With the iOS 16.2 update, Apple introduced “Advanced Data Protection,” which finally introduced end-to-end encryption (E2EE) for most items backed up or stored in iCloud.
Apple has long been criticized, with good reason, over its iCloud service not providing E2EE (where the user has the decryption keys); for years, when enabled, for a good chunk of data iPhone syncs to iCloud, Apple held the decryption keys for some stored data, which included:
- Message backups
- Device backups
- Safari Bookmarks
This had privacy implications primarily because Apple had the keys for decrypting this data – Apple could access data they had the had/have the keys for stored via their iCloud service. This may seem implausible, but in reality Apple receives numerous third-party requests for access to user data.
With the introduction and enabling of Advanced Data Protection, custody of decryption keys for data like notes and message backups is passed to the user and their trusted devices. Now, Apple will not be able to decrypt this data “at will” or at the request of a third party – Apple also won’t be able to help users gain access to their data in the event they forget authentication details, but this isn’t as bad as it sounds.
Again, Apple’s Advanced Data Protection enables E2EE for most data stored in iCloud, including but not limited to:
- iCloud Backups (device and messages)
The full list can be found on Apple’s support website.
Even with Advanced Data Protection enabled, not everything synced or stored in iCloud is stored with E2EE (where the user has the decryption keys). Items in iCloud not stored using E2EE when Advanced Data Protection enabled include:
- iCloud Mail
For iCloud Mail: Users are encouraged to use
encrypted email providers
for most, if not all, of their email communications.
For Contacts: Users are encouraged to disable contact syncing to iCloud, if appropriate, This is easily done by opening the Settings app > iCloud > Apps Using iCloud > Switch the toggle next to “Contacts” to off. There may be some situations where users would need to sync contacts to the cloud in order to easily preserve data in the event of a lost device.
For CalendarUsers are also encouraged to use an encrypted email provider (instead of iCloud Mail) and an encrypted calendar. Most of the encrypted email providers recommended by avoidthehack offer free, private, and encrypted calendars.
To take advantage of the introduced Advanced Data Protection function, users must update their devices to at least iOS 16.2 – otherwise, the option to enable this will not be present.
If you have more than one device signed into iCloud, then you will also need to ensure every device is updated to the appropriate versions:
- iPhone with iOS 16.2
- iPad with iPadOS 16.2
- Mac with macOS 13.1
- Apple Watch with watchOS 9.2
- Apple TV with tvOS 16.2
- HomePod with software version 16.2
- Windows computer with iCloud for Windows 14.1
As a reminder, it is important to keep devices and software up to date – in many cases, in addition to bringing new feature, software updates regularly provide security and bug fixes. Running outdated software/firmware can leave you open to security risks, such as vulnerability exploitation or malware infections.
Devices only receiving “security updates” are confined to iOS 15, which does not have the Advanced Data Protection.
Enabling Advanced Data Protection on one device also enables this feature for other devices using/signed in with the same AppleID.
- Open the Settings app
- Tap on your AppleID
- Tap on iCloud
- Tap on Advanced Data Protection
Again, enabling the E2EE that comes with Apple will not have access (well, should not, anyway) to the keys required to decrypt/view/recover this data in the event you lose access to your account. This is a good thing – it means we have more control over our device data.
Apple’s first fallback is already selected for us – data can be recovered and account access restored by using your device passcode. In the event you forget your device passcode, you will need to fallback to the recovery option, which is what we are setting up in this specific section.
Here we have two “options.” You don’t necessarily have to choose between setting up a recovery contact (up to 5) or using a recovery key – you can do both. However, there are potential pitfalls to solely relying on contacts to help you recover your data, which should be considered:
How likely is the relationship with the recovery contact to change?
What happens if the recovery contact gets rid of their Apple device(s)?
Timeliness of your contact to generate a code
To alleviate these potential issues, avoidthehack recommends abstaining from a recovery contact altogether. Use the recovery key option instead. If users still want to use a recovery contact, then they should also set up the recovery key as a second option:
- Tap on Recovery Key
- Switch the “Recovery Key” toggle to on
- A prompt asking “Are you sure you want to create a recovery key?” will pop up and warn you of the event you lose your recovery key.
- Tap “Use Recovery Key”
- Enter your device passcode
- You will be presented with your recovery key… you should write it down and store it in a secure place. If wanted, you can transcribe it to a password manager or separate E2EE file with another cloud provider.
- The next screen prompts you to enter your recovery key
- If you were successful in entering the key, you should receive an email to the email address associated with your AppleID.
- Tap on “Turn on Advanced Data Protection”
Advanced Data Protection E2EE should be enabled!
Advanced Data Protection enables E2EE for most storage in Apple’s iCloud. This is massive boost in user privacy and security while using Apple products, even in face of the evidence that Apple is not as private as they had previously promised.
However, be aware iCloud Mail, Contacts, or Calendars are not E2EE even with Advanced Data Protection successfully enabled. iCloud Mail, Contacts, and Calendars can be considered sensitive information – and Apple holds the keys to this data stored on iCloud.
Users are still encouraged to explore other cloud storage storage providers which offer zero-knowledge encryption by default.
Stay safe out there!