iCloud security and privacy overview

Apple takes data security and the privacy of your personal information very seriously. iCloud is built with industry-standard security practices and employs strict policies to protect your information.

Data security

iCloud secures your information by encrypting it when it's sent over the Internet, storing it in an encrypted format when kept on a server, and using secure tokens for authentication. This means that your information is protected from unauthorized access both while it is being transmitted to your devices and when it's stored in iCloud. iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties.

Security and iCloud features

This table summarizes how iCloud secures your data when you use up to date operating systems and software.

Data Encryption Notes
In transit On server
Calendars Yes Yes A minimum of 128-bit AES encryption
Contacts Yes Yes
Bookmarks Yes Yes
Notes Yes Yes*
Reminders Yes Yes
Photos Yes Yes
iCloud Drive Yes Yes
Backup Yes Yes
Find My iPhone Yes Yes
Find My Friends Yes Yes
iCloud Keychain Yes Yes

Uses 256-bit AES encryption to store and transmit passwords and credit card information. Also uses elliptic curve asymmetric cryptography and key wrapping.

iCloud.com Yes N/A All sessions at iCloud.com are encrypted with SSL. Any data accessed via iCloud.com is encrypted on server as indicated in this table.
Back to My Mac Yes N/A Back to My Mac does not store data on iCloud. Data retrieved from other computers is encrypted with SSL while in transit.
Mail Yes No

All traffic between your devices and iCloud Mail is encrypted with SSL. Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers. All Apple email clients support optional S/MIME encryption.

 

*Encryption is available only when you use the latest iOS or macOS and upgrade your Notes app.

Use of secure tokens for authentication

When you access iCloud services with Apple’s built-in apps (for example, Mail, Contacts, and Calendar apps on iOS or macOS), authentication is handled using a secure token. Using secure tokens eliminates the need to store your iCloud password on devices and computers. Even if you choose to use a third-party application to access your iCloud data, your username and password are sent over an encrypted SSL connection.

Strong passwords

When you create an Apple ID to use with iCloud, your password must have a minimum of 8 characters, a number, an uppercase letter, and a lowercase letter. Learn more about creating a strong password.

Two-factor authentication

Apple offers an optional security enhancement for your Apple ID called two-factor authentication. With two-factor authentication, your account can only be accessed on devices you trust, like your iPhone, iPad, or Mac. So when you want to sign in with your Apple ID on a new device for the first time, you need to provide two pieces of information—your password and the six-digit verification code that's automatically displayed on your trusted devices.

Two-step verification

Apple offers another security featured for your Apple ID called two-step verification. Two-step verification requires you to verify your identity using one of your devices before you can make changes to your information on your Apple ID account page, sign in to iCloud on a new device or at iCloud.com, or make an iTunes, iBooks, or App Store purchase from a new device.

Privacy

Apple has a company-wide commitment to your privacy. Our Privacy Policy covers how we collect, use, disclose, transfer, and store your information.

In addition to adhering to the Apple Privacy Policy, Apple designs iCloud features with your privacy in mind. For example:

Find My iPhone

  • You must set up Find My iPhone, iPad, and iPod touch in iOS Settings before your device can be located.
  • You must set up Find My Mac in System Preferences before your Mac can be located.
  • Location data is sent from your device only when you request its location—it isn't transmitted or recorded at any other time.
  • Last known device location data is stored on Apple's servers in an encrypted format for 24 hours and then permanently deleted.
  • Lost Mode data is stored on the device that is in Lost Mode and retrieved on-demand by you only.
  • You are automatically signed out of the Find My iPhone app (on device or on the web) after 15 minutes of inactivity.
  • Remote Lock allows you to lock a device's screen to prevent others from accessing your data.
  • Remote Wipe lets you permanently and securely erase your data from a device.
  • If you’re using Family Sharing, sharing your device's location with family members is optional. You will not share your device's location by default.

Location Sharing

  • With iCloud, you can share your location with friends and family using the Find My Friends app or the Messages app in iOS 8 and later.
  • For someone to see your location, you must first give that person explicit permission.
  • Your location is sent from your device only when a friend requests to see your location or if you choose to send your current location within a message—it is not transmitted or recorded at any other time.
  • There is a single switch you can use to hide from all of your friends at any time. You can turn off the option from either of these settings:
    • Settings > Privacy > Location Services > Share My Location
    • Settings > iCloud > Share My Location
  • Last known location data is stored on Apple's servers in an encrypted format for only two hours, and then permanently deleted.
  • If you use Family Sharing, sharing your location with family members is optional. You won't share your location by default.
  • You can share your location with friends and see your friends on a map if you download the optional and free Find My Friends app from the App Store.

iCloud Keychain

  • iCloud Keychain encryption keys are created on your devices, and Apple can't access those keys. Only encrypted keychain data passes through Apple's servers, and Apple can't access any of the key materials that could be used to decrypt that data.
  • Apple can't see or access the contents of your iCloud Keychain.
  • Only trusted devices that you approve can access your iCloud Keychain.
  • Advanced settings allow you to choose an iCloud Security Code longer than four digits or have your device generate one for you.
  • You can choose to disable keychain recovery, which means that iCloud Keychain is kept up to date across your approved devices, but the encrypted data is not stored with Apple and cannot be recovered if all of your devices are lost.

Photos

  • You can delete unwanted photos from iCloud Photo Library or My Photo Stream at any time.
  • You can delete unwanted photos and videos from your shared albums at any time.
  • You can remove subscribers from shared albums that you created at any time.
  • If you’re using Family Sharing, you are automatically added to an iCloud Photo Sharing album with your family members. However, you're in control of what photos, videos, and comments you want to share. Nothing is shared automatically or by default.
Published Date: