Screen time API can be disabled easily

We have developed a Parental/Self control app using Screen time API. We have used individual authentication to authorize the app, using the instructions here: https://developer.apple.com/documentation/familycontrols/authorizationcenter


The problem is that individual auth can be disabled easily, by the following steps:

  • Enter the Settings app.
  • In the Settings app, click on the Parental/Self control app.
  • Click to disable screen time restriction.
  • Show the device owner's face/fingerprint (or pin code).

Why is that a problem:

Parental control apps, or self-control apps, are about giving control to the software, to make it hard for the user to disable the restrictions.

So using the flow I have introduced above, it's super-easy for a user to disable his Parental control restrictions, which misses the entire point of the Parental/Self control idea.

Furthermore, not only does the user have the means to unlock his screen time restrictions, he also MUST have the means to unlock it.


This makes Screen time (with individual auth) useless: I have code ready to make a great parental control app for my clients, with amazing ideas, but I can't use the Screen time API unless this problem is fixed.


Why child-parent auth is not enough: My clients are grown-up people between the ages of 15-40, who are interested in self-control, so they don't have iCloud child accounts.

Also, the child-parent auth solution forces my clients to give some control to another person, and my clients prefer their privacy. Some of them prefer self-control and not parental-control.


What I suggest as a solution:

1: Give users more options for how to disable the Screen time restrictions, including:

  • a second Face ID / fingerprint (that isn't the same as the one used to unlock the device)
  • a second pin password
  • a string password

2: Give the users the option to choose not to have the device owner's Face/Finger/Pincode ID as a method to disable the Screen time restrictions.

+1!

This is also a huge issue with an app we are working on. We have restrictions in-app to prevent users from disabling shielding of apps (per their requests) but we cannot stop them going to Settings and just turning off the toggle for permissions, which immediately disables all restrictions.

Well explained. I've been hoping Apple will resolve this for a while.

Currently a third-party Screen Time restrictions app can be easily bypassed using the device Face ID in Settings. This means you can't impose restrictions on the user like you can with Apple's built-in Screen Time functionality, where you can lock the restrictions behind a separate 'Screen Time Passcode'.

As you say, it would work well if you could set a different password (preferably supporting longer than 4 digit PINs or string passwords) that prevents you from disabling the app's Screen Time access. And don't allow them to use the device Face ID to disable it. This password could be the existing Screen Time Passcode for consistency across the Screen Time settings.

I just discovered this issue with the Freedom app. :/ I can simply toggle off the access to screen restrictions. They need to put that toggle behind the restrictions passcode.

+1 Similar thread here for .individual authorization:

Hello, unfortunately, with the new iOS 17 this problem is still persistent.

Completely agree. This flaw has made the Freedom app pointless. If Apple were serious about addressing addiction issues, it would address this flaw.

Can this be solved somehow using Apple Configurator?

+1

This is blocking me from making my app effective.

Apple? Hello? Could someone at least respond to this?

I am also very interested in this problem. Is there a possible workaround for an adult to artificially lower his/her birth year associated with the Apple ID so he/she appears to be a child, and then create a second Apple ID that has an 'adult' birth date, and use the adult birth date to manage the 'child' account?

A little cumbersome, but I'm trying that now. Trouble is, I see that the 'child' account can easily enable / disable any app's access to the Screen Time API with an easy toggle that doesn't require the 'parent' approval.

So did I misunderstand the distinction between child-parent auth vs. individual auth?
