Apple is adding end-to-end encryption to iCloud Backups, which joins an expanded list of iCloud data and content categories covered by the encryption layer. Simultaneously, Apple is also enabling iMessage Contact Key Verification for conversation privacy and will also allow users to secure their iCloud accounts using hardware security keys. The three new privacy layers roll out with iOS 16.2 for the iPhone, iPadOS 16.2 and macOS 13.1, all three expected in the coming days.
This comes as Apple has shelved the child sexual abuse material (CSAM) technology, something it had been criticised for since first detailing its proposal for scanning photos on the cloud last year. Privacy and security researchers had raised concerns that the technology could be used to gain access to sensitive information on a user’s device.
Apple has instead decided that the alternative to potentially invasive photo scanning can be the wider encryption that now includes Photos. “Child sexual abuse can be headed off before it occurs. That’s where we’re putting our energy going forward,” the Wall Street Journal quotes Craig Federighi, Apple’s senior vice president of software engineering, as saying.
It was in December last year when Apple rolled out the ‘Communication Safety’ feature for Messages. This, part of the Screen Time parental-controls software, enabled the ‘Check for Sensitive Photos’ option for parents to warn their children (those accounts must be linked as ‘child’ with the parent’s iCloud account) when they have received or attempt to send photos that contain nudity. One of the options is to ‘Message a Grown-up’.
Encryption gets iCloud at par with cloud storage rivals
To enable the expanded iCloud encryption, users will need to turn on Advanced Data Protection within the iCloud settings on an Apple device. From how it looks pre-release, this will be optional. At least for now. If you do choose to enable the expanded encryption, it will cover device backups, Photos, iCloud Drive, Messages backup (if you’ve enabled that), Notes, Safari bookmarks, Reminders, Siri Shortcuts, Wallet Passes and Voice Memos.
What changes for you is how the encrypted data can be accessed in case you must restore the data on an existing Apple device (one such scenario could be a device reset) or on a new Apple device.
Once Advanced Data Protection is enabled for your account, Apple will no longer have the encryption keys to recover the data. You will need a device passcode or password, a recovery contact, or a personal recovery key (this leads us to the inclusion of hardware security keys as a method for authentication).
This is why the setup process will guide you to configure at least one recovery contact or recovery key before you turn on Advanced Data Protection.
Beyond backups, the inclusion of iCloud Drive in the new encryption envelope means your files, documents, media and other data stored there will now have the same level of encryption as some of Apple’s biggest competitors in the cloud storage space. These include Google Drive, Dropbox and Proton Drive.
In fact, Proton Drive released apps for Android and iOS earlier this week. Though the base free storage tier offers less space (1GB compared with iCloud’s 5GB), the 200GB tier is priced similarly. Apple doesn’t have a 500GB option (the next best choice for iCloud is 2TB), which Proton Cloud offers, and could translate into better balance for more users.
Users on the iOS 16.2 beta already have access to the encryption, now expanded to 23 categories (up from 14 earlier). With the final release rollout of iOS 16.2 in the coming days, users in the US will be able to set this up first, with the rest of the world getting the option in early 2023.
2FA now gets hardware security keys too
Apple is expanding the scope of the two-factor authentication system to include the use of physical hardware keys. This means users will be able to use keys, such as YubiKeys (now that it’s on the menu, expect many more options configured for Apple to arrive in the market soon), as a way to confirm authentication as the user of an Apple device.
There will be two ways to get a security key to authenticate a user. You’ll have to, depending on the key itself, either plug it into an Apple device such as an iPhone (the complication of Lightning and USB-C may be something to contend with), or use Near Field Communication (NFC) with the iPhone.
“This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government,” Apple said in a statement. The option to enable Security Keys for Apple ID will be available globally in early 2023.
Apple confirms more than 95 percent of all iCloud accounts have some level of two-factor authentication enabled, which uses verification codes and distinguishes between trusted and non-trusted devices.
Your messages, for your eyes only
Apple is adding a new security tool to iMessage, or Messages, in a bid to alert users if someone has attempted to access the communication on an unrecognised device. This alert will be sent in case of forced attempts to breach the cloud servers (enabling Advanced Data Protection should make this even more difficult) or if a device has been forcibly added to the chain to access messages.
If an alert is raised, both original parties in the conversation will be notified of a potential breach. This comes after iMessage has been targeted recently by sophisticated spyware, such as Pegasus. Now, iMessage will immediately alert both parties if the device keys are different, or change with any unrecognised or new device in the mix.
“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications,” Apple said in the statement.
There is confirmation that iMessage Contact Key Verification will be available globally in 2023.