If you’ve got an iPhone or iPad, Apple’s Siri voice assistant will read out your lock screen notifications for apps even when you’ve turned off previews for the content inside them — and without making sure it’s you. This doesn’t work for iMessages and SMS texts; Siri always requests that you unlock your device before reading aloud what’s in those messages. But for other apps such as third-party email apps, Facebook Messenger, Slack, and many more, Siri will just spout off details about the notification without checking that it’s the right person asking to hear them.
Mac Magazine uncovered the unfortunate oversight, and 9to5Mac also reported on it. The problem is reportedly still present in beta versions of iOS 11.3. It’s not immediately clear whether the lack of consistency is a bug or instead just an odd design flaw or API limitation that impacts third-party apps.
Regardless, it’s probably not something that most users are aware of, and the discovery might be particularly concerning for iPhone X owners. Out of the box, Apple’s flagship smartphone is set to hide lock screen previews; they appear as soon as Face ID has successfully identified you, but otherwise won’t be displayed to other people handling your smartphone. That’s an excellent, immediate wall of privacy, but this Siri weakness easily gets around it.
Apple’s own software remains relatively locked down. Saying things like “Read my last email” and “Read my last note” leads to Siri insisting that you unlock your phone before the voice assistant can follow through on the request, since it associates those asks with Apple’s software. But if you use an alternative email app like Gmail, Siri will include that app’s messages among the notifications it’s willing to read. The sender, subject, and first lines of a message are all included in the readout. There’s a glaring difference in how protective Siri is of Apple’s apps compared with third-party ones.
This isn’t a case where Siri is recognizing a user’s voice before talking. You don’t need to say “Hey Siri” to ask for notifications. All it takes is holding down the home button (or side button in the case of the iPhone X). I used a generic text-to-speech female bot voice to say “Read my notifications” and Siri did exactly that, spouting off a Slack direct message and Facebook Messenger message to everyone in earshot.
Until Apple rectifies this, you can avoid any potential privacy snooping by turning off lock screen notifications for sensitive apps. From what I can tell, as long as they don’t show up on the lock screen, Siri will say that you don’t have any new notifications and ignore those arriving in the background. You can leave notifications enabled elsewhere so that you’ll still see them after you’ve unlocked the phone and pulled down the notification tray. If you’d prefer to keep lock screen notifications, there’s also the option of just disabling Siri whenever your device is locked, so it will only be functional once you’ve authenticated with a passcode, fingerprint, or your face.