iCloud backups aren’t as secure as the data stored on your iPhone

BY Killian Bell

Published 3 Mar 2016

iCloud Backup

If you’ve been keeping up with Apple’s ongoing battle against the FBI, you may have heard that authorities could have used an iCloud backup to access the data stored on an iPhone used by San Bernardino shooter Syed Farook.

That’s because iCloud backups aren’t as secure as the data secured on iOS devices themselves, and Apple does have the ability to get into them if it needs to. Here’s why, and what you can do to ensure your backups are more secure.

Tim Cook explained during an interview with ABC News last month that if the iCloud password on Farook’s iPhone wasn’t reset, the device could have performed an automatic backup when connected to a recognized Wi-Fi network, and Apple could have granted access to that backup.

That’s because iCloud backups aren’t encrypted in the same way the data on your iOS device is. You passcode isn’t required to gain access, so Apple has the ability to “decrypt” the data itself. In an article for The Verge entitled “The iCloud Loophole,” Walt Mossberg explains:

In the case of iCloud, while security must also be strong, Apple says it must leave itself the ability to help the user restore their data, since that’s a key purpose of the service. This difference also helps dictate Apple’s response to law enforcement requests. The company’s position is that it will provide whatever relevant information it has to government agencies with proper, legal requests. However, it says, it doesn’t have the information needed to open a passcode-protected iPhone, so it has nothing to give. In the case of iCloud backups, however, it can access the information, so it can comply.

Although you can specify which data is sent to iCloud, in most cases, backups include iMessages and regular texts, photos and videos, app data, health data, your voicemail password, device settings, content purchase history, and more.

Backups also include iCloud keychain data, Wi-Fi passwords, and login details for third-party services. But it’s important to remember that Apple does not have access to this data; these things are designed to be encrypted in a way that makes them inaccessible to Apple.

Backups don’t include data that’s easily available from other sources, such as your emails, which are stored on provider servers.

Without being protected by your passcode, your iCloud backups are more open, and there’s no danger of them self-destructing when someone attempts to access them in the same way that your iPhone’s data can. But you shouldn’t be concerned about this.

Only Apple can access your iCloud backups, and it only does so when it receives instruction or order from the court or law enforcement agencies — so this doesn’t necessarily mean that they’re unsafe. However, you can still avoid backing up to iCloud if you’re concerned.

Mossberg suggests disabling iCloud backup and making local backups — via iTunes on a Mac or PC — that are encrypted. There’s a setting on the summary page when you connect your iOS device to iTunes that lets you specify whether or not local backups should be encrypted.

If you enable this, no one is able to access them without access to your hard drive. And even then, they cannot get into the backup and obtain the data without your iCloud password.

It’s also important to remember that Apple isn’t the only company that can access your backups. In fact, almost all of them can if they need to, including Google, Dropbox, and others.

[The Verge]