Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Security firm recovers iCloud Notes beyond Apple's 30-day deletion window

Despite an Apple policy of permanently wiping deleted iCloud Notes older than 30 days, it appears to be possible to recover notes that are far older, a security firm said on Friday.

Using a new version of its Phone Breaker tool, Russia's Elcomsoft said it was able to retrieve notes dating weeks, months, or years beyond Apple's 30-day window. In extreme cases, notes were retrieved from as far back as 2015.

One iPhone produced 334 notes, despite it only having 288 listed — including those in the "Recently Deleted" folder. The ability to extract old notes isn't rock-solid, however, as some test iCloud accounts generated older results than others.

Aside from Phone Breaker, the Elcomsoft hack requires only an Apple ID login or binary authentication token, along with the company's Phone Viewer software.

"There is no doubt Apple will fix the current issue," the firm said, noting that Apple has solved past retention issues it discovered, namely ones with iCloud Photo Library and Safari data.

In the latter case, iCloud was found to be retaining Safari histories and Google search terms for over a year. Apple was quick to respond to the bad publicity by scrubbing the older data.



12 Comments

Rayz2016 8 Years · 6957 comments

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

mknelson 9 Years · 1148 comments

Rayz2016 said:
Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.

gatorguy 13 Years · 24627 comments

mknelson said:
Rayz2016 said:
Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.

This report indicates they were able to retrieve readable notes. I don't see tho where it says whether the phone's contents had supposedly been deleted along with the original encryption key.  That's a kinda important detail to know. I'm assuming it was not an erased phone. 

Soli 9 Years · 9981 comments

Rayz2016 said:
Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

I can't directly answer your question regarding the NAND storage and how Apple removes files/partitions after you wipe it, but this specifically with iCloud storing old data.

Soli 9 Years · 9981 comments

mknelson said:
Rayz2016 said:
Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.

But they don't have a secure erase option so couldn't the key be created to retrieve data? Even if it's infinitesimal, it's still technically possible, right?