Two questions:

1. surely unconditionally rebooting locked iPhones every 3 days would cause issues in certain legit use cases?

2. If I read the article correctly, it reboots to re-enter "Before First Unlock" state for security. Why can't it just go into this state without rebooting?

Bonus question: my Android phone would ask for my passcode (can't unlock with fingerprint or face) if it thinks it might be left unattended (a few hours without moving etc.), just like after rebooting. Is it different from "Before First Unlock" state? (I understand Android's "Before First Unlock" state could be fundamentally different from iPhone's to begin with).

To me the biggest takeaway is that Apple is sufficiently paranoid to add this feature. Some people (like John Gruber) advocate for activating bio lockout at the border by squeezing the volume and power buttons. I would say if you’re the type of person who would do this, you should go one step further and power off.

Similarly, if you’re in a situation where you cannot guarantee your phone’s security because it’s leaving your possession, and you’re sufficiently worried, again, power off fully.

>In the After First Unlock (AFU) state, user data is decrypted

Note that this is a slight simplification because, I assume, the reality is irrelevant to understanding the topic:

There are a few different keys [0] that can be chosen at this level of the encryption pipeline. The default one makes data available after first unlock, as described. But, as the developer, you can choose a key that, for example, makes your app's data unavailable any time the device is locked. Apple uses that one for the user's health data, and maybe other extra-sensitive stuff.

[0]: https://support.apple.com/guide/security/data-protection-cla...

I had to look up what SRD meant. It's a Security Research Device - "a specially fused iPhone that allows you to perform iOS security research without having to bypass its security features."

https://security.apple.com/research-device/

Great writeup, but I wonder why so much emphasis is put on not 'connected to network' part. It seems like a timed inactivity reboot is a simpler idea than any type of inter-device communication schemes. It's not new either; Grapheneos had this for a while now and the default is 18 hours (and you can set it to 10 minutes) which would be a lot more effective as a countermeasure against data exfiltration tools.