New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

ElcomSoft Claims It's Able to Recover Deleted iCloud Notes Well Past Apple's 30-Day Window

Russian software company ElcomSoft today claimed in a blog post that iCloud notes marked as deleted are being stored on Apple's servers well past the advertised 30-day period they are kept in the "Recently Deleted" folder.


ElcomSoft said it used an updated version of its Phone Breaker tool, version 6.5, to recover dozens of iCloud notes deleted more than a month ago. ElcomSoft said many of the notes were deleted a few weeks past the 30-day window, but in some cases, it was allegedly able to extract notes deleted "several months ago."

When a user deletes a note in Apple's Notes app, it's moved to the "Recently Deleted" folder, which explicitly states that "notes are permanently deleted after 30 days." Likewise, a support document on Apple's website says users can view and recover notes for up to 30 days before they're permanently deleted.

However, ElcomSoft CEO Vladimir Katalov said the oldest note it was able to retrieve was deleted around five years ago:
"We did it again," says Vladimir Katalov, ElcomSoft CEO. "After recovering deleted photos and Safari browsing history from iCloud, we now add the ability to recover deleted notes from the same source regardless of how much time has passed after the deletion. The oldest record we've been able to pull was deleted back in 2012."
In its blog post, ElcomSoft said it was able to extract 334 notes from an iPhone with only 288 notes stored on it, including those in the "Recently Deleted" folder. In other words, ElcomSoft claims it was able to recover 46 notes deleted more than 30 days ago, and that was only one example.


Nevertheless, ElcomSoft said that its ability to extract iCloud notes deleted more than 30 days ago is "not necessarily" guaranteed. "While some of our test accounts did indeed contain deleted notes going all the way back to 2015, some other accounts contained much less than that," it explained.

ElcomSoft said its Phone Breaker tool is the only software it knows of that can be used to recover iCloud notes deleted more than 30 days ago. It also said the latest version of its Phone Viewer tool is needed to view them. The tools start at $79 each and appear to be compatible with both Mac and Windows.

To extract and view deleted notes, ElcomSoft says all someone has to do is launch Phone Breaker version 6.5 or newer, click "Download Synced Data from iCloud," authenticate with an Apple ID and password or a binary authentication token, wait for the download to complete, and open the file in Phone Viewer.

ElcomSoft's Phone Viewer tool appears to show recovered iCloud notes

ElcomSoft said "there is no doubt Apple will fix the current issue," but it didn't confirm if it has been in contact with the company. MacRumors has opted not to use the Phone Breaker tool out of an abundance of caution. Apple did not immediately respond to a request for comment today.

Last year, ElcomSoft generated headlines when it claimed Apple "secretly" syncs Phone and FaceTime call history logs on iCloud, even with backups turned off. In a statement, Apple said it offers call history syncing "as a convenience to our customers so that they can return calls from any of their devices."

In February, ElcomSoft also found that iCloud was allegedly storing deleted Safari browser history for a long period of time, ranging from several months to over a year. Forbes reported that Apple quietly "started purging older history records" once the news broke, but Apple never officially commented.



Top Rated Comments

(View all)

18 months ago
Lets face it people, no data truly gets deleted. If you're really concerned about privacy, dont use any electronic device.
Rating: 20 Votes
18 months ago
Elcomsoft is desperately trying to make a feature look like a flaw.

I suggest that Apple's intent is to let customers know that they have a *minimum* of thirty days to change their mind about deleting a note. To turn this around and try to claim that it is a guarantee that deleted notes will be purged at the thirty-day mark is a stretch.

It is perfectly reasonable to interpret "after thirty days" as "no sooner than thirty days".

