Archive for December 7, 2022

Wednesday, December 7, 2022

Advanced Data Protection for iCloud

Apple (MacRumors, Hacker News):

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.

[…]

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.

John Gruber:

It’s off by default, primarily, I believe, for customer support reasons. With standard iCloud data protection, customer data is encrypted in transit and in storage on iCloud’s servers, but Apple holds keys that can be used for recovery in case a customer loses access to their account.

I’m guessing it also can’t be enabled if your account has devices with older OS versions, though I haven’t seen any documentation about this.

Apple:

Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.

With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 23 and includes your iCloud Backup, Photos, Notes, and more.

This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in.

If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key.

It seems not great that it’s all protected by the device passcode. Mine is shorter than I’d like because I have to thumb-tap it in frequently when Face ID fails. Presumably there’s a key stored in the cloud in case I lose all my devices, and I wish that could be encrypted with a longer password. [Update (2022-12-08): Apple doesn’t quite say this in writing, but the video with Federighi strongly implies that a passcode is not enough; if you lose your trusted device you need a recovery contact or recovery key.]

Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.

[…]

iWork collaboration, the Shared Albums feature in Photos, and sharing content with “anyone with a link,” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are securely uploaded to Apple data centers so that iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.

[…]

When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows the web browser that you're using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.

Robert McMillan and Joanna Stern:

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

[…]

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said.

Possible next steps:

Update (2022-12-14): Rosyna Keller:

The new optional end-to-end encryption features require that you have all devices using an iCloud account be on iOS 16.2/macOS 13.1/watchOS 9.2/audioOS 16.2/iCloud for Windows vNext/et fam or later. If a device doesn’t comply, you must de-iCloud it.

Matthew Green (tweet):

While every single one of these is exciting, one announcement stands above the others. This is Apple’s decision to roll out (opt-in) end-to-end encryption for iCloud backups. While this is only one partial step in the right direction, it’s still a huge and decisive step — one that I think will substantially raise the bar for cloud security across the whole industry.

[…]

I am struggling to try to find an analogy for how crazy this is. Imagine your country held a national referendum to decide whether most citizens should be compelled to photocopy their private photos and store them in a centralized library — one that was available to both police and motivated criminals alike. Would anyone vote in favor of that, even if there was technically an annoying way to opt out? As ridiculous as this sounds, it’s effectively what we’ve done to ourselves over the past ten years: but of course we didn’t choose any of it. A handful of Silicon Valley executives made the choice for us, in pursuit of adoption metrics and a “magical” user experience.

[…]

I wish I could tell you that Apple’s announcement today is the end of the story, and now all of your private data will be magically protected — from hackers, abusive partners and the government. But that is not how things work.

Dan Moren:

But as good as those protections are, there are still a few more places where the company could enact additional security and privacy measures to help make sure that your data stays in your control.

Sami Fathi:

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” Speaking generally about end-to-end encryption like Apple’s Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests “lawful access by design.”

See also: MacRumors, Slashdot, TidBITS.

Security Keys for Apple ID

Apple (MacRumors):

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

Apple (via Maxwell Swadling):

A recovery key is a randomly generated 28-character code that you can use to help reset your password or regain access to your Apple ID. While it’s not required, using a recovery key improves the security of your account by putting you in control of resetting your password. Creating a recovery key turns off account recovery. Account recovery is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password.

Apple Abandons CSAM Scanning

Apple (via MacRumors):

After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021. We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.

This is kind of surprising because it seemed designed to work on-device, alongside the end-to-end encrypted iCloud Photo Library that just arrived.

Lily Hay Newman:

The company told WIRED that while it is not ready to announce a specific timeline for expanding its Communication Safety features, the company is working on adding the ability to detect nudity in videos sent through Messages when the protection is enabled. The company also plans to expand the offering beyond Messages to its other communication applications. Ultimately, the goal is to make it possible for third-party developers to incorporate the Communication Safety tools into their own applications.

Update (2022-12-14): See also: Slashdot.

MarsEdit 5

Daniel Jalkut (tweet):

MarsEdit 5 features a beautiful new icon, a “Microposting” feature for streamlined short-form blogging, enhanced plain-text editing with built-in Markdown syntax highlighting, a completely rebuilt rich text editor based on Apple’s latest WebKit2 technologies, and a variety of nuanced improvements to make your blogging workflow smoother, and more enjoyable than ever.

It costs $59.95 for new users or $29.95 to upgrade.

I like the new find bar and the smaller font for the metadata at the top of the window, as this lets me see more tags before they get clipped.

The new New Micropost command has a default shortcut of Command-Control-P, which overrides my longstanding shortcut for formatting with <p> tags. I was able to change that in System Settings, and then my shortcut worked again.

The Edit with BBEdit feature seems to be broken—MarsEdit doesn’t detect when I close the BBEdit window—but hopefully can be fixed soon. (I think it’s an interaction between BBEdit’s sandboxing and MarsEdit’s new bundle identifier.)

Update (2022-12-14): Daniel Jalkut:

It’s been an exhilarating week releasing @MarsEdit 5. The last thing I expected was that I’d be facing the end of the week still wondering why the app is stuck in Mac App Store app review. Unfortunately I don’t know when or if it will be approved. The opacity is very frustrating.

Daniel Jalkut:

MarsEdit 5.0.1 is now available on the MarsEdit site and on the Mac App Store.

BBEdit 14.6.2:

Added MarsEdit 5’s bundle ID to the sandboxing entitlements, so that its “Edit in BBEdit” support works correctly.