Health data is among the most important bits of information about a person. Health information is just as sensitive as the person’s passwords – and might be even more sensitive. It is only natural that health information is treated accordingly. Medical facilities are strictly regulated and take every possible security measure to restrict access to your medical records.
For several iOS versions now, your health information has also been stored on Apple smartphones, in Apple's cloud and on various other devices. In theory, this information is accessible only to you. It is supposedly stored securely, using strong encryption. But is that really so? What if Apple uploads this data to the cloud? Is it still secure? If not, can we extract it? Let's try to find out.
Apple Health collects a lot of highly sensitive information such as your activities, your sleep habits, heart rate and even blood pressure if you wear a compatible tracker. Apple Health gathers information from multiple sources including the iPhone itself, the applications (Nike+, Strava, Endomondo just to name a few), and many companion devices (Apple Watch, fitness trackers etc.). Since iOS 11, that data can sync across your devices through iCloud. The syncing option is enabled by default.
So how secure exactly is Health data in iCloud? Does Apple have access to your Health records, and can it provide the data to Law Enforcement on request? Can somebody else access the data, and if they can, what do they use it for, and will you ever notice? What can you do to protect yourself?
Let’s start with the presentation of Apple Watch Series 4 by Jeff Williams (Apple COO) at Apple Special Event (September 12, 2018):
Apple Watch Series 4 is the ultimate guardian for your health, the best fitness companion, and the most convenient way to stay connected. And with all these amazing features, of course, your data is still protected. At Apple we believe your personal information belongs to you, you should decide who you share it with, and who gets to see it, period. All your health and fitness data, it’s encrypted on device and in the cloud.
Well, that’s what all vendors say, and no technical details are given. You can also read Approach to Privacy and iOS – Health at Apple, but I bet you will be disappointed.
Security of Apple Health Data on the Device
Speaking of iOS devices, all information including Health is encrypted. The obvious way of extracting this information would be through an iTunes backup (obviously, the device must be unlocked). It is important to note that you must set a backup password before you make a backup. If you don’t, then Health data will not be there at all; in other words, Apple Health data is only included in password protected backups. This in turn means that if you only have the backup and not the device, you will be unable to obtain Health data: it either is not there (backups without a password) or securely encrypted. For password-protected backups, you will have to break the password, which is virtually impossible for iOS 10.2+ backups due to extremely strong protection.
If you have the device on hand, it is much easier. If the backup password is not set, select your own password and make a backup. If the user already set a password and you don’t know it, just reset it (in iOS 11 and 12), and then again set your own password. The only thing that may prevent you from doing that is Restrictions password (iOS 11) or Screen Time password (iOS 12).
There is another way specific to Health: export right from Health application. With it, you get all the data in plain text (well, XML).
Security of Apple Health data in iCloud
Let’s proceed with cloud security. Again, some reading first – Apple’s iCloud security overview:
End-to-end encrypted data
End-to-end encryption provides the highest level of data security. Your data is protected with a key derived from information unique to your device, combined with your device passcode, which only you know. No one else can access or read this data.
These features and their data are transmitted and stored in iCloud using end-to-end encryption:
Health data
[..]
To use end-to-end encryption, you must have two-factor authentication turned on for your Apple ID. To access your data on a new device, you might have to enter the passcode for an existing or former device.
Does it look secure enough? Not really. Yes, all the data in iCloud is encrypted with industry-standard algorithms. The problem is that the encryption keys are stored along with the data. Well, they are not physically alongside. Encrypted data is physically stored on servers Apple leases from Google, Amazon and Microsoft, while the keys are always stored at Apple's own data centers. But that does not actually matter since Apple has access to both. Even worse, anyone with proper credentials has access to both data and keys, and so can recover (decrypt) the data.
But wait, there is more – in Get a copy of the data associated with your Apple ID account:
Why does Apple store my Health data?
Health data is stored in iCloud to keep the data up to date across all your devices automatically and to allow you to recover your data if your device is lost. Apple doesn’t access or use this information for any other purpose. You can turn off this feature by turning off Health in iCloud settings.
How can I access my Health data?
There are two ways to access your Health data. You can download it as part of your data request, or you can access your data directly from the Health app on your iPhone. To access your health data directly from the app, tap your user profile in the upper-right corner of the home screen of the Health app and select Export Health Data.
We will be “back to end to end encryption” shortly, but just one more thing: Health Records. This data is even more private as it is not collected by your iPhone and wearable devices, but received from medical institutions. Public information on Health Records is even more confusing. For example, Easy come, easy go: What you need to know about Apple’s new Health Records feature says:
As for privacy, Health Records are encrypted on your device via your passcode. Your medical records are not stored on iCloud and not viewed by Apple, they’re directly on your phone. This works in a similar manner to how your fingerprint – or facial data if you have an iPhone X – is stored on your iPhone’s secure enclave.
But at Apple’s Healthcare – Health Records, we can see the following:
When health record data is transferred from a healthcare institution to the Health app, it is encrypted and does not traverse Apple’s network. When a user’s iPhone is locked with a passcode, Touch ID, or Face ID, their health data in the Health app is encrypted on-device. If a user chooses to sync their health data with iCloud, it is encrypted while in transit and at rest.
End-to-End Encryption
There was an interesting discussion, "is iCloud backup/storage really end to end encrypted?", at Reddit with a lot of thoughts and assumptions, as well as many links to other articles. Another good reading is "Has iCloud Gotten Safer? Apple's Cloud and Security".
What does "end-to-end encryption" actually stand for? That term is widely used when speaking of messaging security; all major developers of instant messaging software (WhatsApp, Viber, Facebook Messenger, Signal etc.) encrypt the data "in transit", and decryption can only be performed by the intended recipient. The implementation is about the same everywhere: only the target device has the proper decryption key.
It is not the same with Health. Health data is not just being sent from one device to another – it is actually stored in the cloud, and synced across all devices connected to the same cloud account.
The reality is: Health data may be stored in two separate containers in the cloud. The first one is, well, just the "usual" iCloud thing with no additional encryption. It's like most other data categories (Contacts, Notes etc.). The second container (referenced by Apple as "end to end encrypted") is protected much better, similar to synced messages (see iMessage Security, Encryption and Attachments). For some accounts, there is only one container (secured or not); for others, there are two, and they somehow overlap – part of the data exists in both containers, while the second/secured container usually has significantly more records.
To access the data in the first (unsecured) container, we only need the user’s Apple ID and password (and second factor if set) or an authentication token. The data in the second (secured) container cannot be accessed with a token at all. Even with the password and second factor, there is one more thing that you will need: the passcode of one of the trusted devices to access the keychain holding the encryption key for Health data. No, Elcomsoft Phone Breaker does not add itself to the list of trusted devices – but just enters into the trusted circle through a kind of backdoor, so other devices do not notice. Yes, you still need the passcode. If you don’t know it, you can skip that step and only obtain data from the first, unsecured container. If you know the passcode, you will obtain more information.
You may ask, why is it so complicated and insecure? Shouldn't Apple always keep all the data in that secured container, accessible only from trusted devices (or with our software, with the passcode to the trusted device)? We don't know for sure, but it appears that the old unsecured container may only exist if some Health data were collected by older devices (prior to iOS 11), and/or with iCloud Keychain disabled.
By the way, if you are using Health data sync, we strongly recommend that you first download your data without entering the passcode, to see whether some of your Health data is stored in the old-style unencrypted container. If so, you are at risk.
Using Health Data as Evidence
Anything from the iPhone or iCloud can be used as evidence, but Health data is often overlooked and underestimated. The situation is going to change quickly; here is some news on that:
Can you trust evidence obtained from an iPhone? Or, rather, can you rely on that evidence, and is it admissible to the court? As with most bits of information extracted from the iPhone, you cannot make conclusions based solely on that evidence. As an example, during our extensive testing phase (which lasted several months), we’ve seen bits of data “received” from the particular Apple Watch timestamped before we even connected the watch to the iPhone. We’ve also seen several smaller discrepancies even if Apple Watch was not used. As always, due diligence is required with all digital evidence.
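The two practical checks described on this page, looking at what a download made without the passcode exposes (the unsecured container) and applying due diligence to timestamps before treating records as evidence, both start from the same input: Health records in the XML layout the Health app's "Export Health Data" produces. The script below is an added example written for this post; it is not Elcomsoft's or Apple's code. It assumes that both the passcode-less download and the full download have been saved in that same export.xml layout, that the pairing date of the source device is known from the case file (PAIRED_AT is a constructed value), and all sample records are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Date format used by the dates in Health export.xml attributes.
DATE_FMT = "%Y-%m-%d %H:%M:%S %z"

# Constructed sample documents (not real user data) in the export.xml layout:
# a <HealthData> root holding <Record> elements. SECURED_EXPORT stands for a
# download made with the trusted-device passcode, UNSECURED_EXPORT for a
# download made without it. Assumption: both are saved in the same layout.
SECURED_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<HealthData locale="en_US">
 <ExportDate value="2018-10-01 12:00:00 +0000"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min"
         creationDate="2018-09-20 08:00:30 +0000" startDate="2018-09-20 08:00:00 +0000"
         endDate="2018-09-20 08:00:00 +0000" value="62"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min"
         creationDate="2018-09-10 07:00:30 +0000" startDate="2018-09-10 07:00:00 +0000"
         endDate="2018-09-10 07:00:00 +0000" value="58"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="iPhone" unit="count"
         creationDate="2018-09-21 09:00:00 +0000" startDate="2018-09-21 09:30:00 +0000"
         endDate="2018-09-21 09:45:00 +0000" value="431"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="iPhone" unit="count"
         creationDate="2018-09-01 10:00:00 +0000" startDate="2018-09-01 09:30:00 +0000"
         endDate="2018-09-01 09:45:00 +0000" value="1200"/>
</HealthData>"""

UNSECURED_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<HealthData locale="en_US">
 <ExportDate value="2018-10-01 12:00:00 +0000"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="iPhone" unit="count"
         creationDate="2018-09-01 10:00:00 +0000" startDate="2018-09-01 09:30:00 +0000"
         endDate="2018-09-01 09:45:00 +0000" value="1200"/>
 <Record type="HKQuantityTypeIdentifierBloodPressureSystolic" sourceName="Old iPad" unit="mmHg"
         creationDate="2017-06-01 10:00:00 +0000" startDate="2017-06-01 09:55:00 +0000"
         endDate="2017-06-01 09:55:00 +0000" value="128"/>
</HealthData>"""


def parse_date(text):
    return datetime.strptime(text, DATE_FMT)


# Constructed: when each source device was first paired, as known from the case file.
PAIRED_AT = {"Apple Watch": parse_date("2018-09-15 00:00:00 +0000")}


def parse_export(xml_text):
    """Return one dict per <Record> with typed dates; other elements are ignored."""
    records = []
    for el in ET.fromstring(xml_text).iter("Record"):
        a = el.attrib
        records.append({
            "type": a["type"],
            "source": a.get("sourceName", ""),
            "unit": a.get("unit", ""),
            "value": a.get("value", ""),
            "created": parse_date(a["creationDate"]),
            "start": parse_date(a["startDate"]),
            "end": parse_date(a["endDate"]),
        })
    return records


def record_key(rec):
    """Identity of a sample: same type, source, interval and value."""
    return (rec["type"], rec["source"], rec["start"], rec["end"], rec["value"])


def container_exposure(unsecured_xml, secured_xml):
    """Compare the no-passcode download with the full one. Everything in the
    unsecured set is reachable with account credentials or a token alone, so
    that is the exposure a user (or a reviewer) wants to see summarised."""
    unsecured = {record_key(r) for r in parse_export(unsecured_xml)}
    secured = {record_key(r) for r in parse_export(secured_xml)}
    return {
        "unsecured_total": len(unsecured),
        "in_both": len(unsecured & secured),
        "only_unsecured": len(unsecured - secured),
        "secured_only": len(secured - unsecured),
        "exposed_types": sorted({k[0] for k in unsecured}),
        "exposed_sources": sorted({k[1] for k in unsecured}),
    }


def timestamp_anomalies(records, paired_at):
    """Flag records that deserve a second look before being used as evidence:
    a sample dated before its source device was paired, or a sample written to
    HealthKit before the interval it claims to measure."""
    findings = []
    for r in records:
        paired = paired_at.get(r["source"])
        if paired is not None and r["start"] < paired:
            findings.append(("predates_pairing", r))
        if r["created"] < r["start"]:
            findings.append(("created_before_start", r))
    return findings


if __name__ == "__main__":
    print("reachable without the passcode:", container_exposure(UNSECURED_EXPORT, SECURED_EXPORT))
    for reason, r in timestamp_anomalies(parse_export(SECURED_EXPORT), PAIRED_AT):
        print(reason, r["type"], r["source"], r["start"])
```

Records are matched on type, source, interval and value rather than on any database identifier, because the two downloads need not share one; on the constructed data the unsecured container holds one record that also exists in the secured one and one (from an older device) that exists nowhere else, which is exactly the situation the post warns about, and the timestamp pass flags one watch reading dated before the watch was paired.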
Protecting Your Health Data
The good news for everyone but Three-Letter Agencies and hackers: Health data cannot be synced with iCloud if you are not using Two-Factor Authentication. And Two-Factor Authentication is quite secure, even though it still allows the code to be sent by SMS (which is not so secure).
More good news: for the majority of new devices (subject to iOS version), most Health data is properly secured and requires a passcode to access.
Now the bad news: some Health data may not be stored securely, and could be even accessed with a token (that may be easy to obtain in many cases).
Can you make it more secure? Sure you can. First, update your devices to the latest version of iOS and macOS. Note that iOS 10 and older (as well as macOS 10.13.4 and older) do not include some system components required for proper (strong) encryption of iCloud data. Also, make sure to enable iCloud Keychain. And yes, that's assuming you've been using Two-Factor Authentication for a while.
But even more important, keep your devices physically secure, with a 6-digit passcode that would be hard to guess. Never re-use that passcode. That sounds obvious, but you should always remember that your iPhone is actually the key to your iCloud account, while the cloud may keep more data than you think.
Take care! We’ll be back soon, with an ability to recover some deleted Health data from the cloud.