Apple announces improvements to iCloud data security
December 8th 2022
Apple announced improved features to secure data using its iCloud services. The most significant feature is the new Advanced Data Protection, which is an opt-in feature that expands end-to-end encryption. This means no one but the encryption key holder can access the data. The encryption keys are generated on the user's device, which means Apple or any third party can't access the data without being granted access by the user.
Apple has been encrypting certain data types stored in iCloud. Apple has expanded the option to now protect iCloud Backup, Notes, and Photos. Data already protected is considered by most as the most sensitive data, like passwords and health data; however, backed-up contents of devices contain an enormous amount of data, with some of it certainly being considered sensitive. Additionally, photos and notes are considered private also.
Apple says it will continue to not provide this level of encryption to iCloud Mail, Contacts, and Calendar to continue providing interoperability with user services.
Advanced Data Protection is expected to be available to U.S. users by the end of the year, with a worldwide rollout beginning in 2023.
Other security announcements include contract verification for iMessage and FaceTime. iMessage Contact Key Verification will provide greater assurance that the device of contact hasn't been compromised. This is likely an edge case for individuals who may be targeted by an advanced persistent threat. iMessage Contact Key Verification is expected to be available in early 2023.
Apple also added support for hardware security keys for Apple ID verification. This is a physical device to perform multi-factor verification. This is an improvement over device verification, where a code is displayed on an authenticated device. A hardware security key requires the person to possess the security device to authenticate. This makes it more difficult to breach and also harder to scam through phishing. Apple didn't provide details on keys, but it appears wired keys that plug into the device's port and wireless NFC keys will be supported. Security keys are expected to roll out in early 2023.