Cloud services can be great – helpful, convenient, and easy to use. They also can be unreliable, insecure, and a risk to privacy. Consumer cloud environments, like Google, Yahoo, and Apple have no SLA, no contractual remedy for a breach, and are rarely compliant with corporate security policies. I, like many security professionals, avoid using consumer cloud for anything that has any real disclosure risk – and simply don’t use any of the services that mine my data for advertising purposes at all.
Apple’s working hard to shove their subscription, streaming, and cloud services at their customers – it’s their new business model. We saw that in the latest TV and music app where they intentionally mixed on-device, in-cloud, and streaming content all together – and constantly override the ‘downloaded only’ filter that’s our last hope of not incurring data charges on metered connections. Turning on an apple music subscription is deceptively easy (I had a family member do just that). It’s a major annoyance to be sure. But the media applications, while they present an economic risk, and a boredom risk (the TV app is currently non-functional in Airplane mode), there’s not much of a security or privacy risk.
iCloud drive is a different story, because it allows apps to sync any and all data to the cloud. So, I make sure that it’s turned off on all my iOS devices. I’m perfectly happy to have to turn it off myself – I wear a tinfoil hat for a living, but most folks don’t. Imagine my surprise though, when after upgrading to iOS 10.2, it’s back on. It appears that there’s a bug that re-enables iCloud drive and my apps were automatically enabled to transmit data. Fortunately I’ve gotten into the habit of going through all the settings after upgrades to catch any new privacy options (Apple’s far better at protecting user privacy than Android or Windows).
So user beware. If you use your iOS device to store any sort of confidential information (HIPPA for example), make sure you turn iCloud drive back off. It also would be a good idea to start checking your iCloud settings after every upgrade.
I’ve logged a bug with Apple, and will post an update with any response. It’s been a couple of weeks, and no word back yet.
Apple’s investigated, and this appears to be a rare situation, and is definitely unintentional. If you upgrade and see this behavior, please drop a comment and I’ll pass it along in my defect with them.