Advanced Data Protection for iCloud is a good start, but Apple has more work to do
Monday December 12, 2022. 12:30 PM , from Macworld UK
Security and privacy have been two of Apple’s main selling points in the modern era, especially as the company positioned itself against rivals like Google, Meta, and Amazon, all of whom offer a variety of free and cheap products and services, generally because user data is the real treasure trove.
With the announcement that it will be rolling out Advanced Data Protection for iCloud in the latest updates to its software platforms this week, Apple took another step forward in the realm of security and privacy, closing loopholes that could still allow access to your data by third parties, whether they be malicious hackers or law enforcement.
But as good as those protections are, there are still a few more places where the company could enact additional security and privacy measures to help make sure that your data stays in your control.
Perhaps the most significant type of data not covered by Apple’s latest security measures is email. In Apple’s announcement, it notes that “The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.”
Which is fair! There are a lot of mail systems around the world, and most of them don’t use end-to-end encryption. Apple’s own mail services do offer security in the form of encryption in transit and on servers, but notably, those keys are held by Apple instead of by users.
But secure email isn’t an impossible improvement to make. Take, for example, Proton Mail, which is probably the best-known secure email service. It offers end-to-end encryption, in addition to the ability to send password-protected emails to any recipient. (As a note, Proton also offers secure calendar and contact services as well.)
Apple could do a lot more to make Mail more secure.Foundry / IDG
There have long been ways to encrypt email and Apple’s own mail clients support both encryption standards as well as allowing third-party add-ons (on the Mac, at least) that enable this feature. But email encryption has always been a confusing and sometimes convoluted process that requires managing keys and using other channels to exchange sensitive information with your contacts.
This seems like a place ripe for improvement and user-friendliness, the kind of thing Apple generally excels at, even if it only allowed you to, say, send encrypted email to other iCloud mail accounts. The related technology of digital signatures would perhaps be even more useful: it could help bring peace of mind in ensuring that those you’re corresponding with are who they say they are—a big potential boon in this age of phishing and other email-based scams. (Apple’s new iMessage Contact Key Verification, coming next year, will allow this type of feature for its messaging app.)
For better or worse, much of the world still runs on email. The company’s made great strides with privacy by allowing features like Hide My Email, but taking on email encryption would be just one more way that Apple could ensure the privacy and security of this key technology.
One of the best security features that Apple has implemented is iCloud Keychain, which lets you easily generate strong individual passwords (and now passkeys) and store them. But one of the biggest frustrations with that feature is in those cases where you need to share passwords with other people.
For example, most households probably have a variety of streaming services running on different devices—iPads, iPhones, Apple TVs. And most households have probably at one time or another run into an issue where a new device needs to be logged into a service, or an existing device has somehow gotten logged out. But if the account is tied to a single person—and thus to the password stored in their iCloud Keychain—how is the rest of the household supposed to get access to it?
Yes, iCloud Keychain does support sharing via AirDrop. But since AirDrop only works in close proximity, you often end up having to fall back to the next best solution: copying the password out of iCloud Keychain and pasting it into an iMessage or, worse, an email. This removes a lot of the security protections (and convenience) of iCloud Keychain; more problematically, as passkeys become more popular, won’t really be an option: a passkey is a lengthy string of characters, more complex than any password, that you can’t really send via iMessage.
iCloud Keychain needs to improve its ability to securely share a password.Apple
Building on the success of the rest of its Family Sharing features and, most specifically, iCloud Shared Libraries, Apple should offer a way for people in a family group to designate certain passwords and passkeys that will be shared with others. That way not only would everybody in a household be able to access those specific passwords/passkeys, but they would even be automatically synced, so when a password is changed, everybody automatically has the updated version. I’m sure more than a few parents would be happy not to have to answer “What’s the password?” texts from their kids ever again.
Trust but verify
These improvements would be well and good, but in order to maintain its users’ trust, Apple also needs to continue to walk the walk when it comes to security and privacy. One positive move in that direction is that Apple has said the aforementioned Advanced Data Protections will be rolling out worldwide, including in China, where the company has often struggled to navigate the local laws of the authoritarian regime while also protecting its users’ data. If ADP does indeed end up going into effect there, that could be a big win for Apple’s reputation.
Apple should also be transparent about all security and privacy concerns. For example, a recent report suggests that the company’s devices continue to send information back to Apple even when users opt-out. While this might be a bug or a misunderstanding, it behooves Apple to clearly address these issues so as not to tarnish its reputation when it comes to the rest of its security; there’s nothing more important than trust: It’s easy to lose and hard to win back.
Email Security, Encryption, iOS Security, Password Managers, Passwords, Security
Mar, Fri 31 - 01:25 CEST