How iCloud keeps your data safe

With the advent of iOS 7 and OS X Mavericks, Apple has enabled even tighter iCloud integration across its operating systems.

A good example is a new feature called iCloud Keychain which keeps your web site and Wi-Fi passwords, login and account information and credit card numbers in sync between any number of trusted Mac, iPhone, iPad and iPod touch devices authorized with the same Apple ID.

It’s also another example of Apple’s growing reliance on iCloud. But with great power comes great responsibility so privacy-minded users may ask themselves how exactly iCloud manages this growing mountain of personal information while keeping it safe and secure…

Apple’s had a dedicated support article on iCloud security and privacy up for some time.

It’s been updated alongside the Mavericks release earlier this week with the latest technical information pertaining to the security of Apple’s ever-growing cloud services.

The company distills iCloud security down into this easily digestible chart.

Just a few quick observations.

On iCloud sessions

When you access iCloud’s web apps at iCloud.com through a web browser, your sessions are SSL-encrypted, including traffic between your devices and iCloud Mail and Notes. Any data in iCloud web apps accessed through either the web interface or stock iOS/OS X apps is encrypted on server as indicated in this table.

The only exception are IMAP mail servers. “Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers,” the FAQ underscores. If you need an added layer of protection for IMAP, consider using an optional S/MIME encryption which is supported in all of Apple’s email clients.

On secure tokens

Apple explains that accessing iCloud services via stock apps iOS/OS X such as Mail, Contacts and Calendar apps is handled via secure tokens that don’t require your iCloud password be stored on devices and computers.

“Even if you choose to use a third-party application to access your iCloud data, your username and password are sent over an encrypted SSL connection,” Apple details.

On Find My iPhone/Find My Friends

Apple says both features only send your location upon a request. Your position “is not transmitted or recorded at any other time,” claims the FAQ.

Find My iPhone and Find My Friends use a minimum of 128-bit AES encryption.

Last known location data is stored on Apple’s servers in an encrypted format for only 2 hours for Find My Friends and 24 hours for Find My iPhone, and then permanently deleted.

You will be automatically signed out of the app (on device or on the web) after 15 minutes of inactivity unless you have a passcode lock set on your device.

On iCloud Keychain

For those concerned about passwords and credit card information being kept on iCloud servers, Apple is using 256-bit AES encryption and “elliptic curve asymmetric cryptography and key wrapping” to secure your private data. These industry-standard encryption techniques are being used both in transit and in the cloud.

As for credit cards, iCloud Keychain stores the numbers and expiration dates, but not the security codes which you’ll have to type in manually in web forms. Moreover, iCloud Keychain items are not part of your iCloud Backup for the sake of heightened security.

And should you want to avoid iCloud Keychain backing up your data in iCloud altogether, skip the step for creating an iCloud Security Code when setting up iCloud Keychain. This will ensure your keychain data is stored locally and only synced across your approved devices. Keep in mind Apple won’t be able to recover your iCloud Keychain if you don’t create an iCloud Security Code.

The company underscores it can’t access iCloud Keychain encryption keys and stresses they’re created only locally on your devices. “Only encrypted keychain data passes through Apple’s servers, and Apple can’t access any of the key material that could be used to decrypt that data,” reads the doc.

Wrapping up

You will need iOS 7.0.3 to use iCloud Keychain on your iPhone, iPod touch and iPad devices (Mavericks is required on Macs). The feature is region-dependent and Apple has a web page up detailing iCloud Keychain availability by country.

While we’re at it, do check out Apple’s Privacy Policy that covers iCloud and details how the company collects, uses, discloses, transfers and stores your personal information.

You’ll also want to read Apple’s tips on creating a strong password for your Apple ID account, or any other web service for that matter.