CloudKit

The CloudKit framework provides interfaces for moving data between your app and your iCloud containers. You use CloudKit to store your app’s existing data in the cloud so that the user can access the data on multiple devices. You can also store data in a public area where all users can access it.

CloudKit Security

iOS Apps created by the Nicholas Seawater Development Team use CloudKit exclusively to store data online.

What is CloudKit?

CloudKit lets app developers store key-value data, structured data, and assets in iCloud. Access to CloudKit is controlled using app entitlements. CloudKit supports both public and private databases. Public databases are used by all copies of the app, typically for general assets, and aren’t encrypted. Private databases store the user’s data.

How does CloudKit ensure user data privacy?

CloudKit uses account-based keys to protect the information stored in the user’s private database. CloudKit uses a hierarchy of keys, similar to Data Protection. The per-file keys are wrapped by CloudKit Record keys. The Record keys, in turn, are protected by a zone-wide key, which is protected by the user’s CloudKit Service key. The CloudKit Service key is stored in the user’s iCloud account and is available only after the user has authenticated with iCloud.

CloudKit End-to-End Encryption

Many Apple services use end-to-end encryption with a CloudKit service key protected by iCloud Keychain syncing. For these CloudKit containers, the key hierarchy is rooted in iCloud Keychain and therefore shares the security characteristics of iCloud Keychain—namely, the keys are available only on the user’s trusted devices, and not to Apple or any third party. If access to iCloud Keychain data is lost, the data in CloudKit is reset; and if data is available from the trusted local device, it’s uploaded again to CloudKit.