London's Met Police is now sharing stolen-device data with Apple, and the numbers point to a working defense: most phones snatched in recent weeks couldn't be factory reset. For developers, it's a useful look at how Activation Lock and Stolen Device Protection actually hold up against attackers in the field.
London's Metropolitan Police has gone public with a data-sharing partnership with Apple aimed at killing the resale value of stolen iPhones, and the early results are the kind of feedback loop most security teams never get to see. According to BBC News, the force began sharing stolen-handset data with Apple to build what Commissioner Sir Mark Rowley called a "global picture" of what happens to devices after they're taken, specifically whether they ever reconnect to a cellular network.
The headline figure: phone-related thefts in London fell by 14,000 between June 2025 and May 2026, an 18% year-over-year drop. In Westminster, where phones are involved in roughly 70% of personal robberies each week, thefts are down 45.8% so far this year. Rowley's framing is the part worth paying attention to as a developer. "If stolen phones cannot be reactivated, their value collapses, and so does the incentive to steal them."
What's actually doing the work on the device
The two features driving this are Activation Lock and Stolen Device Protection, and they operate at different layers.
Activation Lock has been around since iOS 7. It ties the device to the owner's Apple Account at the activation server level. When Find My is enabled, the Apple Account credentials are required before the device can be erased and reactivated. Critically, this check happens server-side during activation, not just locally, so a thief with physical possession can't simply wipe the phone and bring it back online. The hardware identifier is checked against Apple's records.
Stolen Device Protection, introduced in iOS 17.3, addresses a different threat model: the shoulder-surfer who watches you type your passcode, then grabs the phone. When the device is in an unfamiliar location, certain sensitive actions require Face ID or Touch ID with no passcode fallback, and security-critical changes like turning off Find My or changing the Apple Account password trigger a one-hour security delay followed by a second biometric check. The design assumption is that an attacker has your passcode but not your face or fingerprint.
If you're building anything with sensitive local state, this is a reasonable pattern to study. The biometric-only requirement plus the time-delayed re-authentication is a defense against the exact scenario where the primary credential is already compromised.
The factory-reset bypass, and why it mattered
The interesting technical wrinkle is what Apple was up against. Criminal markets developed illicit software to factory reset iPhones in a way that bypassed Activation Lock, letting devices be sold abroad as if they were new. This is the whole ballgame for a theft economy: a locked iPhone is worth its weight in parts, but a clean, reactivatable one carries near-retail value in secondary markets.
Rowley says Apple now believes it has "cracked" that engineering problem. The data coming out of the partnership shows that the vast majority of phones stolen in London in recent weeks were not successfully factory reset. The feedback from the police side gave Apple ground-truth telemetry on which bypass methods were working, which is exactly the signal a vendor needs to close the gap. Apple was able to block the offending software once it understood how reset attempts correlated with real network reconnections.
For cross-platform developers, the contrast with Android is instructive. Google's equivalent is Factory Reset Protection, which similarly requires the previously synced Google Account after a reset. Both platforms now converge on the same core idea: bind the device to an account at a layer the local attacker can't reach, and verify reactivation against a server. The implementation details differ, but the threat model is shared. If you ship a device-bound app, assume the platform's reactivation guarantees are part of your security perimeter and design accordingly rather than rolling your own.
Developer impact and what to check
Nothing here forces an SDK change, but a few practical points follow from it.
If your app stores credentials or sensitive tokens, lean on the Keychain with appropriate accessibility classes (kSecAttrAccessibleWhenUnlockedThisDeviceOnly and the biometric-gated kSecAccessControlBiometryCurrentSet) so that a passcode alone doesn't unlock everything. Stolen Device Protection raises the bar at the OS level, but your own secrets are only as protected as the access control flags you set.
MDM and enterprise fleets get a direct benefit here. Supervised devices can have Activation Lock managed through your MDM provider, which matters because a personal Activation Lock on a corporate device can brick it for IT after an employee leaves. Apple Business Manager and Apple School Manager let you bypass Activation Lock on devices you own, so confirm your enrollment flow captures that.
The broader takeaway is that hardware-anchored, server-verified identity is what actually moved the crime statistics, not any single client-side check. The police didn't out-engineer the thieves; the device's inability to come back online did. That's a useful reminder when you're deciding where to place a trust boundary. Local checks deter casual tampering, but the durable protections are the ones that require a resource the attacker holding the phone simply doesn't have.
Apple hasn't published technical detail on the specific reset-bypass it closed, which is sensible given the adversarial dynamics. The crime numbers will be the real measure over the next year, and with London now feeding network-reconnection data back to Cupertino, both sides finally have a way to tell whether the defenses are holding.
Comments
Please log in or register to join the discussion