Archive for February 21, 2025

Friday, February 21, 2025

Apple Pulls iCloud Advanced Data Protection From UK

Zoe Kleinman (Hacker News):

Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data.

Advanced Data Protection (ADP) means only account holders can view items such as photos or documents they have stored online through a process known as end-to-end encryption.

[…]

Apple would not comment on the notice and the Home Office refused to either confirm or deny its existence[…]

[…]

It is not clear that Apple’s actions will fully address those concerns, as the IPA order applies worldwide and ADP will continue to operate in other countries.

John Gruber:

More insidiously and outrageously, they are apparently forbidden by UK law, under severe penalty (imprisonment), from even informing the public about this demand, or, if they were to comply, from telling the public what they’ve done.

[…]

Re-read Apple’s statement above, which I’ve quoted in full, including the hyperlink. What stands out is that Apple is offering no explanation, not even a hint, why the company “can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature”. On issues pertaining to security and privacy, Apple always explains its policies and features as best it can. The fact that Apple has offered no hint as to why they’re doing this is a canary statement of sorts: they’re making clear as best they can that they’re under a legal gag order that prevents them from even acknowledging that they’re under a legal gag order, by not telling us why they’re no longer able to offer ADP in the UK.

Matt Birchler:

It is crazy that Apple would seemingly rather close down the company than let people install apps from outside the App Store, even running an extended PR campaign against it, but they roll over immediately for this.

Even if they didn’t want to risk acknowledging the notice—which I was hoping they would—you’d think Apple could say something in general about the law and the process. On the other hand, I guess Apple is so far doing more than other companies that presumably also received the notice. Are they silently building in backdoors?

Tim Hardwick:

Note that the loss of Advanced Data Protection in the UK does not affect the existing end-to-end encryption of several other Apple features available in the country, including iMessage, FaceTime, password management and health data.

Dan Moren:

As of February 21, users in the country can no longer enable the feature; those users who currently have it on will have to disable it in the near future.

[…]

According to Apple, this change won’t affect data that is end-to-end encrypted by default, such as health data and iCloud Keychain. That does, however, leave one longstanding loophole: though Apple’s Messages in the Cloud system is end-to-end encrypted, the encryption key for those messages is backed up in iCloud Backups, for which Apple holds the keys. Those are, in turn, accessible to law enforcement under the proper procedures.

Icons in Passwords.app and App Privacy Report

Mysk:

The Passwords app now categorizes the network requests to download the icons as “websites visited in app” and this way the number of requests sent isn’t included in the main count in the #privacy report.

This new categorization makes the requests less visible to privacy-conscious as the app won’t show spikes of 130+ requests as we demonstrated before in iOS 18 and iOS 18.2.

[…]

iOS still doesn’t provide an option to disable downloading the icons, which is the best way to tackle this issue.

[…]

If the app directly contacts the websites, which is the case with Apple Passwords, the app might be at risk of receiving a malicious payload from remote web servers.

It was using unencrypted HTTP, but that’s fixed in iOS 18.2.

Orion’s Password Manager

Kagi:

Orion includes a built-in Password Manager that makes it easy to store and automatically fill your usernames and passwords.

[…]

As an alternative to importing passwords from Safari into Orion, you can also access your Safari passwords in Orion directly. To enable this, first go to Orion > Settings > Passwords, and then disable the Use Orion’s Keychain checkbox.

However, I don’t think there’s a way for Orion to add new entries to the Apple password manager.

Orion 130 (tweet, issue):

Added support for passkeys on macOS 14+ to enhance secure authentication.

Secrets 4.4 and Passkey Credential Exchange

Paulo Andrade (Mastodon):

One major issue preventing some users from adopting [passkeys] is that neither Apple’s Passwords app nor many password managers offer an option to export them, making it harder to switch platforms or password managers.

Secrets, on the other hand, has always allowed users to export any passkeys it stored. However, since no other password manager could import them, this feature was primarily useful for backups rather than migrations.

The good news is that the FIDO Alliance has been working on a standard to address this issue, and Apple has shipped its initial implementation in iOS 18.2 and macOS 15.2.

[…]

As of this writing, Secrets supports importing items exported from eight different password managers. That requires a lot of code and reverse engineering to handle mostly undocumented file formats.

With this new API, password managers that adopt it will become compatible with each other.

[…]

Additionally, given the preview nature of this API, Apple still has it behind developer toggles[…]

See also: Miles Wolbe.
