If you were to get hacked, would it be worse for the hack to affect your Apple account or your Google account?
That depends on a lot of factors. But Vladimir Katalov, CEO of Elcomsoft Ltd., a company that makes digital forensics software tools for customers like U.S. intelligence agencies, says he thinks ultimately, getting your Google account hacked is riskier.
Basically, you can forget about privacy if you're using a smartphone or any device. - Vladimir Katalov, Elcomsoft
That said, both accounts can potentially provide access to reams of personal information, from contacts to photos to internet bookmarks, Katalov demonstrated at a presentation at the SecTor IT security conference in Toronto last week.
Last fall, naked and intimate images of actresses Jennifer Lawrence and Mary Elizabeth Winstead, swimsuit model Kate Upton and other celebrities were spread across the internet during a high-profile breach of celebrity Apple accounts. Russian Prime Minister Dmitry Medvedev had his Twitter account hijacked and Russian President Vladimir Putin's private emails were also leaked as a result of similar attacks.
Katalov said in all cases, someone managed to get hold of the victims' Apple account information and downloaded their Apple backup, which "basically… is everything that is stored on your iPhone" from your photos to saved network settings to call logs and text messages.
Apple provides a fairly comprehensive list of the types of information available through your Apple account within the guidelines for law enforcement requests on its Government Information Requests website.
It's more information than is typically stored on Android phones, Katalov says.
'You won't even know about it'
And Apple doesn't necessarily notify you if someone downloads your backup file: "You won't even know about it."
He added that Apple started sending out notifications shortly after the celebrity hacks, but stopped at some point.
The good news is that you can disable iCloud backups completely, making them impossible for anyone to download, Katalov says.
Meanwhile, the amount of information from your Google account — from both mobile devices and desktop use — is vast as well, from your photos to your browsing history and your profile for targeted ads to your chats in Google Hangouts.
And it's not necessarily as easy to figure out exactly what or how much there is.
Katalov said you can get most of it by using Google's Takeout service, which allows users to export and download all their data from most Google services. But that's not complete.
Google usually sends notifications if someone logs into your account from a new device or location, alerting you that someone may have your password. But it's possible for hackers to use developer tools to access some information in your account without detection, such as your Hangouts conversations and your location history.
Under some circumstances, it may be possible for hackers to get into your Apple and Google accounts without your password — they can instead use malware to steal a small file on your device called an authentication key that will let them into your account until you change your password. In that case, Katalov said, you will never get any notification that someone has accessed your account.
While both Apple and Google encrypt your stored passwords, they store the encryption keys with the data so it's not hard for someone to decrypt the data, Katalov said. Apple does have one additional level of security: extra encryption tied to the identity of your device.
"So even if you restore them from iCloud backup to new device, your passwords are not being restored because your hardware is different," Katalov said. "So losing your Apple ID and password is much less risky even if the iCloud backups are there."
Tips to reduce your risk
There are steps you can take to minimize your risk of your accounts getting compromised. Katalov recommends that you:
- Use a strong password and change it regularly.
- Pay attention to notification emails about logins to your account.
- Use two-factor authentication.
Ultimately, though, Katalov warns, even if you're careful, you can never expect your information to be completely secure.
"Basically, you can forget about privacy if you're using a smartphone or any device. If you're using the cloud, that means the government has for sure access to that information with or without your knowledge," he said.
He added that most of the time, users have no way of knowing how their information is stored, whether or how it's encrypted, and who can access it. In many cases, companies like Apple use servers from other companies such as Microsoft and Amazon.
"If you're using the internet," Katalov said, "at least some of your information will be leaked somewhere."