Russian software company, Elcomsoft, a specialist in developing cracking tools for extracting data from iOS devices, discovered the issue while building an updated version of its Phone Breaker app. In one instance, Vladimir Katalov, CEO of ElcomSoft, came across his own iCloud history by accident. He then used his company’s Phone Breaker app to extract the data Apple had been keeping in his iCloud account and found that deleted records from over a year ago were still kept. Apple calls the records “cleared”, not “deleted”. “We have found that they stay in the cloud, probably forever,” Katalov claimed.
The entries included Google searches, the full terms of which were visible in the Phone Breaker software. Cleared entries were given “deleted” status, while Safari activity that hadn’t been cleared was labeled “actual.” Apple was keeping deleted browser information in a separate iCloud record called “tombstone.” According to Elcomsoft, the data was likely kept as part of an iCloud feature that syncs browsing history across multiple devices and ensures it’s deleted from all devices when history is cleared. To ensure this wasn’t a coincidence, Forbes hired an iOS forensics expert to validate Katalov’s claims. The expert found the Elcomsoft Phone Breaker tool recovered 125,203 browsing history records dating back to November 2015, even though the Safari cache had been cleared. They also found deleted Notes, but they were only kept for 30 days, indicating Apple was purging them regularly. It’s unclear just how or why Apple is storing cleared browsing history for such a long period. The whole issue appears to be a design problem connected to the syncing technology between iOS, Mac OS X and Apple’s servers rather than anything suspicious. However, what is more worrying is that Apple’s keeping it, but not encrypting it, which means it’s easily available with tools like Phone Breaker. The good news is, since Phone Breaker only works with a user’s Apple ID and password, or an authentication token pulled from a user’s computer, nobody can gain access to your iCloud account information. It looks like Apple is already taking steps to rectify the issue, deleting browsing data older than two weeks, which means a user’s browsing history is stored in iCloud now for at least a two week period. Shortly, after the issue was brought to the company’s attention, Katalov and another source told Forbes that their Safari records had suddenly started disappearing, which suggests Apple has begun purging them already. However, there was no official comment made by Apple.