I have just set up iCloud on three Apple devices: a Mac, an iPad 2, and an iPhone 4.
On the iOS devices I was asked if I wanted to use iCloud, and when I agreed, watched as all my documents were transferred from the device to iCloud.com.
I then went to the iCloud website, signed in with my Apple ID – username and password – and saw that all my documents were there ready for download.
I also tried editing a document on the iPhone. In moments, the edited document was also updated on the iPad.
All very convenient; but I realised that I’d just sent up to the cloud a couple of documents that include information I do not want to share. How safe is it on iCloud? Does Apple encrypt the documents?
I looked at Apple’s iCloud information and on the support site and found nothing about security on a quick look, other than that traffic is SSL encrypted, so here are my own observations.
First, access to iCloud.com is protected only by the username and password which form your Apple ID. Sony recently reported a breach of 93,000 accounts on the PlayStation network, apparently based on a list of username/password combinations that a hacker found elsewhere. In other words, some other popular site(s) suffered a security breach, and the hacker automated an attack on the PlayStation Network on the assumption that the same credentials might be used there. The majority failed, but 93,000 succeeded, demonstrating that this is not a small risk.
Second, I wondered if I could mitigate the risk by encrypting my iCloud documents. I cannot find a way to set a password on a Pages document in iOS, but I can do so on the Mac. I password-protected a document, and then uploaded it to iCloud. Next, I opened this on the iPad. I was prompted for the password – good. However, I then modified the document in Pages on the iPad. This automatically updated the document on iCloud, but it was no longer password protected. I do not recall seeing a warning about the password protection being removed. It looks as if password protection does not iWork if you use iOS.
Third, I found this statement in Apple’s terms of service for iwork.com. It is repeated in the terms for MobileMe, and which I cannot yet find terms for iCloud.com it may well be the same there too:
Access to Your Account and Content
You acknowledge and agree that Apple may access, use, preserve and/or disclose your account information and Content if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce these TOS, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users or the public as required or permitted by law.
I guess what this means is that if you have confidential documents, iCloud.com is not a sensible place to keep them.
I would like to see some way of disabling cloud sync for specified documents, but as far as I can tell there is no such feature yet.
Further, if your Apple ID is the same username and password that you use on dozens of other sites on which you have been required to register, it would be worth changing it to something long and unique. I would also suggest reviewing the insecurity questions, which are not for your protection, but to reduce the number of password reset requests which support have to deal with. The best answers are those which are not true and therefore potentially discoverable, but made-up ones, as essentially these are secondary passwords.
Same Q here. Short answer, yes encrypted storage, see http://support.apple.com/kb/HT4865 . I’m still unclear on what steps are taken to ensure security of the password itself. Dropbox policy sucks (“rare exception”?!?), amybe Apple is the same?:
http://www.dropbox.com/help/27
Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.