The Apple Watch Series 3 is the only device in our fitness wearable test that is compatible only with Apple iOS devices. It enjoys complete operating system integration, which is why its range of features is greater than that of the other devices in our test. Our test shows whether security is also guaranteed.
The Apple Watch Series 3 communicates via Bluetooth with the owner's iPhone. If the iPhone is not reachable via Bluetooth, WiFi is used for synchronization with Apple servers and the iPhone. The Bluetooth communication was at all times invisible to other devices. No details are known about the transmission encryption used: iOS apps are stored encrypted on the iPhone, so no analysis of the apps was possible. Furthermore, no local communication could be recorded.
Communication between the iPhone apps and the cloud, and between the Apple Watch and the cloud, is always encrypted with TLS 1.2 and thus protected against simple man-in-the-middle attacks. Unencrypted communication could not be detected.
Furthermore, the communication of the iPhone was protected against the attempted man-in-the-middle attack by certificate pinning, even after we installed the corresponding CA certificate. To our knowledge, there is no way to install certificates on the Apple Watch, so it is also very well protected.
[Figure: TLS 1.2 encrypted communication of the Watch]
As already mentioned above, the possibilities of analyzing Apple iOS apps are very limited due to the encrypted storage on the device. For this reason, only a dynamic analysis was performed in which no vulnerabilities were revealed. The implemented certificate pinning effectively protects against man-in-the-middle attacks.
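The following added example (not part of the original test report and not Apple's code) models why installing the interception proxy's CA certificate did not defeat the pinning described above. It assumes SHA-256 pinning of the SubjectPublicKeyInfo, which the report does not specify; all names and key bytes are constructed placeholders, and signature verification is reduced to issuer/subject matching.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo blob (a common pin format)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chains_to_trusted_root(chain, trust_store):
    """Simplified system validation: each certificate must name the next one as
    issuer, and the last issuer must be a trusted root. No signature checks."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
    return bool(chain) and chain[-1]["issuer"] in trust_store

def evaluate(chain, trust_store, pins):
    """Client decision for one handshake; pins=None models an app without pinning."""
    if not chains_to_trusted_root(chain, trust_store):
        return "reject: untrusted chain"
    if pins is not None and not any(spki_pin(c["spki"]) in pins for c in chain):
        return "reject: pin mismatch"
    return "accept"

# Constructed sample data: hypothetical names, placeholder key bytes.
VENDOR_ROOT, PROXY_ROOT = "Vendor Root CA", "Test Proxy CA"
genuine_chain = [
    {"subject": "api.example.test", "issuer": "Vendor Issuing CA", "spki": b"leaf-key"},
    {"subject": "Vendor Issuing CA", "issuer": VENDOR_ROOT, "spki": b"issuing-ca-key"},
]
proxy_chain = [
    {"subject": "api.example.test", "issuer": PROXY_ROOT, "spki": b"proxy-leaf-key"},
]
PINS = {spki_pin(b"issuing-ca-key")}             # pin shipped inside the app
stock_store = {VENDOR_ROOT}                      # factory trust store
store_with_proxy_ca = {VENDOR_ROOT, PROXY_ROOT}  # tester installed the proxy CA

def results():
    return {
        "genuine server": evaluate(genuine_chain, stock_store, PINS),
        "proxy, CA not installed": evaluate(proxy_chain, stock_store, PINS),
        "proxy, CA installed": evaluate(proxy_chain, store_with_proxy_ca, PINS),
        "proxy, CA installed, no pinning": evaluate(proxy_chain, store_with_proxy_ca, None),
    }

if __name__ == "__main__":
    for case, decision in results().items():
        print(f"{case}: {decision}")
```

The last case shows what the installed CA would have achieved against an app that relies on the system trust store alone.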
Fitness data is encrypted for local storage, as well as for transmission and storage on iCloud servers. By default, analysis information is sent to Apple to improve the devices, services, and apps. This includes, for example, transaction data, the approximate location history or the usage duration, but, according to Apple, does not offer any possibility of identifying the individual. This data collection for analysis purposes can be disabled in the iPhone's privacy settings.
Third parties (e.g. other apps) can only access the Health data if the user manually authorizes them to do so.
The Apple Watch Series 3 offers virtually no reason for criticism in terms of both security and privacy. It is very well protected against attacks and the manufacturer implements the European General Data Protection Regulation worldwide. It is therefore rated 3 out of 3 stars.