iCloud is Apple’s cloud storage and computing platform. It was launched in October 2011. Today, it has more than 782 million users. However, it has suffered from breaches in the past which may leave you wondering whether iCloud has gotten safer. We’ll see below whether you can trust Apple’s cloud security with your private data.
iCloud provides users with cloud storage to host all kinds of data and more or less backs up your iDevices. In addition, it’s also a platform for Apple’s email servers and calendars. It also provides an API for third-party programmers looking to implement iCloud in their apps. You can read about the file-hosting service in our iCloud Drive review.
However, not everything was always fine for iCloud and iCloud Drive. Security was lacking because connections to the iCloud servers were vulnerable to man-in-the-middle attacks, and there was the famous breach, of course; these are only some of the reasons why the service scored so low amongst our best cloud storage providers.
The Fappening: A Security Fail
In August 2014, nude photos of multiple nude celebrities started circulating on the internet. It was concluded that the photos had been stolen from their respective iCloud accounts. The hacked celebrities included Jennifer Lawrence, Ariana Grande, Kate Upton, Kaley Cuoco and many others; the whole affair quickly gained the name of “the fappening” (because, well, you know, just read our best VPN for porn piece for penis-related jokes).
However, Apple quickly dismissed the claims and stated that no one had technically hacked its system. Instead, the company has stated that those celebrities targeted were victims of a phishing attack.
Phishing is a method in which careless users are fooled into giving up their credentials. Usually, this happens because they are led to believe they are communicating with an authorized person rather than a cybercriminal. Even though Apple provided a two-step verification process, a good way to thwart phishing, it was difficult to access and rarely used by iCloud’s users.
Subsequently, Tim Cook, Apple’s CEO, promoted the use of two-factor authentication days after the attack. When someone tries changing an account password, restoring iCloud data to a new device, or when a device logs into an account for the first time, Apple will alert users through email and push notifications, according to The Wall Street Journal.
On top of that, Apple increased users’ awareness about the importance of creating a strong password and the dangers of hackers trying to target their accounts.
Apple’s Security Improvements
Apple did increase its security measures, starting with patches after the breach, and its two-factor authentication represents a standard feature, today. Using it, whenever you try to sign into iCloud on a new device for the first time, you’ll be asked to provide your password and a six-digit code (a complex alphanumeric code, or a generated random code). If your device is “trusted,” the code is displayed automatically.
Even better, when you use built-in apps (Mail, Contacts and Calendar on iOS or macOS) to access iCloud services, authentication is handled by using a secure token. Utilizing it, there’s no need to store your iCloud password on your computer and devices.
When data travels between your device and server, it’s protected with a TLS/SSL tunnel using 128-bit AES. It’s not the best AES encryption algorithm (there’s the AES 256-bit), but it’s safe for the foreseeable future.
At-rest, your data is also encrypted, but Apple doesn’t provide the information about what encryption level it uses. There’s also no information on whether it encrypts metadata, but since the company doesn’t employ zero-knowledge encryption, it’s reasonable to assume it doesn’t. File metadata is often used for indexing, helping to speed up file movement.
Zero-knowledge would theoretically prevent even Apple’s employees from reading your data. That’s a big bonus, even if Apple leadership isn’t very cooperative with law enforcement in general. Technically, your password could still be stolen via a phishing attack, of course, so keep that in mind with what we say next.
iCloud Keychain and Password Security
First, while zero-knowledge encryption is not natively available for the whole of your iCloud account, it is available for the iCloud Keychain. iCloud Keychain manages your passwords, credit card number and others sensitive information in iCloud.
Keychain can also keep the accounts you use in Mail, Contacts, Calendar and Messages up-to-date across your Mac computers. When you sign into Facebook, Linkedin, Twitter and other internet accounts, iCloud will automatically add your usernames and passwords to all devices that you’ve approved.
iCloud and Boxcryptor
Going back to iCloud file encryption, there is a third-party option if you want to add zero-knowledge security to your account: Boxcryptor. Boxcryptor provides zero-knowledge protection for services that don’t typically offer it, not just iCloud, but Google Drive, Dropbox and OneDrive, too.
Check out our Boxcryptor review for more information on that service, what it costs and how you can use it to secure your iCloud data. You can also try out a free version capable of protecting one cloud service and two devices.
iCloud and End-to-End Encryption
iCloud provides end-to-end encryption, as well, which is a type of encryption that’s designed to prevent third parties from reading your data. Only those communicating directly have access. Home data, iCloud Keychain, payment information, Siri and WiFi network information are stored using end-to-end encryption. You need to have two-factor authentication enabled to be able to use it, though.
Messages in iCloud also use end-to-end encryption. If you turn iCloud backup on, you will have a copy of the key protecting your messages included in your backup. This enables you to recover your messages if you’ve lost access to iCloud Keychain and your trusted devices (iPhone, iPad, or iPod touch with iOS 9 and later). If you turn off iCloud Backup, a new key is generated on your device and it’s not stored by Apple.
You can also control how your documents, photos, health information and other data are shared between your devices and iCloud. Individual iCloud services can be turned on or off. In iOS, you can find these in iCloud settings. On a Mac, go to the iCloud section of System Preferences
iCloud Drive has improved greatly in recent years, but it still isn’t the most effective tool in the shed. Sync speeds are far from impressive, sharing is tailored to Apple’s apps and it doesn’t offer zero-knowledge encryption natively.
If you require a service that improves upon that, read our best zero-knowledge cloud storage services overview or refer to our article about the best storage for Mac.
Apple iCloud still struggles with backup, too, as it doesn’t provide features that the competition does, and backup processes can hang and appear bugged. We’ve a list of the best backup for Mac if you wish to stop using iCloud as backup.
Do you think the security upgrades make iCloud safe enough? What’s your preferred cloud storage and backup service? Let us know in the comments below. Thank you for reading.