How to use Apple’s advanced iCloud security tools

Apple recently rolled out new iCloud security features that could help protect mobile professionals when they’re on the road. The features include better iCloud data security, improved iMessage security, and more.

Here is how to use these new iCloud protections.

No one should doubt that protecting personal or enterprise data has become more important than ever. Apple introduced Lockdown Mode for iCloud in 2022, following this up with even more protections in December and, most recently, introducing free privacy and security sessions in Apple retail stores in 2023.

The December collection of iCloud privacy protection tools includes Advanced Data Protection for iCloud, iMessage Contact Key Verification, and Security Keys for Apple ID.

What do they do, and how do you use them?

Apple has always encrypted some of the information you store in iCloud to protect it from prying eyes. With the introduction of iOS 16.3 and macOS 13.2, it locked things down even further, protecting more categories of information and making it possible to decrypt that data only on trusted devices. The caveat is that once you put Advanced Data Protection for iCloud in place, you must also set up an alternate recovery method (device passcode, recovery contact, or recovery key) in case you lose access to your account, because Apple cannot recover the data for you once protection at this level is enabled.

Advanced Data Protection for iCloud encrypts the following additional sets of data that are not otherwise protected: Device backups, Messages backups, iCloud Drive, Photos, Notes, Siri Shortcuts, Safari Bookmarks, Reminders, Voice Memos, and Wallet Passes. These join the 14 categories of data iCloud has always encrypted, including Keychain and Health data.

Mail, Contacts, and Calendar are not covered by Advanced Data Protection, as they need to interoperate with other systems.

iMessages between Apple users have always been end-to-end encrypted, which makes man-in-the-middle surveillance of messages very difficult: without the decryption key, intercepted messages are gibberish. It isn’t impossible to decode these messages, of course, but it is very complex and expensive, and most people don’t need to worry about being targeted in such a way.

But some do. Think about journalists, human rights activists, high-value business users, ministers, and others whose communications may have significant importance.

iMessage Contact Key Verification is for just these users. It will alert them if it suspects a messaging session is being spied on. The feature also offers users the chance to compare a Contact Verification Code in person, on FaceTime, or through another secure call.

Details on this feature are not yet available. It’s possible it will be enabled in System Settings > Password & Security, where a setting will be added.

Some of the most secure entities in business or government use hardware-based security keys to protect critical services, data, or access to information. As Computerworld readers likely know, these consist of a physical device, typically a small dongle, that acts as the key. Each one has a unique identifier and holds a cryptographic key that is required to open the account. When this kind of protection is in place, a user must physically possess the key, connect it to the system they wish to use, and also enter a passcode.

That level of protection is now available to iCloud and means users must have both a hardware key and passcode to access data protected by their Apple ID. Apple explains it as an optional feature designed particularly for high-value targets who need additional protection against phishing or social engineering attacks.

If you enable this feature, two things happen: first, each time you access your account you will need your security key to complete the process; second, when you set up a new device you will no longer receive a 2FA code to authorize access and must use your key instead. This makes you more secure, because there is no code for others to phish out of you and a stolen device alone is not enough to get into your account, and it means you won’t have to rely on sometimes insecure SMS messages.
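To show concretely why a hardware key defeats the phishing and code-relay attacks described above, here is an added Go model of FIDO-style origin-bound challenge-response; it is example code written for this article, not Apple’s or any FIDO vendor’s implementation, and the rpID naming, the simplified signed-data layout, and the placeholder domains are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the hardware key: one private key per site (relying party ID) it enrolled with.
type Authenticator map[string]ed25519.PrivateKey
// Register creates a fresh credential for rpID and returns the public key the site stores.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	a[rpID] = priv
	return pub
}
// signedData binds the challenge to the site by prefixing it with a hash of the rpID.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Assert signs for the rpID the browser derived from the page actually loaded, or refuses if not enrolled there.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), true
}
// Verify is the real site's check: the signature must cover its own rpID and its own fresh challenge.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}
// PhishAttempt: a look-alike domain (fakeRP) relays realRP's challenge; even if the user enrolls the key
// there, the browser reports fakeRP, so the response is bound to the wrong site. Returns (genuine, relayed).
func PhishAttempt(realRP, fakeRP string) (genuineOK, relayedOK bool) {
	auth := Authenticator{}
	pub := auth.Register(realRP)
	auth.Register(fakeRP) // the user falls for the look-alike and enrolls the key there too
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, _ := auth.Assert(realRP, challenge)
	relayed, _ := auth.Assert(fakeRP, challenge) // attacker forwards this to the real site
	return Verify(pub, realRP, challenge, sig), Verify(pub, realRP, challenge, relayed)
}

func main() {
	fmt.Println(PhishAttempt("appleid.example", "appleid-login.example")) // constructed placeholder domains
}
```

A relayed SMS code would pass the same check, since nothing in the code ties it to the domain the user is actually looking at.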

The bad thing?

If you lose your key, things will get weird. (Apple will require you to set up two FIDO Certified keys to use this service, the idea being that you keep one as a spare. You may link up to six keys to your account). You also need to enable 2FA on your account, and to sign into devices like Apple Watch or HomePod you also need an iPhone or iPad that supports the key.

In other words, while the protection is robust, you must really want to use it.

There are other limitations, too — you won’t be able to use iCloud for Windows, won’t be able to sign into older devices and the protection doesn’t work with Managed Apple IDs. That last limitation may be a deal breaker for any company that relies on managed environments.

Apple has a tech note with more information about how to use these keys; it’s available here.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
