Closed robbiehanson closed 2 months ago
Fixes issue #342
but if we know from within Phoenix that this advanced option was enabled in iOS
There's a catch. Apple does not tell us whether or not "advanced data protection" is enabled. So Phoenix has no way of knowing. :slightly_frowning_face:
And also, if the user enables this option, Apple makes it really easy to disable (which simply uploads the private keys to Apple's servers). So if it's enabled today, it could theoretically be disabled tomorrow.
Apple does not tell us whether or not "advanced data protection" is enabled
Ok then we just need to add a short disclaimer about "Advanced data protection" in Settings > Recovery Phrase > iCloud backup, below the "Your recovery passphrase will be stored..." message, and I think we should be good.
Here's what I came up with:
So the user has to agree to 1 of the legal sections. And we use strikethrough to explain the implications of "advanced data protection".
The (i) button points the user to Apple's official page
Updated design:
Apple recently added end-to-end encrypted data for iCloud via Advanced Data Protection:
When I first heard about this, I was under the impression that ALL iCloud data would be encrypted E2E (except mail, calendar & contacts). However, this is false. When enabled, all of Apple's own apps get E2E protection, but 3rd party apps ... nope! They have to opt-in themselves:
So with this PR, we are opting in.
Ramifications
Advanced data protection is not enabled by default. It's opt-in, and it's a relatively hidden setting. To enable it requires the user to set up either a "recovery key" or "recovery contact".
The recovery key option is similar to backing up a bitcoin seed. The user is given a 28-character hexadecimal string, and is told they're responsible for saving it.
The recovery contact option allows them to choose 1 or more trusted contacts:
The user can pick multiple options (e.g. recovery key plus multiple recovery contacts).
But throughout the setup process, the user is regularly reminded about data loss.
So if the user loses access to their Apple account, and they lose all their recovery options, then they've basically lost all their iCloud data (photos, files, notes, etc).
Apple can help the user regain access to their account, but only the non-encrypted data would be available, such as email, calendar, contacts ... and unencrypted CloudKit records.
In my opinion, if a user explicitly enables "advanced data protection", they would probably assume that an iCloud backup of their recovery phrase (via Phoenix, or any other wallet) would be E2E encrypted. They might be wrong. But they would be excused for believing so, because most people do.
In fact, if you watch any tutorial on setting up Advanced Data Protection, most people say something like "all your iCloud data is E2E encrypted, except mail, calendar & contacts." (example) So the confusion is common.
For this reason (and others) I think the responsible choice is to opt-in to E2E encryption.
Technical notes
The record we're now backing up in the cloud looks like this:
In other words, in its current state, this PR encrypts just the recovery phrase, and not the other metadata. Requesting feedback about this.
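To make the "opt-in" concrete, here is an added illustration (not code from this PR or from the Phoenix project) of how a third-party app opts its own CloudKit data into Advanced Data Protection: the sensitive field goes into the record's `encryptedValues`, while plain metadata stays in the ordinary fields, which matches the "encrypt just the recovery phrase, not the other metadata" split described above. The record type `RecoveryPhraseBackup` and the field names `mnemonic`, `language` and `createdAt` are assumptions for the example; the PR's real schema is not shown on this page. `encryptedValues` is the real CloudKit API (iOS 15+); whether it is truly end-to-end depends on the user having enabled Advanced Data Protection, as the discussion above explains.

```swift
import CloudKit

// Hypothetical schema for the example (not the PR's actual record layout).
let backupRecordType = "RecoveryPhraseBackup"
let mnemonicKey = "mnemonic"     // sensitive: must live in encryptedValues
let languageKey = "language"     // metadata: plain field
let createdAtKey = "createdAt"   // metadata: plain field

struct RecoveryPhraseBackup {
    let mnemonic: String
    let language: String
    let createdAt: Date
}

/// Builds the CKRecord that will be saved to the user's private database.
/// Only the mnemonic is placed in `encryptedValues`; the metadata is left
/// in standard fields so it stays queryable but is NOT end-to-end protected.
func makeBackupRecord(_ backup: RecoveryPhraseBackup, recordName: String) -> CKRecord {
    let recordID = CKRecord.ID(recordName: recordName)
    let record = CKRecord(recordType: backupRecordType, recordID: recordID)

    // Opt this field into CloudKit's encrypted storage. With Advanced Data
    // Protection enabled on the account, Apple cannot read this value.
    record.encryptedValues[mnemonicKey] = backup.mnemonic

    // Non-secret metadata stays in plain fields.
    record[languageKey] = backup.language
    record[createdAtKey] = backup.createdAt
    return record
}

/// Reads a backup back out of a fetched record. Returns nil if the
/// mnemonic is missing from the encrypted fields.
func readBackup(from record: CKRecord) -> RecoveryPhraseBackup? {
    guard let mnemonic = record.encryptedValues[mnemonicKey] as? String,
          let language = record[languageKey] as? String,
          let createdAt = record[createdAtKey] as? Date else {
        return nil
    }
    return RecoveryPhraseBackup(mnemonic: mnemonic, language: language, createdAt: createdAt)
}

/// Defensive check before saving: the mnemonic must never appear among the
/// plain (non-encrypted) keys, e.g. after a refactor that used `record[...]`
/// instead of `record.encryptedValues[...]` by mistake.
func secretIsOnlyInEncryptedFields(_ record: CKRecord) -> Bool {
    let plainKeys = Set(record.allKeys())
    let encryptedKeys = Set(record.encryptedValues.allKeys())
    return !plainKeys.contains(mnemonicKey) && encryptedKeys.contains(mnemonicKey)
}

// Example usage with a constructed (fake) phrase; a real app would obtain it
// from the wallet and save the record via CKDatabase.save(_:completionHandler:).
let sample = RecoveryPhraseBackup(
    mnemonic: "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
    language: "en",
    createdAt: Date()
)
let record = makeBackupRecord(sample, recordName: "example-wallet-id")
precondition(secretIsOnlyInEncryptedFields(record), "mnemonic leaked into a plain field")
precondition(readBackup(from: record)?.mnemonic == sample.mnemonic)
```

The `secretIsOnlyInEncryptedFields` check is the kind of guard worth keeping in a test suite for this PR: the failure mode it catches (the phrase silently written to a plain field) would not be visible to the user, who would still see a "backup succeeded" result.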