Apple launches new Apple ID, iMessage, iCloud security protections

AppleInsiderAppleInsider
Posted:
in General Discussion edited December 2022
Apple has announced a series of three powerful new tools to protect users' most sensitive data, in new iCloud and iMessage features that will be rolling out between now and the end of 2023.




As far back as 2015, Apple was stepping up security with two-factor authentication on the App Store. For 2023, it's implementing a trio of further security options for all users.

"Apple makes the most secure mobile devices on the market," Ivan Krstic, Apple's head of Security Engineering and Architecture, said in a statement. "And now, we are building on that powerful foundation."

"Advanced Data Protection is Apple's highest level of cloud data security," continued Krstic, "giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices."

Apple's three new or expanded data protections are:

  • iMessage Contact Key Verification (coming 2023)

  • Security Keys for Apple ID (coming early 2023)

  • Advanced Data Protection for iCloud (in beta now, US by end of 2022, globally in 2023)

"At Apple, we are unwavering in our commitment to provide our users with the best data security in the world," said Craig Federighi, Apple's senior vice president of Software Engineering. "We constantly identify and mitigate emerging threats to their personal data on device and in the cloud."

"Our security teams work tirelessly to keep users' data safe," he continued, "and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications."

iMessage Contact Key Verification

With the optional iMessage Contact Key Verification, users who enable it will get alerted, says Apple, "if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications."

The same feature also allows users to compare what Apple calls a Contact Verification Code, "in person, on FaceTime, or through another secure call."

Security Keys for Apple ID

This takes Apple's existing two-factor authentication and strengthens it. by require one of those two factors, to be a hardware security key. Users will have the option to use this, and if they choose to, will then also get a choice of third-party hardware security keys.

"This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government," says Apple.

Advanced Data Protection for iCloud

Multiple categories of iCloud data, such as passwords in iCloud Keychain and health information, are already protected using end-to-end encryption. Once the new feature is available, users can choose to encrypt a further 9 categories.

Those new categories include iCloud Backup, Notes and Photos. Apple notes that only iCloud Mail, Contacts, and Calendar remain without end to end encryption, and says it's because of "the need to interoperate with the global email, contacts, and calendar systems."

Craig Federighi
Craig Federighi

Why Apple is adding extra security now

The Wall Street Journal's Joanna Stern asked Federighi why Apple has chosen now to do this, when security experts have been calling for it for years. He replied that Apple has been consistently working on the issue.

"Some of the steps we took over a decade ago and designing iCloud and the way we encrypted were necessary precursors to build toward this moment," he said, "and using end to encryption for the other types of data like passwords and browser history and so forth, help [improve] that technology."

Read on AppleInsider
nzugwcneoncatFileMakerFeller

Comments

  • Reply 1 of 11
    jas99jas99 Posts: 149member
    Bravo, Apple. 
    nzugwcwatto_cobratyler82JaiOh81
  • Reply 2 of 11
    bluefire1bluefire1 Posts: 1,302member
    Bravo, Tim.
    watto_cobraJaiOh81
  • Reply 3 of 11
    boboliciousbobolicious Posts: 1,146member
    "the need to interoperate with the global email, contacts, and calendar systems"
    A fuller explanation of this would be helpful, and if there is a complete and clear opt out option...
    Does S/MIME fit in to this...?  Core ML derivative data and the Siri 'learn from this app' that is on by default ?
    Does Apple also have a key to every iCloud account...?
    edited December 2022 appleinsideruser
  • Reply 4 of 11
    rob53rob53 Posts: 3,251member
    Third-party hardware security keys—it’s about time. I used RSA token hardware 29-30 years ago. I would live an Apple “copy” of RSA’s rotating keys using an iOS app connecting to an Apple server. 
    JaiOh81
  • Reply 5 of 11
    CalamanderCalamander Posts: 86member
    rob53 said:
    Third-party hardware security keys—it’s about time. I used RSA token hardware 29-30 years ago. I would live an Apple “copy” of RSA’s rotating keys using an iOS app connecting to an Apple server. 
    FWIW All RSA devices were compromised at some point. All hardware devices had to be replaced. 

    Likely today all these contain state actor backdoors, which then are obviously also found by other actors... 

    That being said, 2FA is a good thing in general, and I am pretty sure Apple will do a good job on it. 

