Researcher finds iOS 10 backups 2,500x weaker than in iOS 9, but Apple promises to fix

“iOS 10 has a ‘major security flaw’ which leaves the data locally backed up to iTunes much more vulnerable to password cracking,” Darlene Storm reports for Computerworld.

“At least that is what Russian forensic software company Elcomsoft claimed on Friday. Apple allegedly weakened the method for protecting local backup files in iOS 10 by skipping some security checks. In other words, the security mechanism for protecting iOS 10 backups, which are saved locally on a computer via iTunes, are more susceptible to password-cracking tools,” Storm reports. “‘The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups,’ Elcomsoft researcher Oleg Afonin announced.”

“Elcomsoft, which makes forensic software to gain access to password-protected, locked and encrypted information on mobile devices, was tweaking its Phone Breaker software so it would work on iOS 10. That’s when the company discovered the ‘alternative password verification mechanism’ which Apple added to iOS 10 backups,” Storm reports. “Apple acknowledged the issue and promised the flaw will be fixed via an upcoming patch.”

Read more in the full article here.

MacDailyNews Note: Apple is aware of the issue and will correct it an upcoming update:

We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.

Apple Inc. statement, September 23, 2016


  1. Just a matter of time before the usual Apple apologists start their round of personal insults, guys. In their eyes Apple is the best it gets. Of course, they don’t use competitive products on a daily basis, so they can’t see how Apple has slipped relative to the competition.

    Thanks to Cook, Apple is now EXACTLY like Microsoft or Adobe. Profit maximization is always more important than user experience. And that means pushing software rental, consumer services, and server space on the innocent-sounding “cloud”, which is at best a slow archive with inadequate privacy controls and at worst a security bomb waiting to blow up.

    I long for the days when Apple made the most powerful personal computers with the absolute best GUI. Those days appear to be long gone, friends. I wish I was wrong, but all MDN can find are oblique references to Cook claiming he still gives a shit about the Mac platform despite all evidence to the contrary.

  2. While I appreciate Apple fixing this as soon as possible, this is just not a big issue for many of us who use FileVault2 full disk encryption on our Macs. Every single file on every single Mac I own is highly encrypted – and that includes my iOS backups. 🙂

  3. Replacing password hashing with SHA256 is really amateur hour. Not noticing it in code review while claiming security is top priority is worrying me. Why was the hashing mechanism replaced anyway and why with an inferior mechanism? Fact is that this piece of code should never have been allowed to be merged in master. To me this looks like a problem in the development process.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.