On Apple iCloud security and ‘deleted’ notes

May 19th, 2017 by Vladimir Katalov

Apple, it’s not funny anymore.

Apple iCloud is a fantastic service. For me, it works far better than Google services, especially when it comes to cloud backups. I use it daily when working with my iPhone, iPad, Mac and MacBook at home. In the office, I still have to use the good old Windows PC, and I hate it. I use iCloud backups to keep my data safe (secured with two-factor authentication), and it really helped me on at least two occasions when I had my iPhone lost or broken far away from home. I use iCloud Photo Library to get my photos synced across devices. I actively use iCloud Drive when working with documents. I use iCloud syncing, including the keychain, to store my passwords and credit card data and have them all handy. I should say that I cannot work effectively without iCloud.

But we have a lot of security and privacy concerns. We completely understand that it is not possible to pick all three from the “security, privacy, usability” trio, but please give at least two.

Here is a story from August 2016. When you delete the media file from iCloud Photo Library, it goes to the “Recently deleted” album first, and stays there for 30 days — unless you remove it from there manually. This is a good implementation (if it works), like the “Trash” in macOS or “Recycle Bin” in Windows. But we discovered that “deleted” files are not actually deleted, and we were able to extract them from the iCloud – even those photos that were deleted two years ago. Apple declined to comment, but in the next few days, older pictures and videos were silently removed.

Three months later, in November 2016, we made another discovery. There is an option to sync contacts, notes, calendars and some other data categories with the iCloud. We discovered that call logs (including information about all incoming and outgoing calls, as well as some calls made with VoIP software) are silently uploaded to iCloud. We informed the media about that in advance, and they asked Apple for comments. I had 10 minutes on the phone with two Apple engineers the day before releasing our software to extract call logs; I explained all the details to them, and even provided them with our materials, including some technical stuff. The next day, when the news became public, Apple issued an official statement that this is a part of the ‘Continuity’ feature, though we know (and they know) that it is not, and we provided (again, in advance) a detailed explanation why. We even had to post a follow-up on that.

Three more months (February 2017), and yet another one. Syncing browsing history is a neat feature. Quite often I work on my iPhone or iPad, and instead of placing bookmarks (or adding links to the reading list) to the web pages of interest, I just open Safari history on my laptop, and all recent links are there. Once a link is deleted on one device, iCloud sends a push notification to all other devices to delete the particular record from there, too. Same if you clean the browser history completely. However, we found that all the records are still kept in iCloud and can be extracted from there, albeit not easily. Apple has not commented on that, but they simply purged ALL history records older than two weeks from iCloud, for all users. Let me stress that: Apple deleted ALL history records older than two weeks, and not just the records that were cleared from the device.

Apple representatives said the problem was caused by a bug they’ve since resolved:

“To further strengthen the protections we provide customers, we’ve fixed a bug that retained browsing history for longer than we intended,” the statement said. “Devices will now have access to this data for 14 days and it will be deleted from our servers within 60 days. Customers can also turn off Safari syncing features at any time.”

One of our readers made a nice comment on that:

Apple have to explain, if this was an intentional behaviour or a bug.
That they had silently “repaired” it overnight, I guess it was either intentional or a development setting (to do a roll back if it doesn’t work) that was forgotten.
I’m aware that Apple is known to fix embarrassing bugs silently, but every time they do that, they didn’t look very good from a customer’s view. There is always one question: “What are you hiding from us?”

We all know, that Apple isn’t perfect. And that’s okay. But they should handle their mistakes in a more transparent way.

By the way, if you look at Legal Process Guidelines, which seems to be the only more or less trusted source of information about the types of data being stored in iCloud, you can find the following:

G.iv. Other iCloud Content. Photo Stream, Docs, Contacts, Calendars, Bookmarks, iOS Device Backups

iCloud only stores content for the services that the subscriber has elected to maintain in the account while the subscriber’s account remains active. Apple does not retain deleted content once it is cleared from Apple’s servers. iCloud content may include stored photos, documents, contacts, calendars, bookmarks and iOS device backups. iOS device backups may include photos and videos in the users’ camera roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail. iCloud content may be provided in response to a search warrant issued upon a showing of probable cause.

It mentions bookmarks but not browsing history; no information on storing call logs is provided; and it is said that deleted content is cleared. Oh, really?

I’ve got some bad news for you: this is far from the truth. First your media files, then Safari data, and now the Notes. Yes, your Notes are also not being deleted from the cloud. It’s supposed to work exactly like iCloud Photo Library: once deleted, the note goes to the “Recently deleted” list first, stays there for 30 days, then completely disappears. Here is what Apple says (if you look into the “Recently deleted” folder in notes):

Notes are permanently deleted after 30 days.

You are able to manually delete any note from there. Or clear all those notes at once. You will not see the allegedly deleted notes on any of your devices anymore (syncing happens almost in real time) or on www.icloud.com. But you know what? These “deleted” notes are still there in the iCloud (for at least two weeks after so-called “permanent” deletion), and we learned how to extract them; for some accounts, we were able to extract the notes deleted several months ago. More details here:

We Did It Again: Deleted Notes Extracted from iCloud

Again, this is not funny, Apple. I cannot believe that it’s just a bug. It already happened three times, and you should have learned. Looking forward to seeing an official statement on that. Please do not tell us that you keep deleted records just in case for syncing an occasional offline device, and you’ve been waiting till it goes back online: you have a list of all devices connected to the account, you have connection logs, and you keep deleted notes even if there is just one device on the account. I do not see any good reason to keep deleted data for even a single day – or even if such reason exists, please make a clear note on that (like at least “well, we are going to delete your data permanently, but cannot say how long it is going to take”, which is not perfect but at least something).

Oh well. It seems that Apple security engineers are too busy implementing additional “security checks” that force the iCloud accounts to be locked (fortunately, just temporarily) once you download device backups from them. Yeah, “suspicious activity”, even if you download your own backups, or if you are the law-enforcement officer monitoring the suspect’s activities. Do you really worry about cloud security and want to prevent the next celebgate? We thought that 2FA is good enough, or if it is not, please let us know (maybe we missed something).