Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Many iOS Encryption Measures 'Unused,' Say Cryptographers
- Thread starter MacRumors
- Start date
- Sort by reaction score
I use a NextCloud server who respects privacy. I prefer not to mention the server I'm using.
There's many options including setting your own and using wireless sync.
And don't give access to your Contact List to apps like WhatsApp!
Or just long-press the power button, until you get the "slide to power off". If you hit cancel, it will remain on, and accept phone calls. But you will need to enter the Passcode to wake up the computer aspects of the phone again. The same end result, but at least in my opinion more convenient.
Anyone that believes that virtue signalling needs a slap around the face. I'm not saying they're any worse than anyone else either, just that they aren't the angelic company they market themselves to be.
This method also prevents the emergency SOS call from being triggered, which you definitely need to be careful about.
It doesn’t matter. Because the law seems to allow your contacts to agree to sell your personal contact information without your consent. And if enough of your contacts do that, those third parties have a pretty good idea of who you are and who you know anyway.
What ”spin”? (edit: please be specific and cite facts)
What lie? (edit: please be specific and cite facts)
Last edited:
In theory, the sky could fall as well.. Lets be realistic here...:-
We all want the best security because at some point in time it "may" happen. If everyone was more trustworthy, then it would be different.
Its an attempt to get at it because its less secure area.... At some point it must be less secure/decrypted in order to retrieve/seen by the user.
We all want the best security because at some point in time it "may" happen. If everyone was more trustworthy, then it would be different.
Its an attempt to get at it because its less secure area.... At some point it must be less secure/decrypted in order to retrieve/seen by the user.
Last edited:
What virtue signaling? I ask because virtue signaling is about looking good, not doing good.
To be clear. You have plenty of privacy if you use iCloud. Just not when you use the backup portion of iCloud.
Does anyone actually believe Apple surrounding message privacy? It’s like Snowden never happened... what, did the NSA just give up after that?
Right, and you would be the first one to hire a lawyer and sue Apple if your data was compromised becasue YOU chose to turn off security measures.
Why have you sent that link in response to people who question things?iCloud data security overview – Apple Support (UK)
iCloud uses strong security methods, employs strict policies to protect your information and leads the industry in using privacy-preserving security technologies, such as end-to-end encryption for your data.support.apple.com
iCloud Device Backups are NOT end to end encrypted. This is indisputable. Therefore if you use iCloud Device Backups on iOS, in theory these are accessible to people other than yourself.
Furthermore: "Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages." so if you use iCloud Backup and Messages in iCloud, neither are really that protected.
The generic "other people" cannot access your icloud backup. Your icloud backup can be made available to authorized parties with the proper legal documentation. "Hackers" cannot decrypt your icloud backup, unless they hack the server where the keys are stored.
I wasn't disputing the (non) E2EE claim. My point is that comments such as "neither are really that protected" are misleading. This isn't Facebook or one of its "partners." Apple has implemented layers, almost all encrypted in some way.
What @I7guy said plus more...
Apple, FBI and iPhone Backup Encryption: Everything You Wanted to Know
Shame on us, we somehow missed the whole issue about Apple dropping plan for encrypting backups after FBI complained, even mentioned in The Cybersecurity Stories We Were Jealous of in 2020 (and many reprints). In the meantime, the article is full of rumors, guesses, and unverified and technically du
blog.elcomsoft.com
P.S. As you say, "in theory these are accessible to people other than yourself." True, but how many news reports of Apple being breached, which doesn't include phished iCloud/Apple ID accounts, or evidence of employee misconduct with user data have we seen? I don't recall any.
Last edited:
Yeah, but let's translate this into real world terms... Relatively few iOS users choose a very long and secure passcode. Far fewer are willing to do so at a time when mask use renders FaceID useless. And forget about "three letter agencies." State and municipal law enforcement now have access to devices that can help hack an iPhone, and if we've learned anything in the last few months and years it's that the law enforcement community cannot be trusted with the powers and privileges they already have.
I get the challenge from Apple's perspective. Balancing security, convenience, and ease of use is a very hard problem. But they should offer higher levels of security (with appropriate warnings about the risks of total data loss) to those who want it.
Well, pure PR from the Security Researcher....
Matthew Green is a highly respected security expert.
Fair counter.
Again, I get the need and that there are many possible implementations, and Apple could look into improving theirs (possibly).
For example, in the first full-scale programming course assignment/project we had, I implemented a system with three links of security. Basically, the only way to reveal user encrypted data was if you had the full database, client software source code, and user's password. Not even the database owner could easily view users' passwords. In fact, they'd need the client software source code and full database just to start decryption attempts. Was it flawless? Probably not, but I thought it was good for an initial, basic implementation.
Genuinely curious, such as...? Are we mainly talking "end-to-end" encryption for all cloud-type services?
Again, I get the need and that there are many possible implementations, and Apple could look into improving theirs (possibly).
For example, in the first full-scale programming course assignment/project we had, I implemented a system with three links of security. Basically, the only way to reveal user encrypted data was if you had the full database, client software source code, and user's password. Not even the database owner could easily view users' passwords. In fact, they'd need the client software source code and full database just to start decryption attempts. Was it flawless? Probably not, but I thought it was good for an initial, basic implementation.
End to end encryption of everything in the cloud (opt in) would be a start.
As an option. You would turn it on and have 10 pages of "If you lose this key, your data is lost" "Are you absolutely certain you've noted down that key? If you lose it and forget your password, your data is lost" "Please type 'I understand my data will be lost forever if I lose this encryption key and forget my password'" "Please click confirm"...
This whole argument that it's to balance ease of use with security falls apart when the option isn't given to users who do desire 100% encrypted data. iCloud Backups should at the very least have an end-to-end encrypted option. But quite frankly I think things like Notes, Photos should too.
My data is my data. It's not interesting, but it's personal. It absolutely should be possible for me to end to end encrypt data, with encryption using a key I alone possess.
In case I didn't make it clear enough, it should be an optional choice and informed decision people can make to have full end to end encryption for everything in iCloud, including iCloud Backups. If they forget their key and password, they've f**ed it and it's their fault.
I can agree with that.
By the way...
From what I recall reading, the primary complaint wasn't for people forgetting their password but about accessing the accounts of deceased family members and other loved ones. However, my counter to that argument is if the now deceased wanted others to access their stuff, they could have included the password or something similar in a will, etc.
I agree!
Sad as it is when people can't get into their deceased relatives' accounts, I don't think it's a good reason to justify not fully encrypting something (or offering the option). What if people don't want their family members snooping through all their messages, notes and photos if they die?
Some people are just private and I think that's a human right. It's not about hiding anything, it's about choosing not to share things.
By all means keep the current setup as the default, but an additional layer (end to end encryption via a key only you have) should be offered to those who wish for it, with explicit warnings that it's game over if you forget the key and password. Totally.