PSA: iOS 17’s NameDrop is NOT a Security Risk

Over the past few days, some misinformation has gone viral that suggests that NameDrop, the feature that allows you to share a digital business card by holding two iPhones or Apple Watches together, is a security and privacy risk.

Considering Apple’s staunch stance on privacy as a fundamental human right, it’s a notion that should be laughable — except for the fact that it’s being amplified by well-meaning public service agencies such as police departments, warning parents and kids to turn the feature off or risk having their personal information stolen.

A recent report by The Washington Post (Apple News+) shares how police departments across the US have been reposting a warning on Facebook about the dangers of NameDrop:

“IMPORTANT PRIVACY UPDATE: If you have an iPhone and have done the recent iOS 17 update, they have set a new feature called NameDrop defaulted to ON. This feature allows the sharing of your contact info just by bringing your phones close together. To shut this off go to Settings, General, AirDrop, Bringing Devices Together. Change to OFF.“

While the Dewey Police Department in Oklahoma, which appears to be have posted one the earliest appearances of the warning by a police agency on Facebook, adds the disclaimer that “The intent of the post was to get parents engaged with their children and what they are doing on their devices, not the fear mongering as suggested,” but it also appears to stand by the statement that NameDrop should be disabled, implying that it works “just by bringing your phones close together.”

As The Washington Post points out, there’s nothing to be concerned about here, and people should just move along.

The truth: NameDrop is quite safe. The warnings about this technology are wildly exaggerated. Chester Wisniewski, a digital security specialist at Sophos, called the warnings about NameDrop “hysteria” and “nonsense.”Shira Ovide, The Washington Post

While the Post implies that this is equivalent to warnings about using public Wi-Fi and plugging your iPhone into public chargers, the reality is that NameDrop is even less of an issue. There is a small but real risk to using an unknown public charger, as you are connecting a potentially unknown device into your iPhone’s Lightning or USB-C port. Similarly, unknown “free” public Wi-Fi networks can be fake hotspots, or “honeypots,” created by hackers for nefarious purposes.

The good news is that an iPhone is generally safe from attacks like these, but it’s by no means immune. The odds are incredibly slim, but they aren’t zero.

On the other hand, while the likelihood of NameDrop creating a privacy risk isn’t quite zero either, it’s so close that, to cite Hari Seldon from Foundation, “it’s not a number worth discussing.”

How NameDrop Protects Your Contact Info

The key is that NameDrop works entirely between two Apple devices. The entire process is under Apple’s control, and Apple cares deeply about privacy.

As a result, NameDrop is far from automatic. The idea that somebody could snarf up your contact info just by brushing up against the iPhone in your pocket is absurd on the face of it — and anybody who has actually tried NameDrop should know this.

Here’s what actually happens when you place two iPhones in close proximity to each other:

1. Firstly, by “close,” we’re talking about an inch or two. Contact must also be made between the top edges of the two iPhones.
2. Secondly, your iPhone must be unlocked. If your iPhone is in your bag or pocket, it should generally be locked, in which case nothing happens when somebody brings their iPhone near yours.
3. Once the iPhones are aligned and unlocked, both will offer a strong haptic vibration, regardless of the ring/silent settings on the iPhone. You can’t miss it, so you’ll know something is up immediately.
4. This will initially show a notification banner indicating another iPhone has been found. Keep the two iPhones close together for another second or two, and you’ll see a full-screen preview of your contact information with two buttons.
5. Nothing is transmitted until you authorize it by selecting the Share button. You can also tap Receive Only if you want to get contact information from the other iPhone without sharing your own — although the other person would have to hit the Share button on their iPhone for that to happen. If both users tap Receive Only, nothing gets sent.
   

That’s a lot of checks and balances to make NameDrop happen — your iPhone must be unlocked, and you must explicitly select the Share button. It’s virtually impossible for NameDrop to share your contact details without your consent unless you regularly walk around with your iPhone screen turned on in your pocket and have an object in there that could accidentally activate buttons on your screen. However, if that’s how you travel with your iPhone, you’ll have bigger problems than the risk of somebody trying a sneaky NameDrop maneuver on you.

So you shouldn’t worry about NameDrop. But you should worry that police and news organizations are failing you by sounding false alarms about technology.Shira Ovide, The Washington Post

So, what about the Apple Watch? After all, that’s unlocked whenever it’s on your wrist. What happens when you bring an Apple Watch near another Apple Watch?

The short answer is nothing.

Unlike the iPhone, NameDrop has to be initiated manually on the Apple Watch. While an iPhone will initiate NameDrop if it’s held near an Apple Watch, two Apple Watches won’t respond to each other at all. You have to open the Contacts app on the watch and then tap your picture in the top right corner to start a NameDrop session.

The screen that’s displayed when NameDrop is engaged is also very hard to confuse with any other kind of request. It’s not your typical pop-up dialog box that somebody could gloss over and hit “Allow” without thinking. It’s a full-screen rendering of your contact poster with a very obvious Share button. If someone taps that without knowing what they’re doing, that’s on them.

Nevertheless, if you have no use for NameDrop and would rather avoid the whole thing, it’s easily switched off. Just head into Settings > General > AirDrop and toggle off Bring Devices Together. Just be aware that this will also remove the ability to share other information via AirDrop in this manner — you’ll need to revert to the old-fashioned way of manually selecting the other person’s iPhone from the AirDrop share sheet instead.