My Disappointment with Apple's Advanced Data Protection for iCloud
As a security professional, the annoucement of Apple's Advanced Data Protection for iCloud was fantastic and exciting news. Unfortunately, my initial excitement shortly dissipated when I realized that I was not able to easily switch over to Advanced Data Encryption. Let me explain.
Upon updating my iPhone 11 to iOS 16.2, I immediately began the process to switch over to Advanced Data Protection for iCloud. You'll find this option by going into Settings, tapping on your name (your Apple ID, iCloud, Media and Purchases), then tapping iCloud. From there, scroll down and tap on Advanced Data Protection. The first thing you'll need to do is set up a recovery key.
To my surprise, after creating my recovery key and attempting to enable Advanced Data Protection, I was presented with the page shown in the screenshot above. Because I have older devices that cannot support the latest versions of iOS and WatchOS, I cannot enable Advanced Data Protection until I remove them from my iCloud account. This leaves me with somewhat of a dilemma. Do I disassociate these devices from my iCloud account (rendering them pretty much unusable) or do I continue to use Apple's standard data protection? To come to a resolution to this dilemma, the details of what is actually offered by Advanced Data Protection for iCloud, whether or not I really need these older devices anymore, as well as my personal threat model must be taken into account.
First, let's look at what Advanced Data Protection for iCloud actually offers over Apple's standard data protection. This Apple support page provides a good comparison of the two offerings. No matter whether you choose the default standard data protection offering or whether you choose to use Advanced Data Protection for iCloud, your data is encrypted in the cloud and over the Internet. The difference is whether Apple maintains the keys to decrypt your data or whether you maintain the keys to decrypt your data on your trusted devices.
By enabling Advanced Data Protection for iCloud, there are some additional iCloud services where the keys to be able to decrypt that data will no longer be under Apple's control, including:
iCloud Backup (including device and Messages backup), iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks, Siri Shortcuts, Voice Memos, and Wallet Passes.
Apple calls this “end-to-end” encryption, and it means that in theory, Apple will no longer be able to decrypt your data while it is stored in their cloud.
Interesestingly, no matter which option you choose, per Apple, the following iCloud services are encrypted “end-to-end” anyway:
Passwords and Keychain, Health data, Home data, Messages in iCloud, Payment info, Apple Card Transactions, Maps, QuickType Keyboard learned vocabulary, Safari (your History, Tab Groups, and iCloud Tabs), and Siri information.
Also interesting is the fact that, per the support article, iCloud Mail, your calendar entries, and your contacts are never “end-to-end” encrypted, no matter which option you choose.
With an understanding of what data is actually “end-to-end” encrypted with iCloud Advanced Data Protection, let's see if the benefits outweigh disassociating those older devices from my iCloud account.
First, the older iPhone on the list above I can live without. It is a first generation iPhone SE running iOS 15, and it's now out of Apple's operating system support window. (Sure, Apple is still technically updating iOS 15 (for now), but it has been proven that not all older macOS and iOS versions receive all the necessary security patches, even when technically supported. And lest you feel like I am just picking on Apple here, Google has been just as bad, but getting better, with their Chromebook Auto Update policies.) Bottom line, I have not used that old iPhone SE in a very long time, and the battery is shot. I also have my wife's old iPhone XR that I can use as a backup phone in case something happens to my iPhone 11. So while I hate to see that first gen SE go, it can go.
The Apple Watch Series 3 is a slightly different matter. It also no longer receives updates, but I no longer regularly wear it, chiefly because the battery is nowhere near good enough to get through the entire day enymore. However, I still wear my Series 3 to go on the occasional run.
So, is it worth not having iCloud Advanced Data Protection just so I can track the occasional run?
In terms of the services that iCloud Advanced Data Protection now allows to be encrypted “end-to-end”, I don't use iCloud Photos. So that one is easy. I also don't use Reminders, Siri Shortcuts, or Voice Memos. Lastly, I don't use Safari (and please don't get me started about iOS's lack of true browser choice).
That said, I do use Notes quite regularly, and although I don't have anything particularly sensitive in there, it would be nice to have that data encrypted “end-to-end” such that if an attacker were to compromise iCloud, they would not be able to view the actual contents of my Notes.
However, I think one particular line from this Apple support article is quite intriguing:
“You can turn off Advanced Data Protection at any time. Your device will securely upload the required encryption keys to Apple servers, and your account will once again use standard data protection.”
So, wearing my conspiricy theory hat here for a moment... You don't technically own your phone, and you really have no control (at the root level) over iOS — by design. This is both good and bad. It's good from a security perspective. However, again, wearing my tin foil hat, who is to say that Apple could not get a request from, say a three-letter federal agency (with proper warrants) for iCloud data that is “end-to-end” encrypted, and simply remotely issue a command to your iPhone to simply “securely upload” your keys to Apple's servers? This does not really impact my threat model, as I am in the “nothing to hide” camp. But still... food for thought.
I think for me, the benefit iCloud Advanced Data Protection would provide in allowing my iCloud Notes to be “end-to-end” encrypted does not outweigh my desire to track my occassional run. Especially since I do not want to buy a new Apple Watch right now.