Apple: end-to-end encryption for iCloud backup and more

Apple extends end-to-end encryption of its own services in areas such as iCloud Backup, iCloud Drive, Photos, Notes and more. After the US launch today in the Apple Beta Software Program, the global rollout is planned for early 2023. There are also new security mechanisms such as physical security keys for 2FA.

With “Advanced Data Protection for iCloud”, Apple is addressing a long-standing criticism: the lack of end-to-end encryption for some of the company's services. Until now, iCloud Backup, iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks, Siri Shortcuts, Voice Memos, Maps and Wallet (apart from Wallet's payment data) have been encrypted in transit and on Apple's servers, but not end-to-end.

Encrypted but not end-to-end

For these services, the encryption key has so far been stored at Apple, whereas the services with full end-to-end encryption store the key only on the user's trusted devices. A support document shows which services are encrypted under the previously offered “Standard data protection” compared with the new “Advanced data protection”. The differences are not yet listed in the German-language version of this document because the offer is initially starting in the USA.

Even Apple can no longer access the data

Advanced Data Protection for iCloud means that Apple no longer holds keys for the areas mentioned and can therefore no longer hand them over to investigative authorities when the company is confronted with a court order or a comparable instruction. From a technical point of view, Apple is simply no longer able to assist authorities in their investigations. “Advanced Data Protection” must be activated manually by the user and will not be the default even after global availability, Apple's software chief Craig Federighi explained in an interview with the Wall Street Journal. To activate it, users must designate a recovery contact who can help regain access to the data if the password is lost, but who cannot access it alone without the user. Alternatively, a special additional password (a recovery key) can be generated, which the user must write down or print out.

Advanced Data Protection for iCloud (Image: Apple)

Three areas remain without E2EE

iCloud Mail, Contacts and Calendar are still not covered by end-to-end encryption, but are encrypted in transit and on Apple's servers. Apple justifies this with the need for interoperability with the various global e-mail, contact and calendar systems. Advanced Data Protection can be activated immediately in the US by users in the Apple Beta Software Program and will be offered to all US users by the end of the year. The global rollout, including China, as Federighi assures, is planned for early 2023.

Security key for 2FA of the Apple ID

Also new is support for physical security keys from third-party providers for two-factor authentication of the Apple ID, which is to be offered globally from the beginning of 2023. The feature is primarily aimed at people such as celebrities, journalists and members of government, but can in principle be activated by anyone in the settings. Two-factor authentication can be used, for example, with a YubiKey from Yubico; keys with a Lightning connector or NFC can be used with the iPhone.

Security Keys for Apple ID (Image: Apple)

iMessage Contact Key Verification

Also planned for early 2023 is the global rollout of iMessage Contact Key Verification, aimed at users who face extraordinary digital threats, such as journalists, human rights activists or government officials. The feature is intended to ensure that iMessage is actually communicating with the person displayed in the app. “iMessage Contact Key Verification” should automatically warn the user if, for example, Apple's servers are infiltrated as part of a state-sponsored cyber attack and a device tries to eavesdrop on the encrypted communication.

iMessage Contact Key Verification (Image: Apple)

For an even higher level of security, the two communicating users can also meet in person or contact each other via FaceTime or another secure call to compare a Contact Verification Code.
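As an added illustration of the idea behind the two passages above (this is not Apple's code and not a description of how iMessage implements the feature), the following Python models a generic contact-key verification scheme: each device pins the public key it confirmed out of band, both parties derive a short comparison code from the pair of public keys, and the device warns when the key directory later hands out a different key for the same contact. The class names, the code format and the random byte strings standing in for real public keys are all constructed assumptions.

```python
"""Simplified model of contact-key verification (added example, not Apple's
implementation).  A directory server maps users to public keys; a client pins
the key it verified out of band and compares it with whatever the directory
serves later.  Public keys are constructed random byte strings."""
import hashlib
import hmac
import secrets
from typing import Dict


class KeyDirectory:
    """Models the server that maps a user id to that user's current public key."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, user: str, public_key: bytes) -> None:
        self._keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self._keys[user]


class Client:
    """A device that pins verified contact keys and checks the directory against them."""

    def __init__(self, user: str, directory: KeyDirectory) -> None:
        self.user = user
        self.directory = directory
        # Constructed stand-in for a real signing/identity public key.
        self.public_key = secrets.token_bytes(32)
        self.pinned: Dict[str, bytes] = {}
        directory.register(user, self.public_key)

    def verification_code(self, peer_key: bytes) -> str:
        """Short code both parties derive from their two public keys.
        Sorting the keys makes the code identical on both sides (assumed format:
        24 decimal digits in four groups of six)."""
        material = b"".join(sorted([self.public_key, peer_key]))
        digest = hashlib.sha256(material).digest()
        digits = f"{int.from_bytes(digest[:10], 'big') % 10**24:024d}"
        return " ".join(digits[i:i + 6] for i in range(0, 24, 6))

    def confirm_out_of_band(self, peer: str, code_shown_by_peer: str) -> bool:
        """In-person / secure-call comparison: pin the directory key only if the
        code the peer reads out matches the code computed locally."""
        served = self.directory.lookup(peer)
        if hmac.compare_digest(self.verification_code(served), code_shown_by_peer):
            self.pinned[peer] = served
            return True
        return False

    def fetch_and_check(self, peer: str) -> str:
        """Fetch the peer's key from the directory and compare it with the pinned one."""
        served = self.directory.lookup(peer)
        pinned = self.pinned.get(peer)
        if pinned is None:
            return "unverified"
        if hmac.compare_digest(pinned, served):
            return "verified"
        return "WARNING: key changed"


def run_demo() -> tuple:
    """Two users verify each other, then the directory is made to serve a
    substituted key for one of them (constructed server compromise)."""
    directory = KeyDirectory()
    alice = Client("alice", directory)
    bob = Client("bob", directory)
    # Each reads the code off the other's screen and confirms it matches.
    alice.confirm_out_of_band("bob", bob.verification_code(alice.public_key))
    bob.confirm_out_of_band("alice", alice.verification_code(bob.public_key))
    before = alice.fetch_and_check("bob")
    directory.register("bob", secrets.token_bytes(32))  # substituted key
    after = alice.fetch_and_check("bob")
    return before, after


if __name__ == "__main__":
    print(run_demo())  # ('verified', 'WARNING: key changed')
```

The model makes the division of labour visible: the directory is only trusted to deliver keys, never to vouch for them, and the out-of-band code comparison is what turns a fetched key into a pinned one. Any later mismatch between the pinned key and the served key is surfaced as a warning rather than silently accepted.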