Photo by Medhat Dawoud on Unsplash

How Secure Is iCloud?

Spoiler: it’s not perfect.

Bob Kfir
Bob Kfir
Jul 19 · 5 min read

iCloud is what makes all the magical features of backups and syncing happen, on Apple devices anyways. But, just how secure is your information stored in Apple’s cloud?

“In Transit” vs “At Rest”

These two terms are rather important for understanding the remainder of this post, so it’s important to understand what they mean with regard to encryption:

In Transit

Data is in transit when it’s moving from one device to another, typically through the internet. This term can be used to describe both communications from a client (e.g. your browser) to a server, or the other way around. For example, whenever you visit a website that’s using HTTPS, the contents of the web page are encrypted in transit by TLS.

Once information reaches its destination, it must be decrypted for the server or client to understand the data (e.g. when you visit a website, the browser needs to “see” the HTML in plain text in order to display it properly, not in its encrypted form). In transit encryption protects from attackers on the network between the client and server; anyone except the sender and recipient will need to crack the encryption to read the data, which is pretty much impossible (assuming modern, secure encryption algorithms are used).

At Rest

Although it’s much harder for attackers to gain physical access to your device than your internet connection, there are still situations in which you want data to be encrypted when on your device, i.e. when the data is at rest. This is of more concern on mobile devices, which are easier to forget and leave behind. Speaking of which, modern iOS devices encrypt most of your locally stored data in a way which no one without the password can access (assuming your password is secure enough). However, this applies only to data stored on your phone; the data stored in iCloud or other cloud services may not be as strongly secured.

Breaking It Down

“How Secure Is iCloud?” is a pretty big question to handle all at once, so I’ve decided to break it down into simpler questions before arriving at a conclusion. Unless otherwise stated, all of the quotes come from the iCloud security overview.

Can Apple access iCloud data?

At first, it seems like they can’t, based on the following statement:

iCloud secures your information by encrypting it when it’s in transit, storing it in iCloud in an encrypted format, and using secure tokens for authentication.

However, it’s important to remember the difference between standard encryption and end-to-end encryption. With end-to-end encryption (in this case, where there is only one party involved), the data is only ever decrypted on your device. This means that as long as data is encrypted on your device before being sent, and can only be decrypted with a key only you have, you’re the only individual that can access that data. Such encryption can be done rather seamlessly nowadays, and it provides the maximum security possible; even if the company hosting the data wanted to access it, they couldn’t without the key, which only you have.

On the other hand, standard encryption uses keys known by the company hosting the data. This is easier to set up and allows for customers to be able to access their data even if they forget their own key. Should the storage media containing the data be compromised, the data should still be safe as long as the company stores the keys properly (i.e. on a different device than the data).

With that being said, the following data is end-to-end encrypted(source):

  • Home data
  • Health data (requires iOS 12 or later)
  • iCloud Keychain (includes all of your saved accounts and passwords)
  • Payment information
  • Quicktype Keyboard learned vocabulary (requires iOS 11 or later)
  • Screen Time
  • Siri information
  • Wi-Fi passwords

Virtually everything else stored in iCloud that isn’t listed above is still encrypted, but just not end-to-end, such as your device backups.

Does Apple control all the servers used for iCloud?

Since it’s not always feasible for a company to build their own data centers, many rely on renting VPS’s (Virtual Private Servers) from IaaS (Infrastructure as a Service) providers. Many companies with their own data centers still rent VPS’s for various reasons, including Apple. In particular, “iCloud data may be stored using third-party partners’ servers — such as Amazon Web Services or Google Cloud Platform,” the latter of which concerns me a bit more than the former. That concern is largely unfounded since Google states that “Google Cloud does not process your data for advertising purposes,” but I still don’t like that Google specifically says “for advertising purposes” and not “at all”. To be fair to Google, I didn’t read through the entire Google Cloud Platform privacy policy, but I think that they would want to advertise if they didn’t use their customer’s data at all.

I have much less of a problem with iCloud data being stored within Apple’s own data centers than having my iCloud data stored on Google or Amazon servers. Fortunately, Apple encrypts your data before shipping it off to Amazon or Google servers, and they keep the keys on their own infrastructure. Even if Google and/or Amazon wanted to access your iCloud data for some reason, they can’t get it in any usable form.

Is iCloud data encrypted in transit?

In this regard, Apple does a perfect job. All data transmitted back and forth between your device and Apple is encrypted in transit. This means that even when the path between your device and Apple is compromised, there’s a layer of encryption protecting your data from anyone who may be snooping.

Is iCloud data encrypted at rest?

All data, except for your emails, are encrypted at rest. Apple claims that emails aren’t encrypted at rest “consistent with industry standard practice”. While you probably don’t use email to send extremely sensitive information, it would still be nice to know that it’s encrypted at rest. Apple does encrypt it in transit, but once it reaches their servers, it’s no longer encrypted. I can understand not end-to-end encrypting emails, but I can’t think of any reason to not encrypt emails at rest. Perhaps it has something to do specifically with the IMAP protocol, with which I’m not too familiar.

So, How Secure Is iCloud?

I still consider iCloud to be secure, but not as private as I believed. Everything is encrypted when in transit, and the vast majority of data is also encrypted at rest. But for everything that isn’t end-to-end encrypted, Apple could still access if they wanted to. In all fairness, they aren’t exactly worse than other similar services, but I expected Apple to put more measures in place to ensure only you can access your data.

You can learn more about Apple’s approach to privacy here and here.

Bob Kfir’s Tech Blog

A technology blog with an emphasis on cybersecurity and privacy.

Bob Kfir

Written by

Bob Kfir

I’m a writer and a programmer. Most of what I write is about technology (often privacy and cybersecurity) and/or writing. You can learn more at www.bobkfir.com

Bob Kfir’s Tech Blog

A technology blog with an emphasis on cybersecurity and privacy.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade