
Apple’s Advanced Data Protection and Other Features Harden Security

Posted on December 9th, 2022


Apple has announced a trio of new security and privacy features for its operating systems and devices. Advanced Data Protection for iCloud, iMessage Contact Key Verification, and support for security keys as a two-factor option for Apple ID will further cement Apple’s reputation for making some of the most secure devices available.

These three features will be rolling out throughout 2023. Here’s what they are and how they will work.


iMessage Contact Key Verification

iMessage has always been a secure messaging platform; messages to and from Apple users are encrypted and cannot be intercepted. (However, green-bubble SMS text messages that you can send and receive via the Messages app are not secure. Additionally, until now, iMessage conversations backed up to iCloud could be accessed by Apple employees, for example if compelled to do so by law enforcement; more on this later.)

iMessage Contact Key Verification ensures that the person you are messaging is who they say they are. Apple says that “Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.” Since multiple devices can use the same iMessage account, this alert will let you know if someone has managed to defeat account protections and intercept messages.

Most users don’t need this feature, but Apple is rolling it out for “users who face extraordinary digital threats — such as journalists, human rights activists, and members of government” whose messaging is especially sensitive.
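The alert Apple describes is, at its core, a comparison between the device keys a client has already verified for a contact and the keys a cloud key directory is currently serving for that contact. The following model is an added example written for this article, not Apple's code and not a description of how iMessage or its identity service are actually built: `KeyDirectory`, `VerifyingClient`, the pinning logic and the short verification code are all constructed here to show the idea. Device keys are random 32-byte identifiers rather than real key pairs, since only set membership matters for the check.

```python
import hashlib
import secrets
from typing import Dict, List, Set


class KeyDirectory:
    """Server-side directory mapping each user to the public keys of their devices.
    Constructed model of a cloud key server for this example; not Apple's service."""

    def __init__(self) -> None:
        self._keys: Dict[str, Set[bytes]] = {}

    def register(self, user: str, pubkey: bytes) -> None:
        self._keys.setdefault(user, set()).add(pubkey)

    def lookup(self, user: str) -> Set[bytes]:
        return set(self._keys.get(user, set()))


def fingerprint(pubkey: bytes) -> str:
    """Short, human-readable identifier for a device key."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class VerifyingClient:
    """Messaging client that pins a contact's verified key set and alerts on additions."""

    def __init__(self, me: str, my_keys: List[bytes]) -> None:
        self.me = me
        self.my_keys: Set[bytes] = set(my_keys)   # keys of my own devices, known locally
        self.pinned: Dict[str, Set[bytes]] = {}   # contact -> key set accepted after verification

    def verification_code(self, contact: str, directory: KeyDirectory) -> str:
        """Short code for out-of-band comparison. Each side hashes its own keys (known
        locally) together with the peer's keys as served by the directory, so the two
        codes agree only if the directory served each side the other's true key set."""
        ids = "|".join(sorted([self.me, contact])).encode()
        material = b"".join(sorted(self.my_keys | directory.lookup(contact)))
        return hashlib.sha256(ids + material).hexdigest()[:8]

    def pin_contact(self, contact: str, directory: KeyDirectory) -> None:
        """Record the key set the user accepted (e.g. after the codes matched in person)."""
        self.pinned[contact] = directory.lookup(contact)

    def check_before_send(self, contact: str, directory: KeyDirectory) -> List[str]:
        """Alerts for keys the directory now serves that were not in the verified set."""
        if contact not in self.pinned:
            return []  # verification not enabled for this contact: nothing to compare
        new_keys = directory.lookup(contact) - self.pinned[contact]
        return [f"unverified device key {fingerprint(k)} added for {contact}" for k in sorted(new_keys)]


def run_scenario() -> dict:
    """Two users verify each other; then the directory serves Alice one extra key for Bob."""
    directory = KeyDirectory()
    alice_keys = [secrets.token_bytes(32) for _ in range(2)]  # constructed sample keys
    bob_keys = [secrets.token_bytes(32) for _ in range(2)]
    for k in alice_keys:
        directory.register("alice", k)
    for k in bob_keys:
        directory.register("bob", k)
    alice = VerifyingClient("alice", alice_keys)
    bob = VerifyingClient("bob", bob_keys)

    codes_match_before = alice.verification_code("bob", directory) == bob.verification_code("alice", directory)
    alice.pin_contact("bob", directory)
    alerts_before = alice.check_before_send("bob", directory)

    # Directory compromise: a key belonging to none of Bob's devices appears under his name.
    directory.register("bob", secrets.token_bytes(32))
    alerts_after = alice.check_before_send("bob", directory)
    codes_match_after = alice.verification_code("bob", directory) == bob.verification_code("alice", directory)

    return {
        "codes_match_before": codes_match_before,
        "alerts_before": alerts_before,
        "alerts_after": alerts_after,
        "codes_match_after": codes_match_after,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two things are worth noticing in the scenario. The pinned-set check fires automatically, which is the behaviour the Apple quote describes, but it can only notice keys added after the user pinned the contact; the verification code is what lets two people confirm in person that the sets they started from were genuine. Both checks depend on each client trusting its own local record over whatever the server says, which is why the feature is meaningful even when the server itself is the thing that was compromised.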

Support for security keys for Apple ID 2FA

While Apple’s two-factor authentication is robust, it depends on other devices to authenticate new devices. If someone gets access to one of your devices, they can then access your Apple account. Apple will allow users to add an additional factor, a hardware security key, to authenticate new access to that account. As Apple says, “This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government.” This would prevent, for example, hacking into iCloud accounts, as has happened in the past, to retrieve sensitive photos, but also provide additional protection for messaging and email.

Security keys

Security keys are available with a number of different connection methods, and some work over NFC (near-field communication), so they don’t need to be plugged into a device at all. Given that Apple devices ship with USB-A, USB-C, and Lightning connectors, an NFC security key would be the most flexible choice, but some keys offer both USB and NFC, and some come with adaptors so you can use them with different types of USB port.

It wouldn’t be surprising if Apple starts selling a security key in their retail and online stores next year in conjunction with the rollout of this new feature.

We previously looked at security keys in How to Use a Security Key to Protect Sensitive Online Accounts.


Advanced Data Protection for iCloud

Many users have been clamoring for end-to-end encryption for iCloud accounts for years. Data is already encrypted on your iPhone or iPad, on your Mac (assuming you’ve enabled FileVault), in transit for all iCloud services, and at rest on Apple’s servers, but the company still holds encryption keys and can access some of your data when requested by law enforcement. Apple says that this new feature gives users the “highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”


Apple explains what will be encrypted if Advanced Data Protection is enabled. “iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.”

This Apple support document explains what is currently end-to-end encrypted and what is not. It’s important to understand two terms here: “encrypted in transit and at rest” means that the data is encrypted, but that Apple has a key to decrypt the data when you need it, “such as when you sign in on a new device, restore from a backup, or recover your data after you’ve forgotten your password. As long as you can successfully sign in with your Apple ID, you can access your backups, photos, documents, notes, and more.” End-to-end encryption means that Apple cannot decrypt your data at all.

One of the most significant changes with ADP for iCloud is that Messages in iCloud can now be fully end-to-end encrypted while backed up via iCloud Backup. With the default setting (which Apple now calls “standard data protection”), if iCloud Backup is enabled for Messages, “your backup includes a copy of the Messages in iCloud encryption key to help you recover your data.”

Note that Apple’s choice of words is deliberately vague. It doesn’t make clear that certain authorized Apple employees, namely those who handle law enforcement and government data requests, can access your Messages backups at any time. However, with the new Advanced Data Protection for iCloud enabled, Apple says that you can now enable iCloud Backup for Messages in iCloud, and even your encryption key is now end-to-end encrypted (and therefore your Messages backups are supposedly inaccessible to Apple employees).

Privacy advocates, such as the EFF, are praising this initiative, but the FBI is unhappy. In a recent statement to The Washington Post, about end-to-end encryption in general and not specifically about the new Apple features, the FBI said, “This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism.”

It’s important to note that Advanced Data Protection is not without risk. Users must set up a recovery contact or ensure that they have a recovery key to access their data if they forget their Apple ID password. See How to Set iCloud Account Recovery Contacts, Legacy Contacts, and Trusted Phone Numbers for more on this.

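The difference between “encrypted in transit and at rest” and end-to-end encryption, and the recovery trade-off that comes with it, is easiest to see as a question of who holds a wrapped copy of the key that protects the backup. The following model is an added example written for this article and is not Apple's implementation: the `StoredBackup` layout, `PROVIDER_KEK`, the recovery-key wrap and the HMAC-based toy cipher are all constructed here. Under standard protection the provider keeps its own wrapped copy of the data key, so it can restore the backup for a user who has lost every device (and can read it when compelled to); under ADP that copy is simply absent, and only a trusted device or the recovery key can unwrap it. The backup contents are treated as an opaque blob which, as the article notes, includes the Messages in iCloud key under standard protection.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (counter mode)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption built from HMAC-SHA256 so the example needs only the
    standard library. Illustration only; a real system would use an AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject the ciphertext unless the tag verifies under this key."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)


# Key held inside the provider's own infrastructure (constructed for this example).
PROVIDER_KEK = secrets.token_bytes(32)


@dataclass
class StoredBackup:
    ciphertext: bytes                 # backup contents under a random per-backup data key
    dk_for_device: bytes              # data key wrapped under a key only a trusted device holds
    dk_for_recovery: bytes            # data key wrapped under the user's recovery key
    dk_for_provider: Optional[bytes]  # data key wrapped under PROVIDER_KEK; omitted under ADP


def store_backup(contents: bytes, device_key: bytes, recovery_key: bytes, advanced: bool) -> StoredBackup:
    """Upload a backup. 'advanced' selects the ADP-style layout with no provider-held wrap."""
    dk = secrets.token_bytes(32)
    return StoredBackup(
        ciphertext=encrypt(dk, contents),
        dk_for_device=encrypt(device_key, dk),
        dk_for_recovery=encrypt(recovery_key, dk),
        dk_for_provider=None if advanced else encrypt(PROVIDER_KEK, dk),
    )


def provider_can_read(backup: StoredBackup) -> bool:
    """Standard protection: the provider can unwrap the data key entirely on its own."""
    if backup.dk_for_provider is None:
        return False
    decrypt(decrypt(PROVIDER_KEK, backup.dk_for_provider), backup.ciphertext)
    return True


def restore_on_device(backup: StoredBackup, device_key: bytes) -> bytes:
    """A normal restore onto a trusted device works the same way in both modes."""
    return decrypt(decrypt(device_key, backup.dk_for_device), backup.ciphertext)


def recover_without_devices(backup: StoredBackup, recovery_key: Optional[bytes]) -> Optional[bytes]:
    """All trusted devices gone or password forgotten. Under standard protection the
    provider's wrapped copy rescues the user; under ADP only the recovery key can."""
    if backup.dk_for_provider is not None:
        return decrypt(decrypt(PROVIDER_KEK, backup.dk_for_provider), backup.ciphertext)
    if recovery_key is None:
        return None  # nobody can help: the data is unrecoverable
    return decrypt(decrypt(recovery_key, backup.dk_for_recovery), backup.ciphertext)


if __name__ == "__main__":
    dev, rec = secrets.token_bytes(32), secrets.token_bytes(32)
    for advanced in (False, True):
        b = store_backup(b"messages-key + photos + notes", dev, rec, advanced)
        print(f"advanced={advanced}: provider_can_read={provider_can_read(b)}, "
              f"recover_without_recovery_key={recover_without_devices(b, None) is not None}")
```

The point of the model is that nothing about the ciphertext itself changes between the two modes; what changes is whether a copy of the data key exists that the provider can unwrap without the user. That single missing wrap is both the privacy gain and the reason Apple insists on a recovery key or recovery contact before ADP can be turned on.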

The biggest drawback to ADP for iCloud is that it’s a per-account setting, which means every device logged into your iCloud account must be upgraded to the latest OS first. If you have older devices that cannot be upgraded to the latest OS, you may be unable to opt into this advanced protection feature until you permanently sign out of your Apple ID on the older devices. (If your older device is a Mac, you might be able to upgrade to macOS Ventura even if Apple doesn’t officially support it.)

We discuss Advanced Data Protection in depth on episode 270 of the Intego Mac Podcast.

When will each feature become available?

Apple says that iMessage Contact Key Verification “will be available globally in 2023,” the least specific timeframe. It will presumably be available first to Mac, iPhone, and iPad users who have opted into the Apple Beta Software Program, followed by a public release as a feature of new macOS, iOS, and iPadOS updates.

Security Keys for Apple ID will also be available globally, in “early 2023.” This likely means within the first few months of the year.

Advanced Data Protection for iCloud is available in the U.S. now for members of the Apple Beta Software Program, and will be available to U.S. users by the end of the year. (Update: The option for U.S.-based users to enable ADP for iCloud arrived on December 13, with the introduction of iOS 16.2, macOS Ventura 13.1, etc.) According to Apple, “the feature will start rolling out to the rest of the world in early 2023.”


How can I learn more?

A complete side-by-side comparison of “standard data protection” vs. the opt-in Advanced Data Protection for iCloud can be found in this Apple support document. Additional information about the three new Apple security and privacy features can be found in Apple’s press release.




About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.