HomeKit data security
For homes that have been upgraded to the new HomeKit architecture (available in iOS 16.2 and iPadOS 16.2), HomeKit data is securely synchronized between a user’s Apple devices using iCloud and iCloud Keychain. During this process, the HomeKit data is encrypted using iCloud end-to-end encryption and isn’t accessible by Apple.
The user who initially created the home in HomeKit (the “owner”) or another user with editing permissions can add new users. The owner’s device configures the accessories with the public key of the new user so that the accessory can authenticate and accept commands from the new user. When a user with editing permissions adds a new user, the process is delegated to a home hub to complete the operation.
Home data and apps
Access to home data by apps is controlled by users in Privacy settings. Users are asked to grant access when apps request home data, similar to how to access Contacts, Photos, and other iOS, iPadOS, and macOS data sources works. If the user approves, apps have access to the names of rooms, names of accessories, the room each accessory is in, and other information as detailed in the HomeKit developer documentation at https://developer.apple.com/homekit/.
Local data storage
HomeKit stores data about the homes, accessories, scenes, and users on a user’s Apple devices. This data is stored using the Data Protection class Protected Until First User Authentication and within a data vault. HomeKit data isn’t backed up in local backups.