Earlier this month, Apple announced several important new data protection features for general availability in 2023 that have numerous implications for security teams in all industries and geographies. Here is the Forrester security and risk team’s collective analysis of these new features.
- The announcement is not particularly noteworthy in terms of the newly announced capabilities — this announcement was an expansion of existing technologies, some of which have already been available from Apple’s competitors.
- The more interesting part is how these security capabilities are being deployed, enforced, and marketed and the implications on the ongoing big government vs. big tech debate.
The announcement is most significant for a relatively small percentage of Apple users — those most at risk from nation-state hacks and other sophisticated cyberattacks where privacy and integrity are essential.
For the typical Apple user, this announcement is good marketing. In an era when consumers are paying attention to companies’ values and the social, moral, political, and environmental impact of a company’s decisions, Apple placed a stake in the ground on data privacy — the number one battleground for influencing value-based buying from consumers.
Here is further analysis of the three announced capabilities.
iMessage Contact Key Verification
Available globally in 2023, this capability provides a visual alert to the user that someone is eavesdropping in an iMessage conversation and helps detect man-in-the-middle attacks. What Apple seems to be promising is a way for users to explicitly exchange public keys out of band — outside of iMessage — and be able to verify the identity of the other party. This is how PGP-style public/private key cryptography functions, but it’s an interesting idea in P2P communications. This contact key verification could still potentially be circumvented by hackers if they compromise the user’s iPhone, iPad, or Mac endpoint.
Organizations that have concerns about eavesdropping, and that require verification of the identity of the other party in communications, already have options in a variety of enterprise secure communications tools today. What Apple has done is bring this capability as an option that makes this more accessible — when both parties are using Apple iMessage — outside the use of a dedicated technology solution for secure communications, which the average user may not have available to them.
Security Keys for Apple ID
Available globally in early 2023, this capability enables authenticating a user’s Apple ID optionally via configuring a physical third-party hardware security key, such as a Yubico-style NFC hardware token, for Apple ID authentication instead of using traditional (push/OTP combo) multifactor authentication messages to the user’s device. This feature is equivalent to Google’s existing Titan FIDO U2F/YubiKey implementation. Adding a “something you have” factor increases the authentication strength on the user’s iCloud account by making the log-in credentials even more phishing-resistant. The CISA has recently touted phishing-resistant MFA as the “gold standard” for MFA and urged its use by “high-value targets,” which includes users who may have access to personnel records or highly sensitive information coveted by threat actors.
Advanced Data Protection
The new Advanced Data Protection capability is a phased rollout, with initial, immediate availability for members of the Apple Beta Software Program and general availability for US users by the end of 2022; Apple’s rollout to the rest of the world is planned to start in early 2023. This opt-in capability expands the data categories that use end-to-end encryption to 23 (from 14) and will now include your iCloud Backup, Photos, Notes, and more. This allows Apple users to use client-/device-side encryption key storage not only for Keychain, Health, and other sensitive data as they have done in the past on their basic Data Protection scheme but also allows client-/device-side storage of keys for iCloud Backup, Photos, and Notes and other types of data as outlined in Apple’s iCloud data security overview. Advanced Data Protection will be available on the iPhone, iPad, and Mac starting with iOS 16.2, iPadOS 16.2, and macOS 13.1.
Third-party solutions such as Cryptomator, Boxcryptor, and pCloud already offer client-side encryption and key storage (keep your own key). This Apple security feature gives customers full encryption control, which results in at least the following: 1) Apple can only provide limited recovery options (trusted contact or preprinted/generated security keys) and 2) Apple cannot comply with a court’s subpoena to hand over a user’s iCloud-stored data (not surprisingly, the FBI has already expressed its concerns about this feature). Forrester expects that some governments may try to restrict Apple’s ability to offer Advanced Data Protection in their country due to concerns about losing ability to access customer data.
Conclusion: The Announcement Renews Focus On The Big Tech Versus Big Brother Debate
Apple is positioning itself as a champion for user privacy in a world where user concerns about access to and abuse of personal data is growing. By offering these capabilities, Apple continues to raise the bar for consumer privacy and security and is another important step toward giving users greater control of their personal data.