Can Police Get Into a Locked iPhone or Android?

This is one of the most common digital-privacy questions, and it has two very different answers depending on what you are really asking. There is the legal question (are police allowed to search your phone?) and the technical question (can they actually break into a locked device?). This article focuses mostly on the technical reality, because that is what people usually mean when they ask whether police can bypass an iPhone passcode or unlock a phone without the password.

First, the legal baseline: they need a warrant

Under the Fourth Amendment, police generally cannot search the contents of your phone without a warrant. The Supreme Court settled this in Riley v. California (2014), which held that the enormous trove of private data on a modern smartphone means officers must get a warrant before searching it, even when they seize the phone during an arrest. A related case, Carpenter v. United States (2018), extended warrant protection to historical cell-site location records held by your carrier.

But here is the key point: a warrant gives police legal permission to search. It does not magically give them technical access. If your phone is locked and well-encrypted, a judge's signature does not type in your passcode. That is why the technical side matters so much.

How locked phones protect your data

Both modern iPhones and Android phones use strong, full-device encryption tied to your passcode. When the phone is locked, your data is scrambled, and the key needed to unscramble it is derived from your passcode (plus a hardware secret baked into the chip). On iPhones this is enforced by the Secure Enclave; most current Android phones use file-based encryption backed by similar secure hardware.

This design creates two important states:

• Before First Unlock (BFU): the phone has been powered off and rebooted but not yet unlocked once. In this state the encryption keys are not loaded into memory, and the data is at its most protected. Extraction tools struggle badly here.
• After First Unlock (AFU): you have unlocked the phone at least once since it booted. The keys are now in memory, and forensic tools can often pull far more data, even while the screen is locked.

This is why one of the single most effective privacy steps is simply to power your phone all the way off if you think it may be seized. A fully powered-down phone is in the BFU state.

The tools police actually use

Law enforcement agencies do not personally hack phones with movie-style typing. They buy commercial forensic tools, most famously Cellebrite (its UFED and Premium products) and GrayKey (made by Magnet Forensics/Grayshift). These tools attempt to bypass the lock, exploit software vulnerabilities, or brute-force the passcode.

How well they work depends on several factors:

• The operating system and patch level. It is a cat-and-mouse game. Apple and Google patch the vulnerabilities these tools rely on; the tool makers find new ones. A phone running the latest, fully updated OS is often far harder to crack than one that is years out of date.
• Lock state (BFU vs AFU). As above, AFU devices give up much more data.
• Whether biometrics or a passcode is the barrier. See below.
• Passcode strength. This is the factor you control most.

Why passcode strength is the whole game

Brute-forcing means trying every possible passcode until one works. The math is unforgiving:

• A 4-digit passcode has only 10,000 combinations.
• A 6-digit passcode has 1,000,000 combinations.
• A strong alphanumeric passphrase (letters, numbers, symbols) has trillions upon trillions of combinations.

On their own, those small numbers would fall in seconds. What protects you is that the Secure Enclave (and Android equivalents) enforces escalating time delays between wrong guesses and, if you enable it, can erase the phone after 10 failed attempts. Forensic tools work by trying to bypass or speed up that rate-limiting. When they succeed, a 4- or 6-digit code can fall in hours or days. A long, random alphanumeric passphrase is, for practical purposes, infeasible to brute-force even with these tools. If you want real security, use a long alphanumeric passcode, not a short PIN.

Biometrics: the weak link in custody

Face ID and fingerprint unlock are convenient, but they create a legal vulnerability. Many courts treat compelling you to enter a passcode as protected by the Fifth Amendment, because revealing what you know is "testimonial." By contrast, several courts have allowed police to compel a fingerprint or face scan, treating it like taking a fingerprint or a DNA swab. The law here is genuinely unsettled and varies by jurisdiction, but the practical takeaway is clear: biometrics can sometimes be forced; a passcode in your head usually cannot.

Both phones let you instantly disable biometrics and force a passcode. On an iPhone, hold the side button and a volume button until the power-off/Emergency SOS screen appears, then cancel; the next unlock will require your passcode. On Android, the lockdown option in the power menu does the same. Knowing this gesture is one of the most useful things in this whole article.

Can Apple or Google just unlock it for police?

Generally, no, not the device itself. Apple and Google designed these systems so that they do not hold the key to your locked, encrypted phone, which means they cannot decrypt it even if served with a warrant. This was the heart of the 2016 San Bernardino standoff, when the FBI tried to force Apple to build special software to break into a locked iPhone; Apple refused, and the FBI ultimately paid a third-party vendor to get in instead.

What Apple and Google can hand over, with legal process, is data stored in the cloud: iCloud or Google account backups, photos, and messages that are synced to their servers. So even if your physical phone never gets unlocked, a warrant served on your cloud account may expose much of the same information. End-to-end encrypted backups (like Apple's Advanced Data Protection) change this calculus.

What to do practically

• Use a strong alphanumeric passcode, not a 4- or 6-digit PIN.
• Power the phone fully off if seizure looks likely, to force the harder-to-crack locked state.
• Disable biometrics with the lockdown gesture, since a face or fingerprint can sometimes be compelled.
• Keep your OS updated, which closes the vulnerabilities cracking tools exploit.
• Do not consent to a search and do not unlock the phone voluntarily. You can invoke the right to remain silent and ask for a lawyer. Forcing them to rely on a warrant and their own tools is your strongest position.

This is general legal and technical information, not legal advice. The law on compelled unlocking varies by state and is actively changing, and forensic capabilities change with every software update. For your specific situation, talk to a criminal-defense attorney.