Apple Introduces New Data Protections to Increase Cloud Security
Apple has introduced three new security features focused on protecting users against data theft in the cloud.
According to a blog post published on Wednesday, the first of the new capabilities is iMessage Contact Key Verification, which enables users to verify the identities of the person they are communicating with.
Apple said users with iMessage Contact Key Verification enabled would receive automatic alerts if threat actors managed to breach cloud servers and insert their devices in their communications. Users can also compare a Contact Verification Code in person, via FaceTime or through another secure call.
“While iMessages sent between Apple devices were [already] end-to-end encrypted […], not all information backed up to iCloud, Apple’s cloud server, had the same level of encryption,” explained Erfan Shadabi, a cybersecurity expert at comforte AG.
“So these new updates seem to address such issues, but we have to wait and analyze the details and implications as they become available.”
The second feature, called Security Keys for Apple ID, introduces support for using hardware security keys to sign in to Apple ID accounts as a two-factor authentication option.
“Apple’s new data protections – especially the integration of security keys – are a welcome addition to the platform for security-conscious users,” said Keeper Security CTO Craig Lurey.
“[This is particularly true for] those who already use a YubiKey device to encrypt their data on iOS devices or want to use a security key but need more incentive to make the investment. Hardware security keys provide one of the highest levels of security for MFA [multi-factor authentication] setups.”
Finally, Advanced Data Protection for iCloud brings end-to-end encryption to cloud security. This feature can be turned on for individual elements within the iOS ecosystem, including iCloud Backup, Photos, Notes and more.
“By leveraging these features, you can know that your data is encrypted; even if the company holding the data is breached, you have additional assurance that you will not be a secondary victim,” explained Melissa Bischoping, director of endpoint security research at Tanium.
“However, before rushing into enabling these settings, make sure you understand the recovery capabilities and instructions, and treat your recovery keys like you would any sensitive passphrase or identity document,” she added.
The new features will be globally available in 2023, but Advanced Data Protection for iCloud is already available in the US for members of the Apple Beta Software Program.
The news comes weeks after Apple sued Israeli spyware developer NSO Group to hold it accountable for targeted attacks that compromised users’ devices.