Take Control of Security for Mac Users (2015)
Manage iCloud Security
Because so many aspects of OS X depend on Apple’s free iCloud service for key functionality, I wanted to devote a brief chapter exclusively to iCloud security. Of course, iCloud works on mobile devices, Windows PCs, and even Apple TVs—not just on your Mac—but the more you know about iCloud security, the better you’ll be able to protect your Mac and its data from unwanted access.
Note: Portions of this chapter first appeared in my book Take Control of iCloud, which goes into considerably more detail about all iCloud features, including their privacy implications.
Understand Apple’s Security Policies
I believe what Apple says there—that is, I think the company’s corporate heart is in the right place. That’s not to say I trust Apple, or any company, 100 percent, because companies are composed of people, and sometimes people make mistakes or do bad things that are not at all in keeping with their employers’ policies. But it is certainly in Apple’s business interest to do what it claims to do with regard to privacy.
Turning more specifically to iCloud, Apple has an entire page detailing the extent to which the company encrypts your iCloud data and what other privacy and security measures are in place; see iCloud security and privacy overview. Again, it’s well worth reading.
The good news is that every type of data iCloud handles is encrypted while in transit, and almost every type of data is also encrypted while it’s stored on Apple’s servers. That’s fantastic, and it means that most of your iCloud data is safe from random hackers.
Interestingly, although the page specifies that Apple does not have the capability of decrypting your iCloud Keychain data, it doesn’t make the same claim about anything else—it only states that Apple never provides encryption keys to third parties. That means an Apple employee could, in principle, access any of your iCloud data other than iCloud Keychain. That includes your email and notes (which aren’t encrypted on the server anyway). It follows that Apple could provide your unencrypted email to law enforcement or government agencies if required to do so by law.
If you take Apple’s policies at face value, you should assume that the company is motivated to protect your data. However, “Apple wants to protect your data” and “your data is perfectly safe” are two different things. There are always weak spots.
One of those weak spots is your password. (Of course, you should make your iCloud password nice and strong—see Improve Your Passwords, and in particular, iCloud Password.) Anyone who can figure out your password can log in as you and get at any of your data! And that’s why Apple offers an optional (but highly recommended) method to increase your security.
Use Two-step Verification
Even the longest, strongest, most random password provides no security if someone else finds out what it is. Perhaps someone watches over your shoulder as you type your password at your local coffee shop. Or maybe a spam email message persuades you to enter your password on a phishing site that looks almost exactly like the Apple site. Or an as-yet-undiscovered security bug or exploit exposes your password to an attacker.
In fact, it gets worse—an attacker may not need your password at all! When you set up your Apple ID, you were prompted to choose a few security questions and enter their answers. These questions (like “What was the name of your first pet?” or “What is the name of your oldest niece?”) are supposed to be easy for you to remember but hard for an attacker to guess—so that if you forget your password, Apple can ask you these questions as a secondary means of verifying your identity. Answer correctly, and you can reset your password to something you’ll remember.
Trouble is, someone pretending to be you can claim to have forgotten your password—and if that person correctly answers your security questions, your account will be compromised. It’s surprisingly easy for a skilled attacker to find or guess the answers, assuming you answered the security questions truthfully.
Like many other companies (including Dropbox, Facebook, and Google), Apple offers an optional method to bolster your security by adding another factor—a dynamic code tied to a device you own. The idea is that you’ll need both your password and this special code to perform certain critical activities with your Apple ID, so that even if someone learned your password, that alone wouldn’t grant access. Apple refers to this optional feature as two-step verification.
It works like this: After you enable the feature, when you try to perform certain tasks (such as logging in to icloud.com, changing your password, or making a purchase on a new device), you enter your username and password as usual. Then you’re prompted to supply a numeric code that’s sent to an iOS device or via SMS to an ordinary cell phone. Only after you enter this code are you granted access. As a bonus, setting up two-step verification eliminates the security questions—an attacker can no longer use them to break in to your account.
All this may sound like an extra hassle, and it is—but it’s worth it for the extra security. And don’t worry, you won’t have to go through it very often. Just ahead, in Sign In with Two-step Verification, I list the situations that call for the extra verification step.
A side-effect of turning on two-step verification is that third-party apps that connect to your iCloud account (such as Outlook and BusyCal) will need new passwords, as will Messages and FaceTime; I say more about this in Use App-specific Passwords. It’s not a big deal, but you should be aware of the additional one-time setup steps you’ll have to go through.
