Apple has announced a collection of new security measures that will be released in late 2022 and 2023.  These new measures range from additional iCloud end-to-end encryptions, to an expansion on two-factor authentication, and a new iMessage security feature.  

Up first is an Advanced Data Protection setting that will enable end-to-end encrypted (E2EE) data backups in the iCloud service.

iCloud already protects 14 data categories using E2EE.  Users who enable Advanced Data Protection will no receive protections on 23 data categories including device and message backup, Photos, and Wallet Passes to name a few.  In fact, the only major iCloud data categories not covered are iCloud Mail, Contacts, and Calendar.

Advanced Data Protection ensures that a user’s personal iCloud data can only be decrypted on their trusted devices, which retain the encryption keys, protecting information even in the case of a data breach in the cloud.

Please note, however, if Advanced Data Protection is enabled and you lose access to your account, Apple won’t have access to the encryption keys and will not be able to assist with recovery.  Instead, you will need to use your device passcode or password, a recovery contact, or a personal recovery key in order to recover the data.

Apple is also introducing Security Keys, an expansion of the already existing two-factor authentication (2FA) for Apple ID, giving users the option of using a third-party hardware security key as one of their authentication steps. 

For users facing extraordinary digital threats - journalists, human rights activists, and government officials for example – comes the new iMessage Contact Key Verification feature, which provides a much needed extra layer of security to ensure that the user is messaging only with the people they intend. 

Users who have enabled iMessage Contact Key Verification would receive an automatic alert should a nation-state adversary successfully breach its cloud infrastructure and add a rogue Apple device to eavesdrop on the encrypted communications.  And for even higher security, Contact Verification Codes can be compared by users in person, on FaceTime, or through another secure call.

Now here’s the bad news.  Because the features described above are exclusive to the Apple ecosystem, the protections will be of no use when communicating with Android users.  Messages sent between the two operating systems are delivered in the form of regular, unencrypted SMS/MMS messages.  Apple has also dismissed the idea of upgrading to Rich Communication Services (RCS), which is an improved messaging standard with features like E2EE and high quality media sharing.

From The Hacker News and Apple.com