Advanced Data Protection for iCloud

"It seems not great that it’s all protected by the device passcode." I don't think this means what you seem to think it means. Everything on your device is protected by the device passcode, including, I presume, an iCloud recovery key stored on your device. But the iCloud recovery key is cryptographically strong. If you lose access to your Apple ID account, then the only way to recover your iCloud is via one of your own devices. The point is that you can recover with your device even without your Apple ID.

@Jeff I’m talking about losing access to my device, not losing access to my account. Are you saying that if I only have one phone and I lose it, everything is gone forever even if I know my passcode? I presumed that they were still keeping the key in the cloud for recovery, encrypted with the passcode.

"I’m talking about losing access to my device, not losing access to my account." But that's not what the Apple document was talking about: "If you lose access to your account". And the Fleishman article was talking about enrolling a new device, where the first step is to sign in successfully with your Apple ID, so that can't be the same process as this, if you've lost access to your Apple ID.

Unfortunately, System Settings is so bad that there is no way I can update to Ventura for these protections. These kinds of things should be backported, especially since they just cut off support for a number of Macs that are still completely usable.

@Jeff My original claim was based on logic, not a document. I don’t think they would remove the recovery feature, and they didn’t mention another password or mechanism, so I assume they are using the device passcode unless they publish something that says otherwise. It seems like you are disagreeing and saying that there is now no way to do recovery without a trusted device, but I don’t know what you are basing that on.

@Brad Yeah, I would like to know what the plan is for older devices and OS versions. Are you not allowed to enable Advanced Data Protection if any older devices are signed in? Or do they get to sign in but lose access to certain classes of data?

This is why Advanced Data Protection is disabled by default. The user has to take all responsibility for recovery. When you enable ADP, Apple forces you to choose a recovery contact or recovery key. Thereafter, you can only recover with a trusted device or with your chosen recovery method. You said "Presumably there’s a key stored in the cloud in case I lose all my devices", but I don't see the basis for that presumption.

I am pleased, despite myself, and that awful bug. Good of Apple to look after recurring revenues with the speed and alacrity that they don't for usable encrypted local backups that they just casually broke, eh?

This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in.

Mmm, but Apple can still decide what keys a conversation participant will correspond to, and thereby insert themselves (on behalf of the fuzz) into your exchanges. We've got to have indicators of keys and user-managed trust, to fix that.

"Apple can still decide what keys a conversation participant will correspond to, and thereby insert themselves (on behalf of the fuzz) into your exchanges. We've got to have indicators of keys and user-managed trust, to fix that."

Those features are literally included in the same announcement, as iMessage Contact Key Verification.

> Conversations between users who have enabled iMessage Contact
> Key Verification receive automatic alerts if an exceptionally
> advanced adversary, such as a state-sponsored attacker, were
> ever to succeed breaching cloud servers and inserting their own
> device to eavesdrop on these encrypted communications. And for
> even higher security, iMessage Contact Key Verification users
> can compare a Contact Verification Code in person, on FaceTime,
> or through another secure call.

"This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in."

Which should be expected and unsurprising: you're sending someone else data, and it's then their responsibility to protect that data as they see fit. That'd even be the case if you sent someone an RSA encrypted email, as there's nothing stopping them from decrypting it and saving the plaintext on their drive. This also mirrors some other collaboration cases:

> Advanced Data Protection is designed to maintain end-to-end
> encryption for shared content as long as all participants have
> Advanced Data Protection enabled. This level of protection is
> supported in most iCloud sharing features, including iCloud
> Shared Photo Library, iCloud Drive shared folders, and shared
> Notes.

@Jeff That’s a possible interpretation, but it could also just be that the recovery contact/key requirement is because Apple being able to reset your account is incompatible with E2E, so they are forcing you to use the same more secure recovery that was available before. The basis for my presumption is that: (1) they say that you need your passcode but don’t say you need a device, (2) they don’t warn that losing your lone device means you would lose your data, (3) I think they are much more worried about people losing data than having a less secure key.

@Person It is kind of surprising, e.g. the part I quoted about how iWork Collaboration and shared albums are not E2E even if all participants have it enabled.

"(2) they don’t warn that losing your lone device means you would lose your data"

They don't because that's not true. You have a recovery contact or a recovery key.

