Users’ deleted notes should completely disappear from Apple’s servers after 30 days. However, ElcomSoft, a Russian company developing computer and mobile forensic tools, discovered that the deleted notes could still be extracted from Apple’s servers after the 30 days had passed, even though they were no longer visible to the users.
Deletes Notes Extracted From iCloud Servers
Apple’s Notes app automatically stores users’ notes in the cloud, when iCloud is enabled. Users can delete their notes, and they will remain in the app’s “Recently Deleted” folder for another 30 days, as expected.
However, ElcomSoft discovered that Apple was not deleting the notes once that 30-day period was over, even if the files were no longer in the Recently Deleted folder. Therefore, users would assume that the notes were permanently deleted when they actually weren’t.
The company used its own Phone Breaker forensic app, which can extract sensitive information from a phone if the files are not well protected by the mobile platform. If a user’s credentials are used, the tool can also download whatever data is available in the user’s iCloud account, even if the data is not visible to the user anymore.
According to ElcomSoft, a user’s authentication token can also be extracted from the PC to bypass the iCloud authentication process, which sounds like another security design flaw Apple needs to fix.
Deleted notes extracted in ElcomSoft's Phone ViewerThe company demonstrated how out of the 334 notes extracted from a user’s (test) account, two were found in the Recently Deleted folder, but 47 notes were deleted more than 30 days earlier. These notes weren’t accessible to the user under any other means, but they were still there on Apple’s server.
Apple iCloud’s Privacy Issues
ElcomSoft’s recent discovery isn’t the only time Apple’s iCloud has had issues with previously deleted user data. Back in 2016, ElcomSoft discovered that users’ deleted photos were kept on Apple’s iCloud servers for years after the users had originally deleted them. After ElcomSoft’s public disclosure, Apple fixed the issue.
Earlier this year, ElcomSoft found another similar problem with iCloud: Deleted Safari browsing history also remained stored indefinitely on Apple’s servers. Users tend to delete their browsing history primarily for privacy reasons. Your browsing history can show your habits, what type of content you like to read, what videos you like to watch, your political affiliation, and so on. Few would like their browsing histories to be made public.
Last year, ElcomSoft also noticed that Apple was storing everyone’s call records on its servers by default, with no way to disable it. This is another privacy issue that Apple doesn’t seem willing to address, despite “taking privacy very seriously.”
This is a problem with Apple’s iMessage, too, which essentially nullifies whatever end-to-end encryption it may be using when iCloud is enabled. There’s no way to disable iMessage syncing alone. Therefore, if iCloud is enabled, your “end-to-end encrypted” messages will be stored on Apple’s servers, from which law enforcement or hackers can get them just like they could from any other chat application.
Apple could at least allow users to disable iMessage syncing when iCloud is enabled. The company should arguably have the syncing disabled by default, considering users expect them to be end-to-end encrypted and private.
ElcomSoft had previously suggested that Apple also reveals the following:
- Provide full details what data do they store in the iCloud
- Provide information what data they reveal (well, MAY reveal) to law-enforcement, if different from the above. Yes, such document is already there on Apple’s web site, but now we know that it is not complete.
- Allow “opt-out” for all categories of data saved in the iCloud, and/or provide an ability to delete the particular category (anything from web history to the list of iTunes purchases). That is not only about the call logs only. We do know that Apple stores even more.
No Fix For Deleted Notes Yet
ElcomSoft said that Apple had fixed the previous deleted photos and browsing history issues, but it’s yet to fix this recent software flaw. However, the company wondered how many times this will keep happening to its iCloud service. The more it happens, the less users can trust that their files are actually deleted from Apple’s servers.