New research asserts that the iPhone, iPad, and iPod’s encrypted backup options leak significant amounts of metadata that make the devices’ encryption much less secure than advertised, especially in the context of legal battles over encryption and law enforcement investigations into encrypted devices.
When Apple devices are connected to a computer, users have the option to strongly encrypt that backup by clicking a single checkbox in iTunes. (Encryption is not an option through iCloud backups.) Doing this adds extra security to the device.
The encrypted backup, however, is invariably coupled with a mass of unencrypted metadata that reveals a lot about the what’s on the device—information that could have significant legal consequences for unsuspecting users.
“People think they press the magic crypto button and all their data is hidden,” computer forensic investigator Hal Pomeranz told the Daily Dot. “That’s not true.”
Pomeranz has worked for decades on forensic investigations with both police and private corporations in the U.S. and Europe involving a range of Apple devices. His research on the iPhone, iPad, and iPod yielded revealing metadata in files like info.plist, Manifest.plist, and Status.plist that are included in all encrypted backups.
In a demonstration for the Daily Dot, Pomeranz used his own software on his own encrypted iPhone backup to parse the metadata that plainly shows a full list of every application ever installed, software versions, device identifiers, names of all the computers he’s ever connected the device to, file names (of contact cards, for instance, to help build a list of known associates), attachment file names for iMessages, file maps, permissions, phone number, hashes, and timestamps for when files are created, accessed, and modified.
That’s a lot of unhidden information that users probably think is protected by encryption.
“I encrypt my iPhone and I didn’t know it was leaking all that,” Hanni Fakhoury, an attorney with the Electronic Frontier Foundation, told the Daily Dot when he heard the list.
This means that anyone who gains access to the PC where your encrypted backup resides—police, courts, hackers, or intelligence agencies, to name a few possibilities—can know that information about your Apple device despite the strong encryption protecting the rest of the data.
Most people don’t understand the limitations of encryption and they especially don’t understand the potency of metadata.
The word ‘metadata’ crashed into the mainstream in 2013 with Edward Snowden‘s leak of National Security Agency (NSA) documents that revealed the way American intelligence stores billions of metadata records on targets around the world, including in the United States.
Metadata is all the information that surrounds the core data, like the content of an email, telephone call, or hard drive. Security experts have struggled to explain to the non-technical public just how immensely revealing metadata can be.
“Metadata is extraordinarily intrusive,” Snowden explained during an event last year. “As an [intelligence] analyst, I would prefer to be looking at metadata than looking at content because it’s quicker and easier, and it doesn’t lie.”
The fact that encrypted backups still contain observable metadata doesn’t mean the metadata from your Apple devices is necessarily being surveilled.
Instead, Pomeranz’s research means that significant amounts of very revealing information from your phone and tablet—information that encrypted-backup users likely think is private—is not hidden by those devices’ encryption options.
Encryption for smartphones and other mobile devices has been on the rise of late due in no small part to Apple’s proactive pro-digital privacy work. Apple iPhones with password protection turned on are encrypted by default, and Google has similar options for Android devices.
The only way to keep iOS backup metadata private is full-disk encryption for PCs, which is still a rare practice for the average consumer.
Perhaps most important are the legal implications: The unencrypted metadata leaked out of Apple devices have substantial legal consequences that can lead a court to quash a defendant’s Fifth Amendment objections against self-incrimination and force them to decrypt or head to jail.
Court decisions over recent years have shown that this metadata may be enough.
If the government can show with “reasonable particularity” that it knows what material it is seeking on a computer and where it resides, Fifth Amendment objections don’t apply.
“In other words, since turning over the data would not reveal anything to the government that it didn’t already know, no Fifth Amendment right comes into play because the testimony at issue is simply a ‘foregone conclusion,’” Fakhoury wrote.
Depending on the particulars of each case, metadata on an unencrypted iPhone backup may reveal exactly what the government seeks through file names, file maps, timestamps, and mountains of other data.
The metadata can also help to prove that a device is yours. In some legal situations, what protects defendants from being forced to decrypt is that they never admit to the device is theirs. Being forced to admit that by the court or police would fall under a Fifth Amendment violation.
The metadata, however, can make it easier for the government to prove the ownership of a device without any admission. File names, contact cards, data about photos, device identifiers, and even a device name (if, say, you name your iPhone “Jason’s iPhone”) can make the connection between device and owner much easier to make.
“Let’s say you’re walking down the street, sending a text message, and then you’re arrested,” Fakhoury explained. “The cops find out you have an encrypted phone, so they go get a warrant. Can they force you to decrypt? If they’ve already seen you use the phone, then it’s probably a foregone conclusion that it is your phone.”
In cases like these, there are no hard and fast legal lines drawn. The specifics of each case tip the scales one way or the other. There’s no question, however, that establishing ownership of an encrypted device can be a win for the government.
Pomeranz will be presenting his research at the BSides security conference in New Orleans on May 30, 2015, at a talk entitled “What your (encrypted) iPhone backup says about you.”
Apple declined to comment on the record for this story, but the company’s engineers “are certainly aware,” Pomeranz said, that their devices’ encrypted backups give away a ton of data. Forensic tools like Blacklight and others already exist to easily dive into data just like this.
So,how do you secure the metadata so that your iPhone encrypted backup is as hidden and secure as you’d like?
Encrypt your whole computer, Pomeranz advises. Use Apple’s own FileVault on a Mac or Bitlocker on Windows to lock down the entire machine so that the metadata itself is encrypted with everything else.
“Encrypt the whole disk,” he instructed. “Users should be doing this anyway, independent of the iDevice backup issue.”
Apple CEO Tim Cook has recently forcefully inserted himself into the intensifying global political debate over encryption and privacy, describing privacy as a “basic human right.”
Last year, Apple began to encourage users to encrypt their computers and mobile devices with FileVault by default. FBI director James Comey criticized the company, along with other tech firms pursuing similar privacy agendas, saying that encryption placed users “beyond the law.”
“None of us should accept that the government or a company or anybody should have access to all of our private information,” Cook said last month in response to law enforcement’s criticism. “This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering or to people who fundamentally don’t understand the details.”
Google CEO Eric Schmidt, whose company has also been advancing efforts to encourage mass adoption of encryption, responded by saying that “people who are criticizing this are the ones who should have expected this,” referring to the perceived government overreach against electronic privacy exposed by individuals like Snowden.
Illustration by Max Fleishman