanged. When an Apple Watch with watchOS 10 or later is first paired, the private keys are rooted in its Secure Enclave.
On an iPhone with iOS 17 or later, the private keys aren’t rooted in the Secure Enclave, because a user restoring their iCloud Backup to the same iPhone preserves the existing Apple Watch pairing without requiring migration.
Note: The mechanism used for key exchange and encryption varies, depending on which operating system versions are on the iPhone and Apple Watch. An iPhone with iOS 13 or later paired with an Apple Watch with watchOS 6 or later uses only IKEv2/IPsec for key exchange and encryption.
After keys have been exchanged:
The Bluetooth session key is discarded and all communications between iPhone and Apple Watch are encrypted using one of the methods listed above—with the encrypted Bluetooth, Wi-Fi, and cellular links providing a secondary encryption layer.
The BLE device address is also rotated at 15-minute intervals to reduce the risk of the device being locally tracked if someone broadcasts a persistent identifier.
(IKEv2/IPsec only) The keys are stored in the System keychain and used for authenticating future IKEv2/IPsec sessions between the devices. Encryption between devices depends on the hardware and operating systems:
An iPhone with iOS 26 or later paired with an Apple Watch with watchOS 26 or later utilizes ML-KEM-768 for quantum security in addition to the security provided by elliptic-curve Diffie-Hellman.
An iPhone with iOS 15 or later paired with an Apple Watch Series 4 or later with watchOS 8 or later is encrypted and integrity protected using AES-256-GCM.
Older devices, or devices with older operating system versions, use ChaCha20-Poly1305 with 256-bit keys.
To support apps that need streaming data, encryption is provided with methods described in FaceTime security, using either the Apple Identity Service (IDS) provided by the paired iPhone or a direct internet connection.
Apple Watch implements hardware-encrypted storage and class-based protection of files and keychain items. Access-controlled keybags for keychain items are also used. Keys used to communicate between Apple Watch and iPhone are also secured using class-based protection. For more information, see Keybags for Data Protection.
Approve in macOS with Apple Watch
When Auto Unlock with Apple Watch is enabled, Apple Watch can be used in place of, or together with, Touch ID to approve authorization and authentication prompts from:
macOS and Apple apps that request authorization
Third-party apps that request authentication
Saved Safari passwords
Secure Notes
Secure use of Wi-Fi, cellular, iCloud, and Gmail
When Apple Watch isn’t within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch automatically joins Wi-Fi networks that have already been joined on the paired iPhone and whose credentials have synced to the Apple Watch while both devices were in range. This Auto-Join behavior can then be configured on a per-network basis in the Wi-Fi section of the Apple Watch Settings app. Wi-Fi networks that have never been joined before on either device can be manually joined in the Wi-Fi section of the Apple Watch Settings app.
When Apple Watch and iPhone are out of range, Apple Watch connects directly to iCloud and Gmail servers to fetch mail, as opposed to syncing mail data with the paired iPhone over the internet. For Gmail accounts, the user must authenticate to Google in the Mail section of the Watch app on iPhone. The OAuth token received from Google is sent over to Apple Watch in encrypted format over Apple Identity Service (IDS) so that it can be used to fetch mail. This OAuth token is never used for connectivity with the Gmail server from the paired iPhone.