Apple steps up user security with end-to-end encryption for iCloud

Apple has announced it will begin allowing users to secure data backed up to their iCloud using end-to-end encryption.

The feature, dubbed Advanced Data Protection for iCloud, will debut for users participating in the company’s beta software programme. The tech giant revealed the feature will be available for US-based users by the end of 2022 and will roll out globally early next year.

At present, Apple offers end-to-end encryption for data already stored in its cloud platform, including passwords, credit card and payment details, and health-related data.

The advanced feature will extend this protection to other sensitive information such as photos, notes and iCloud backups.

This change will not cover all data, however. The company has confirmed that contacts, calendar information and email info will not be encrypted.

Craig Federighi, Apple’s senior vice president of software engineering, said the new privacy features are a signal of Apple’s “unwavering” commitment to providing users with the “best data security in the world”.

“We constantly identify and mitigate emerging threats to their personal data on device and in the cloud,” he said.

“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications.”

Initially, Apple users will be required to opt in to the new feature and will be granted a specific encryption key, which will be stored on their device.

Ivan Krstic, Apple’s head of security engineering and architecture, revealed that a key benefit of the Advanced Data Protection feature is that it will ensure iCloud data is protected in the event of a cloud breach.

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” he said.

However, Jamie Akhtar, CEO & co-founder of CyberSmart, warned that the proposed opt-in requirement could leave users unprotected and place responsibility for data protection in their hands.

“With increased cybersecurity awareness among the general public, cultivating digital trust is imperative to business survival. Apple has long been the exemplar of this, having time and again invested in its user security,” he said.

“Unfortunately, the downside of Apple’s latest measures is the requirement for users to ‘opt-in’ which will likely leave many unprotected as the onus is on them to take action,” Akhtar added.

Similarly, Tony Sabaj, mobile security expert at Check Point Software, noted that the added layers of security - including encryption keys - could inhibit users.

“This added layer of security is not without drawbacks as the end user is now responsible for storing, backing up and securing their own encryption keys,” he explained.

“From our experience in mobile security, even though Apple is taking steps to improve privacy, malicious apps, text/iMessage phishing and zero day threats will be unaffected by these measures.”

In a thread on Twitter, Matthew Green, professor of cryptography at Johns Hopkins University, said the encryption move “sets the standard on what secure consumer cloud backup looks like” and marks an important precedent for users globally.

“Even as an opt-in feature, this move will have repercussions all over the industry as competitors chase them,” he said.

Bolstering data security

The move by Apple forms part of a broader strategy focused on bolstering security, with the company adding that the releases come “as threats to user data become increasingly sophisticated and complex”.

Research conducted by Apple found that the number of data breaches more than tripled between 2013 and 2021. In addition, the study found that 1.1 billion personal records were exposed globally during 2021 alone.

In 2023, the company plans to begin supporting the use of hardware keys to improve two-factor authentication. Similarly, toward the end of 2023, Apple also plans to launch a feature called ‘iMessage Contact Key Verification’.

This new feature will enable users to confirm they are interacting with an intended contact. The verification scheme will also issue users with a warning if they are communicating with a contact or individual with “compromised” iMessage infrastructure.

Melissa Bischoping, endpoint security research director at Tanium, welcomed the move as a positive step to ensure that users are safeguarded amidst escalating global security threats.

“Apple has introduced these important security features to keep pace with the threat landscape and threats to privacy,” she said.

“By leveraging these features, you can know that your data is encrypted; even if the company holding the data is breached, you have additional assurance that you will not be a secondary victim. I am hopeful that this trend continues, as these protections are essential for reducing the secondary victimisation of a service's users after a data breach.”

Ross Kelly
News and Analysis Editor