
Secured iOS Backups Reduce Security, but Not by Much


At first, I thought Elcomsoft had discovered a major flaw in the way that iOS allows iTunes to back up the data of an iPhone, iPad, or iPod touch. The Russian security firm creates software designed to test the quality of passwords for many different software packages and systems by trying to crack them; it also markets its software for forensic use.

Elcomsoft offers iPhone Password Breaker software ($79 or $199, depending on features) to crack the password for an iTunes backup of an iOS device. Version 1.2 adds the capability to view the contents of an iOS device's keychain if a password is cracked. The iOS keychain, much like (or perhaps identical to) the one in Mac OS X, stores network, email, and other system passwords, as well as passwords from third-party apps that took Apple's advice to use the keychain.

Andrey Belenko of Elcomsoft explained how this new feature came about. Prior to iOS 4, iOS devices with a hardware encryption key always used that key to encrypt the keychain. So far, it has been impossible to recover the hardware encryption key from a device, and the key is strong enough to resist cracking. (Hardware encryption is found in all iOS devices released from 2009 on: all iPads, the iPhone 3GS and iPhone 4, and third-generation iPod touch models.)

The hardware key continues to be used in iOS 4 backups in iTunes, with an important exception. If you enable Encrypt iPhone Backup (or the equivalent option for whatever iOS device is plugged in), iOS 4 switches from using the hardware key to a key derived from the password you enter for your backup.


The reason, Belenko explains, is that iOS 4 then allows the transfer of the keychain to a device being restored from a backup. If your iPhone is lost, stolen, or destroyed, or if you upgrade from one iPhone to another, you can restore your last backup onto your new iPhone. Before iOS 4, the passwords weren't passed along. (Elcomsoft offers an extensive FAQ explaining this even further.)

It's a strange notion, that encrypting your backup might actually make your data less secure. But it's not really a security hole, nor does Elcomsoft see it that way.

In order to extract passwords from your iPhone keychain, a ne'er-do-well has to gain access to your computer in some fashion, physically or through a remote exploit. With that kind of access, a keystroke sniffer could be installed, and then all the keys to the kingdom would be available.

Further, if you've picked a good, strong password, the Elcomsoft breaker won't help. It's a brute-force method, and the company doesn't play down the difficulty of recovering a password. Its FAQ has this amusing dialog:

(end of one question): ...Only relatively short and simple passwords can be recovered in a reasonable time.

Q: What do you mean by "time consuming" and "reasonable time"?

A: A lifetime? Seriously, with protection as good as that, it may take centuries to recover a long password.

And Elcomsoft goes on to note, "The iPhone backup encryption is good enough. Well, it is near perfect by our standards. That's to say, it's really secure."

Apparently, Apple was able to add flexibility without compromising security so long as you take care to create a reasonably long and strong password. Apple's one mistake? Not including the Password Assistant that's used in the Keychain Access program and a few other places in Mac OS X to assist you in creating the best password for your iOS backups.
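To put numbers on "reasonably long and strong," the following added example (not code from Apple, Elcomsoft, or this article) stands in for the missing Password Assistant: it generates a random backup password and estimates how long an exhaustive search would take when every guess costs one key derivation. The derivation function and iteration count are assumptions, since the article does not name them.

```python
import hashlib
import math
import secrets
import string
import time

# Assumed KDF parameters: the article does not name the derivation function,
# so PBKDF2-HMAC-SHA1 with this iteration count is a stand-in.
ASSUMED_ITERATIONS = 10_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_key(password, salt, iterations=ASSUMED_ITERATIONS):
    """Derive a 32-byte key from a password, as a backup tool might."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 32)


def measure_guess_rate(iterations=ASSUMED_ITERATIONS, trials=5):
    """Guesses per second this machine manages, one key derivation per guess."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of exactly this length."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def generate_password(length=16, alphabet=ALPHABET):
    """Pick each character uniformly with the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"measured on this CPU: {rate:,.0f} guesses/second")
    for label, n, size in [("6 lowercase", 6, 26), ("8 alphanumeric", 8, 62),
                           ("16 from ALPHABET", 16, len(ALPHABET))]:
        print(f"{label:18} {entropy_bits(n, size):5.1f} bits  "
              f"{years_to_exhaust(n, size, rate):.3g} years")
    print("suggested backup password:", generate_password())
```

The rate measured on one CPU is a floor; dedicated cracking hardware guesses faster, so read the printed times as upper bounds and leave margin when choosing a length.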

(Thanks to TidBITS security editor Rich Mogull for his input on this article.)



Comments about Secured iOS Backups Reduce Security, but Not by Much

barefootguru  2010-08-09 15:58
I've assumed that when running FileVault the iPhone backup enjoys the same security as the rest of my home folder—without further encrypting it. Can anybody confirm this?
Glenn Fleishman  2010-08-09 16:15
Precisely the same: which is, if you're logged into your account, none at all.

FileVault's encryption is only worthwhile when you are not logged into your account.