A.
Rating: 9 Votes
18 months ago
Come on. In today's OS terminology, "permanently deleted" only means the file is marked as disposable and MAY be destroyed if space is needed. It's is called "permanently deleted" only because theoretically speaking there is no guaranteed-to-work method to recover them. Given that the hard disks are getting so cheap these days, most likely none of those cloud servers of any company has ever deleted a single byte at all.
Rating: 8 Votes
18 months ago
Does everyone interested in privacy now realize they just need to buy a bigass hard drive and skip all this cloud crap?
Rating: 8 Votes
18 months ago

Lets face it people, no data truly gets deleted. If you're really concerned about privacy, dont use any electronic device.


No, this is why you don’t entrust cloud services with your data. Deleting such data is in most cases an afterthought for these developers. It is far easier to just flip a switch and hide the content from the user interface than to actually purge data from a database. Even if there is no malicious intent, there are several technical reasons why this doesn’t happen.

iCloud in particular is a massive blackbox with tons of irregularities and disappointments like this one. I don’t touch it anymore.
Rating: 6 Votes
18 months ago
Nice, any software like this but with photos?
Rating: 4 Votes
18 months ago
There does seem to be a bit of a pattern here.

I've posted previously about the way Apple retains contact information for the purposes of its recent contacts list even after deleting any record of the contact from Address Book or Mail (for example) and there's no way to permanently clear the list. You can only temporarily hide the previous recipients but they keep coming back.

At best this is an annoyance because I have recipients in the list I haven't contacted for many years and have no intention of ever contacting again cluttering the list. They are hardly "recent". Apple, why do I have recipients I haven't contacted for 5 years in the list that keep coming back?

At worst this is a privacy concern. Any permanent tracking/storing of user information and personal details without the ability to change or delete them bothers me. I get why the recent contacts in Messages and Mail exists but the implementation is flawed. They should let the user permanently delete individual recipients, clear the list entirely or at least bring their definition of "recent" from meaning "forever" to "previous 3 months" or something.

I support this company investigating digital privacy. Not everyone is concerned but many are and I think everyone deserves to at least be informed. That their findings appear to have led to some changes is a good thing.
Rating: 4 Votes
18 months ago

Those two options are hardly related since (with a few exceptions) everything in the cloud is also stored on your local hard drive. Switching off cloud services doesn't require getting a new, big hard drive. You already have that hard drive, almost everything is first generated locally (which could also be a phone or tablet) before it uploaded to the cloud.


Whatever, my point is, if you want privacy, all you gotta do is (to paraphrase the rolling stones) get off of that cloud.
Rating: 3 Votes
18 months ago

Balderdash. I’m going to suggest just like you did that the vast majority of people would expect that after 30 days that the data is gone for good.


You can suggest that, but it doesn’t make it right.

Throw a piece of paper into your wastebasket at your office on Monday. It’s in the trash, right? The next day, you see that it’s still in the trash can, right? You could pull it back out. Or you could leave it there. Now, your trash is normally emptied over the wekeend. BUT guess what? This weekend, the cleaners didn’t show up! You come in Monday and OMFG! Your trash is STILL in the trash can! The outrage! I thought that trash was supposed to be DESTROYED over the weekend but it wasn’t! What am I going to do?

Second scenario. You have a piece of paper. You want to permanently destroy it. You toss it into your shred box. Later that day, you walk your box over to the shredder and shred it. No going back now. It’s permenently destroyed. No waiting.

For someone to assume that a note sitting in a “recently deleted” folder should be guaranteed to be 100% destroyed precisely 2,592,000 seconds after it was deleted is asinine.

This would be a story if these Russians were able to pull arbitrary notes or deleted notes from Apple’s servers. Like pulling someone else’s notes. Pulling your own stuff out of the trash 31 days or even 90 days after it was deleted? Not a story to me.
Rating: 3 Votes
18 months ago

Does everyone interested in privacy now realize they just need to buy a bigass hard drive and skip all this cloud crap?


I did this. I set up a mini server with a vpn router and fixed IP address. My primary machine has everything on it but I can access files from my travel machine as needed via the vpn.
Rating: 3 Votes

[ Read All Comments ]