iCloud backups inside out

February 25th, 2013 by Vladimir Katalov

It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly, I guess, from users who have no experience with iOS devices and so have no idea what iCloud backups actually are), saying that there is nothing really new or interesting there, because anyone with an Apple ID and password can access the data stored in an iCloud backup anyway.

Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular) you will find some useful tips for future interaction with iCloud, or even if you don’t have an iOS device (you loser! just kidding :)) please go ahead and learn how iCloud can be helpful and dangerous at the same time.

Let’s start from the very beginning. Once you get an iPhone (iPad or even iPod) you definitely should create backups on a regular basis. Just in case you get it stolen, lose it, or break it. I should confess that I personally have the 8th iPhone. No, not the Chinese-made 8th gen one with 3 SIM cards, removable battery and TV :). I simply had 7 of them before. And from those seven, I lost as many as three. One was left in a taxi in Vienna on my way to the airport, just half an hour before boarding a flight to Brussels where I was going to attend another security conference. The other one was lost in a cold Russian forest (please don’t ask me what I was doing there at 4 AM at 30 degrees below zero :)). And the last one was dropped in the North Sea when I was yachting around Norway. And you know what? The very same day I got everything back. Well, not my iPhone itself, but all the contacts, SMS messages, pictures and whatever else that was stored in my iPhone. Even though I did not have a computer with me.

There is no magic here at all. I simply purchased a new iPhone and restored it from the backup saved in iCloud. As already noted, I did not have a computer handy, and never cared to connect my phone to anything but the charger and Wi-Fi (or sometimes 3G only). Backups were created automatically, over the air, thanks to iCloud. Local backups are good (at least they’re faster), but in many situations an iCloud backup is a life-saver. There are some security risks there (we will get back to this later), but still it is extremely convenient. Please believe the owner of the 8th iPhone 🙂

There is a lot of valuable information about iCloud backups on Apple website; I would recommend you to start reading from the following articles:

However, all you can do with an iCloud backup is restore your device from it. The same (well, similar) device; you can restore from iPhone to iPad (or from iPad to iPod and vice versa), but some information will not be available then. And this process only goes over the air, which means Wi-Fi. You should either get a new iPhone, or completely reset an available one. During the setup, you will be asked to enter your Apple ID and password to get the backup loaded into it. So, if you have both local (offline) and iCloud backups, you can choose between them to restore the most recent or the most complete one.

But what if you have the Apple ID and password, but don’t have an appropriate i-device or a Wi-Fi connection at hand? Well, you can do almost nothing (it’s so typical of Apple. I really love them, but sometimes they think they know better what I really need, like my mom). You know that your information is stored in a safe place (well, the term “safe” is questionable, but that’s another story: yes, Apple does have access to your backups, because although they are encrypted, as described in the “iCloud: iCloud security and privacy overview” article, the encryption key is stored along with the backup; the only exception is keychain encryption, see below). But you cannot reach it. You can only go to www.icloud.com and get your contacts, notes and documents, that’s all – you can get neither SMS conversations nor call logs, for example.

And what can you do using EPPB? Simply download the whole backup. It is stored (and encrypted) differently from the local one, but we convert it to the same format as iTunes uses (well, in fact it creates hundreds of files with long unreadable names and encrypted contents, but keep on reading). Another option available in EPPB is to rename the files to their real names, so you will easily get your pictures, as well as the SQLite databases with SMS and iMessages and whatever else you have.
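The "long unreadable names" mentioned above, as an added example (not EPPB code and not part of the original post): in an iTunes-format backup each file is named with the SHA-1 hex digest of its `Domain-relative/path` string, a fact about the format that the post does not spell out. The function names and manifest entries below are hypothetical, constructed samples; the sketch assumes a flat backup folder, handles names only (not decryption), and refuses manifest paths that would escape the output folder.

```python
import hashlib
import os
import shutil
import tempfile


def backup_file_id(domain, relative_path):
    """File name inside an iTunes-format backup: SHA-1 of 'Domain-relative/path'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def safe_target(out_root, domain, relative_path):
    """Build the restored path; reject manifest entries that escape out_root."""
    root = os.path.realpath(out_root)
    target = os.path.realpath(os.path.join(root, domain, relative_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes output folder: {domain}-{relative_path}")
    return target


def restore_names(backup_dir, out_root, entries):
    """Copy hashed files to Domain/relative/path; return (restored, missing)."""
    restored, missing = [], []
    for domain, rel in entries:
        src = os.path.join(backup_dir, backup_file_id(domain, rel))
        dst = safe_target(out_root, domain, rel)  # manifest data is untrusted input
        if not os.path.isfile(src):
            missing.append((domain, rel))  # listed in the manifest, absent on disk
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(dst)
    return restored, missing


def demo():
    """Run against a constructed two-file backup; the third entry is absent on purpose."""
    entries = [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
        ("HomeDomain", "Library/Notes/notes.sqlite"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        out = os.path.join(tmp, "out")
        os.makedirs(backup)
        os.makedirs(out)
        for domain, rel in entries[:2]:
            with open(os.path.join(backup, backup_file_id(domain, rel)), "wb") as fh:
                fh.write(b"constructed sample data")
        restored, missing = restore_names(backup, out, entries)
        base = os.path.realpath(out)
        return [os.path.relpath(p, base) for p in restored], missing


if __name__ == "__main__":
    print(demo())
```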

By the way, did I also mention that EPPB downloads iCloud backups using any available (not just wireless) Internet connection? Well, now you know :).

However, using iTunes format is preferable, because instead of wasting your time browsing through hundreds or even thousands of files, it’s much easier to use a special software that works with iTunes backups. Here are my two favorite programs: Oxygen Forensic Suite and iBackupBot.

The first one is for professionals. It gets everything from backups, even some data you never thought would be there. Not just the contacts, messages, and pictures, but also conversations in different messengers such as WhatsApp and Skype, GPS location data, deleted conversations, and much more. If you have never used this excellent package before, you will be really surprised. Especially when looking at the contents of someone else’s iPhone (just kidding :)). This is probably the best software of this kind on the market – it just extracts everything and shows it in a very convenient way.

iBackupBot (available for both Windows and Mac, btw) is not so advanced as Oxygen software but still extremely worthy. This small goodie only shows SMS messages (including iMessage conversations, of course), as well as contact list, call logs, notes and media (pictures and videos). A must-have tool if you need to get the most important information from backup in just seconds.

There is one more important point worth mentioning: iCloud stores not just one backup, but the latest three – and EPPB can get all three backups. The backup process, btw, is very intelligent, because backups are incremental. Once a backup is created, next time this smart device backs up only the changes, saving your time and traffic. So, downloading backups with EPPB also gets faster – you should be patient only when downloading your backup the very first time; after that it only gets the latest changes.

We also get questions about how to get the password to someone else’s Apple account. Sorry, but we only give such advice to law enforcement. All I can say is that in most cases a password is stored in the device (particularly, in the keychain), and once you have the local backup (which should be password-protected, and you should know the password – if you do not, EPPB can help you to crack this password, too), you can extract it easily. That may sound like a “chicken and egg” problem, and sometimes it is, but it is still one of the ways to get the password – better than nothing.

Oh, one more thing, now it’s time for some bad news, sorry. In an iCloud backup, the keychain is encrypted the same way as in a local backup without a password, i.e. using the hardware key unique to the device. That means that you cannot get some data from it, such as saved passwords to mail accounts, Wi-Fi access points, web sites etc.

And the last point for today. How can you protect your backup from being downloaded by someone else (from law enforcement agencies to your curious girlfriend)? Just keep your password safe. Nothing new. It should be long, complex, unique (that’s probably the most important!), with good security questions, and it is a good idea to change it from time to time; some tips are available in the “iCloud: Change your iCloud account password” article on the Apple web site. Moreover, Apple has very strict password requirements, as described in the “Frequently asked questions about Apple ID” article:

(Interestingly, these requirements have been strengthened only recently. I still have one very old Apple ID with simple password that contains lowercase letters only, and it works just fine; however, I cannot use iCloud services with it)

You can even use different Apple IDs for Store purchases and iCloud services. Or you can just neglect iCloud backups at all and keep only the local ones, but as previously noted, this is not so convenient. As always, you should find your best balance between convenience and security – you can never have both to the full degree.

To my mind, Apple has done everything right – iCloud security is good enough. There are no vulnerabilities or security holes there. However, if I were Apple, I would add an extra layer of security by allowing users to set an additional password to iCloud backup, so even if someone knows your Apple ID and password, they still would not be able to access your backup. And though I personally trust Apple, they will not have a chance to read your private data either.

Conclusions? Please make them yourself. We only give you the tool, and it’s your choice how to use it. Maybe you don’t need it at all. In an ideal world, nobody loses or breaks their iPhones or forgets passwords. And there are no bad guys trying to get access to your private data. But once you find this world, please let us know – I have my credit card ready to get a one-way ticket to this magic place :).



139 Responses to “iCloud backups inside out”

  1. Fortunata says:

    Hello Vladimir,

    I bought Ibackup for iTunes, works perfectly with an iTunes backup, but using the iCloud backup (downloaded with EPPB) it shows the total data in GB and can look at multimedia files, but it shows 0 apps in Ibackup for iTunes.
    Can you help me with this problem?

  2. Fortunata,

    Could you please create the ticket in our online support system? We may need to request some additional details from you.

    Also, make sure that you’re using the latest version of EPPB (2.20). Older versions did not decrypt some data from iOS 7 backups properly.

  3. Fortunata says:

    Thanks for your support, indeed I am running an older EPPB version, 1.92

  4. mircea says:

    Hello Vladimir, can you please tell me how to use EPPB to recover my backup from iCloud? Or tell me where to search, please… I tried from File-Apple-Get backup from iCloud, they ask for the ID and password and after that an error 4 shows up and that’s all. Am I doing something wrong? Thanks in advance.

  5. Ferna says:

    Can i recover my icloud id and password?

  6. Mircea,

    You are doing everything right, but it seems that you are using an outdated version of EPPB. Please get the latest one (2.20); if the problem remains, please contact our technical support team at:


  7. Ferna,

    It is not actually possible. You can, however, reset your Apple ID password at:


  8. Victor says:


    I downloaded an iCloud backup using an old version of EPPB. Unfortunately my Whatsapp backup is behind the additional encryption.

    I realized I no longer have access to that old backup in the cloud, since it’s already been replaced by newer backups.

    Any ideas on how to recover the Whatsapp files? I’m trying to feed the previously downloaded backup into EPPB 2.0, but it is not being accepted since the backup is not encrypted as a whole.

  9. Victor,

    Unfortunately, no way. The encryption keys are stored in the iCloud as well, along with the data. Basically, for every chunk, the program sends two requests, like “get the encrypted data” and “get the encryption key”; for every backup (and every chunk in it), the encryption keys are different. There is no way to retrieve the keys for the old data that has been already downloaded.

  10. Victor says:

    Thanks for your help, Vladimir!

  11. Kevin says:

    I am using the latest version of EPPB. Recently it’s not able to download my backup from iCloud. It’s stuck at 20%; if I restart the application, it works for a couple of seconds then gets stuck again. A backup of 100 MB has taken like 6 hours to download, and is not yet complete.

  12. Kevin says:

    Ok, the new version is crashing a LOT. Is there any fix coming up?

  13. Daniel says:

    Dear Vladimir, I am using version 2.22 Build 1823. It’s no longer working and I have been getting this message for some time now:

    Curl Error Message: Connection with server has been lost;curl error code: 28;curl res buf ; Connection timed out after 5070 milliseconds

    Any idea what’s going on here?

  14. Kevin,

    The fix is on the way! Sorry for the inconvenience.

  15. Daniel,

    We encountered such problem before (a couple of times), but I will consult with the developers. In any case, version 3.0 is on the way (to be released in about 3 weeks), and it should fix most network problems, even potential ones. Thanks for your patience!

  16. Daniel,

    About curl problem you have encountered: we need some details on your configuration. Please contact me at v.katalov AT elcomsoft DOT com, and I think I will be able to shed some light on that.

  17. John says:

    The invalid Data error has returned, Apple may have changed something, my backups after March 20th seem to be undownloadable.

  18. Rick says:

    So after purchasing the Pro version last night, it appears the iCloud download functionality is broken??! Invalid Data error message.

  19. Rick says:

    Additional comment: the download appears to be working with an iPhone 5s that was just updated to iOS 7.1

  20. In EPPB version 2.30, the problem with iOS 7.1 seems to be gone. If you still encounter any problems, please create the support ticket in our system, we will take care asap!

  21. Mike says:

    Vladimir, I am using version 2.30 and now (today) getting this error message after downloading a recent backup actually just Sunday:

    “Curl Error Message: Connection with server has been lost;curl error code: 28;curl res buf ; Operation timed out after 5039 milliseconds”.

    This is the first time I have seen this message, and it has just popped up in the past 48 hours

  22. Jarvis says:

    I have a backup of around 4 GB and when I try to download it finishes at some 300 MB and I can see this message in the logs.

    Snapshot with id 5 not completed

    How to get around this, to download my full backup?

  23. Jarvis says:

    By the way, I am using 2.30 Build 2690

  24. Mike,

    This error (about Curl) may occur if there is a (temporary) problem with connection to Apple servers. However, the software retries the operation again, and usually it completes normally, so it’s kinda warning. If, however, your backup has not been downloaded because of that, please contact our tech support with more detailed information.

  25. Jarvis,

    It means that the last backup in the iCloud is not full — if backup operation has been interrupted for some reason. Such (incomplete) backups cannot be downloaded at all. However, you should not get any problems downloading all other (previous/completed) backups.

  26. Jarvis says:

    Hi Vladimir, from my understanding, the incomplete backups should not show up in the list of backups at all. If it’s showing up, it means it’s complete. And the download does start but breaks after some time. Is there a way to skip a snapshot and download the one that is complete?

  27. Jarvis,

    Yes, incomplete backups are not shown, and EPPB does not even try to download them — that’s what “Snapshot with id 5 not completed” tells. But EPPB always downloads all completed backups from the selected device — just check the output folder.

  28. Georgiana says:

    Greetings! This is my first visit to your blog! We are a group of volunteers and starting a new project in a community in the same niche.

    Your blog provided us beneficial information to work on. You have done a marvellous job!

    Also visit my page … Cleaning Insurance

  29. Elsworth says:

    Hi vlad,

    Is there a chance that icloud saves my skype conversation? And if so is there a chance to delete it?

  30. Rafael says:

    Is this blog still monitored? I have an issue with EPPB that I have been trying to figure out for a while now. Let me know Vlad if you still check this.

  31. Rafael says:

    I have my backup downloaded with the latest version of EPPB, but none of my pictures stored in apps like KeepSafe are visible! They seem to be encrypted. Are we working on a fix for this?

  32. Elsworth,

    Yes, Skype saves the conversation log in backup (in iTunes — always, in iCloud — depending on iCloud settings on your iPhone). It is there:

    AppDomain-com.skype.skype\Library\Application Support\Skype\\main.db

    As far as Skype data is a part of backup, you cannot delete just it, but you can turn off including it into iCloud backup just by unchecking an appropriate option at:

    Settings | iCloud | Storage & backup | Manage Storage | Skype
    Settings | iCloud | iCloud Drive | Skype

    For more information:

  33. Rafael,

    Of course I do 🙂

    Well, all iOS applications can encrypt their own data (especially if it is included into backup, which is not always the case) — the way they want. We only deal with “standard” (built-in) encryption that affects the backup itself; to work with KeepSafe (or any other app of that kind), we need to investigate what particular algorithm it uses, how secure the implementation is, etc. Sometimes the encryption key is simply stored along with the data and so it is fairly easy to decrypt; or a brute-force or dictionary attack might be required.

  34. Rafael says:

    Glad to know you still do 🙂

    Well, I do remember the key for my KeepSafe. It’s just that, how do I decrypt it is beyond me.

  35. Rafael,

    Well, we still need to reverse-engineer the application in order to understand how encryption is implemented — it is not enough to know the password. Parsing the data format is also needed. I have added this task to our “todo” list, but cannot promise that we will implement that soon.

  36. iska service says:

    I have a backup. I can get a password iCloud

  37. Hector Sala says:

    Hello Vladimir,

    I keep getting “Connexion with server has been lost” even though the icloud website and internet is working fine on my computer. Any idea on how to solve this ?

  38. Greg says:

    I just started using the trial version, and I’m also getting timeouts and “curl errors” when trying to download an iCloud backup. I have another tool I use for these downloads, and it has stopped working as well. I think Apple changed something and broke compatibility with all of these tools. Would love to know if a fix is coming, and when.

  39. Greg,

    We started receiving such errors yesterday — yes, it seems that Apple has changed something. Our engineers are taking care, we are doing our best to provide fix asap.

  40. Russ says:

    Same issue: Curl error when Downloading Backup from cloud. Multiple retries with no success.

    Please advise asap, as downloading backups from the cloud is the sole reason I own this product.

  41. Russ,

    Working hard on that. Yes, iCloud protocol has been changed, and we are working hard to provide an update ASAP!

  42. John says:

    If we have purchased the software over a year ago and no longer eligible for updates, will a patch be provided or will we be required to repurchase?

  43. Mike says:

    I would expect it would be a free update. New features such as a new GUI, improved/reworked acquisition times, or added features are fine to require payment, but the program should always work. Right now it doesn’t work, so it should definitely be free.

  44. John,

    Please create a ticket in our support system, mentioning your order ID or registration code — we will take care.

  45. Mike,

    The update will be free for most users, but please create the ticket on our support web site.

  46. Mike says:

    Now, or once the update is released?

  47. Mike,

    It does not actually matter. Best of all, just drop me a line at v.katalov AT elcomsoft.com, I will take care.

  48. Fortunata says:

    Same Curl problem over here.

  49. The problem has been fixed (we’ve been working 24/7), new version is ready and will be released later today! Thanks for your patience.

  50. Markus says:

    What time should we expect the update? (moscow local time)