The Apple Watch Series 3 is the only device in our fitness wearable test that works exclusively with Apple iOS devices. It is fully integrated into the operating system, which is why its range of features is broader than that of the other devices in our test. Whether its security is equally good is what we set out to establish in our test.

Local communication

The Apple Watch Series 3 communicates with the owner’s iPhone via Bluetooth. If the iPhone is not reachable via Bluetooth, WiFi is used to synchronize with Apple’s servers and the iPhone. Throughout the test the watch’s Bluetooth interface was at no point visible to other devices. No details of the transport encryption are known: iOS apps are stored encrypted on the iPhone, so no analysis of the apps was possible, and no local communication could be captured either.

Online communication

Communication between the iPhone apps and the cloud, and between the Apple Watch and the cloud, is always TLS 1.2 encrypted and thus protected against simple man-in-the-middle attacks. No unencrypted communication could be detected.

TLS1.2 encrypted communication of the iPhone

Moreover, the iPhone’s communication was protected against our man-in-the-middle attempt by certificate pinning, even after we had installed the CA certificate used for the attack on the phone. To our knowledge there is no way to install certificates on the Apple Watch at all, so it is equally well protected.

TLS1.2 encrypted communication of the Watch

App

As mentioned above, the options for analyzing iOS apps are very limited because they are stored encrypted on the device. For this reason only a dynamic analysis was performed, and it revealed no vulnerabilities. The certificate pinning implemented in the app effectively protects against man-in-the-middle attacks, because a certificate issued by an attacker-installed CA chains to a trusted root but does not carry the pinned server key.

Failed Man-in-the-Middle Attack
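What the pinning observation in the test means in practice, shown as an added Go example that is not part of the original article and not Apple’s code: it generates throwaway certificates in memory, puts an "interception proxy" CA into the trust store exactly as our test setup did on the phone, and shows that plain chain validation then accepts a proxy-issued certificate for the API host while a pin on the genuine server key rejects it. The host name `api.example.invalid`, the CA names and all function names are assumptions for the demonstration; the pin format (SHA-256 over the SubjectPublicKeyInfo) is the one used by HPKP and common mobile pinning libraries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the base64 SHA-256 of the DER SubjectPublicKeyInfo. Pinning the key
// rather than the whole certificate survives routine certificate renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPin rejects a leaf whose key is not pinned, whichever root it chains to.
func checkPin(leaf *x509.Certificate, pins map[string]bool) error {
	if !pins[spkiPin(leaf)] {
		return fmt.Errorf("pin mismatch: key of %q is not in the pin set", leaf.Subject.CommonName)
	}
	return nil
}

// verifyPinned is ordinary path validation against the trust store plus the pin check.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	return checkPin(leaf, pins)
}

// pinnedTLSConfig wires the same check into a real client: crypto/tls validates
// the chain first, then VerifyPeerCertificate sees the validated chain's leaf.
func pinnedTLSConfig(roots *x509.CertPool, host string, pins map[string]bool) *tls.Config {
	return &tls.Config{
		RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			return checkPin(chains[0][0], pins)
		},
	}
}

// must unwraps (value, error) pairs for the fixture code below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds an in-memory certificate for name (constructed fixture, not Apple's):
// a self-signed root when parent == nil, otherwise a server leaf signed by parent.
func issue(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf for the host name
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// runScenario mirrors the article's setup: the interception proxy's CA has been
// installed on the phone, so its certificate for the API host chains to a trusted
// root just like the genuine one. Only the pin tells them apart.
func runScenario() (legitErr, mitmChainOnlyErr, mitmPinnedErr error) {
	const host = "api.example.invalid" // hypothetical host name, not an Apple endpoint
	realCA, realCAKey := issue("Real Root CA", 1, nil, nil)
	proxyCA, proxyCAKey := issue("Interception Proxy CA", 2, nil, nil)
	realLeaf, _ := issue(host, 3, realCA, realCAKey)
	proxyLeaf, _ := issue(host, 4, proxyCA, proxyCAKey)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(proxyCA)                           // what installing the proxy CA on the phone does
	pins := map[string]bool{spkiPin(realLeaf): true} // shipped inside the app at build time
	legitErr = verifyPinned(realLeaf, roots, host, pins)
	_, mitmChainOnlyErr = proxyLeaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	mitmPinnedErr = verifyPinned(proxyLeaf, roots, host, pins)
	return
}

func main() {
	legit, chainOnly, pinned := runScenario()
	fmt.Printf("genuine server: %v\nproxy cert, chain only: %v\nproxy cert, pinned: %v\n", legit, chainOnly, pinned)
}
```

The check has to be made against the leaf of the validated chain (or the raw leaf), never against the root the chain ends at; that is exactly the gap an installed CA cannot bridge. An app that ships pins should also carry a backup pin for the next server key, otherwise a key rotation locks every installed copy out of the API.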

Privacy

Apple’s privacy policy is very clear and easy to understand. Apple applies the General Data Protection Regulation (GDPR) worldwide, although it is only mandatory in Europe. For example, the data stored about a person (an account) can now be requested from anywhere in the world.

Fitness data is encrypted in local storage as well as in transit to and at rest on iCloud servers. By default, analytics information is sent to Apple to improve its devices, services and apps. This includes, for example, transaction data, approximate location history or usage duration, but, according to Apple, does not allow the individual to be identified. This collection of analytics data can be disabled in the iPhone’s privacy settings.

Third parties (e.g. other apps) can only access Health data if the user explicitly authorizes them to do so.

Conclusion

The Apple Watch Series 3 gives virtually no cause for criticism in terms of either security or privacy. It is very well protected against attacks, and the manufacturer applies the European General Data Protection Regulation worldwide. It therefore receives 3 out of 3 stars.