In a series of security announcements on December 7, 2022, Apple said it will add an extra layer of security to iCloud backups, photos, notes and other data, which it has now confirmed to be end-to-end encryption. End-to-end encryption previously covered 14 categories of data (such as iCloud Keychain and Health data); Apple is now expanding it to 23 categories under what it calls Advanced Data Protection (ADP). ADP is an opt-in setting that gives the user's trusted devices sole access to the encryption keys for almost all of their iCloud data. The newly covered categories include Messages backups, device backups, photos, notes, iCloud Drive, reminders, voice memos, Siri Shortcuts, Safari bookmarks, and Wallet passes.
“The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems,” Apple said in the announcement.
Turning on Advanced Data Protection ensures that these data categories can only be decrypted on trusted devices (devices the user has approved), so the information stays protected even if a breach of Apple's servers takes place. As for how this works: the CloudKit service keys for these categories are generated on the user's device and, under standard protection, are also uploaded to iCloud Hardware Security Modules (HSMs) in Apple data centers, where they are available after authentication. Enabling ADP permanently and irrevocably deletes those keys from the HSMs and keeps them only in the user's iCloud Keychain protection domain.
Unlike standard data protection, where Apple keeps the keys for data that is not end-to-end encrypted, under ADP the company cannot access or read the keys.
Matthew Green, cryptographer and professor at Johns Hopkins University, said that Apple’s move today “is an important step that will send a clear message to certain attackers that deeper investment in cloud attacks is probably not worthwhile.”
Apple will first offer the option to switch on end-to-end encryption for iCloud backups to US users by the end of the year, and then extend the service to China in early 2023, according to the Wall Street Journal. The feature will be off by default.
The prerequisites for enabling the ADP option are:
- An Apple ID with two-factor authentication enabled and a device secured by a passcode or password
- The Apple device must be updated to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or the latest version of iCloud for Windows.
- Apple recommends that users set up a recovery method for their iCloud data in case they lose access to their account.
Other Notable Features
In 2023, Apple will roll out two further features for users worldwide: Security Keys for Apple ID, and iMessage Contact Key Verification, which is designed for celebrities, journalists, and members of governments as protection against online threats.