The issue with iPhone backups carries another security weakness that Iâve not seen mentioned before. When you manually request a backup from your Mac, or if you have it set up for automatic backups to your Mac (which is still possible to do with iMazingâyou just have to enter the passcode every time), youâll get the passcode pop-upâwithout anything identifying the computer requesting the backup.
That is, it asks you if you trust an unnamed, unspecified computer thatâs requesting a backup. Am I the only one who can see ways for this to go very wrong?
It shouldnât bother me for wired backups; after all, Iâm going to be sitting at the computer, and I can see the USB cable connecting the device to my Mac. But the pop-up is identical for wired and wireless backups, and does not indicate which the request is.
This means that, in theory, if a bad actor in or near your household or office was able to associate your iPhone with their computer, itâs conceivable that they could time a wireless backup request from their Mac to whenever youâre about to do a wired backup to your own Mac. As long as they donât jump the gun, the timing doesnât have to be perfect, as it can take up to several seconds for the prompt to appear on the device. Since the pop-up doesnât indicate the requesting computer or the manner in which the backup is to be conducted, you have nothing to alert you that this request is not your own.
While I have trust that Appleâs security measures would make this kind of interception difficult, I donât trust that itâs impossible or even impractical to attempt. The data thief could be an obnoxious roommate, a partner who suspects you of cheating, a business colleague who wants to sabotage you, or any number of other close-to-you people. If youâre an âimportant personâ, the data on your phone might be worth an outsider specifically targeting in this manner.
You also have no assurance that the pop-up is genuine. There is nothing about it that canât be replicated by an app. So instead of raw data theft, the culprit could just be after your passcode. Granted, this is a bit less likely, because it requires the perpetrator to know when you have automatic backups scheduled, which even social engineering might find tricky. But itâs not outside of the realm of possibility, especially for a person close to you, like those I mentioned above.
Iâll grant this this may seem like an unlikely possibility altogether, cybersecurity concerns shouldnât be limited to only the probable. The improbable is attempted more often than most people would think. What matters isnât so much the probability of the method succeeding as it is the motivation someone else has to mess with you.
Apple could easily alleviate this concern by adjusting the passcode prompt to give the name of the computer requesting a backup and whether itâs wired or wireless. That data should already be received by the device as part of the backup request, so thereâs no real reason it canât be shared with the user. While it wouldnât eliminate the possibility of this kind of attack happening, it would add steps to the attack that would deter some from trying it.