Account locking
Incident Report for Reincubate
Resolved
We're overdue in updating the status of this incident; we've been in communication with clients directly. In the interests of completeness, we're closing this incident and updating here.

Apple made a series of changes to the iCloud in early and mid 2017, primarily in response to a widely reported hacking / extortion event. The changes made were unhelpful as they had the effect of making regular, transparent iCloud backup access more challenging. There were two key changes: account access could lead to accounts being temporarily locked, and authentication tokens for backup access were required to be fresher than 24 hours old. Whilst the former change attracted the most attention, the second was more profound.

Our response was four-fold:

1. Firstly, we worked to ensure that our real-time iCloud data access was unaffected by either of these changes.

2. Secondly, we rapidly released our asmaster product which handled poll frequency for our clients. A number of client scheduler implementations were leading to overly aggressive polls of the iCloud, which contributed negatively to locking. We made asmaster freely available to all clients, simplifying their own integrations.

3. Thirdly, we shipped our asrelay technology to enable clients to work with iOS backup data directly, bypassing the storage limits and change risk of the iCloud. asrelay is available for iOS users running Windows or macOS, and provides access to another segment of iOS users.

4. Finally, we continued our investment in R&D to enable us to continue helping clients access iCloud backups in a transparent, ethical, secure and scalable manner. We will be announcing more in this space in the coming months.

On this latter point, transparency and security were of utmost importance to us. We have always directly identified our interactions with Apple's servers as coming from Reincubate. We don't operate in the shadows, or in an environment that lacks robust data protection regulation. Consequently, rearranging our networking stack to anonymise or somehow mask our traffic was not the right course of action. We met with the team at Apple and continued our work, and were able to structure our iCloud backup access mechanism in such a way as to satisfy the criteria we had: no anonymous access, and no locking of iCloud accounts as a consequence of facilitating legitimate access.

It is still possible for clients to encounter locked iCloud accounts whilst working with iCloud backups. End-user accounts may be locked prior to signing up, or end-users may be accessing their data through other mechanisms which lock. Our API attempts to rate-limit clients that aggressively poll the API beyond our best practices, but behaviour like this can increase the risk of locking. In practice, our rate limiting does a pretty good job of protecting against this. Additionally, lower-priced client services may be more susceptible to attempts at fraudulent account access which can lead to locking for security reasons: this is entirely correct and appropriate.

As we have done consistently, we strongly encourage all clients to promote use of Apple's secure 2FA (two-factor authentication) mechanism. This mechanism is a win/win technology for all involved, as it goes further to reinforce legitimacy and consent of access.
Posted Feb 14, 2018 - 14:13 GMT
Update
We have been communicating with affected API clients directly and implemented a solution. We are continuing to monitor this.
Posted Mar 28, 2017 - 19:34 BST
Update
We have observed another set of locks today at 1230 UTC. Please do report any instances of this directly to us: ent-support@reincubate.com or via the Slack channel.
Posted Mar 21, 2017 - 13:17 GMT
Update
We have observed another set of locks affecting a small number of end-users on March 18th, and we are continuing to monitor this. Please do report any instances of this directly to us: ent-support@reincubate.com or via the Slack channel.
Posted Mar 19, 2017 - 16:10 GMT
Monitoring
We have not seen any reports of locked accounts since those observed prior to 1700 UTC yesterday. We are continuing to monitor this. Please do report any instances of this directly to us: ent-support@reincubate.com or via the Slack channel.
Posted Mar 14, 2017 - 19:00 GMT
Update
We have confirmed seeing a number of other locked iCloud accounts today. The two locking periods we have observed were at 0300 UTC 4th March and 1700 UTC today, 13th March. We are still collecting data on this. The prior locking event did not uniformly affect clients or accounts, and we do not believe it related to use of the API.
Posted Mar 13, 2017 - 18:10 GMT
Investigating
We've received reports today of further account locking and are investigating the issue now to confirm this. We have not seen this reflected in our canary accounts, and it is not clear whether this relates to the activity on the 4th. Please do report any instances of this directly to us: ent-support@reincubate.com or via the Slack channel.
Posted Mar 13, 2017 - 17:31 GMT