Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Apple Adding End-to-End Encryption to iCloud Backup

Apple on Wednesday announced plans to beef up data security protections on its flagship devices with the addition of new encryption tools for iCloud backups and a feature to help users verify identities in the Messages app.

Apple on Wednesday announced plans to beef up data security protections on its flagship devices with the addition of new encryption tools for iCloud backups and a feature to help users verify identities in the Messages app.

The security-themed upgrades, scheduled to ship in 2023, includes a new feature called Advanced Data Protection for iCloud offering end-to-end encryption to protect iCloud backups even in the case of a data breach.

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” apple security engineering chief Ivan Krstic said in note describing the coming upgrades.

Apple devices currently offer end-to-end encryption by default for some data categories like health and passwords but when the new features ship, the categories will be expanded to iCloud backups, Notes and Photos.

[ READ: Apple Adds ‘BlastDoor’ to Secure iPhones From Zero-Click Attacks ]

“For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud,” the Cupertino device maker said.

Apple said the only major iCloud data categories that are not covered by the end-to-end encryption are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.

The new enhanced security features also include iMessage Contact Key Verification, which will allow users to verify they are communicating only with whom they intend.

Apple is positioning the iMessage contact key verification feature as another roadblock to high-profile hackers that target journalists, human rights activists, and members of government.

[ READ: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problems? ]

“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications. And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call,” Apple said.

The company also plans to add support for third-party physical security keys, a feature aimed at helping celebrities, journalists and government figures to have an additional layer of multi-factor authentication.

“For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam,” Apple added.

Related: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem

RelatedApple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware

RelatedApple Adds ‘BlastDoor’ to Secure iPhones From Zero-Click Attacks

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.