iCloud End-To-End-Encryption

[dingdingdong]

With all the recent news regarding Facebook's data-hoovering app, entire databases of stolen passwords and general debate about privacy or the lack thereof, I was wondering whether Apple is still actively focusing on improving security on their iCloud service?

It's actually been three years since they inadvertently announced they were pursuing adjustments to the iCloud's encryption (https://www.macrumors.com/2016/03/16/apple-to-double-down-icloud-encryption/).

With iPhone sales down and an apparent shift of focus to other sources of income, such as the infamous "services", I would hope that privacy isn't only a handy topic to ridicule competitors at conferences in Las Vegas, but actually something Apple deeply cares about. Bringing about user-end-encryption to iCloud Drive and all files and back-ups stored thereupon would be a strong signal underlining their commitment.

Besides, I'm quite certain the currently rather meager iCloud options would become substantially more attractive if Apple was offering something others currently aren't. The company I work at, which is already using Apple hardware but another encrypted cloud service (Nextcloud), would certainly jump at the opportunity if they were certain their data was safe. It would make things so easy.

Any thoughts or is it not worth hoping for a change?

 

[Closingracer]

Well their services would be apps ( Shazam which they own ) music library and movies which is as seen on now Samsung TVs and AirPlay 2 on Samsung and other makers TVs

 

[dingdingdong]

As far as I understand, the revenue they make from iCloud subscriptions, falls under the services category?

Anyway, that's besides the point. I'm not all too interested in Apple's revenue structure, I'm just hoping Apple follows up with their multiple promises.

 

[Closingracer]

As far as I understand, the revenue they make from iCloud subscriptions, falls under the services category?

Anyway, that's besides the point. I'm not all too interested in Apple's revenue structure, I'm just hoping Apple follows up with their multiple promises.

Well my point is they have other sources then mining your data. They can utilize their other resources without mining. They dont have the power to be a google or Facebook 2.0. Google has failed at trying to be Facebook 2.0 so Apple can’t. With all this I don’t see why they couldn’t keep their promises

 

[dingdingdong]

Well my point is they have other sources then mining your data. They can utilize their other resources without mining. They dont have the power to be a google or Facebook 2.0. Google has failed at trying to be Facebook 2.0 so Apple can’t. With all this I don’t see why they couldn’t keep their promises

This is of course true.

Though truth be told, I don't think many fear Apple and whether they may mine or what not. It's more a question of the fact that they still hold the key enabling access to every users' data on iCloud and the damage that can be caused by rogue third parties trying to acquire access to that data in some way, shape or form. Surely, Apple cannot be so confident of their immunity to such security breaches?

 

[Closingracer]

This is of course true.

Though truth be told, I don't think many fear Apple and whether they may mine or what not. It's more a question of the fact that they still hold the key enabling access to every users' data on iCloud and the damage that can be caused by rogue third parties trying to acquire access to that data in some way, shape or form. Surely, Apple cannot be so confident of their immunity to such security breaches?

Well the Group FaceTime bug shows that but I think I rather just put faith then be paranoid about it at this point. I don’t have any huge issue with google mining my data. Facebook is getting to the point where I am going to be soon though

 

[riverfreak]

Sorry to dredge up an old thread, just saw a link to it from another one.

OP, you lay out a thoughtful question. I know long ago Apple mentioned moving to zero knowledge encryption but also hedged saying it wasn’t possible for multi-device syncing?

I too wish they’d put more action into the lip service they pay to security. For example, a built in VPN on iOS (or at least more robust VPN settings), better management of things like location services, etc.

 

[dingdingdong]

Hi riverfreak - good to hear there are further loyal Apple customers looking for security-related improvements. As per usual, I'm putting some hope into the WWDC keynote the week after next. That being said, I've been hopeful before all of the keynotes they past few years.

Regarding zero knowledge encryption for iCloud, my understanding is that the main concern seems to be the potential loss of all of a customer's data if they were to forget their password. This is something which I personally would solve with the flick of a switch and a warning message for the customer ("If you turn on this setting, you may lose all your data if you forget your password!"). I cannot imagine multiple devices being the issue. Nextcloud, a competitor to iCloud Drive with advanced encryption options, offers syncing on multiple devices. Apple was also able to get syncing to work on some aspects of iCloud. For example, I do believe iCloud's encryption of iMessages is trustworthy.

It could of course also be that, due to the high cost and increasing difficulty in development, Apple has simply decided not to focus on improving security features while suggesting the opposite by continuing to advertise privacy's and security's importance in high-gloss commercials (see the recent advertisement with the lady laughing while looking at her iPhone screen). Considering the surprise on this forum and elsewhere when iOS' and macOS' security flaws are verbalised by users, the commercials seem to be working (and maybe fooling the average customer?) thus far. Let's see what happens a few leaks and security bills down the line.

Here's to a change in the near future!

 

[riverfreak]

@dingdingdong

Well said. What you say makes sense about zero knowledge encryption on iCloud. I’m with you — just make it an option.

There are so many areas for improvement at the intersection between security and privacy.

I’d like to see things like sets of apps that can be controlled in unison. For example, disabling cellular data or location services, while permitting others to remain enabled. Would be very handy for traveling. Doing it piecemeal is extremely tedious.

The lack of built in VPN is bizarre to me, as is the way the VPN status was demoted due to the notch. This needs to be front and center, as well as a system wide kill switch.

Even simple things, like blocking calls and messages from people not in your address book would be great. Same goes for voicemail.

I’d like to hope that Apple is thinking about improvements in this areas, but it seems like they are a very, very low priority. No flash, hard to market.