Apple users will be able to verify that their conversations are private with iMessage Contact Key Verification, use physical Security Keys for Apple ID authentication, and get complete protection for their iCloud data with end-to-end encryption. “Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” Ivan Krstić, the head of Security Engineering and Architecture at Apple, said. Apple will start rolling out end-to-end encryption on iCloud for US users by the end of this year, but Apple users across the world will have to wait until 2023 to enjoy these new security updates. In the wake of Apple’s announcement, privacy advocates have hailed the long-awaited move. However, U.S. law enforcement believes full end-to-end encryption will complicate digital forensics investigations.
Apple’s New Security Features
Apple’s new iMessage Contact Key Verification will particularly benefit individuals, like journalists, government officials, and activists, who are often the targets of cybercriminals. The new feature adds a layer of security to Apple’s iMessage, ensuring users can confirm their messages are secure and their conversations aren’t hijacked. Users can “compare a Contact Verification Code in person, on FaceTime, or through another secure call,” Apple explained. Also, users will automatically receive alerts if threat actors breach Apple’s cloud servers to monitor their conversations. The addition of Contact Key Verification to iMessage brings Apple’s messaging service on par with popular anonymous communication apps like Signal and Telegram. This new feature is noteworthy because, in December 2020, dozens of journalists were hacked due to a zero-day vulnerability in iMessage. Subsequently, in November 2021, Apple sued the NSO Group for targeting its users with the notorious Pegasus spyware.
Apple’s new Security Keys feature allows users to secure their iCloud accounts with third-party physical security keys. Apple has been using SMS-based two-factor authentication for several years now. And, while it has its perks, anyone with access to your phone can retrieve your verification code and breach your account. Hardware security keys, which usually look like USB drives, depend on cryptography to authenticate a user’s identity. They’re much more secure than SMS-based two-factor authentication and can effectively prevent phishing attacks. Apple recommends third-party security keys for celebrities, diplomats, journalists, and others whose accounts may be under threat from cybercriminals.
Meanwhile, Apple’s Advanced Data Protection for iCloud addresses the rising threats to consumer cloud data. This feature increases the data categories iCloud already encrypts from 14 to 23, including iCloud Backup, Notes, Photos, and several others. However, iCloud Mail, Calendar, and Contacts cannot be protected with this feature “because of the need to interoperate with the global email, contacts, and calendar systems,” Apple explained. According to the New York Times, Apple users in China will be able to use this feature as a Chinese company will store their iCloud data.
“As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market,” Apple’s statement said.
The Response to Apple’s New Features
Several pro-privacy organizations, including the Electronic Frontier Foundation (EFF), Signal, and the S.T.O.P project, have welcomed Apple’s new security features. “For years, Apple has touted its privacy record while leaving its users vulnerable, particularly to police surveillance,” privacy advocacy group Fight for the Future tweeted. “With these changes, Apple will keep up with the privacy best practices that other companies have followed for years.” However, it’s disappointing that users have to “opt-in” for some of these new protections, which may leave many at risk, the group said.
Meanwhile, Sasha O’Connell, former section chief at the FBI, expressed concern about how comprehensive encryption will impact investigations, namely “decreasing law enforcement access to digital evidence.” In 2020, the European Union considered banning end-to-end encryption for the same reasons, while the Five Eyes alliance urged technology manufacturers to include a “backdoor” into end-to-end encrypted data transfers so that authorities can access user data if necessary.
Although Apple’s security is top-notch, it is not airtight. In October, researchers discovered that some system apps bypass VPN tunnels on iOS 16, even in Lockdown Mode.