Word surfaced in late February that Apple is working on improving iPhone and iCloud security, and now a new report says the company is working on finding the right balance between stronger iCloud encryption and maintaining convenience for users.
Apple is actively working on improving iOS and iCloud encryption
Apple is always working to improve security and privacy in its products, but after the company was hit with a federal court order demanding it create a version of iOS that removes protections against brute-force passcode attacks, it looks like those efforts have a new focus. Most notably, Apple is working on removing the ability to create the type of code the government is asking for, and to take away its own access to data stored in iCloud.
The court order was part of an FBI investigation into the mass shooting in San Bernardino last December where Syed Farook and Tashfeen Malik killed 14 coworkers and injured 22 others. The two were killed by police who then recovered a work-issued iPhone 5c assigned to Mr. Farook.
Apple helped the FBI recover as much data as they could through the iCloud account linked to the iPhone, but couldn't unlock the device because the company doesn't have any mechanism for bypassing the lock screen passcode. The FBI has been trying to work around that issue through its court order compelling Apple to create a modified version of iOS that doesn't include the ten-try limit for passcodes, removes the forced time delay between passcode attempts, removes the data self-destruct feature, and adds a way to automate passcode entry attempts.
Apple is fighting the order, saying it falls outside the government's authority, unnecessarily strips away privacy and security, and sets a dangerous precedent where companies could be forced to strip away encryption protection from their products. The company is scheduled to appear in court on March 22 along with the FBI to argue their cases.
In the meantime, Apple is actively working to remove the security weak points the FBI and others have been exploiting to get at our personal data. For iCloud, that's going to be a tricky balance because it could make using the service more difficult for end users.
Currently, Apple holds the encryption keys for iCloud, which makes it possible for the company to reset lost passcodes, and makes using the Web-based versions of Numbers, Pages, and Keynote easy. Taking away its own encryption keys and relying only on users' codes, just as it does with iOS, could make it much more difficult to keep iCloud's Web features easy to access, but would also take away the option to hand over unencrypted backups of our personal data to law enforcement agencies.
Sources speaking with the Wall Street Journal said that's the balancing act Apple is trying to sort out right now. Once Apple sorts that out and updates its iCloud services, law enforcement requests for data from our accounts will get little more than a "We can't do that" response. The trade-off will be that forgotten passwords can't be recovered, and any data stored in our iCloud accounts will be lost forever.
Apple isn't saying what its time frame is for hardening iOS and iCloud security. For iOS, that may include hardware changes in future iPhone and iPad models. For iCloud, however, Apple may be able to beef up security and privacy through server and software updates, and those could come sooner than new mobile device upgrades.