Apple Actively Working on More Secure iCloud


Word surfaced in late February that Apple is working on improving iPhone and iCloud security, and now a new report says the company is working on finding the right balance between stronger iCloud encryption and maintaining convenience for users.

Apple is actively working on improving iOS and iCloud encryption

Apple is always working to improve security and privacy in its products, but after the company was hit with a federal court order demanding it create a version of iOS that removes protections from brute-force passcode attacks, it looks like those efforts have a new focus. Most notably, Apple is working on removing the ability to create the type of code the government is asking for, and to take away its own access to data stored in iCloud.

The court order was part of an FBI investigation into the mass shooting in San Bernardino last December where Syed Farook and Tashfeen Malik killed 14 coworkers and injured 22 others. The two were killed by police who then recovered a work-issued iPhone 5c assigned to Mr. Farook.

Apple helped the FBI recover as much data as they could through the iCloud account linked to the iPhone, but couldn't unlock the device because the company doesn't have any mechanism for bypassing the lock screen passcode. The FBI has been trying to work around that issue through its court order compelling Apple to create a modified version of iOS that doesn't include the ten-try limit for passcodes, removes the forced time delay between passcode attempts, removes the data self-destruct feature, and adds a way to automate passcode entry attempts.

Apple is fighting the order, saying it falls outside the government's authority, unnecessarily strips away privacy and security, and sets a dangerous precedent where companies could be forced to strip away encryption protection from their products. The company is scheduled to appear in court on March 22 along with the FBI to argue their cases.

In the meantime, Apple is actively working to remove the security weak points the FBI and others have been exploiting to get at our personal data. For iCloud, that's going to be a tricky balance because it could make using the service more difficult for end users.

Currently, Apple holds the encryption keys for iCloud, which makes it possible for the company to reset lost passcodes, and makes using the Web-based versions of Numbers, Pages, and Keynote easy. Taking away its own encryption keys and relying only on users' codes—just as it does with iOS—could make it much more difficult to keep iCloud's Web features easy to access, but would also take away the option to hand over unencrypted backups of our personal data to law enforcement agencies.

Sources speaking with the Wall Street Journal said that's the balancing act Apple is trying to sort out right now. Once Apple sorts that out and updates its iCloud services, law enforcement requests for data from our accounts will get little more than a "We can't do that" response. The trade-off will be that forgotten passwords can't be recovered, and any data stored in our iCloud accounts will be lost forever.

Apple isn't saying what its time frame is for hardening iOS and iCloud security. For iOS, that may include hardware changes in future iPhone and iPad models. For iCloud, however, Apple may be able to beef up security and privacy through server and software updates, and those could come sooner than new mobile device upgrades.

The Mac Observer Spin

The encryption fight is on with the government on one side and our digital privacy and security on the other. Apple is stepping up its game to better protect our data from prying eyes, and hopefully other big tech companies are actively working on doing the same, too.



Scott B in DC

I wish everyone would stop calling it the “encryption battle.” The battle is not over the encryption. The battle is over the security of the infrastructure that supports the encryption. It is a battle of who holds the keys, creates the secure storage to prevent tampering, and the processes to protect that infrastructure. You cannot defeat encryption. It’s math. Math is hard. You cannot defeat the math.

If the encryption can be defeated using cryptanalysis it was a weak equation that did not follow certain rules to make it unbreakable. Otherwise, encryption has not been broken. The keys and passcodes have been figured out using brute force attacks or social engineering. This is why the math is changing to use longer keys, bigger ciphers (buffers), and other methods to make the permutations for a brute force attack more difficult.

“But they figured out that RC4 was weak. How did they do that?” By taking a known message, encrypting it using RC4, use the brute force methods to run various attacks, and study the math to figure out how it is done. But in actuality, they didn’t “break” RC4. They only figured out ways to make the brute force methods more deterministic because of the infrastructure that is required to support RC4. Cryptanalysis showed how to program the short cuts and the rest requires today’s faster processors less time to iterate through fewer steps.

It is not a war on encryption. It’s a war on preventing you from putting a strong lock on your digital front door then asking the company that made the lock to break it because you died before giving away the key. It’s putting a lock on your digital safe that was designed to keep your most valuable valuables safe and asking the safe company to break open the safe with the combination you set. It is a war on your privacy. It is a war on your rights. It is the realization of George Orwell’s “1984” and if anyone does not see that then they deserve the telescreens in their bathrooms!

Benjamin Franklin once said: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

Lee Dronick

  Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither

Ben Franklin

“According to Wittes, the words appear in a letter widely presumed to be written by Franklin in 1755 on behalf of the Pennsylvania Assembly to the colonial governor. “The letter was a salvo in a power struggle between the governor and the assembly over funding for security on the frontier, one in which the assembly wished to tax the lands of the Penn family,” he explains.

The letter wasn’t about liberty but about taxes and the ability to “raise money for defense against French and Indian attacks. The governor kept vetoing the assembly’s efforts at the behest of the family, which had appointed him.”
