Monday, January 25, 2016

Apple Can Still Read Your End-to-End Encrypted iMessages

By on 1:15 AM

If you are backing up your data using iCloud Backup, then you need to watch your step NOW!

In the government's fight against encryption, Apple has positioned itself as a staunch defender of its users' privacy by refusing to provide federal officials with encryption backdoors into its products.

When it comes to Apple's iMessage service, the company claims that it can't read messages sent between its devices because they use end-to-end encryption, which apparently means that only you and the intended recipient can read them.

Moreover, if the federal authorities ask Apple to hand over messages belonging to any of its users, Apple has nothing to offer them.

"If the government laid a subpoena to get iMessages, we can't provide it," Apple CEO Tim Cook told Charlie Rose back in 2014. "It is encrypted, and we do not have a key."

But Wait!

There are still hundreds of millions of Apple users whose data is stored on Apple's servers in plain text, despite Apple's end-to-end encryption practice.

Apple Stores Your Backup in Encrypted Form, But with its Own Key


It turns out that Apple forgets to offer its so-called privacy benefits to users with iCloud Backup enabled.

If you have enabled iCloud Backup on your Apple devices, copies of all your messages, photographs and every other important piece of data stored on your device are encrypted on iCloud using a key controlled by the company, and not by you.

This allows Apple, and hence anyone who breaks into your account, to see your personal and confidential data.

In the past, we have seen incidents like The Fappening, in which hackers broke into Apple iCloud accounts to steal nude selfies of over a hundred famous celebrities and then circulated them on the Internet.

Apple allows you to switch off iCloud Backup whenever you want, but it doesn't offer a way to locally encrypt iCloud backups, which would allow the company to store your personal data, including iMessage and SMS messages, on its servers without being able to access it.

Put the Encryption Keys in the Hands of Users


Yes, it is possible to make encrypted, non-cloud backups locally through iTunes, though that isn't always an obvious choice for average users.

No doubt, Apple provides end-to-end encryption for your messages so that even Apple cannot access or read them, but only if you avoid the backup feature that it constantly encourages its customers to use.

In fact, the company asks users to set up an iCloud account as soon as they activate their new iPhone or iPad.

However, Apple doesn't clearly state that by doing so, users' otherwise 'unreadable' iMessages and other personal data become very much readable to the company as well as to anyone else, whether it's law enforcement agents with a court order or hackers with access to your account.

Although it's difficult to say how many Apple users are affected, the most recent estimate from Asymco indicates there were around 500 million iCloud users in March of 2014.

However, the exact number of users actually using iCloud Backups isn't clear yet.

Motherboard reached out to the company, but Apple neither gave the estimated percentage of people using iCloud Backup, nor gave a reason for not giving users the option to store cloud backups that are encrypted locally.

One reason could be:

If it allowed such backups, users who forget their passcode would not be able to decrypt their data, and Apple doesn't want that.

How to Turn Off iCloud Backup on the iPhone


We know there is a war between the federal authorities and Apple over encryption. Law enforcement agencies are not at all happy with Apple using stronger encryption in its devices, which makes it impossible for them to collar criminals.

In this situation, if Apple ignores such critical loopholes in its products, it would be possible for federal officials to force the company to hand over its users' data, citing legal orders.

For many users, the encryption offered by Apple is more than enough. However, if you do not want the company to be able to access your data, the only solution is:
  • Back up your personal data locally through Apple's iTunes.
  • Turn off iCloud Backup. Go to Settings → iCloud → Storage & Backup → iCloud Backup.

Now, tap the OK button to confirm that your iPhone will no longer be backing up your data automatically to your iCloud storage.
