ACINQ / phoenix

Phoenix is a self-custodial Bitcoin wallet using Lightning to send/receive payments.
https://phoenix.acinq.co
Apache License 2.0

(ios) Apple's "advanced data protection" + seed backups #485

Closed robbiehanson closed 2 months ago

robbiehanson commented 7 months ago

Apple recently added end-to-end encrypted data for iCloud via Advanced Data Protection:



When I first heard about this, I was under the impression that ALL iCloud data would be encrypted E2E (except mail, calendar & contacts). However, this is false. When enabled, all of Apple's own apps get E2E protection, but 3rd party apps ... nope! They have to opt-in themselves:

Advanced Data Protection also automatically protects CloudKit fields that third-party developers choose to mark as encrypted, and all CloudKit assets.

CloudKit Record fields must be explicitly declared as “encrypted” in the container’s schema to be protected, and reading and writing encrypted fields requires the use of dedicated APIs.

So with this PR, we are opting in.

Ramifications

Advanced data protection is not enabled by default. It's opt-in, and it's a relatively hidden setting. To enable it requires the user to set up either a "recovery key" or "recovery contact".

The recovery key option is similar to backing up a bitcoin seed. The user is given a 28-character hexadecimal string, and is told they're responsible for saving it.

The recovery contact option allows them to choose 1 or more trusted contacts:

A recovery contact can generate a code from their Apple device to help you get your data back.

The user can pick multiple options (e.g. recovery key plus multiple recovery contacts).

But throughout the setup process, the user is regularly reminded about data loss.

advancedDataProtection-iOS

So if the user loses access to their Apple account, and they lose all their recovery options, then they've basically lost all their iCloud data (photos, files, notes, etc).

Apple can help the user regain access to their account, but only the non-encrypted data would be available, such as email, calendar, contacts ... and unencrypted CloudKit records.

In my opinion, if a user explicitly enables "advanced data protection", they would probably assume that an iCloud backup of their recovery phrase (via Phoenix, or any other wallet) would be E2E encrypted. They might be wrong. But they would be excused for believing so, because most people do.

In fact, if you watch any tutorial on setting up Advanced Data Protection, most people say something like "all your iCloud data is E2E encrypted, except mail, calendar & contacts." (example) So the confusion is common.

For this reason (and others) I think the responsible choice is to opt-in to E2E encryption.

Technical notes

The record we're now backing up in the cloud looks like this:

{
  "name": "Optional backup name user can enter",
  "language": "en",
  "encrypted": {
    "mnemonics": "indoor fox shiver ..."
  }
}

In other words, in its current state, this PR encrypts just the recovery phrase, and not the other metadata. Requesting feedback about this.
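As an added illustration (not code from this PR or the Phoenix code base) of the CloudKit split the technical notes describe: values set through the record's regular subscript stay server-readable, and only values written through `encryptedValues` are covered by Advanced Data Protection. The record type and field names are assumptions for the example.

```swift
import CloudKit

// Assumed record type for the example; not taken from the Phoenix project.
let backupRecordType = "SeedBackup"

/// Build the backup record shown above: "name" and "language" are ordinary
/// fields, "mnemonics" is written as an encrypted field.
func makeBackupRecord(name: String, language: String, mnemonics: String) -> CKRecord {
    let record = CKRecord(recordType: backupRecordType)

    // Regular values: stored in plaintext and readable server-side even when
    // the user has Advanced Data Protection turned on.
    record["name"] = name as CKRecordValue
    record["language"] = language as CKRecordValue

    // Encrypted value: protected by Advanced Data Protection when the user has
    // enabled it. The field must also be declared "encrypted" in the container
    // schema, and it is only reachable through the encryptedValues API.
    record.encryptedValues["mnemonics"] = mnemonics as CKRecordValue
    return record
}

/// Read the phrase back. The regular subscript (`record["mnemonics"]`) would
/// return nil for an encrypted field; the dedicated API is required.
func readMnemonics(from record: CKRecord) -> String? {
    return record.encryptedValues["mnemonics"] as? String
}

/// Save to the app's private database; the caller decides how to surface errors.
func saveBackup(_ record: CKRecord, completion: @escaping (Error?) -> Void) {
    let database = CKContainer.default().privateCloudDatabase
    database.save(record) { _, error in
        completion(error)
    }
}
```

Whether the encrypted field is actually end-to-end protected still depends on the user having Advanced Data Protection enabled, which, as noted later in the thread, the app cannot query.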

robbiehanson commented 6 months ago

Fixes issue #342

robbiehanson commented 6 months ago

but if we know from within Phoenix that this advanced option was enabled in iOS

There's a catch. Apple does not tell us whether or not "advanced data protection" is enabled. So Phoenix has no way of knowing. :slightly_frowning_face:

And also, if the user enables this option, Apple makes it really easy to disable (which simply uploads the private keys to Apple's servers). So if it's enabled today, it could theoretically be disabled tomorrow.

dpad85 commented 6 months ago

Apple does not tell us whether or not "advanced data protection" is enabled

Ok then we just need to add a short disclaimer about "Advanced data protection" in Settings > Recovery Phrase > iCloud backup, below the Your recovery passphrase will be stored... message, and I think we should be good.

robbiehanson commented 3 months ago

Here's what I came up with:

So the user has to agree to 1 of the legal sections. And we use strikethrough to explain the implications of "advanced data protection".

The (i) button points the user to Apple's official page

robbiehanson commented 2 months ago

Updated design: