But I thought iCloud (and other cloud systems) is not so secure? There have been hacks of all those celebrities' accounts...
I don't feel comfortable talking about the security level of other cloud platforms, but having written a paper on iOS security, I think I can safely speak a bit about iCloud - granted, my paper focussed more on local data, but I did research iCloud a fair bit too.
Nothing is entirely secure. That's just a fact. I do however trust iCloud as much as I could ever come to trust a service. In fact, I personally store my keychain in iCloud. My keychain literally contains my passwords for everything. So in essence, iCloud would be my single point of failure. Gain access to my iCloud and you have access to my everything. Now if I were handling highly confidential government or business data, I might do things slightly differently, but even for the most sensitive of personal data, I trust iCloud. It gets independently security audited, all data is encrypted E2E, there's no data-mining, and the platform uses dedicated security chips on the servers (similar to the secure enclave) with distributed keys that are destroyed after setup, to ensure that the system cannot be altered after it is setup properly. That does have the downside however that if the system needs to be updated in one way or another it is not exactly a trivial process - a simple software update would require hardware changing so no malicious software can inflict the servers.
Regarding the celebrity "hacks" you mention... Well, they weren't hacks. Those were phishing schemes, were the celebrities in question were fooled to give their iCloud passwords and usernames to third parties. iCloud was not compromised in itself, but when the usernames and passwords were given to bad actors, there was obviously nothing preventing access. For this reason, the two-factor authentication became more strongly enforced. It is obviously still not impervious to phishing schemes, since the 2-factor code can also be obtained from victims, but it helps alleviate the issue somewhat.
Let us however assume that iCloud's password database was leaked though. The whole list is placed on the dark web. If your password is not sufficiently strong, it'll be cracked fairly quickly (remember, passwords themselves are 'encrypted' (hashed) so even if you have the list of passwords, you can't just read people's passwords, you need to crack them first). However, even with the cracked passwords, there's still the barrier of 2-factor.
Okay, so let's take a different approach. Instead of getting the password list, the attacker gains a higher level of priviledge in the system, and is able to download user data directly from the server without logging in as a user, just downloading from the server.
Well, the data is encrypted so the attacker has an issue. Well, let's say that the attacker couldn't figure out a way past 2-factor authentication, but did manage to crack your password - You might think this password could then unlock the files, since logging in with it and 2-afctor is enough to unlock the file.... But no. The data you store on iCloud is not only encrypted with your password, but a combination of your password and a device key. This is where 2-factor comes into play. It's not just used for logging in, but actually a part of the encryption. Now keep in mind, the 2-factor code is not what is used in the encryption itself, but it is used as a user-level gateway to the device encryption key (since the actual key is way too long for convenience). Each trusted device is capable of decrypting your files with your password, but a non-trusted device is not without the assistance of a key generated by a trusted device. It's quite a brillant protocol really.
But then Google or Facebook, does it really make a difference? ha ha!
A very small one. I think both companies are equally likely to deliberately **** you over with respect to privacy of data... But I think Facebook has shown less aptitude on a technical level. Mind you, the Signal protocol that Whatsapp uses to encrypt messages in flight between devices is a sound protocol providing excellent security. I don't know about longer term server-side storage, but for messages between devices I feel comfortable saying that 1-1 Whatsapp is as secure as iMessage. Though not so for group chats. Whatsapp chooses so relax their security policy a bit when it comes to group messaging (they do this knowingly, and they have reasons that, whilst I disagree lowering security, do make perfect sense. For group messaging, iMessage uses more data - on all participating devices - and requires more processing, but of course maintains a higher level of security too)
Of course, I have "Find my iPhone" on so I guess Apple does know all the time where I am. But then that can't helped.
Find My iPhone is as well protected as your other iCloud associated information
. It can of course be shared through Find My Friends, but Apple does not keep track of your location, and as the system is implemented right now, cannot even if an employee wanted to. If you've agreed to share usage data with Apple, location data may be collected, but never directly or with high accuracy. Your device might tell Apple's servers "I was in the region of place x or at least within a distance of this much to it at some point today". It is never fully live tracking. Furthermore, your device will ocationally lie to Apple's servers to maintain privacy. It will not do this often enough to skew the statisticks gathering, but often enough to make fingerprinting way more difficult if not impossible. You see, the system is meant to be such that all the information collection is done without any of the data being associable to a single device or individual. For instance, if the location data gathered says "I am in Los Angeles!" Apple's servers may note that some device is in Los Angeles, but it should not be possible to then deduce who is in Los Angeles or to whom the device belongs. So your device sometimes lies - though when enough data is gathered, the noise will statistically disappear with the way it is implemented. Again, an ingenious system.
