More online protection as Apple flex their cyber muscles
End-to-end has happened
Yesterday, Apple announced a massive step forward in online security by adding end-to-end encryption to a host of their apps.
In what they are calling Advanced Data Protection (ADP), Apple has added this higher level of security to a further 9 of their apps. In total, 23 data categories are now covered, with Notes, Photos, and backups being added to the list today.
Coming to a phone near you soon
Apple has always been at the forefront when it comes to data security for its customers. We can go back as far as 2015, in fact, when Apple stepped up security with two-factor authentication for the App Store.
The latest update is the biggest advance, though, as Advanced Data Protection represents Apple’s “highest level of cloud data security”, said Ivan Krstic, Apple’s head of Security Engineering and Architecture. In a statement that can be found on Apple’s US press room website, Krstic went on to add: “Apple makes the most secure mobile devices on the market, and now, we are building on that powerful foundation.”
The service will, initially at least, be opt-in. It will give users the choice to “protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”
What’s covered?
Judging from a screenshot from Apple, the categories that will be covered when you activate ADP are: device backups, messages backups, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos, and Wallet Passes.
The only major omissions from that list, you’ll notice, are iCloud Mail, Contacts, and Calendar. That is because of “the need to interoperate with the global email, contacts, and calendar systems,” according to the press release. Those systems still run on older protocols.
If you are interested in finding out which of your data is currently encrypted under Standard Data Protection, then check out this page from Apple’s website.
What’s the difference?
Simply put, the primary difference between Standard and Advanced Data Protection is that with the Standard version, Apple holds the encryption keys for anything that is not end-to-end encrypted. In real terms, that means that if you need to recover data, Apple is able to help.
With end-to-end encryption under Advanced Data Protection, data can only be decrypted on a trusted device. You will have to be signed in to that device with your Apple ID, and neither the company, hackers, nor even law enforcement can access your data.
If, in the future, you wish to disable Advanced Data Protection, your device will simply revert to securely uploading the required encryption keys to Apple’s servers. Your account will then, once again, offer only Standard Data Protection.
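As an added illustration (not Apple’s code, and using a toy cipher rather than Apple’s real scheme), this Python model shows that the practical difference between the two modes comes down to key custody: under Standard protection the server keeps a copy of the key and can recover data, under ADP it holds only ciphertext, and turning ADP off means the device uploads its key again.

```python
import hashlib
import hmac
import os

# Added toy model of the key-custody difference between Standard and Advanced
# Data Protection; not Apple's code. Cipher is HMAC-SHA256 in counter mode,
# adequate for illustration only.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # returns nonce || ciphertext
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Cloud:
    """iCloud stand-in: always holds ciphertext; holds the key only when escrowed."""
    def __init__(self):
        self.ciphertext = None
        self.escrowed_key = None  # set under Standard Data Protection, never under ADP

def upload_backup(device_key, cloud, plaintext, advanced_protection):
    cloud.ciphertext = encrypt(device_key, plaintext)
    # Standard: Apple keeps a copy of the key so it can assist recovery.
    # Advanced: the server receives only ciphertext.
    cloud.escrowed_key = None if advanced_protection else device_key

def server_side_recovery(cloud):
    """What anyone with only server access can recover: the data, or nothing."""
    if cloud.escrowed_key is None:
        return None
    return decrypt(cloud.escrowed_key, cloud.ciphertext)

def disable_adp(device_key, cloud):
    """Turning ADP off: the device uploads its key, reverting to standard protection."""
    cloud.escrowed_key = device_key

def device_restore(device_key, cloud):
    """Restore on a trusted device, which works in both modes."""
    return decrypt(device_key, cloud.ciphertext)
```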
There has long been a call for Apple to add end-to-end encryption to iCloud backups, due to the amount of critical data they hold. There had been rumours that Apple had delayed protecting iCloud backups because of intervention from the FBI. Craig Federighi, Apple’s SVP of software engineering, denied that claim, saying he had heard that “rumour” but didn’t “know where that came from”.
In a recent interview with The Wall Street Journal’s Joanna Stern, Federighi went on to add:
Some of the steps we took over a decade ago and designing iCloud and the way we encrypted were necessary precursors to build toward this moment. Using end-to-end encryption for the other types of data, like passwords and browser history and so forth, helps improve that technology.
Verification
There will be an optional iMessage Contact Key Verification as well. With that enabled, users will be alerted “if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed in breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications”, says Apple.
Security Keys
Building on the success of 2FA, it will now be strengthened: one of the two factors will now have to be a hardware security key. You’ll also be able to opt for a third-party hardware security key.
Popular third-party choices, such as the YubiKey 5C from Yubico, offer an extra layer of account security by requiring that you either plug the key in or tap it on your device, using its built-in NFC, when you’re trying to log in.
These keys offer a viable alternative to message-based 2FA. A code sent by message can easily be intercepted by hackers, but hardware keys make that much less likely.
FBI concerned
As I write, the FBI has just made a statement to the Washington Post discussing Apple’s increased security features, saying:
“This could affect the agency’s ability to protect Americans, and again, we are pressing for backdoor access. We remain deeply concerned with the threat end-to-end and user-only-access encryption pose.
This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organised crime and terrorism. In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”
That last phrase, ‘lawful access by design’, is in fact a direct reference to encrypted data. Data is either encrypted or it is not, meaning you cannot allow a loophole for agencies to access end-to-end encrypted data: that would effectively cancel all user privacy protection, as cyber criminals would be able to exploit the same loophole.
When will it become available?
If you are one of the beta testers, then you will be able to experience ADP this week. After the beta testing period, it will then roll out later in 2023, becoming globally available, including in China, early next year.
Getting involved
Fancy receiving my weekly video newsletter?
It’s free, and simple to join. Just leave me your details here, and every Sunday lunchtime, I will drop in to your inbox, catching up on the last week.
Guess what – if you look forward to my articles & blogs landing each day, you can help that happen! By clicking via this link, you can join Medium and get my blogs every day, the moment I publish them. And you can even get email notifications about them too. Go on – one little click of the Magic Mouse will make a big difference to both you and me! 😋
And Finally…
I am now on Vero – follow me here https://www.vero.co/dtalkingtech