Set Up Two-step Verification
In order to use two-step verification, you must have at least one device capable of receiving SMS messages. You can also, optionally, use an iOS device with the free Find My iPhone app installed as a “trusted device.” (An iPhone can be used in either way.)
Note: If you have more than one Apple ID, you can set up two-step verification for all of them using the same SMS number, but because you can be signed in to only one account at a time using Find My iPhone, you can’t use the iOS app-based method for more than one account on any given device.
With the necessary device(s) in hand, do this:
1. In your Mac’s Web browser, go to appleid.apple.com.
2. Click Manage Your Apple ID.
3. Sign in with the username and password you normally use for iCloud.
4. Click Password and Security. If you are asked to answer any special security questions, do so.
5. Under Two-Step Verification, click Get Started and follow the prompts.
Note: If your Apple ID password does not already meet Apple’s password requirements—that is, at least 8 characters long, including upper- and lowercase letters and at least one digit, among other rules—you will be prompted to change it before continuing.
In the process, you’ll receive a 14-character Recovery Key. Be sure to keep this in a safe place, such as your password manager. From now on, you must have your username and at least two of the following items to access iCloud:
· Your password
· A device you’ve authorized to receive verification codes
· Your Recovery Key
With any two of these, you can use your iCloud account, change your password, and access all your data. If you lose all three, you’re completely out of luck—your account will be inaccessible and not even Apple can unlock it for you.
Sign In with Two-step Verification
With two-step verification enabled, you won’t need to use both steps every single time you access iCloud, but you will need them in the following situations:
· Signing in to appleid.apple.com to manage your account
· Signing in to iCloud for the first time on a new Mac or iOS device
· Signing in to your account at icloud.com (although you can check Remember This Browser to avoid being prompted for verification in the future when using the same browser on the same device)
· Making a purchase from iTunes, the iBooks Store, or the App Store for the first time on a new Mac or iOS device
· Contacting Apple for support with your Apple ID
In any of these situations, the process goes as follows:
1. Enter your username and password as usual.
2. From the list provided, choose a device to verify your identity:
   · If you choose an iOS device, the device displays the code in an alert. (You don’t have to open Find My iPhone manually, but remember, Find My iPhone must be installed on the device.) If your device is locked, you must unlock it to see the code.
   · If you choose a phone number, the code is sent to that number by SMS. (If your devices are set up for SMS forwarding, that SMS message could also appear on another device, including your Mac, which is convenient but partially defeats the purpose of two-step verification.)
3. Click Send and wait for your code to appear on the selected device.
4. Enter the number you received in Step 3.
From then on, you can use the app, site, or service as usual.
Use App-specific Passwords
Enabling two-step verification also activates another security feature: app-specific passwords. This feature applies to Messages, FaceTime, and many third-party apps (such as Outlook, Thunderbird, BusyCal, and BusyContacts) that access your iCloud account—but not to other Apple apps (such as Mail, Safari, and Find My Friends).
Because third-party apps can’t prompt you for a second verification step, Apple asks you to generate a special, unique password for each one—your ordinary iCloud password no longer works for third-party apps when two-step verification is active. You can create app-specific passwords only after going through the two-step verification process, so you’re still protected by both steps—but once you’ve done this for a given app on a given device, you are normally not prompted to do so again.
To generate an app-specific password:
1. Open a third-party app that connects to your iCloud account. (If you’re doing this for the first time after enabling two-step verification, you’ll likely see an error message stating that your password wasn’t accepted.)
2. Locate the app’s settings for username and password (often in the Preferences window). Leave the window open.
3. In a Web browser, visit appleid.apple.com. Sign in, verify your identity, and click Password and Security.
4. Click Generate an App-Specific Password.
5. Type a name for the app (like “BusyCal iMac”) and click Generate.
Note: You need a separate password for each app on each device; a password created for BusyCal on your iMac won’t also work on your MacBook Air. So I suggest including the device in the name you type here. Apple lets you create up to 25 app-specific passwords.
The new password appears on screen. Copy it and paste it into the window you opened in Step 2.
Note: Apple provides no way to view your app-specific passwords after the fact. You can see their names, but not the passwords themselves, under the logic that you can only use a given password once per app, per device.
