iCloud security in 2017: what comes next?

Published March 8^th, 2017 — Updated over a week ago

By

Aidan Fitzpatrick Ethics & fact-checking

Reincubate helps companies and individuals build value with their own data in an ethical and transparent manner, and as such it is important that the underlying data and platforms are themselves secure. Aside from some of the broader cloud security elements, there are four key trends and areas of positive change for the iCloud in early 2017.

Two-factor authentication: promoted heavily in iOS 10.3

The first is the escalating roll-out of 2FA. This is an excellent step from Apple to increase the security of iCloud accounts. In an effort to encourage adoption of the standard, Reincubate released free support for 2FA, 2SV, and tokenisation for all of its users in 2016. Excitingly, Apple have built a number of features into iOS 10.3 to promote 2FA more heavily, from a badged indicator on the settings icon, better documentation and regular notifications to users to enable it. The release of 10.3 later this month will drive a surge in adoption of 2FA, which from Reincubate’s own data is still low.

Decreased storage of dynamic data in backups

Whilst in 2015, Apple stored most of their own data in iCloud backups, that is increasingly not the case. 2016 saw iOS 9.3 move Safari’s browser history into Apple’s CloudKit synchronisation service, and the release of iOS 10 moved call logs out to CallKit.

The increasing complexity of these systems deters hackers and reduces the significance of iCloud backups as a single set of master data, whilst at the same time presenting a mechanism whereby some data is synchronised more often than every 24 hours. Reincubate’s Cloud Data API has supported every stage of this process.

Account access notification, constraint & feature extraction

Whilst Apple built account notification systems for some elements of the iCloud, not all access is disclosed and accountable to users. The team at Reincubate believe that this should be the case, and so are working to define and deliver the industry standard for this mechanism in the Cloud Data API. There will be more announced on this in the coming months as the standard develops.

There are techniques to be used in limiting the amount of cloud data flowing through systems. Reincubate's API provides critical functionality to restrict the volume and nature of data that clients can access, such that they can be safeguarded in the event of breach of their own systems or credentials. Similarly, machine learning (ML) techniques such as feature extraction act as great ways for clients to surface insight from the cloud without needing to store or reveal the underlying data.

Reliance on trusted systems and environments

Finally, as with the techniques used in Apple Pay and TouchID, Apple will be doing more in 2017's big iOS update to take advantage of the secure environments available in iOS and macOS. For hackers trying to get in, this work will significantly increase the complexity and cost of finding and maintaining access to these systems, hopefully to the extent that they target other, weaker platforms — which in turn will need to improve. Apple delivered another glance of this in 2016, when they patched local encryption of iOS 10 iTunes backups to be remarkably costly.

Noted security expert and Little Flocker author, Jonathan Zdziarski writes in more detail on how the closed technology in macOS and iOS is used to deliver a secure experience with Apple Pay, and how those techniques can be extended to tackle phishing.