iTunes backups: secure again in iOS 10.1

by Catalina Butnaru

iOS 10 has reached a 65% adoption rate amongst all Apple users, according to a near real-time user adoption report from Mixpanel. Adoption of iOS 10 started slowly after launch and picked up speed over the past 2 weeks. Official stats on Apple’s developer page show that only 54% of devices are currently running iOS 10. That’s roughly half a billion active devices.

iTunes backups are secure again

In iOS 10, Apple made a number of changes to encrypted, password-protected iTunes backups. Changes included encrypting key pieces of information about backups, known as metadata, such as the date on which files were last modified, their size, and additional information needed to decrypt them.

Backup encryption is enabled by users who wish to encrypt data including wi-fi settings, browser history, health data and passwords, and we strongly recommend users do this. The only thing that stands between private information and hackers is that password. That is why the security flaw affecting iTunes passwords caused such a stir earlier in September.

iOS 10 backups included a password hash used to verify if the user has entered the correct password to decrypt the backup. This made it much easier for hackers to use brute force to crack the passwords of encrypted backups. To break the encryption, an attacker was able to try thousands of passwords in quick succession until they found one that matched the password hash.

Theoretically, the security flaw introduced for encrypted iTunes backups might have affected a reasonable proportion of the half a billion or so devices on iOS 10.

The security flaw in iOS 10 is fixed in iOS 10.1 beta

We’ve discovered Apple introduced a fix in iOS 10.1 beta 2 and 3 that addresses this issue by reverting the encryption method to the one from iOS 9. In the latest beta of iOS 10.1, Apple have fixed this security flaw by removing the new password hash from encrypted iOS 10.1 backups.

Arguably, alternative encryption methods exist for scenarios where authentication is required. Thus, the easiest and fastest solution was to essentially roll back the security mechanism to how it was before the flaw was introduced.

In any case, one thing is important to remember: encryption strength is always dependent on the strength of your password. Always use randomised characters and non-alphanumeric ones to increase your password’s strength. Cracking a password using a password hash is made much more difficult if you use a strong password.
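The following is an added illustration, not code from this article or from iPhone Backup Extractor, of why a cheap-to-compute password verifier matters and why password strength still dominates the outcome. It models the cost of one password guess with PBKDF2-HMAC-SHA256 at two iteration counts; the iteration counts, the guess rate and the password policies are constructed assumptions, not Apple's actual parameters.

```python
import hashlib
import hmac
import os

# Assumed, illustrative parameters (not taken from the article or from Apple).
FAST_ITERATIONS = 1            # models a verifier that costs one hash per guess
SLOW_ITERATIONS = 10_000       # models an iterated key-derivation function
HASHES_PER_SECOND = 1_000_000  # constructed guess rate in raw hash operations

def make_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the value stored alongside encrypted data to check a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def check_password(candidate: str, salt: bytes, iterations: int, verifier: bytes) -> bool:
    """Compare a candidate against the stored verifier in constant time."""
    return hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier)

def search_space(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length

def average_search_seconds(alphabet_size: int, length: int, iterations: int,
                           rate: int = HASHES_PER_SECOND) -> float:
    """Expected search time: half the space, `iterations` hashes per guess."""
    return search_space(alphabet_size, length) / 2 * iterations / rate

def report():
    """Return (policy, seconds with fast verifier, seconds with iterated KDF)."""
    policies = {"6 digits": (10, 6), "8 lowercase": (26, 8),
                "12 printable ASCII": (95, 12)}
    return [(name,
             average_search_seconds(a, n, FAST_ITERATIONS),
             average_search_seconds(a, n, SLOW_ITERATIONS))
            for name, (a, n) in policies.items()]

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = make_verifier("correct horse", salt, SLOW_ITERATIONS)
    print("password accepted:", check_password("correct horse", salt, SLOW_ITERATIONS, stored))
    for name, fast, slow in report():
        print(f"{name:20s} fast verifier: {fast:.3g} s   iterated KDF: {slow:.3g} s")
```

The iteration count multiplies the search time by a fixed factor, while each extra character or larger alphabet multiplies the search space itself, which is why a long random password holds up even against a fast verifier.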

iPhone Backup Extractor works with the newest iTunes encrypted backups

As ever, our team has already dug into the changes to encrypted iTunes backups, and updated iPhone Backup Extractor to be compatible with the latest iOS betas.

If you’re already using iPhone Backup Extractor and are updating to iOS 10.1, please upgrade iPhone Backup Extractor to continue recovering deleted or missing files from iTunes backups made with the most recent iOS version. iPhone Backup Extractor continues to be compatible with older iOS versions as well.

As a company, data privacy and security are in our DNA. The iPhone Backup Extractor is built to ensure compatibility with all extra security measures made available to Apple users, ensuring that our product is used by legitimate iTunes and iCloud users who pass all authentication stages associated with accessing a backup either locally or in the cloud.