@Jeff They also say that you need your passcode or a recovery contact or recovery key, which to me implies that the latter two are optional.

"They also say that you need your passcode or a recovery contact or recovery key, which to me implies that the latter two are optional." Yes, your passcode on a trusted device.

@michael Tsai - It's worth the 6 mins to listen to Ferdereghi explain it here https://www.youtube.com/watch?v=M4ZOkWaDxfw

I believe you can get yourself in a situation where you are totally dependant on a single device however you can set a recovery key that you hold, and Apple doesn't, which doesn't require the device and there is also the idea of a recovery person who can (and it's not exactly clear how) help recover your account. At least that's what I got from what Craig said.

Default is for Apple to hold the keys, as they do now, so you can hope that Apple will be willing to unlock your account.

The Platform Security Guide was also updated yesterday with more details, and yes it requires the latest OSes on all devices: "Devices where the user is signed in with their Apple ID must be updated to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, and the latest version of iCloud for Windows. This requirement prevents a previous version of iOS, iPadOS, macOS, tvOS, or watchOS from mishandling the newly-created service keys by re-uploading them to the available-after-authentication HSMs in a misguided attempt to repair the account state."

https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web

@Liam Thanks. Yes, the video strongly implies that Apple stores the key encrypted with the recovery key and/or something from the recovery contact. So it is more secure than only requiring your passcode, and if you lose your devices, your recovery contact, and your recovery key you are out of luck.

@Brendan I suppose this means those of us who do testing with previous OS versions will need to create separate test Apple IDs.

Re: "recovery contacts", I'd really like to see Apple embrace 3rd party folks like myself whom, while perhaps "professional" I.T. in our day jobs, often end up moonlighting as I.T. staff for family and friends (or, in my case, also my day job!), such that we could be listed as "proxy" agents on an Apple ID. Yes, I realize this could become a vector for fraud and abuse, however I'd be willing to pay the (ubiquitous) Apple $99 "tax" to be an "Apple Specialist" or "Apple Expert" or whatever they want to call me, and get vetted, if there would be an all-in-one place for me to be invited and act as a "recovery contact", "Legacy contact", official AppleCare point of contact, and account password resetter for "clients". Because I'm dealing more and more with older Apple users—and, not to be agist, but also many younger!—who simply cannot navigate all the intricacies of the various "features" that Apple has rolled out over the past decade. Anyone who has had the displeasure of trying to get back into a "lost" Apple ID "protecting" an iCloud Photo Library of their life, multiple that by 10+, and that's my life. And those who would say "Just have them call Apple" or "Go to an Apple Store", you've clearly not actually watched how that unfolds in real life. Apple isn't as bad as Google (who moronically uses "what date did you open your Google account" as a security mechanism, without actually TELLING users they should be notating that information when they sign up), but it is often frustrating, heartbreaking, and anxiety-inducing working with these poor folks who simply cannot remember all the passcodes, passwords, and 2FA codes/pop-ups they get. (How many others of you have seen dozens of crossed out 6-digit 2FA codes in that 'little book' of passwords next to the word: "Password"??) Because while it is nice, GREAT that Apple is doing these things, users aren't always discovering them, often not, and, from my humble experience, usually not until too late. And even if they do discover them, they simply don't understand what they/do, nor fully grasp the extent of the repercussions of losing/failing to notate that information.

Has anyone been able to access iCloud.com from a Windows PC web browser after turning on ADP? I can access the Calendar (because that's not encrypted), but to access Photos and Notes it says it will send an "access request" to one of my trusted devices -- presumably my iPhone, iPad, or Macbook Pro which are all up to date. But I receive nothing. However when I try to access iCloud.com from Chrome on my Mac, it works fine... though it's completely pointless because a Mac already has dedicated apps for Notes and Photos. Surprisingly, I cannot find anyone else having the same problem when I search Google. My PC is totally up to date and has the latest version of iCloud 14.1

The error that I see in Chrome on Windows 11 is: "There was no response to the request sent to your devices. Your photos can’t be displayed until you grant iCloud.com access from one of your devices."

I do not have the same problem with Apple's regular 2FA, where it prompts me to approve access via my iPhone and gives me a 6-digit passcode to enter. Something is strange with the access to iCloud.com from a PC if ADP and web access are enabled. Surely this would have been the most popular use case to test, since accessing iCloud.com from an Apple device is pointless.