
Document security and Apple iCloud

I have just set up iCloud on three Apple devices: a Mac, an iPad 2, and an iPhone 4.


On the iOS devices I was asked if I wanted to use iCloud, and when I agreed, watched as all my documents were transferred from the device to iCloud.com.

I then went to the iCloud website, signed in with my Apple ID – username and password – and saw that all my documents were there ready for download.

I also tried editing a document on the iPhone. In moments, the edited document was also updated on the iPad.

All very convenient; but I realised that I’d just sent up to the cloud a couple of documents that include information I do not want to share. How safe is it on iCloud? Does Apple encrypt the documents?

I looked at Apple’s iCloud information and on the support site and found nothing about security on a quick look, other than that traffic is SSL encrypted, so here are my own observations.

First, access to iCloud.com is protected only by the username and password which form your Apple ID. Sony recently reported a breach of 93,000 accounts on the PlayStation network, apparently based on a list of username/password combinations that a hacker found elsewhere. In other words, some other popular site(s) suffered a security breach, and the hacker automated an attack on the PlayStation Network on the assumption that the same credentials might be used there. The majority failed, but 93,000 succeeded, demonstrating that this is not a small risk.

Second, I wondered if I could mitigate the risk by encrypting my iCloud documents. I cannot find a way to set a password on a Pages document in iOS, but I can do so on the Mac. I password-protected a document, and then uploaded it to iCloud. Next, I opened this on the iPad. I was prompted for the password – good. However, I then modified the document in Pages on the iPad. This automatically updated the document on iCloud, but it was no longer password protected. I do not recall seeing a warning about the password protection being removed. It looks as if password protection does not iWork if you use iOS.

Third, I found this statement in Apple’s terms of service for iwork.com. It is repeated in the terms for MobileMe, and while I cannot yet find terms for iCloud.com, it may well be the same there too:

Access to Your Account and Content

You acknowledge and agree that Apple may access, use, preserve and/or disclose your account information and Content if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce these TOS, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users or the public as required or permitted by law.

I guess what this means is that if you have confidential documents, iCloud.com is not a sensible place to keep them.

I would like to see some way of disabling cloud sync for specified documents, but as far as I can tell there is no such feature yet.

Further, if your Apple ID is the same username and password that you use on dozens of other sites on which you have been required to register, it would be worth changing it to something long and unique. I would also suggest reviewing the insecurity questions, which are not for your protection, but to reduce the number of password reset requests which support have to deal with. The best answers are not true ones, which are potentially discoverable, but made-up ones, as essentially these are secondary passwords.
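The credential-reuse attack described above (username/password pairs from one breached site replayed against another service, where most attempts fail and some succeed) leaves a recognisable pattern in login logs. As an added example that is not part of the original post, here is a Python check a service operator could run to flag that pattern and list the accounts whose reused password worked; the event format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_address, username, login_succeeded).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_EVENTS = (
    # One source replaying a leaked list: each account tried once, a few hits.
    [("198.51.100.7", u, u in ("dave", "heidi")) for u in USERS]
    # Password guessing against a single account: many tries, one username.
    + [("203.0.113.20", "alice", False)] * 10
    # An ordinary user who mistypes once and then gets in.
    + [("192.0.2.5", "bob", False), ("192.0.2.5", "bob", True)]
    # A shared office address: many users, but nearly all logins succeed.
    + [("192.0.2.50", u, True) for u in USERS[:6]]
)


def detect_credential_stuffing(events, min_users=5, max_tries_per_user=2.0,
                               max_success_rate=0.5):
    """Flag sources that try many distinct accounts, few times each, mostly failing.

    Thresholds are illustrative assumptions, to be tuned on real traffic.
    """
    stats = defaultdict(lambda: {"tries": 0, "ok": 0, "users": set(), "hits": set()})
    for source, user, succeeded in events:
        s = stats[source]
        s["tries"] += 1
        s["users"].add(user)
        if succeeded:
            s["ok"] += 1
            s["hits"].add(user)

    flagged = {}
    for source, s in stats.items():
        tries_per_user = s["tries"] / len(s["users"])
        success_rate = s["ok"] / s["tries"]
        if (len(s["users"]) >= min_users
                and tries_per_user <= max_tries_per_user
                and success_rate <= max_success_rate):
            flagged[source] = {
                "users_tried": len(s["users"]),
                "success_rate": round(success_rate, 2),
                # Accounts whose reused password worked: force a reset on these.
                "accounts_to_reset": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
```

The single-account guessing run and the shared office address are deliberately not flagged: the first touches only one username, and the second has a success rate no replayed list would reach.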

Apple iCloud: i is for integrated

Apple has announced iCloud, smart cloud storage for Apple devices.

The iCloud will store documents, email, contacts and appointments, and synch the data to multiple devices including iPad, iPhone, iPod touch, Mac or PC. You get 5GB free with more available to purchase. Books are synched so that your place is saved from one device to the next, a feature borrowed from Amazon Kindle.

Apple has also exposed an API for developers:

Apple apps are seamlessly integrated with iCloud, and we’ve given developers the tools to make their apps work with iCloud, too. So you’ll be able to paint a masterpiece, play a game, create reminders, edit stock lists, and more — and have it all stay with you on all your devices.

This API allows for key-value pairs to be stored as well as documents.

The iCloud also backs up settings, including device settings and app data. If your iOS device is stolen, restoring it should be just a matter of reconnecting:

When you set up a new iOS device or need to restore the information on one you already have, iCloud Backup does the heavy lifting. Just connect your device to Wi-Fi and enter your Apple ID and password. Your personal data — along with your purchased music, apps, and books from iTunes — will appear on your device.

This is similar to what Google is promising for the Chromebook; in fact, there are quite a few parallels there.

Email is also synchronised, provided you use Apple’s me.com email account. Users of Microsoft Exchange or similar server-based systems already have the experience of email, appointments and contacts synched across all devices; now iCloud brings this to all Apple users.

There is also special provision for music. In this case you do not actually have to upload the tracks in most cases, since Apple will “scan and match” your collection. This applies to CDs you have ripped as well as iTunes purchases, which strikes me as a big concession from the music industry, since there is actually no way to tell if you ripped your own CD or copied it from a friend. You do have to pay $24.99 annually for this though, so it is a kind of music subscription. However it falls short of Spotify’s play-anything offer, since you have to acquire each track by some separate means first.

Taking each feature individually, there is little new here other than Apple’s deal with the music companies. Taken together though, this is a big deal. Apple iOS devices are no longer tied to an iTunes installation on Mac or PC; they are now cloud devices. If you think as I do that cloud+device is the direction of computing today, this is a key move.

One weak point is collaboration. The iCloud seems to be a private store, whereas with technology like Microsoft SharePoint or Google Apps you can publish documents to selected individuals or to the world.

I expect it is just a matter of time before Apple adds document sharing based on Apple IDs or me.com email identities. Another obvious move would be some sort of web site integration so you can publish certain kinds of data.

Another weak point is system requirements. Some features will require iOS 5 or OS X Lion. However, in the past iOS upgrades have been free so that is unlikely to be a problem; and even an upgrade to Lion will only be $29.00, provided your Mac is compatible – it needs Intel Core 2 Duo or better.

There is also the question of whether you want to store all your critical data on Apple’s servers. In my own encounters with Apple’s online security I have not been impressed. Someone managed to sign up for iTunes using my email address once; I could have had full access to his account and stored credit card details. Apple also uses the notorious “security questions” technique for resetting passwords. It is also not clear whether data in iCloud is encrypted.

That said, as with the iPad versus Microsoft’s Tablet PC, I am struck by how Apple has taken a feature which Microsoft has worked on for years but failed to implement sensibly and consistently. Microsoft had Live Mesh for example back in 2008 complete with an API for synchronising documents across PCs. The API was poor, there was an operating system component which could be problematic to install, and mobile device support never really came. Then in 2010 Microsoft scrapped most of it and replaced it with a new Live Mesh based on SkyDrive which is now part of Windows Live Essentials. It is an optional extra for Windows users and aimed at consumers; business users can get some of this using Exchange and SharePoint as mentioned above, though these are usually privately hosted. Everything is an extra, some things free, some things paid for. In the confusion third party services like Dropbox have flourished.

Microsoft will learn from Apple and we will see a nicely integrated cloud story in Windows sometime around 2014, based on past performance.