    The most interesting statement up there is about state actors. Apple realized in 2013 with the Snowden files that all their servers were compromised. The NSA literally had a backup of every single server at Apple and google, and could do that very easily by intercepting traffic on the backbone which corporations used to sync data across data centers. 

    I remember one of Apple's senior members saying - our security was designed to defend against hacking groups and botnets - not against state level actors! 

    I would think Apple would actually try, and potentially succeed making iMessage impenetrable by state adversaries, also their end to end system is basically the best on the planet. No one else has end to end security that works as seamlessly as iMessage. 

    Whtsapp and Signal lose all history when switching devices or when a device is lost - Apple has E2E that can onboard and offboard devices without losing data. That's really impressive. 

    I guess the main threat to Apple devices at this point is the endless flood of new zero day exploits. I don't think that can be fixed - millions of zero days still lie hidden in code that is sometimes many decades old. Other than rewriting their entire stack from scratch, there's no way to find all these before hackers do. 

    Maybe that's what they should do? I mean they have 100s of Bns in profit a year...
    h4y3s
  • Reply 6 of 11
    radarthekatradarthekat Posts: 3,842moderator
    Calamander said:
    rob53 said:
    Third-party hardware security keys—it’s about time. I used RSA token hardware 29-30 years ago. I would live an Apple “copy” of RSA’s rotating keys using an iOS app connecting to an Apple server. 
    FWIW All RSA devices were compromised at some point. All hardware devices had to be replaced. 

    Likely today all these contain state actor backdoors, which then are obviously also found by other actors... 

    That being said, 2FA is a good thing in general, and I am pretty sure Apple will do a good job on it. 

    The most interesting statement up there is about state actors. Apple realized in 2013 with the Snowden files that all their servers were compromised. The NSA literally had a backup of every single server at Apple and google, and could do that very easily by intercepting traffic on the backbone which corporations used to sync data across data centers. 

    I remember one of Apple's senior members saying - our security was designed to defend against hacking groups and botnets - not against state level actors! 

    I would think Apple would actually try, and potentially succeed making iMessage impenetrable by state adversaries, also their end to end system is basically the best on the planet. No one else has end to end security that works as seamlessly as iMessage. 

    Whtsapp and Signal lose all history when switching devices or when a device is lost - Apple has E2E that can onboard and offboard devices without losing data. That's really impressive. 

    I guess the main threat to Apple devices at this point is the endless flood of new zero day exploits. I don't think that can be fixed - millions of zero days still lie hidden in code that is sometimes many decades old. Other than rewriting their entire stack from scratch, there's no way to find all these before hackers do. 

    Maybe that's what they should do? I mean they have 100s of Bns in profit a year...
    Well, not quite 100s of billions in profit each year.  But yeah, huge absolute profits in the many tens of billions of profits each year.  
  • Reply 7 of 11
    mc1rmutantmc1rmutant Posts: 7member
    Calamander said:


    Whtsapp and Signal lose all history when switching devices or when a device is lost ...
    FYI: Signal has had a migration tool built into the app for several years now. I've done at least three or four annual iPhone upgrades without losing any of my data.
    FileMakerFeller
  • Reply 8 of 11
    JaiOh81JaiOh81 Posts: 60member
    And the fbi is already crying about this 
    waveparticle
  • Reply 9 of 11
    waveparticlewaveparticle Posts: 1,497member
    Who is going to be affected most by this? China or US? The answer is US. US is world's most snoopy nation. LOL
    FileMakerFeller
  • Reply 10 of 11
    FileMakerFellerFileMakerFeller Posts: 1,546member
    The Wall Street Journal's Joanna Stern asked Federighi why Apple has chosen now to do this, when security experts have been calling for it for years. He replied that Apple has been consistently working on the issue.
    Because of course the "security experts" have only been calling on Apple to do this.
    /s
  • Reply 11 of 11
    22july201322july2013 Posts: 3,570member
    Don't forget that Apple also complies with all local laws, so if any local law prohibits a security feature, it likely won't be rolled out there. I suspect that many countries won't allow some of these features. Apple already blocks some iOS features (and apps) in dictatorships like China, in order to "comply with local laws."

    So the irony is that these new security features won't be available in the countries where they are most sorely needed, but will be available in the countries where they are least needed.
Sign In or Register to comment.