With the advent of iOS 7 and OS X Mavericks, Apple has enabled even tighter iCloud integration across its operating systems.

A good example is a new feature called iCloud Keychain which keeps your web site and Wi-Fi passwords, login and account information and credit card numbers in sync between any number of trusted Mac, iPhone, iPad and iPod touch devices authorized with the same Apple ID.

It’s also another example of Apple’s growing reliance on iCloud. But with great power comes great responsibility so privacy-minded users may ask themselves how exactly iCloud manages this growing mountain of personal information while keeping it safe and secure…

Apple’s had a dedicated support article on iCloud security and privacy up for some time.

It’s been updated alongside the Mavericks release earlier this week with the latest technical information pertaining to the security of Apple’s ever-growing cloud services.

The company distills iCloud security down into this easily digestible chart.

iCloud security and privacy chart

Just a few quick observations.

On iCloud sessions

When you access iCloud’s web apps through a web browser, your sessions are SSL-encrypted, including traffic between your devices and iCloud Mail and Notes. Any data in iCloud web apps accessed through either the web interface or stock iOS/OS X apps is encrypted on the server as indicated in this table.

The only exception is IMAP mail servers. “Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers,” the FAQ underscores. If you need an added layer of protection for IMAP, consider using optional S/MIME encryption, which is supported in all of Apple’s email clients.

On secure tokens

Apple explains that access to iCloud services via stock iOS/OS X apps such as Mail, Contacts and Calendar is handled via secure tokens that don’t require your iCloud password to be stored on devices and computers.

“Even if you choose to use a third-party application to access your iCloud data, your username and password are sent over an encrypted SSL connection,” Apple details.

On Find My iPhone/Find My Friends

Apple says both features only send your location upon a request. Your position “is not transmitted or recorded at any other time,” claims the FAQ.

Find My iPhone and Find My Friends use a minimum of 128-bit AES encryption.

Last known location data is stored on Apple’s servers in an encrypted format for only 2 hours for Find My Friends and 24 hours for Find My iPhone, and then permanently deleted.

You will be automatically signed out of the app (on device or on the web) after 15 minutes of inactivity unless you have a passcode lock set on your device.

On iCloud Keychain

For those concerned about passwords and credit card information being kept on iCloud servers, Apple is using 256-bit AES encryption and “elliptic curve asymmetric cryptography and key wrapping” to secure your private data. These industry-standard encryption techniques are being used both in transit and in the cloud.

As for credit cards, iCloud Keychain stores the numbers and expiration dates, but not the security codes which you’ll have to type in manually in web forms. Moreover, iCloud Keychain items are not part of your iCloud Backup for the sake of heightened security.

And should you want to avoid iCloud Keychain backing up your data in iCloud altogether, skip the step for creating an iCloud Security Code when setting up iCloud Keychain. This will ensure your keychain data is stored locally and only synced across your approved devices. Keep in mind Apple won’t be able to recover your iCloud Keychain if you don’t create an iCloud Security Code.

The company underscores it can’t access iCloud Keychain encryption keys and stresses they’re created only locally on your devices. “Only encrypted keychain data passes through Apple’s servers, and Apple can’t access any of the key material that could be used to decrypt that data,” reads the doc.

Wrapping up

You will need iOS 7.0.3 to use iCloud Keychain on your iPhone, iPod touch and iPad devices (Mavericks is required on Macs). The feature is region-dependent and Apple has a web page up detailing iCloud Keychain availability by country.

While we’re at it, do check out Apple’s Privacy Policy that covers iCloud and details how the company collects, uses, discloses, transfers and stores your personal information.

You’ll also want to read Apple’s tips on creating a strong password for your Apple ID account, or any other web service for that matter.

Do you trust Apple with your personal information?

  • Christian Mejía


  • mrgerbik

    ssl has been cracked by NSA – so really the whole process is pretty much moot if you are truly concerned with privacy
    apparently (what I’ve heard) is that PGP is still a sore spot encryption wise with the powers that be….

  • Will Stone

    This explains very well what is protected and what is not. iCloud is fantastic for keeping my devices synced and the things it does, it does well. I wish it worked a little more like dropbox for document sharing, but maybe Apple is afraid of copyright infringements or something. Nice article.

    • Ted Forbes

      I think Apple needs Dropbox they should buy or partner. Dropbox is the 500 lb gorilla in the room. I love Apple and its iCloud but I don’t see any reason to quit Dropbox any time soon.

      • ✪ aidan harris ✪

        I can’t remember when this was but I’m pretty sure Apple tried to buy Dropbox but were basically told “Not even if pigs fly”…

  • mafish

    Apple is collaborating with NSA (as google/microsoft/…) even if they say they are not…
    And 128bit AES is not as safe as the article said, the only thing I use iCloud for is notes/reminders (no photos, no mail, etc)
    User data is like a toy on the internet, companies do what they want with you, and not what you want them to do.

    • Yash Gorana

      WHAT ! Who said 128bit AES is not safe !

      Possible combinations for 128bit AES key is 3.4 x 10^38

      Fastest supercomputer (as per Wikipedia): 10.51 Petaflops = 10.51 x 10^15 Flops [Flops = Floating point operations per second]

      No. of Flops required per combination check: 1000 (very optimistic but just assume for now)

      No. of combination checks per second = (10.51 x 10^15) / 1000 = 10.51 x 10^12

      No. of seconds in one Year = 365 x 24 x 60 x 60 = 31536000

      No. of Years to crack AES with 128-bit Key = (3.4 x 10^38) / [(10.51 x 10^12) x 31536000]
      = (0.323 x 10^26)/31536000
      = 1.02 x 10^18
      = 1 billion billion years

      Similarly, for 256-bit AES key to be cracked, it will take 3.31×10^56 years.

      • ✪ aidan harris ✪

        Depends on the password used to encrypt the data. No matter what algorithm is used I guarantee that if the data was encrypted using the password “password” it will be cracked almost instantly…
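
Added example (not part of the original comments): the brute-force estimate from the thread above, reusing its assumptions of 10.51 petaflops and 1000 operations per key check, applied to a random 128-bit key and to password-derived keys. The function names, the `work_factor` parameter and the sample password policies are assumptions made for illustration.

```python
import math

# Assumptions taken from the comment thread: machine speed and cost per check.
FLOPS = 10.51e15
FLOPS_PER_CHECK = 1000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def seconds_to_exhaust(keyspace, work_factor=1):
    """Seconds to try every candidate in `keyspace`.

    work_factor models key stretching (for example, KDF iterations), which
    multiplies the cost of testing each password guess.
    """
    checks_per_second = FLOPS / (FLOPS_PER_CHECK * work_factor)
    return keyspace / checks_per_second


def password_keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(keyspace):
    """Effective key strength in bits for a uniformly chosen candidate."""
    return math.log2(keyspace)


def report():
    """Compare a random AES key with keys derived from passwords."""
    cases = [  # (label, keyspace, work_factor); policies are constructed
        ("random 128-bit AES key", 2 ** 128, 1),
        ("8 lowercase letters", password_keyspace(8, 26), 1),
        ("8 lowercase letters, 100000x stretching", password_keyspace(8, 26), 100_000),
        ("12 chars from 94 printable ASCII", password_keyspace(12, 94), 1),
    ]
    rows = []
    for label, space, work_factor in cases:
        secs = seconds_to_exhaust(space, work_factor)
        rows.append((label, round(entropy_bits(space), 1), secs,
                     secs / SECONDS_PER_YEAR))
    return rows


if __name__ == "__main__":
    for label, bits, secs, years in report():
        print(f"{label:42s} {bits:6.1f} bits {secs:10.3e} s {years:10.3e} years")
```

The cipher's key length only bounds the search when the key is random; a key derived from a password is as strong as the password's own keyspace, and stretching raises the cost of each guess rather than the number of guesses.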

  • chumawumba

    Except for the fact that half the time iCloud servers are down

  • Dao Sasone

    Nope. Already lied once.

  • Mohammad Ridwan

    Only has a little backdoor for NSA… no big deal…

    • The Squirrel

      just a little backdoor

  • s0me

    IDB is starting to be more and more biased.

  • xSeriouSx

    “Do you trust Apple with your personal information?”

    Of course not, I use their service for minor stuff (like every other cloud service provider I use), important stuff is backed up locally. Can’t trust ANY US giant, they’re all collaborating with NSA to avoid breaking the “law”…

    • Ted Forbes

      So you don’t connect that device to the Internet I hope? But if they want that information what’s to stop them from getting it anyway?

      • ✪ aidan harris ✪

        Exactly! If Apple wants your information they can get it but why would they? If it was found that they were looking at your information left, right and centre it would reflect badly on them as a business. Apple follows US law, US companies follow US law. As a result US companies are compelled to give information to the government and their agencies. When this happens don’t blame the company (Apple, Google, Microsoft, etc) but blame the law…

      • xSeriouSx

        Never expected you to realize it, but connecting to the internet isn’t the same as using an online service numbskull. Internet just sends/receives website data (including IP/Cookies), a service may include sending/receiving personal data (app data/contacts/calendars).

      • Ted Forbes

        Hey numbskull, if that’s really your real name, if you know something just say it. Or maybe you just got lost trying to find the forum on anger management? Well if you’re trying to find it keep going straight cause this ain’t it. If you know something tell it. If you are brainstorming from a book or listening to a silly politician tell you stuff then I excuse your ignorance, only anger can be your result. Nuff said.

      • xSeriouSx

        Looks like you’re lost and haven’t got reasoning behind what you typed, just blindly defending whatever shit your herd master does, ’cause you’ve totally gone off topic with that ignoramus post.

    • marcus1324

      I am not hiding anything, it’s bad that the NSA knows everything about you but I am not hiding anything so I don’t really care. Think about it before you dislike this comment. Guys they only are doing this to prevent bad things from happening.

      • xSeriouSx

        There should be a limit on power/freedom, too much of either will result in corruption….

      • Ted Forbes


  • Hyr3m

    Shame on you Christian!

  • Dao Sasone

    Nope. Already lied once and that’s all it takes.

  • Ted Forbes

    Our iCloud data is safe? How safe? Well as safe as keeping my secrets from my wife, or my kids’ secrets from me. But how safe are we from governments hacking? As safe as the aristocrats and the emperor Nero were from each other’s insanity. As safe as the Republicans and Democrats are from each other’s deceptions. As safe as Russia and US are from each other’s plots. We’re somewhat safe, but not totally safe after all.

    • marcus1324

      I’m pretty sure that the NSA has been hacked before, I would be more comfortable with all of this if we knew for sure the US Government could not be hacked but there is always a loophole.

  • The Squirrel

    Heh heh I’m at school right now and I’m supposed to be working but iDB is cooler.

    • marcus1324

      You’re such a badass

  • Freier Maurer

    Mr. Zibreg, nice try. I love the innocence of apple-kids, too. Cloud in the head or cloud in the net – no difference.