Apple confirms plans to tighten up cloud security, including locking down photos and notes stored on its iCloud service
Apple plans a number of security upgrades “focused on protecting against threats to user data in the cloud.”
Apple announced on Wednesday “three advanced security features…representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.”
It will allow users to more tightly lock down their photos and notes stored on its iCloud service and require a physical security key when logging in from a new device. The new measures, along with another security measure for Apple’s iMessage chat program, are aimed at celebrities, journalists, activists, politicians and other high-profile individuals heavily targeted by hackers, Apple said.
With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend, Apple said.
With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account.
And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.
Apple noted that threats to user data have become increasingly sophisticated and complex, and these new features are designed to ensure that Apple products are the most secure on the market.
“At Apple, we are unwavering in our commitment to provide our users with the best data security in the world,” said Craig Federighi, Apple’s senior VP of Software Engineering. “We constantly identify and mitigate emerging threats to their personal data on device and in the cloud.”
“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications,” said Federighi.
iMessage Contact Key Verification
Apple said that it had pioneered the use of end-to-end encryption in consumer communication services with the launch of iMessage, so that messages could only be read by the sender and recipients.
FaceTime has also used encryption since launch to keep conversations private and secure.
Now with iMessage Contact Key Verification, users who face extraordinary digital threats – such as journalists, human rights activists, and members of government – can choose to further verify that they are messaging only with the people they intend.
Apple admitted that the vast majority of users will never be targeted by highly sophisticated cyberattacks, but the new feature provides an important additional layer of security for those who might be.
Users who have enabled iMessage Contact Key Verification receive automatic alerts in their conversations if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed in breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.
And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call.
Security Keys for Apple ID
Apple introduced two-factor authentication for Apple ID, FaceTime, and iMessage in 2015.
Before that, Apple had added the option of two-factor authentication for iCloud in 2013, after journalist Mat Honan had his iCloud account compromised and all of his devices wiped in 2012.
“Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection,” noted Apple. “This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government.”
For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors.
This takes Apple’s two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.
Advanced Data Protection for iCloud
The third and final upgrade is designed to improve iCloud security.
“Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture.
“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” said Krstić.
For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.
iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos.
The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.
Apple said that iMessage Contact Key Verification will be available globally in 2023.
Security Keys for Apple ID will be available globally in early 2023.
And finally, Advanced Data Protection for iCloud is available in the US today for members of the Apple Beta Software Program, and will be available to US users by the end of the year.
The feature will start rolling out to the rest of the world in early 2023.