I admit being deeply distrustful of cloud storage generally. Cloud storage servers containing large amounts of data are natural targets for hackers. This was famously demonstrated with the 2014 breaches of over 100 celebrities’ iCloud accounts. Information stored in the cloud may also be vulnerable in transit, is stored on hardware you do not control, and may be impossible to fully delete. Choosing to use a cloud storage service greatly increases your attack surface. Further, anything stored in iCloud is accessible to Apple employees or through legal means. However, iCloud has some tremendous advantages, so I leave it to the reader to decide his or her comfort using this service, and if it fits within his or her personal threat model.
iCLOUD ACCOUNT SECURITY
Before you trust any data to iCloud you should ensure that your iCloud account is secure. Your iCloud account may contain your contacts, iMessages, calling history, emails, photos, and other very sensitive information. Apple offers good security for its accounts and this is managed through your Apple ID. To check up on your security settings navigate to https://appleid.apple.com. Enter your username and password and login.
On the next screen, scroll down to the Security section and click the blue “Edit” button on the right-hand side of the page. This will open up the security options. First, if you have not done so recently, this is probably a good time to change your password. Apple requires a password between eight and 32 characters. It is strongly recommended that you use a password of the maximum allowable length. Next, scroll down to two-factor authentication and click “Turn On”. You will be required to provide a phone number.
It is also possible to change the email address used as your Apple ID. If you are using a predictable, easily-guessed username you should change it. Having a username that is not easily guessed or obviously yours will make an attacker’s job much, much harder by denying him or her a starting point for an attack. I recommend using unique usernames for all online accounts. I use a service called Blur that provides masked email addresses. These email addresses all forward to a single inbox (the email account of your choosing) negating the need for you to check multiple accounts. Additionally, they are obscure and do not leak information about you. An example of a Blur address is firstname.lastname@example.org.
iCloud Drive: This setting allows you to enable Apple’s cloud storage platform. This allows file sharing between devices. Compatible apps on your iOS device will be able to store and access information in iCloud. If you choose to use iCloud drive you should disable all apps and services you do not need or wish to have access to iCloud. I recommend avoiding the use of iCloud drive if possible.
WARNING: The following settings under iCloud allow you to modify settings for individual functions in iCloud. Be extremely careful with turning these settings off. Some, including Contacts, and Notes, will produce a pop-up with two options: Keep on My iPhone or Delete from My iPhone. If you select Delete from My iPhone your contacts or notes will be completely deleted from both your device and your iCloud account. This can result in a total loss of this information.
Backup: This setting allows you to back up your iOS device to iCloud. One major advantage that iCloud backups enjoy over iTunes backups is that they occur more regularly without user intervention. Anytime your phone is on a trusted Wi-Fi network and connected to power, it is backing up to iCloud (if you have iCloud backups enabled). It is easy to forget, and hard to be disciplined, to manually connect your phone to your computer on a regular basis.
Keychain: Keychain is an attempt to bring integrated password management to Apple devices and have them work seamlessly across devices. The security design of Keychain is extremely solid. Keychain data is not available to Apple, and Apple cannot surrender unencrypted Keychain data to others. Though I don’t recommend using cloud-based password managers, this option may be acceptable for some users.