Apple has updated its iOS Security Guide to disclose that personal data from its iCloud storage service is actually stored on Google Cloud servers.
According to the document:
“iCloud stores a user’s contacts, calendars, photos, documents, and more and keeps the information up to date across all of their devices, automatically. iCloud can also be used by third-party apps to store and sync documents as well as key values for app data as defined by the developer. Users set up iCloud by signing in with an Apple ID and choosing which services they would like to use. iCloud features, including My Photo Stream, iCloud Drive, and iCloud Backup, can be disabled by IT administrators via MDM configuration profiles. The service is agnostic about what is being stored and handles all file content the same way, as a collection of bytes.
Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.”
The encryption routines used seem reasonable, in and of themselves. I am hesitant, however, to change my position on cloud services as a whole. Putting critical data on hardware you do not own is a risk. Putting that data on completely unknown hardware is a recipe for disaster.
It is incredibly unlikely that someone will brute-force the encryption keys they have set up from the Google side, but the additional layer of operational complexity that has been introduced is a cause for concern. This is assuming they are being honest about the encryption; after all, encryption creates a performance overhead that can reflect poorly on end-user services.
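To make the quoted scheme concrete, here is an added example in Go (not Apple's code and not taken from the guide) that chunks a file, derives each chunk's AES-128 key from its own SHA-256 digest and seals it with GCM. The key/nonce split of the digest, the chunk size and the content-addressed blob ID are my assumptions; the guide states none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// ChunkRecord is the account-side metadata per chunk; the blob at the provider holds neither field.
type ChunkRecord struct { Secret []byte; BlobID string }
// ChunkSecret hashes the chunk with SHA-256. Assumption (the guide does not say how a 256-bit digest
// becomes a 128-bit key): bytes 0-15 are the AES-128 key, 16-27 the GCM nonce. Same content, same secret.
func ChunkSecret(chunk []byte) []byte { h := sha256.Sum256(chunk); return h[:28] }
// newAEAD builds AES-128-GCM plus nonce for one secret; a fixed nonce is safe only because key = f(plaintext).
func newAEAD(secret []byte) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(secret[:16])
	if err != nil { return nil, nil, err }
	aead, err := cipher.NewGCM(block)
	return aead, secret[16:28], err
}
// EncryptFile splits data into fixed-size chunks and seals each under its own content-derived key, returning
// the manifest (secrets + blob IDs) and the blobs a third-party store would hold. Identical chunks give identical blobs.
func EncryptFile(data []byte, chunkSize int) ([]ChunkRecord, map[string][]byte, error) {
	manifest, blobs := []ChunkRecord{}, map[string][]byte{}
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) { end = len(data) }
		secret := ChunkSecret(data[start:end])
		aead, nonce, err := newAEAD(secret)
		if err != nil { return nil, nil, err }
		ct := aead.Seal(nil, nonce, data[start:end], nil)
		blobID := fmt.Sprintf("%x", sha256.Sum256(ct)) // constructed address: hash of the ciphertext
		blobs[blobID] = ct
		manifest = append(manifest, ChunkRecord{Secret: secret, BlobID: blobID})
	}
	return manifest, blobs, nil
}
// DecryptFile rebuilds the file from manifest and blob store; a tampered blob fails GCM authentication.
func DecryptFile(manifest []ChunkRecord, blobs map[string][]byte) ([]byte, error) {
	var out []byte
	for _, rec := range manifest {
		aead, nonce, err := newAEAD(rec.Secret)
		if err != nil { return nil, err }
		pt, err := aead.Open(nil, nonce, blobs[rec.BlobID], nil)
		if err != nil { return nil, fmt.Errorf("blob %s: %w", rec.BlobID[:8], err) }
		out = append(out, pt...)
	}
	return out, nil
}
```

The manifest (keys plus blob addresses) is what stays with the account, and the blob store holds only ciphertext, but because each key is a function of the chunk's content, two identical chunks produce the same blob: that is what makes deduplication possible and it is also a pattern the storage operator can observe without any key.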
Cloud services pose numerous risks, not just of data theft or loss, but of civil rights abuses from corporate entities, state-funded attackers, and other bodies engaged in data-mining as a source of revenue or leverage.
There is also the possibility of the service just vanishing, temporarily, or permanently.
John Kheit compiled a list of cloud services that became defunct and shut down.
The Cloud is just someone else’s server, and you have no reason to trust them.