If a device is lost or stolen, you may later want to revoke an app’s password. Doing so prevents that app, on that device, from accessing your iCloud account. Follow the same steps but when you get to Step 4, instead click View History. You can then click Revoke to revoke a single password or Revoke All to revoke them all.
Tip: To learn more details about two-step verification, read Apple’s FAQ.
Use iCloud Features Selectively
Most people turn on every iCloud feature (in System Preferences > iCloud on a Mac, or in Settings > iCloud on an iOS device). Doing so is logical, and there’s nothing necessarily wrong with it. But you’re not obligated to use all iCloud features—and if you need only some, you can reduce your exposure to potential security risks by turning off the rest.
In fact, I’ll go further and say that—depending on your risk level—you may want to turn off some of the features that are useful to you, to give up convenience for security. In order to make wise decisions, you should be aware of the consequences of using (or not using) each iCloud feature.
I’ve listed the major iCloud features alphabetically (more or less).
Back to My Mac
Back to My Mac lets you connect to your Macs, AirPort base stations, or AirPort Time Capsules remotely for file sharing or screen sharing. In order to connect to a device, it must be logged in to your iCloud account, have Back to My Mac enabled, and have file sharing or screen sharing enabled.
The security risk is that someone who had both your iCloud username and password could log in to another Mac as you and then use file sharing or screen sharing to contact any of those shared devices. However, having your iCloud credentials alone merely enables someone else to see those shared devices; a separate password is usually necessary to log in. So, if your device’s login password is both strong and different from your iCloud password, your actual risk is tiny.
If you never use Back to My Mac yourself, leave it off. It’s also a good idea to turn it off if you’re at Risk Level 4—see Risk Level 4 (Extreme). Otherwise—again, as long as you use good passwords—the benefits probably outweigh the risk.
Calendars, Contacts, and Reminders
iCloud can sync the data from your Calendar, Contacts, and Reminders apps across all your devices, including the icloud.com Web site. Apple encrypts the data both in transit and on the server, so the risk of someone being able to see any of your private data is incredibly small. As usual, your password is the weak link—if you use a great password (and preferably two-step verification), you’re almost certainly in good shape.
Turning these features off means their data won’t sync across devices—you can use iTunes on a Mac or PC to manually sync data with an iOS device, but that’s it. Syncing between Macs is cumbersome at best. For most people who need to keep their calendar, contact, and reminder data in sync among Macs and iOS devices, I suggest leaving these enabled. (You could use an alternative cloud sync service instead, but then you’re just trading one risk for another.) If you’re at Risk Level 4 and have particularly sensitive information in your Calendar, Contacts, or Reminders apps, you might have to bite the bullet and use iTunes syncing instead.
Find My Mac
With Find My Mac enabled, your Mac constantly determines its location based on information about nearby Wi-Fi networks. That way, if your Mac is lost or stolen, then—as long as it’s turned on and can connect to the Internet via Wi-Fi—you have a way to locate it.
But if you’re seriously thinking about tracking down a stolen Mac on your own, you’re nuts—people can get hurt or killed doing that kind of stuff. Leave it to the police. Unfortunately, as with many other property crimes, tracking down stolen Macs is not among the top priorities of most police departments. Police may well be interested in any information obtained via Find My Mac, but don’t expect officers to run to their cars, fire up the sirens, and speed off in pursuit of your computer if Find My Mac claims it can locate your stolen machine.
However, Find My Mac can be useful in cases where your Mac was simply misplaced (left in a taxi or at the library, say)—you can use this feature to display a message on your Mac’s screen with contact information so an honest citizen can return it to you. (This really happens!) And, most importantly, you can also use Find My Mac to remotely lock your Mac and even wipe its contents, to keep your data safe.
Is there a downside to leaving Find My Mac enabled? Well, someone who knew your iCloud username and password could potentially use that information to determine your physical location or even erase all the data on your Mac. (Insert standard sermon about creating good passwords—see Improve Your Passwords.) If you consider that risk more of a concern than being able to locate, lock, or erase a wayward Mac, leave it off.
iCloud Drive, which replaces the iCloud feature previously called Documents & Data, lets you sync documents and app data with your other devices via the cloud. Like other iCloud data, it’s encrypted both in transit and on the server; and, like everything else, it’s only as safe as your password.
