
   comp.sys.mac.advocacy      Steve Jobs fetishistic worship forum      120,937 messages   


   Message 119,902 of 120,937   
   Maria Sophia to All   
   Re: Why does iOS ask for your passwd eve   
   10 Jan 26 14:39:06   
   
   XPost: misc.phone.mobile.iphone   
   From: mariasophia@comprehension.com   
      
   hh wrote:   
   > I do recall a period around five years ago where there was some sort of   
   > issue with iCloud, such that users were being prompted 'frequently' for   
   > passwords on their devices.   
   >   
   > 'Twas weird & irritating, but also quite obviously an isolated incident.
   >
   > Fast-forward to today, I don't recall having to enter my iCloud password
   > on any device for at least all of last year (2025)...it's just not one of
   > the things that I bother to explicitly track...but I did find a
   > notation that I used it while setting up a new device in January 2024.
      
      
   Hi -hh,   
      
   Thanks for sharing your experience so we all benefit from each other.   
      
   The goal of this thread is to better understand how iOS actually behaves   
   with respect to reauthentication, since Apple is the only common consumer   
   operating system vendor whose devices will eventually be 'bricked' by the   
   mother ship (i.e., activation lock) even when the user never signed out.   
      
   Ask me how I know this.    
      
   My test iPad was set up normally, logged into my Apple ID once, and   
   used for a while to exercise services. After that point I refused all   
   password prompts. The device stayed online, contacted Apple servers   
   whenever it wanted, and I never entered the password again. The prompts   
   became more nagging over time, to the point that they would refuse to go away
   even after a half dozen cancels. After about two years Apple unilaterally   
   'bricked' my iPad (i.e., activation lock). It happened for two iPads and   
   I'm on the third iPad test as we speak as I use them to test iOS.   
      
   My goal is to understand how the iOS device really works.   
      
   The reason your experience may differ from others is that iOS does not use   
   a single token. It uses multiple independent tokens with different   
   expiration rules. Apple does not publish the timers, but the behavior is   
   known from developer documentation and observation.   
      
   1. When you sign into an Apple ID, the device receives several token   
      types. Examples include iCloud service tokens, App Store tokens,   
      iMessage and FaceTime registration tokens, Find My association   
      tokens, and device-based authentication tokens for iCloud Keychain
      and other services.   
      
   2. These tokens do not expire at the same time. Some expire in hours,   
      some in days, some in months. Some refresh silently when the device   
      can reach Apple servers. Others require the user to enter the Apple   
      ID password.   
      
   3. If you refuse to enter the password long enough, eventually one of   
      the critical tokens expires and cannot be silently refreshed. At   
      that point the device demands the password. If you continue to   
      refuse, the device eventually loses the ability to prove to Apple   
      that it is still authorized to be associated with the Apple ID.   
      
   4. When the device can no longer prove that association, it will enter   
      activation lock on the next reboot or major system event. This is   
      what happened to my test iPad. I never signed out, but the device   
      no longer had a valid token to prove its status.   
      
   5. This also explains why you may not see prompts. If your devices   
      refresh tokens during App Store use, iCloud sync, or other normal   
      activity, the timers never expire. That prevents the cascade that   
      leads to activation lock.   
      
   What's weird is even if you do nothing at all, iOS still contacts Apple   
   servers. This happens because several internal system events force   
   background check-ins that are not visible to the user.
      
   a. Time and certificate validation events. iOS periodically validates   
      system time, certificate trust anchors, and security policies.   
      
      When a certificate nears expiration or a trust list changes,   
      the device contacts Apple mothership tracking mainframes.   
      
   b. Push notification channel maintenance.   
      Apple Push Notification service (APNs) requires periodic
      keepalive traffic. APNs uses a persistent TLS connection from   
      the device to Apple servers. This connection is created by iOS   
      itself, not by the carrier.   
      
      When the connection drops or rotates, the device   
      reconnects automatically. The device maintains this connection by   
      sending periodic keepalive packets.   
      
      These packets go over the Internet, not through any
      carrier-specific signaling channel.
      
   c. Find My device state checks. The Find My association token is   
      validated in the background even if you never open any app.   
      
   d. iCloud account validity checks. The system performs periodic   
      account checks regardless of user activity.   
      
   e. Keybag and escrow service checks. Devices that have ever used   
      iCloud Keychain perform periodic escrow and keybag validation.   
      
   f. Backend policy changes. When Apple rotates signing keys or updates   
      backend policy, the device contacts Apple the next time it wakes or   
      enters a background refresh window.   
      
   g. Network transitions. Reconnecting to WiFi, waking from sleep, or   
      recovering from network loss often triggers background contact.   
      
   These events occur even when the user does nothing but leave the   
   device powered on and connected to the Internet. Because of this, the   
   device notices token expiration quickly. If a critical token expires   
   and cannot be refreshed without the password, the device starts   
   prompting. If the user continues to refuse, activation lock follows.   
      
   The key point is that activation lock is not triggered by signing out.   
   It is triggered when the device can no longer prove to Apple that it   
   is still authorized to be associated with the Apple ID.   
      
   No other common consumer operating system does what iOS does.   
   That's why it's important for all of us to understand how it works.   
   --   
   The purpose of this newsgroup is to better understand how iOS works.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
