(Bloomberg) -- Apple Inc. is upgrading security protections on its devices, adding the ability to encrypt iCloud data backups for the first time alongside new safeguards for iMessage and account logins.
The most significant new feature, Advanced Data Protection for iCloud, will end-to-end encrypt the storage of iCloud backups — a nearly full copy of the data on a user’s iPhone and iPad — in addition to notes, photos, files, voice memos and messages. Previously, only some features, such as health data, passwords and payment information, were end-to-end encrypted.
End-to-end encryption means that the encryption keys are stored only on a user’s devices instead of in data centers. As a result, a hacker who breaches a server can’t obtain the decryption key and use it to access a user’s data.
The changes help fulfill longstanding customer requests and bolster an iCloud services business that has been a growth area for Apple in recent years. The iCloud offerings helped contribute to more than $78 billion in services sales for the company in the last fiscal year, up 14% from 2021.
While Apple’s physical devices — like iPhones, iPads and Macs — already offer high-end encryption and advanced security tools, cloud storage has long been seen as more vulnerable. The latest moves aim to close that gap. Still, the end-to-end encryption won’t support iCloud email, contacts and calendars. The company said that’s because those features rely on legacy technologies and are used within third-party apps.
In the Messages app, Apple is adding Contact Key Verification. This feature, which is also offered by encrypted messaging apps like Signal, will let users verify who they are messaging with. The mechanism shows both texters the same code, which they can use to confirm each other’s identities. The Messages app will notify users if a contact’s code changes so they can verify it is indeed still the same person.
“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications,” Apple said in a statement.
In some cases, there are trade-offs to using the enhancements. The extra security in iCloud means that Apple can’t restore a user’s account because it no longer holds the encryption key. Instead, a user would need to use a recovery contact or save a recovery key. Another compromise: Access to iCloud data via the web needs to be manually enabled.
Apple is also joining companies such as Alphabet Inc.’s Google in offering support for physical security keys for logging into accounts. This feature will allow users worried about online threats to have a physical key inserted into their devices — in addition to using their Apple account password — before they can log in. This would replace a notification or text message with a code, the most common form of two-factor authentication for online accounts.
Both the new iCloud and iMessage features are launching for all US users this month and will begin rolling out globally next year, Apple said. The physical security key feature is also coming next year. The first two features will come as part of iOS 16.2, iPadOS 16.2 and macOS Ventura 13.1. New beta versions with support for the enhancements were released Wednesday.
Along with the new security features, Apple said it’s fully canceling a plan to apply detection of child sexual abuse material, or CSAM, to photos stored in iCloud. The company first announced that plan last year, but then paused the launch after an outcry from security researchers and privacy advocates. The company has, however, launched CSAM detection in its Messages app and added new features in Siri to educate users about the issue.
“We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos,” the company told Wired, adding that it is deepening its investment in communication safety features. “Children can be protected without companies combing through personal data,” Apple said, and it will continue working on ways to protect children and preserve their privacy.
(Updated with Apple fully canceling child abuse image scanning plan in 11th paragraph.)
©2022 Bloomberg L.P.