We are told the encryption keys reside only on your device. But Apple control “your” device so they can just issue an update that causes your device to decrypt data and upload it.
Apple has already fought US government demands that they push an update that would allow the US governmrnt to break encryption on a user's device.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.
From the Advanced Data Protection whitepaper [0], it appears the keys are stored in the iCloud Keychain domain, so not the Secure Enclave:
> Conceptually, Advanced Data Protection is simple: All CloudKit Service keys that were generated on device and later uploaded to the available-after-authentication iCloud Hardware Security Modules (HSMs) in Apple data centers are deleted from those HSMs and instead kept entirely within the account’s iCloud Keychain protection domain. They are handled like the existing end-to-end encrypted service keys, which means Apple can no longer read or access these keys.
Apple can push firmware updates to the HSM just like the device. So if they really wanted they could add an operation that extracted the keys (likely by encrypting them to a key that lives in Apple's cloud).
An HSM bypass (extracting keys, performing unauthenticated crypto ops) on any recent iOS device is worth 10s of millions, easily. Especially if combined with a one-click/no click. In that sense, it’s auditable, because it’s one of the biggest targets for any colour hat, and the people smart enough to find a bug/backdoor would only be slightly aided by a spec/firmware source, and a bit more by the verilog.
This is true for pretty much every “real” hsm on the planet btw. No one is sharing cutting edge enclave details, Apple isn’t unique in this regard.
If someone has a reliable and workable secure enclave hack they can become a multi-millionaire for selling to state actors or become one of the most famous hackers in the world overnight (and possibly get a life changing amount of bounty from Apple)
Basically it's not a hack someone just throws on the internet for everyone to use, it's WAY too valuable to burn like that.
