[kingnight]

My source, while I wholly acknowledge this is anecdotal and not evidence, is someone in law enforcement tasked with retrieving message logs for investigations. I was pretty skeptical but I've yet found any proof or documentation from Apple's support docs disproving this.

I also recall from the San Bernadino case that the FBI/Apple had the ability to get historic message history from the iCloud backup but the FBI pushed for decrypting the device because of the most recent and not backed up messages.

As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.

[aeontech]

> someone in law enforcement tasked with retrieving message logs for investigations.

Right, but do they retrieve them from iCloud? Without Apple's assistance, and without knowing the user's password?

> I was pretty skeptical but I've yet found any proof or documentation from Apple's support docs disproving this.

Well, here's the brief overview: https://support.apple.com/en-us/HT202303

and here's the iOS security whitepaper: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Which includes a section about iCloud security, including the following section:

  iCloud secures the content by encrypting it when sent 
  over the Internet, storing it in an encrypted format, 
  and using secure tokens for authentication.

I am no security expert, but I am pretty sure FBI wouldn't have a huge fight with Apple if they had any way to get to the data directly (and once they figured out they could use a vuln in the old iOS to break into the device, they did indeed drop the fight).

> FBI/Apple had the ability to get historic message history from the iCloud backup

Right, because they reset the shooter's Apple ID password. Not because the backup was in plaintext.

> As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.

How does that follow? You still need to supply your password to decrypt the backup before you can restore it. From the same security whitepaper:

  When files are created in Data Protection classes that aren’t accessible 
  when the device is locked, their per-file keys are encrypted using the 
  class keys from the iCloud Backup keybag. Files are backed up to iCloud 
  in their original, encrypted state. Files in Data Protection class 
  No Protection are encrypted during transport.

  The iCloud Backup keybag contains asymmetric (Curve25519) keys for each 
  Data Protection class, which are used to encrypt the per-file keys. For 
  more information about the contents of the backup keybag and the iCloud 
  Backup keybag, see “Keychain Data Protection” in the Encryption and Data 
  Protection section.

  The backup set is stored in the user’s iCloud account and consists of a 
  copy of the user’s files, and the iCloud Backup keybag. The iCloud Backup 
  keybag is protected by a random key, which is also stored with the backup 
  set. (The user’s iCloud password isn’t utilized for encryption so that 
  changing the iCloud password won’t invalidate existing backups.)

  While the user’s Keychain database is backed up to iCloud, it remains 
  protected by a UID-tangled key. This allows the Keychain to be restored 
  only to the same device from which it originated, and it means no one 
  else, including Apple, can read the user’s Keychain items.

  On restore, the backed-up files, iCloud Backup keybag, and the key for 
  the keybag are retrieved from the user’s iCloud account. The iCloud Backup 
  keybag is decrypted using its key, then the per-file keys in the keybag 
  are used to decrypt the files in the backup set, which are written as new 
  files to the file system, thus re-encrypting them as per their 
  Data Protection class.