
Lisa Figas | Marketing Manager

@meet_lisa

iCloud Backups Are Not Encrypted End-to-end: The Problem, a Solution, and the FBI’s Role in It

Were you aware that iPhone backups stored in iCloud are not automatically encrypted end-to-end? We have put together instructions on how you can effectively secure the backup on your own. You will find them in the first part of this article.

In this article, we explain how you can create a secure backup for your iPhone. If you want to protect your iCloud, you can find further details here.

There is always speculation about the reasons for the lack of encryption. In the second part of this article, we will cover the case in detail.

How to Protect Your iPhone Backup

In one respect, all types of data are in good hands in a cloud. You can rely on the top dogs like Google Drive, OneDrive, Dropbox – and even Apple – when it comes to the physical security of data. The servers are mirrored in different data centers so that a file is always available – even in the event of natural disasters or power failures. Private individuals or companies cannot guarantee this high level of protection themselves.

However, the situation is different when it comes to the readability of the files. The iPhone backups are not encrypted end-to-end, as we learned above. But even if other cloud providers advertise encryption, there is still a risk. The data is encrypted in transit and at rest, but it is still readable by the respective company: if they hold the keys to encrypt your data, they can decrypt it as well.

Thus, if you use the automatic backup function that is already built into the iPhone, in theory, many people can gain access: Apple, employees of Apple, and US authorities, who can request data access with comparatively little effort.

Therefore, additional end-to-end encryption on the device – before uploading to the cloud – is absolutely necessary.

And this is precisely what we recommend for iPhone backups. Create the backup locally and then store it encrypted in the cloud of your choice.

Instruction: Create an iPhone Backup

We have run through the process using an iPhone, a Mac (Catalina), Boxcryptor, and Dropbox as examples. In fact, you can use any cloud storage – as long as you only upload encrypted files using Boxcryptor.

  1. Connect the iPhone to your computer using a cable. The iPhone is now displayed in the Finder.
  2. Click on the iPhone icon in the Finder (on the left, under “Locations”) and open the menu. Under “General” you will find the settings options for backups.
  3. Create a local backup by clicking on “Back Up Now”.
  4. When the backup is complete, display the backup folder in the Finder by clicking on “Manage Backups…” and then on the top (most recent) backup. With a right click, you can go to the location of this file (“Show in Finder”). You can also navigate to this location manually: ~/Library/Application Support/MobileSync/Backup/
  5. Compress the folder and move the created archive to your Boxcryptor drive. All data stored in Boxcryptor, including your iPhone backup, can only be accessed and decrypted by you.

Now decide whether you want to keep or delete the local copy of your iPhone backup. What you have to do now is to take good care of the key to decrypt it. In other words: Save the iPhone backup in your Boxcryptor drive, and Boxcryptor will do the rest for you.

Instruction: Import an iPhone Backup

In case you need your backup, follow these steps to restore it:

  1. Drag the backup file from the Boxcryptor drive to your desktop. The copied file is now decrypted automatically.
  2. Unzip the file.
  3. Put the backup in this folder: ~/Library/Application Support/MobileSync/Backup/
  4. Connect the iPhone to your computer using a cable. The iPhone is now displayed in the Finder.
  5. Click on the iPhone icon in the Finder (on the left, under “Locations”) and open the menu. Under “General” you will find the settings options for backups.
  6. Click “Restore Backup…” and follow the instructions on the iPhone and in the Finder.

Set a reminder to regularly (e.g. every two weeks) synchronize a backup of your iPhone to the cloud. This way, you always have a (relatively) up-to-date mirror of your phone at hand in case of an emergency.

Background Information: iCloud Backups – Encrypted or End-to-end Encrypted?

Apple is known for the fact that data protection is an essential part of its corporate philosophy. For example, the company aggressively advertises with the keyword “security” and emphasizes the encryption of the iCloud at every available opportunity.

But careful: encryption is great. However, true privacy only comes with end-to-end encryption. It is important to know that for any kind of encryption, someone must have the key. End-to-end encryption can only be decrypted by the sender and receiver of messages. In case of the encryption offered by Apple (and many other cloud providers), however, the keys are in the hands of the respective company. A detailed explanation can be found in our article on end-to-end encryption.

In contrast, when it comes to protecting devices, Apple goes to great lengths to meet the highest standards. The measures Apple is implementing to protect iPhones are diverse: Interfaces to the outside world are increasingly being closed, which massively reduces access to unencrypted data. The device itself has built-in security barriers at all levels. For example, it checks at boot time which code may be executed. Certificates and encryption mechanisms are used to check that another version of the operating system is not loaded without permission. Every port and radio interface is secured to make unauthorized access as difficult as possible. The data in the memory (SSD card) is also fully encrypted.

However, it is difficult to maintain this high standard for the features that run on the internet. Specifically: Apple’s iCloud. Data storage in the cloud has numerous advantages, such as permanent availability and data access from different devices. Apple synchronizes contacts and appointments via the cloud by default, for example to ensure data consistency between a MacBook, an iPad, and an iPhone.

Currently, this data is accessible by authentication via Apple ID (i.e. e-mail address and password). The password is therefore the only secret that stands between a person and the data. End-to-end encryption is not provided by Apple.

This is especially important when not only selected data is synchronized, but a backup of the entire phone is moved to the iCloud. Apple has also opened up the iCloud to other app providers, which makes synchronization between devices so convenient (e.g. you can pause a podcast on the iPhone, and it continues playing at the appropriate place on the iPad). Everything that is synchronized via this interface is accessible via password, i.e. not end-to-end encrypted.

Summed up:

  • Backups of iPhones on computers: Are encrypted end-to-end.
  • Backups of iPhones in the iCloud: Are not encrypted end-to-end.

That is why some apps (e.g. the messengers Signal and Threema) deliberately do not use the possibility to synchronize to the iCloud. But if you make a device backup, the data from these apps end up there, nonetheless.

Apple’s own Messenger iMessage also reveals the paradox around the much-vaunted “security”: messages in iMessage itself are secured with end-to-end encryption – but once the messages are stored on the phone, they still end up on Apple’s iPhone backup without the protection of end-to-end encryption.

Based on the menu navigation when setting up a new iPhone, we can assume that many users save the backup of their iPhone in the cloud. This is a massive and unnecessary violation of the entire security concept. It also explains why the FBI is so keen on the iCloud: users will certainly, and unintentionally, put many tidbits for law enforcement agencies on Apple’s servers.

TLDR: The phone’s full backup is not encrypted end-to-end. This is strange as Apple is very invested in protecting data at every other location. In the end, all data ends up at Apple in plain text when the iCloud backup is set up. The iCloud backup feature is enabled in iPhones by default.

Apple and the FBI

The whole issue of “unencrypted” iPhone backups has been annoying security-conscious users for a long time. Now it has become public: Apple had plans to implement end-to-end encryption for backups. Reports have surfaced that the company buried these plans about two years ago. Explosive: The change was announced internally after a meeting with the FBI.

Apparently, there are six different sources saying that Apple wanted to upgrade to end-to-end encryption. However, Apple’s legal department then stopped this, and it is deduced that the discontinuation of this project is due to the FBI. Technically, there is no reason why Apple would not want to introduce true end-to-end encryption for iCloud backups.

The assumption that Apple stopped working on end-to-end encryption because of the FBI is strange. After all, the FBI is always mouthing off – what else can they do in their role as a law enforcement agency? To iPhone users, the reason why Apple acts this way should not matter. Regardless of what happens with the FBI, Apple should definitely upgrade to end-to-end encryption. Apple should be aware that they will receive fewer requests if they have less data to provide.
