Matthew Green is a highly respected security expert.
Their research focus is in cryptography, not security. I mean, for all we know this is just an ad for the Johns Hopkins cryptography program. I’d imagine there are a lot of security experts looking at this report going, yeah, so? Cryptography is only one part of a security solution. And in the world of security, if you have a 100% secure solution that’s so onerous that your users don’t use it, then it’s effectively 0% security.

When you have a microscope on cryptography and ignore the big picture, then that leads to the creation of articles like this one.
 
The generic "other people" cannot access your iCloud backup. Your iCloud backup can be made available to authorized parties with the proper legal documentation. "Hackers" cannot decrypt your iCloud backup, unless they hack the server where the keys are stored.
That is correct. And with 2FA turned on and a very secure iCloud account password, I don't see anyone breaking into my account, unless, as you mentioned, there is a server failure and the hacker happens to be at the right place at the right moment. Even if a server goes down, there are other server backups that usually take the place of the troubled server.

If the feds have a warrant for someone's phone, more than likely, they are going to also have a warrant for any computers or iPads belonging to the same person.

A person that is doing illegal and nefarious things would be stupid to back up to the cloud, much less use Face ID, etc.

I have found that people turning on the siren about iCloud backups are often the same people that use Google and social media. lol
 
Yeah, but let's translate this into real world terms... Relatively few iOS users choose a very long and secure passcode. Far fewer are willing to do so at a time when mask use renders FaceID useless. And forget about "three letter agencies." State and municipal law enforcement now have access to devices that can help hack an iPhone, and if we've learned anything in the last few months and years it's that the law enforcement community cannot be trusted with the powers and privileges they already have.

I get the challenge from Apple's perspective. Balancing security, convenience, and ease of use is a very hard problem. But they should offer higher levels of security (with appropriate warnings about the risks of total data loss) to those who want it.
I agree with that. Unfortunately, I don't think Apple is going to take account security a step or two further. They have had the technology to do just that, but they haven't.
 
I have found that people turning on the siren about iCloud backups are often the same people that use Google and social media. lol
Not always.

I don’t use Facebook
Don’t use Twitter
Don’t use Instagram
Don’t use WhatsApp
Don’t use any social or third party messenger
Don’t use Google unless absolutely necessary (DuckDuckGo is default)

I use iCloud and iCloud Backups since I’m doing nothing “nefarious” and I trust Apple ...

... but I still think E2E encryption should be at least an option to enable for iCloud Backups and indeed the rest of iCloud like Notes, Photos.
 
Not always.

I don’t use Facebook
Don’t use Twitter
Don’t use Instagram
Don’t use WhatsApp
Don’t use any social or third party messenger
Don’t use Google unless absolutely necessary (DuckDuckGo is default)

I use iCloud and iCloud Backups since I’m doing nothing “nefarious” and I trust Apple ...

... but I still think E2E encryption should be at least an option to enable for iCloud Backups and indeed the rest of iCloud like Notes, Photos.
I agree with the latter. You need to work on number 6. :p
 