How Safe Is iCloud?

Justin Pierce, CEH, CNDA, Stanford ACS
Worried about whether Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
"Hey, Hun… Can you make sure my pics are in the cloud? I took some beautiful shots of my mom and Lilia today, and I just want to make sure they’re there. Thanks," my wife says before she begins her intense at-home workout routine.

"Sure Love, but I can tell you they’re already there."

That’s a quick scene of how things tend to play out in my house when my wife wants to make sure the technology we're using is syncing up all of the precious moments she has captured. 

So the question that begs to be asked is: how did I know that her pictures were already in the cloud?

I knew that they were in the “Cloud” because we use Apple’s ultra-convenient iCloud to sync all of our information, but how secure and reliable is iCloud?

Didn’t ‘Celebgate’[3] in 2014 show that Apple was hacked and that iCloud isn't as secure as Apple says it is?
These are great questions, but are very serious and in-depth, and need to be discussed one at a time.

Cloud Basics

Before we dive headfirst into the details, let’s quickly go over some foundational knowledge. Here is what iCloud truly is...a room full of servers. It’s owned by Apple, and runs these services: Calendars, Contacts, Bookmarks, Notes, Reminders, Photos, iCloud Drive, Backup, Find My iPhone, Find My Friends, iCloud Keychain, and Mail.

So, it’s just a server? Yep. There’s nothing magical about the “Cloud”. It’s a server that has dedicated services running to keep your digital life in sync across all of your Apple devices (iPhone, iPad, and Mac). You access these services with your AppleID (which is your email) and password.

Apple has made it easy to access your portion of iCloud: jump on any device that connects to the Internet and visit “icloud.com”. From there you type in your AppleID, e.g. joeschmoe@gmail.com (it doesn’t have to be an Apple email, just the one you signed up with and use to buy apps in the App Store) and your password (which consists of a 12-13 character combination of upper and lowercase letters and special characters).

Is it Safe?

Now we can go back to the matter at hand: is Apple’s iCloud secure and safe for you to use?

Since we are dealing with how electronic data travels, let’s have you keep an image in your mind to make it a bit easier to visualize. Let the image be your house, your street, and then Apple’s HQ building in Cupertino. There are actually many more buildings with routers and switches that you go through, but this image will suffice. Also, every time you go down your street (connecting to iCloud.com) you get to ride in the Batmobile. The Batmobile, in this case, is called a secure sockets layer (SSL), which is why the address in your browser starts with “https” (the “s” means that you’re riding in the Batmobile, instead of your clunky, unsecured Prius).

Alright, let’s start with the simple process of accessing the information from the Calendar app on your iPhone. You tap the app and up comes your information for each day of the year that you need to remember. By tapping the Calendar app you essentially jumped into the Batmobile, sped down your street (called “In transit”), and skidded (why not) into Apple’s HQ to access your part of the server. The “In transit” part (going from your house down the street to Apple’s HQ) is encrypted, as is the information sitting on the server (information like the birthday event for your significant other).

What is your information encrypted with? 128-bit AES encryption is what Apple uses for all of their services, minus the iCloud keychain, which uses 256-bit AES encryption. 

Isn’t 256-bit AES better than 128-bit AES? Yes, but 128-bit is plenty safe and here’s why. 

That birthday that’s coming up soon will need at least one gift to make it an awesome party, but you’ll need to hide this gift from prying eyes until the big day comes. In 128-bit AES you have the option to hide this gift behind 2^128 doors.

How big is that really?

A brilliant man named Jeffrey Goldberg at AgileBits (the people who made the wildly popular app called 1Password) wrote it out, "three hundred forty undecillion, two hundred eighty-two decillion, three hundred sixty-six nonillion, nine hundred twenty octillion, nine hundred thirty-eight septillion, four hundred sixty-three sextillion, four hundred sixty-three quintillion, three hundred seventy-four quadrillion, six hundred seven trillion, four hundred thirty-one billion, seven hundred sixty-eight million, two hundred eleven thousand, four hundred fifty-six” [1]. 
What this means is that if your significant other had a billion friends, it would take them 10 quadrillion years to search only half of the doors (by the way, checking every door is what’s called a brute force attack)[1]. In short, your information is safe with 128-bit AES encryption.

Now that your brain hurts, let’s continue on. As I said above, Apple uses 128-bit AES encryption for all services (Contacts, Bookmarks, Notes, Reminders, Photos, iCloud Drive, Backup, Find My iPhone, Find My Friends, and Calendars), and that encryption takes place going from your home, down the street, all the way to Apple’s HQ (this is what Apple means when they say “In transit”)[2]. In addition, all of your information from these services (from your contact named Bob to that photo you took on your iPhone, all of which sync up with your iCloud account on Apple’s server) is encrypted again as it rests on the server waiting for you to make the journey from your home to Apple's HQ.

Other Security Features

Apple also uses secure tokens for authentication purposes. For brevity’s sake, think of the secure token as a code word that you would use to get into a speakeasy (those secret clubs during the 20-30s). Since we’re not living in the 20’s or 30’s, your "code word" is your fingerprint. Yep, that’s why Apple gave the iPhone's Home Button the ability to read your fingerprint (it’s called two-factor authentication). Of course, there are other types of secure tokens, but this article would triple in size if I wanted to explain them in detail. Oh, and if you have an older iPhone, then the numbers you type in to get into your iPhone (your PIN) are also a type of secure token (meaning, Apple didn’t forget you).

Whew! Now that you understand why your iCloud account is safe, you might ask, “Why does iCloud Keychain use 256-bit AES encryption?” You had to ask, didn’t you?

Well, there are probably a billion different reasons, but I bet my old boss (Mr. Tim Cook) would say “money”. iCloud Keychain is used to house sensitive information like your passwords to all the sites you go to (if you let it store your login information) and, most importantly, the credit card information you use for payment (again, if you allow Keychain to store it). To be brief, Apple loves its customers and understands that no one wants their information stolen, or their hard-earned money spent on a yacht for some thief to cruise the Azorean islands on. So, bumping the encryption from 128 to 256 allows Apple to defend your information against future machines (that hackers will eventually use) that will have quantum computing capabilities (much faster than today’s supercomputers)[1].

The Weak Link

Wow! So, with all of these secure tokens and 128/256-bit AES encryption, hackers were still able to grab indecent pictures of Hollywood stars from Apple’s servers? Yes and no.

Yes, they (actually one guy) stole the pics, but he didn’t “hack” Apple’s iCloud server by breaking the encryption or cutting off some actor's or actress's pinky finger to scan on their iPhone. He simply did what’s called “Phishing”[3].

This ultimately means he sent one of those fake emails that you’ve seen in your inbox and asked them for their login information. Once he got the info, he logged in with their credentials and stole private photos.

You’ve heard the phrase that a chain is only as strong as its weakest link, right? Well, you (the user) are the weakest link. Apple can give you a Batmobile to drive, a “code word” to use at the door, encrypt your data on their server, and it still isn’t enough protection because you can give it all away. 

To sum all of this up, iCloud is safe to use. But for the love of goodness, don’t go giving your username or password to anyone.
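
The habit that defeats this kind of phishing is checking where a sign-in link really goes before typing a password. The sketch below is an added example, not part of the original article: `link_verdict`, the trusted-domain list and the sample links are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domains this user ever signs in to.
TRUSTED_DOMAINS = ("icloud.com", "apple.com")


def link_verdict(url):
    """Return 'trusted', or the reason a link should not be given a password."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "not https"
    if parts.username is not None or parts.password is not None:
        # In https://icloud.com@other.host/ the real destination is other.host.
        return "userinfo trick"
    if not host:
        return "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Look-alike letters from other alphabets, raw or punycode-encoded.
        return "lookalike characters"
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    return "untrusted host"


# Constructed sample links, as they might appear in an e-mail body.
SAMPLE_LINKS = [
    "https://www.icloud.com/",
    "http://icloud.com/",
    "https://icloud.com@login.example.net/",
    "https://icloud.com.account-verify.example/signin",
    "https://myicloud.com/",
    "https://icl\u043eud.com/",  # Cyrillic "o"
]


def review(links):
    """Map every link to its verdict."""
    return {link: link_verdict(link) for link in links}


if __name__ == "__main__":
    for link, verdict in review(SAMPLE_LINKS).items():
        print(f"{verdict:22} {link}")
```

Only the first sample link passes; every other one contains the text "icloud.com" somewhere, yet points at a different host or an unencrypted connection.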


1) Jeffrey Goldberg, "Guess why we're moving to 256-bit AES keys" - https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
2) "iCloud security and privacy overview" - https://support.apple.com/en-us/HT202303
3) Thomas Fox-Brewster, "Stealing Nude Pics From iCloud Requires Zero Hacking Skills -- Just Some YouTube Guides" - http://www.forbes.com/sites/thomasbrewster/2016/03/16/icloud-hacking-jennifer-lawrence-fappening-apple-nude-photo-leaks/#1c8a10767b88