If you use iCloud Drive solely for run-of-the-mill files and data, there’s no need to turn it off. In fact, so many apps use iCloud Drive in some fashion that (assuming you have more than one compatible Mac or iOS device) you may experience considerable inconvenience if you disable it.
On the other hand, if you create highly sensitive documents in apps that can use iCloud Drive and are also at a high enough risk level to be targeted individually, you might want to think twice about it.
iCloud Keychain, which stores your usernames, passwords, credit card numbers, and other confidential data, is arguably the best-protected part of iCloud, in that your data is encrypted on your Mac, with your own password, in such a way that even Apple can’t decrypt it.
Note: Depending on how you set up iCloud Keychain, you may have received a 29-character security code that you can use to recover your data if you forget your password. Needless to say, you should guard that code as carefully as you guard your iCloud password!
If you disable iCloud Keychain, you’ll have to enter each password you use at least once on every device. (Once per password, per device may be sufficient if you store it in that device’s Keychain, or in a stand-alone password manager.) And, if you change a password, you’ll have to change it on every device.
Then again, iCloud Keychain didn’t exist before OS X 10.9 Mavericks, and we all somehow managed without it. It’s a terrific convenience—but nothing more.
So, if you’re at Risk Level 4—or if you’re at a lower risk level but have passwords in your Keychain that protect data or resources of extraordinary value—you might want to leave it off. But even for such high-risk situations, iCloud Keychain is pretty secure. If I were going to trust one iCloud feature with my data, iCloud Keychain would be it.
If you have an iOS device, you can turn on Settings > iCloud > Backup > iCloud Backup to securely upload to Apple’s servers all the essential data on your device—your photos, account settings, documents, and so on. (Some types of data, such as calendars, contacts, and email, which are synced separately, don’t count as part of iCloud Backup.) That way, if the device is lost or stolen, if you get a new one, or if the data on your device is damaged in some way, you can restore all your data—even to another iOS device—directly from the cloud.
Backing up an entire iOS device presents about the same security risk as enabling iCloud Drive and Photos: someone with your password could conceivably access that data. If your password is strong, you’ve enabled two-step verification, or you have little of interest on your iOS device, leaving iCloud Backup enabled is a nice convenience feature.
But Risk Level 4 people, forget about it. The alternative is to back up to a Mac or PC (via USB or Wi-Fi) with iTunes as a conduit. That requires more effort, and proximity to the computer, but it avoids storing a backup copy of potentially sensitive data in Encrypt Your Email).
If I had to live without just one iCloud feature, it would certainly be Notes—I rarely use it, and I have many other ways to synchronize simple notes among my devices. If you use Notes for highly confidential data and have a high risk level, consider switching off Notes syncing and using something else instead (such as an app that encrypts text with a separate password before uploading it).
iCloud has two distinct photo-syncing features: My Photo Stream (which stores up to the last 1,000 photos you’ve taken in the cloud and syncs them across your devices) and iCloud Photo Library, which syncs all your photos from the Photos app for iOS (and, starting with 10.10.3 Yosemite, can do the same thing with the new Photos app for Mac). You can use either or both, depending on your needs. (I explain the differences in detail, and help you decide which to use, in Digital Sharing for Apple Users: A Take Control Crash Course.)
Syncing photos is fantastically convenient and useful. If you use your iOS device to take photos of puppies and flowers and sunrises over the beach, you’ll certainly want to turn on one or both of these features.
However, if you are at Risk Level 4, or if you take photos of an intimate nature—you know what I’m talking about—you should immediately turn off Photos in System Preferences > iCloud, and (even more importantly) on your iOS devices, go to Settings > iCloud > Photos and turn off everything you see there. Because (we’re coming up on the last chorus here) someone with your iCloud username and password could download all your photos. And that’s exactly what happened in a major 2014 hacking scandal in which someone guessed certain celebrities’ iCloud passwords, grabbed all their very private photos, and posted them on the Internet. Don’t let that happen to you.
Last, there’s Safari—enabling it in the iCloud pane of System Preferences lets iCloud sync your Safari bookmarks, Reading List, and the list of open tabs on each of your devices. I find this feature extraordinarily useful, but if I were viewing sites I didn’t want anyone else to know about—or perhaps online banking, Web-based email, online retailers like Amazon, or online payments services like PayPal—and had reason to think my password was not up to snuff, then I might turn this off. Same goes for anyone at Risk Level 4—the convenience just isn’t worth it.