
System security for watchOS
Apple Watch uses many of the same hardware-based platform security capabilities that iOS and iPadOS use. For example, Apple Watch:
Performs secure boot and secure software updates
Maintains operating system integrity
Helps protect data, both on the device and when communicating with a paired iPhone or the internet
Supported technologies include those listed in System Security (for example, KIP, SKP, and SCIP) as well as Data Protection, keychain, and network technologies.
Updating watchOS
watchOS can be configured to update overnight. For more information on how the Apple Watch passcode gets stored and used during the update, see Keybags.
Wrist detection
If wrist detection is turned on, the device locks automatically soon after it’s removed from the user’s wrist. If wrist detection is turned off, Control Center provides an option for locking Apple Watch. When Apple Watch is locked, Apple Pay can be used only by entering the passcode on the Apple Watch. Wrist detection is turned off using the Watch app on iPhone. This setting can also be enforced using a device management service.
Activation Lock
When Find My is turned on for an iPhone, its paired Apple Watch can also use Activation Lock. Activation Lock makes it harder for anyone to use or sell an Apple Watch that’s been lost or stolen. Activation Lock requires the user’s Apple Account and password to unpair, erase, or reactivate an Apple Watch. For more information, see Activation Lock security.
Secure pairing with iPhone
Apple Watch can be paired with only one iPhone at a time. When Apple Watch is unpaired, iPhone communicates instructions to erase all content and settings from the watch.
Pairing Apple Watch with iPhone is secured using a secret encoded in an animated pattern displayed by Apple Watch, which is captured by the camera on iPhone. A six-digit PIN is also available as a fallback pairing method, if necessary. The way the secret or the PIN is used depends on which operating system version is running on the Apple Watch and iPhone.
When Apple Watch with watchOS 26 or later is paired to iPhone with iOS 26 or later, pairing is performed by exchanging keys over a secure IKEv2 connection. This connection is authenticated either using standard PSK authentication with the secret encoded in the animated pattern or using a connection-specific secret derived from the PIN with SPAKE2+. ML-KEM-1024 is used to provide quantum security in addition to the security provided by elliptic-curve Diffie-Hellman.
After the connection is established, each device generates random Ed25519 public-private key pairs, and the public keys are exchanged. The private keys are rooted in the Secure Enclave on Apple Watch. This isn’t possible on iPhone because a user restoring their iCloud Backup to the same iPhone preserves the existing Apple Watch pairing without requiring migration. Each device also generates and exchanges secrets for BLE 4.1 out-of-band pairing.
When Apple Watch and iPhone are running older software versions, the secret encoded in the animated pattern is used for BLE 4.1 out-of-band pairing, and the six-digit PIN is used for standard BLE Passkey Entry pairing. After the BLE session is established and encrypted using the highest security protocol available in the Bluetooth Core Specification, iPhone and Apple Watch exchange keys using either:
A process adapted from Apple Identity Service (IDS) as described in the iMessage security overview.
A key exchange using IKEv2/IPSec. The initial key exchange is authenticated using either the Bluetooth session key (for pairing scenarios) or the IDS keys (for operating system update scenarios). Each device generates an Ed25519 public-private key pair, and during the initial key exchange process, the public keys are exchanged. When an Apple Watch with watchOS 10 or later is first paired, the private keys are rooted in its Secure Enclave.
On an iPhone with iOS 17 or later, the private keys aren’t rooted in the Secure Enclave, because a user restoring their iCloud Backup to the same iPhone preserves the existing Apple Watch pairing without requiring migration.
Note: The mechanism used for key exchange and encryption varies, depending on which operating system versions are on the iPhone and Apple Watch. An iPhone with iOS 13 or later, when paired with an Apple Watch with watchOS 6 or later, uses only IKEv2/IPSec for key exchange and encryption.
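The hybrid key agreement described above (elliptic-curve Diffie-Hellman plus ML-KEM-1024, with the derived key binding both) can be illustrated with an added Go example. This is not Apple's code and does not reproduce its IKEv2 implementation: the two-message structure, the field names, and the HMAC-SHA256 combiner with a fixed label are assumptions made for the example. It uses only the Go standard library (`crypto/ecdh` and `crypto/mlkem`, the latter available from Go 1.24). The responder is modelled as the watch and the initiator as the phone; tampering with the ML-KEM ciphertext yields a key that no longer agrees, which is the property a defender relies on.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hybridLabel domain-separates the derived session key. Constructed for this
// example; a real protocol would bind the full handshake transcript instead.
var hybridLabel = []byte("example-hybrid-key-agreement-v1")

// Responder is the side that publishes its public material first (the watch).
type Responder struct {
	ecdhPriv *ecdh.PrivateKey
	kemDK    *mlkem.DecapsulationKey1024
}

// ResponderPublic is the responder's first message (assumed structure).
type ResponderPublic struct {
	ECDHPub []byte // X25519 public key, 32 bytes
	KEMEK   []byte // ML-KEM-1024 encapsulation key
}

// InitiatorMessage is the initiator's reply (assumed structure): its X25519
// public key and the ML-KEM-1024 ciphertext encapsulated to the responder.
type InitiatorMessage struct {
	ECDHPub       []byte
	KEMCiphertext []byte
}

// NewResponder generates fresh X25519 and ML-KEM-1024 key pairs.
func NewResponder() (*Responder, *ResponderPublic, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, nil, err
	}
	r := &Responder{ecdhPriv: ecdhPriv, kemDK: dk}
	pub := &ResponderPublic{
		ECDHPub: ecdhPriv.PublicKey().Bytes(),
		KEMEK:   dk.EncapsulationKey().Bytes(),
	}
	return r, pub, nil
}

// deriveSessionKey binds both shared secrets: if either component is wrong,
// the resulting key is different. HMAC-SHA256 keyed by a label stands in for
// a full KDF here (assumption for the example).
func deriveSessionKey(ecdhSecret, kemSecret []byte) []byte {
	mac := hmac.New(sha256.New, hybridLabel)
	mac.Write(ecdhSecret)
	mac.Write(kemSecret)
	return mac.Sum(nil)
}

// InitiatorHandshake (the phone) performs X25519 with the responder's public
// key, encapsulates to its ML-KEM key, and derives the hybrid session key.
func InitiatorHandshake(peer *ResponderPublic) (*InitiatorMessage, []byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	peerECDH, err := ecdh.X25519().NewPublicKey(peer.ECDHPub)
	if err != nil {
		return nil, nil, err
	}
	ecdhSecret, err := priv.ECDH(peerECDH)
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey1024(peer.KEMEK)
	if err != nil {
		return nil, nil, err
	}
	kemSecret, ciphertext := ek.Encapsulate()
	msg := &InitiatorMessage{ECDHPub: priv.PublicKey().Bytes(), KEMCiphertext: ciphertext}
	return msg, deriveSessionKey(ecdhSecret, kemSecret), nil
}

// Finish (the watch) completes the exchange: X25519 with the initiator's
// public key plus ML-KEM decapsulation of the received ciphertext.
func (r *Responder) Finish(msg *InitiatorMessage) ([]byte, error) {
	peerECDH, err := ecdh.X25519().NewPublicKey(msg.ECDHPub)
	if err != nil {
		return nil, err
	}
	ecdhSecret, err := r.ecdhPriv.ECDH(peerECDH)
	if err != nil {
		return nil, err
	}
	kemSecret, err := r.kemDK.Decapsulate(msg.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(ecdhSecret, kemSecret), nil
}

func main() {
	watch, watchPub, err := NewResponder()
	if err != nil {
		panic(err)
	}
	msg, phoneKey, err := InitiatorHandshake(watchPub)
	if err != nil {
		panic(err)
	}
	watchKey, err := watch.Finish(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("phone session key:", hex.EncodeToString(phoneKey))
	fmt.Println("watch session key:", hex.EncodeToString(watchKey))
	fmt.Println("keys agree:", hmac.Equal(phoneKey, watchKey))
}
```

The design point is in `deriveSessionKey`: the session key depends on both the classical and the post-quantum secret, so an attacker who could break one of the two would still not obtain the key. Authentication of the exchange (PSK from the animated pattern, or SPAKE2+ from the PIN, as the text describes) is a separate step that this example does not implement.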
After keys have been exchanged:
The Bluetooth session key is discarded and all communications between iPhone and Apple Watch are encrypted using one of the methods listed above—with the encrypted Bluetooth, Wi-Fi, and cellular links providing a secondary encryption layer.
The BLE device address is also rotated at 15-minute intervals to reduce the risk of the device being locally tracked if someone broadcasts a persistent identifier.
(IKEv2/IPsec only) The keys are stored in the System keychain and used for authenticating future IKEv2/IPsec sessions between the devices. Encryption between devices depends on the hardware and operating systems:
An iPhone with iOS 26 or later paired with an Apple Watch with watchOS 26 or later uses ML-KEM-768 for quantum security in addition to the security provided by elliptic-curve Diffie-Hellman.
An iPhone with iOS 15 or later paired with an Apple Watch Series 4 or later with watchOS 8 or later is encrypted and integrity protected using AES-256-GCM.
Older devices or devices with older operating system versions use ChaCha20-Poly1305 with 256-bit keys.
To support apps that need streaming data, encryption is provided with methods described in FaceTime security, using either the Apple Identity Service (IDS) provided by the paired iPhone or a direct internet connection.
Apple Watch implements hardware-encrypted storage and class-based protection of files and keychain items. Access-controlled keybags for keychain items are also used. Keys used to communicate between Apple Watch and iPhone are also secured using class-based protection. For more information, see Keybags for Data Protection.
Approve in macOS with Apple Watch
When Auto Unlock with Apple Watch is enabled, the Apple Watch can be used in place of, or together with, Touch ID to approve authorization and authentication prompts from:
macOS and Apple apps that request authorization
Third-party apps that request authentication
Saved Safari passwords
Secure Notes
Secure use of Wi-Fi, cellular, iCloud, and Gmail
When Apple Watch isn’t within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch automatically joins Wi-Fi networks that have already been joined on the paired iPhone and whose credentials have synced to the Apple Watch while both devices were in range. This Auto-Join behavior can then be configured on a per-network basis in the Wi-Fi section of the Apple Watch Settings app. Wi-Fi networks that have never been joined before on either device can be manually joined in the Wi-Fi section of the Apple Watch Settings app.
When Apple Watch and iPhone are out of range, Apple Watch connects directly to iCloud and Gmail servers to fetch mail, as opposed to syncing mail data with the paired iPhone over the internet. For Gmail accounts, the user must authenticate to Google in the Mail section of the Watch app on iPhone. The OAuth token received from Google is sent over to Apple Watch in encrypted format over Apple Identity Service (IDS) so that it can be used to fetch mail. This OAuth token is never used for connectivity with the Gmail server from the paired iPhone.