Friday, January 20, 2023

Local iOS Backups Repeatedly Prompt for Passcode

Adam Engst:

Instead of preventing AppleMobileBackup from backing up to custom locations without additional permission, Apple chose to mitigate the vulnerability by forcing the user to enter the device’s passcode on every backup or sync connection. And it works: Apple’s new approach prevents the backups from being directed to an unprotected location unless an attacker knows your device’s passcode. If they know the passcode, there’s far worse that they could do with your iPhone or iPad and the data stored on it.

Unfortunately, Apple’s solution is particularly ham-handed because it adds a non-trivial step to every USB or Wi-Fi connection attempt by every iOS/iPadOS user who backs up or syncs locally.

Update (2023-01-21): See also: Hacker News.

3 Comments

Aren’t the device backup passwords saved locally in the Keychain, and automatically filled in when prompted anyway (appearing as dots)?

Glad this issue is getting some much-needed exposure, because it's fucking annoying. My hope that it will be fixed in the near future, however ...

@Gord L Backups are streamed, already encrypted, from the device; there's no need for the Mac to have the password, just to request a backup. The risk is presumably in unencrypted backups, so instead of fixing the problem properly Apple just, let's be honest here, disabled backups for all practical purposes. See the article by iMazing (referenced in the linked Tidbits article) for more details.

Agree this is incredibly annoying, although I only perform weekly backups so at least I’m not constantly dealing with it.

I live in fear of the day Apple decides local backups aren’t a use case they want to support. Hopefully there are enterprise customers that rely on this feature that can keep it alive.
