“We take privacy very seriously” – Apple, we do not buy it, sorry

November 18th, 2016 by Vladimir Katalov

Good news: Apple has officially responded.

Bad news: We don’t buy it. Their response seems to address a different issue; worse, some of the reporters just quoted what Apple said without real understanding of the actual issue. So let’s try to follow the story step by step.

Apple has an option to back up phone data to iCloud, and has been doing that for many years now. On our side, we have a feature to download iCloud backups. The feature has been there for years, too. We are also able to download everything from iCloud Drive (including data belonging to third-party apps, something that is not available by standard means). We can download media files from iCloud Photo Library (and by the way, we discovered that they were not always deleted, see iCloud Photo Library: All Your Photos Are Belong to Us). Then we started to research how iOS devices sync data with iCloud, and discovered that Apple stores more than they officially say. All iOS versions allow users to choose which bits of data are to be synced – such as contacts, notes, calendars and other stuff. Here is a screenshot from iCloud settings captured on an iPhone running iOS 10:


[Screenshot: icloud_drive]

When analyzing traffic between the iOS device and iCloud, we noted that the call log is also being synced despite the fact that there is no setting for that.

(sorry, only for those who speak Russian)

In short, if iCloud Drive is enabled, all your calls are being uploaded to the cloud, even if you disabled iCloud backups and syncing of all the other stuff.

What we did was add a feature to download those synced logs to our Elcomsoft Phone Breaker software – having valid iCloud credentials (Apple ID and password, or the authentication token), of course. Here is our news release published yesterday:

https://www.elcomsoft.com/PR/epb_161117_en.pdf

We also carefully investigated and analyzed ALL possible reasons for such OS functionality. We have also searched across various Apple-related forums, read dozens of messages from Apple users, and talked to many of them. We also played with iOS settings on both our personal and test iCloud accounts, registered in different countries, enabled and disabled all the (potentially related) ones in different combinations and tested, tested, tested. The results of our discovery are summarized here: iOS Call Syncing: How It Works.

Two weeks prior to our release, we contacted several reporters we trust, provided them with our results (and all supplementary stuff), then talked to them over the phone, explaining all the details, answering the questions (I was in fact surprised by the authors’ competence in technology), making notes etc. The three articles below (the last one is in Russian, but can be easily translated) are 100% technically correct, as are most of the publications that used them as a source:

Last but not least, I spoke to Apple the day before the release – the author of one of the articles listed above asked Apple for comments (over the phone as well), and they wanted to talk to me directly. There were (at least) two people on the other end of the line – one from the PR department, and the other one from the Privacy department. I explained everything to them (in as much detail as I could), and even forwarded them the draft of our two blog articles, where there is a very clear proof that this is NEITHER a Continuity NOR a backup issue. Now I think they still have not realized that.

[Screenshot: apple_call]
(you can easily google the phone number)

Well, it’s now the time to look at the official Apple statement:

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices.”

In fact, they refer to the Continuity feature there, though they do not name it. However, it is NOT Continuity – this can be easily verified; look at our blog post. Details on Continuity are available here:

https://support.apple.com/en-us/HT204681

We disabled FaceTime, never turned the “Allow calls on other devices” option on, and did not connect to Wi-Fi. Call syncing still works, and all the calls go to iCloud. And btw, you can also ask yourself how you can return calls from the other device if you only have a single one (connected to the given Apple ID). The other good question is what the reason is to save call data for as long as four (!) months or even more.

But that’s not all. Some of the reporters also refer to the iOS Security Guide – in particular, the part that describes iCloud backup. Oh well, there was no reason to search across that long technical document; there is an easier way. Here is the Apple Knowledge Base article that lists all the data included in backups (local/iTunes and iCloud ones):

https://support.apple.com/kb/PH12519?locale=en_US

Oh yes, of course backups (including iCloud ones) include the call history, as well as almost everything else – messages, contacts, media files, application settings, web browsing history and much more. Yes, that has not been a secret for years. But the point is: we are speaking about data synchronization, NOT backups. Once again: the call log is uploaded to iCloud even if iCloud backups are turned off. You can easily verify that yourself.

In the meantime, several reporters (including ones working for media I really like and regularly read) seem not to have read our explanation in the blog, and stated that the call log syncing feature is related to Continuity or iCloud backups. Here they are:

As a side note, Apple continues in their statement:

“Apple is deeply committed to safeguarding our customers’ data. That’s why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

Oh well, one more “We take privacy very seriously” piece of crap. Why do they even mention the passcode there? It does NOT protect iCloud backups (only Apple ID and password do). But the recommendation to use 2FA is still good, I have to confess 🙂

Finally, they forgot to mention the fact that although all data in iCloud is encrypted, the encryption keys are stored along with the data (in case you did not know that). That means that anybody with access to the iCloud data (physically, or with Apple ID and password) can decrypt it.

Conclusion: there are only three things we need from Apple, and they are quite simple:

  • Provide full details on what data they store in iCloud
  • Provide information on what data they reveal (well, MAY reveal) to law enforcement, if different from the above. Yes, such a document is already there on Apple’s web site, but now we know that it is not complete.
  • Allow “opt-out” for all categories of data saved in iCloud, and/or provide an ability to delete a particular category (anything from web history to the list of iTunes purchases). That is not about the call logs only. We do know that Apple stores even more. And Apple knows, obviously. And all the TLAs know 🙂

Finally, it would be nice if media reporters carefully checked all the facts prior to writing an article. Please also note we are available 24/7, and they will never get “Elcomsoft was not available for comment”, ever. We can provide all the details, from technical info to the software – by email, phone, Skype, WhatsApp, Viber, Signal or virtually any communication method or software you may think of (please just do not send us faxes :)). We never asked any reporter to confirm the article with us before publishing (though in fact it works well at least for fact-checking). We are absolutely OK seeing negative information about us – this is absolutely normal, we have nothing against that! Just be accurate and professional. The software we develop is intended mostly for professionals, like forensic specialists, and it is not always easy to understand how it works and what the real issue is (if there is a privacy risk, for example). But we are always here to assist! Thanks in advance.