Safeguarding children’s devices against Screen Time removal
The Washington Post wrote recently about vulnerabilities in Apple’s Screen Time mechanism, and how children are able to circumvent some of its restrictions. Susan Li of Fox News followed up on the story, looking at methods some teens use for recovery of their parents' codes.
Kids are outsmarting an army of engineers from Cupertino, Calif., home to Apple’s headquarters in Silicon Valley. And Apple, which introduced Screen Time a year ago in response to pressure to address phone overuse by kids, has been slow to make fixes to its software that would close these loopholes. It’s causing some parents to raise questions about Apple’s commitment to safeguarding children from harmful content and smartphone addiction.
Our experience is in helping people get easier access to their own data on their Apple devices, so some of the angles the WaPo examined are outside of the areas we typically look at it. It seems like there are some weaknesses in Screen Time, particularly with regard to the mechanism the article describes to circumvent restrictions on YouTube.
Reincubate has been at the forefront of recovery and reset of lost Screen Time passcodes (and the earlier restrictions passcode setting). Our R&D led us to release passcode recovery in early 2014, and we have updated it with every subsequent iOS update.
Doesn't this let kids bypass their parents' restrictions?
Whilst removing a Screen Time passcode is easy for an adult user with their own device, it doesn’t undermine parents who set passcodes to regulate their children’s behaviour.
There are a few reasons for this.
Firstly, the technique we use on iOS 13 disables Screen Time passcodes both when Screen Time has been set up individually on a device, and when Apple’s “Share across devices” option has been set, locking down all devices on an account. However, if the child’s device has been added to “Family Sharing” as Apple recommends, the technique won't work.
Even if the child’s device has been incorrectly set up and lacks “Family Sharing”, there is another factor that prevents this technique from working for children. To remove a passcode on iOS 13, Apple’s “Find My” functionality must be temporarily disabled. This is not possible without an iCloud password, which in many cases a child would not have. Similarly, to use the technique on iOS 12, a child would need know the backup password their phone had been configured with.
Finally, Screen Time removal in our product requires a paid license, and access to a credit card. It is expected most children are not freely able to make credit card purchases unmonitored online.
Why is it important to be able to reset a lost Screen Time passcode?
Screen Time isn’t specifically for children. In fact, many users use it to monitor and shape their time with apps.
As Canadian investor Andrew Wilkinson found, Apple cannot help with a lost Screen Time passcode other than to suggest a complete reset of one’s device, potentially having to starting again with no data.
Unless Apple has changed something, there’s no way. You basically have to start the phone fresh, as crazy as that sounds. A year ago my kid entered a bad password like 40 times when screwing around and permanently locked the phone such that I couldn’t even restore it from iCloud.— Garrett Murray (@garrettmurray) September 21, 2019
With the release of macOS Catalina, the problem runs deeper: Screen Time is now integrated into Apple’s desktop products, and users who had lost passcodes on iOS and faced a minor irritation now face a greater one. The Screen Time passcode gets shared across a user’s devices, and now limits their use of their Macs.
Warning to any @Apple user. Do NOT update your Mac if you do not know your screen time passcode as it will be applied to your Mac! @AppleSupport no help! Anyone know a fix that doesn’t include wiping the whole thing?? @appleinsider @ijustine @LinusTech— Craig (@MrCraigDuncan) October 11, 2019
Our software is able to remove this passcode and lift the restrictions without a user having to reset their devices or lose any data.
How can parents ensure the Screen Time mechanism isn’t undermined by their children?
Simply put, Apple’s recommendations for regulating children’s behaviour with Screen Time are effective in ensuring Screen Time isn't removed without a parent's involvement.
Parents seeking to use Screen Time effectively should configure the child’s device with “Family Sharing” (see Apple’s guidance here). Apple provide great support and guidance for this in store, by phone, and on Twitter.
Whilst the following steps are not strictly necessary to safeguard against the removal of Screen Time restrictions, we’d recommend parents also:
Set a backup password for the child’s device that is not known to the child. These can't easily be recovered, and they prevent use of any future backup-based Screen Time exploits that may be discovered. A password like this can be set with iTunes on Windows, with Finder on macOS, or with iPhone Backup Extractor. There is no cost to using any of these options.
Use a password manager such as 1Password to securely record any passwords they set.
Periodically check the Screen Time reports on their own iPhone, iPad or Mac. Were Screen Time to be disabled on a child's device, time "time-per-app" and usage reporting would be empty.
Reincubate is a values-based business, and we’ve been helping users safeguard and recover data on their iOS devices for over a decade. If you have thoughts on how we can make our products or site better for parents, we’d love to receive your feedback in the comments below, through Twitter, or by email.