iTunes backups: secure again in iOS 10.1
iOS 10 has reached a 65% adoption rate amongst all Apple users, according to a near real-time adoption report from Mixpanel. Adoption of iOS 10 started slowly after launch and picked up speed over the past two weeks. Official stats on Apple’s developer page show that only 54% of devices are currently running iOS 10. That’s roughly half a billion active devices.
In iOS 10, Apple made a number of changes to encrypted, password-protected iTunes backups. These included encrypting the backup’s metadata: information such as the date on which each file was last modified, its size, and the additional data needed to decrypt it.
Backup encryption is an opt-in setting that users enable to protect data including Wi-Fi settings, browser history, health data and passwords, and we strongly recommend doing so. The only thing that then stands between that private information and an attacker is the backup password. That is why the security flaw affecting iTunes backup passwords caused such a stir earlier in September.
iOS 10 backups included a password hash used to verify whether the user had entered the correct password before decrypting the backup. This made it much easier for an attacker to brute-force the password of an encrypted backup: with the hash in hand, they could try thousands of candidate passwords in quick succession, entirely offline, until one produced a matching hash.
In theory, the security flaw introduced for encrypted iTunes backups might have affected a sizeable proportion of the half a billion or so devices running iOS 10.
The security flaw in iOS 10 is fixed in iOS 10.1 beta
We’ve found that Apple addressed this issue in iOS 10.1 beta 2 and beta 3 by reverting to the encryption method used in iOS 9: in the latest iOS 10.1 beta, the new password hash is no longer stored in encrypted backups.
Arguably, other encryption designs exist that would support a password check without weakening the backup. The easiest and fastest fix, however, was simply to roll the mechanism back to how it worked before the flaw was introduced.
In any case, one thing is important to remember: the strength of the encryption ultimately depends on the strength of your password. Use a long, randomised password that mixes letters, digits and non-alphanumeric characters. Recovering a password from its hash becomes far harder as the password gets stronger, because the attacker has exponentially more candidates to try.
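To make concrete why a stored, cheap-to-compute password hash matters, and why password strength is the other half of the equation, here is an added Python example. It is not code from the original post or from iPhone Backup Extractor, and it assumes nothing about Apple’s actual backup formats: the single-SHA-256 verifier is a constructed stand-in for a fast hash, the PBKDF2 verifier is a constructed stand-in for a slow key-derivation function, and the salt, iteration counts, guess rates and sample passwords are all constructed for illustration. It measures how many candidates per second each kind of verifier lets a single core test, estimates a password’s entropy from its length and character classes, and turns the two numbers into an expected time to exhaust half the search space.

```python
"""Verifier cost versus password entropy: why a fast hash makes brute force cheap.

Added example, not code from the original post or from iPhone Backup Extractor.
The post only says that iOS 10 backups stored a password hash; everything
below (salt, iteration counts, passwords, guess rates) is constructed.
"""
import hashlib
import hmac
import math
import os
import string
import time

SALT = os.urandom(16)  # constructed; a real backup format stores its own salt


def fast_verifier(password: str, salt: bytes = SALT) -> bytes:
    """One SHA-256 over salt||password: a stand-in for a fast, cheap hash."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_verifier(password: str, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: a stand-in for a slow KDF; each guess costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check(verifier, stored: bytes, candidate: str, salt: bytes = SALT) -> bool:
    """Compare a candidate against the stored verifier in constant time."""
    return hmac.compare_digest(verifier(candidate, salt), stored)


def guesses_per_second(verifier, seconds: float = 0.2) -> float:
    """How many candidates per second this verifier lets one core test."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        verifier("candidate-%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


def verifier_cost_ratio(seconds: float = 0.05, iterations: int = 20_000) -> float:
    """Ratio of fast-hash guess rate to slow-KDF guess rate on this machine (> 1)."""
    fast = guesses_per_second(fast_verifier, seconds)
    slow = guesses_per_second(lambda p, s=SALT: slow_verifier(p, s, iterations), seconds)
    return fast / slow


def entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Average time to find the password: half the space searched at `rate` guesses/s."""
    return 2 ** (bits - 1) / rate


if __name__ == "__main__":
    stored = fast_verifier("letmein1")
    print("correct password verifies:", check(fast_verifier, stored, "letmein1"))
    print("wrong password verifies:  ", check(fast_verifier, stored, "letmein2"))
    print("fast hash is %.0fx cheaper per guess than the slow KDF" % verifier_cost_ratio())
    # Constructed guess rates: a fast hash on a GPU rig versus a slow KDF.
    for pw in ("letmein1", "Tr0ub4dor&3", "x9#Lq2$vRw!7mZ"):
        bits = entropy_bits(pw)
        print("%-16s %5.1f bits  fast: %.2e s  slow: %.2e s" % (
            pw, bits, expected_crack_seconds(bits, 1e10), expected_crack_seconds(bits, 1e5)))
```

The two guess rates in the main block are constructed round numbers, not measurements; the point is the shape of the result: the verifier’s per-guess cost scales the attacker’s time linearly, while each extra bit of password entropy doubles it.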
iPhone Backup Extractor works with the newest iTunes encrypted backups
As ever, our team has already dug into the changes to encrypted iTunes backups, and updated iPhone Backup Extractor to be compatible with the latest iOS betas.
If you’re already using iPhone Backup Extractor and are updating to iOS 10.1, please upgrade iPhone Backup Extractor so that you can continue recovering deleted or missing files from iTunes backups made with the most recent iOS version. iPhone Backup Extractor remains compatible with older iOS versions as well.
Data privacy and security are in our DNA as a company. iPhone Backup Extractor is built to work with every extra security measure Apple makes available to its users, so that our product is used by legitimate iTunes and iCloud users who pass all of the authentication steps required to access a backup, whether locally or in the cloud.