[ADP] Is Advanced Data Protection Supported?

[Sponge-bink]

Summary

Can I download iCloud photos with Advanced Data Protection enabled? I have Access iCloud Data on the Web enabled and can download iCloud photos from my browser.

Context

I'm using the Python package. This is what it gives me:

2023-09-21 15:18:04 DEBUG    Authenticating...
iCloud Password:
Usage: icloudpd <options>
Try 'icloudpd -h' for help.

Error: No such option: -B
2023-09-21 15:18:12 ERROR    private db access disabled for this account.  Please wait a few minutes then try again.  The remote servers might be trying to throttle requests. (ACCESS_DENIED)
private db access disabled for this account.  Please wait a few minutes then try again.  The remote servers might be trying to throttle requests. (ACCESS_DENIED)
multiprocessing/resource_tracker.py:104: UserWarning: resource_tracker: process died unexpectedly, relaunching.  Some resources might leak.
Mac-mini ~ % Usage: icloudpd <options>
Try 'icloudpd -h' for help.

Error: No such option: -B

Note that I did not include a -B option in the command, it looked like this:

icloudpd -d /my \path \
-u myemail@example.com \
--threads-num 4 \
--recent 1000

And the program seemed to have started itself again and told me the second time that have used an unsupported option -B while I didn't.

[AndreyNikiforov]

There is no special code that handles ADP on icloudpd side. If you have web access enabled, I assume icloudpd should just work, because it emulated web browser.

[boredazfcuk]

Interesting read about how icloud.com works when ADP is enabled:

https://support.apple.com/en-gb/guide/security/sec973254c5f/web

[Sponge-bink]

If you have web access enabled, I assume icloudpd should just work

It needs to send a request to one of my trusted devices to grant the access which I believe icloudpd is not capable of:

[genfersee]

I have the same error...

Try 'icloudpd -h' for help.

Error: No such option: -B

... with or without iCloud web access enabled.

[boredazfcuk]

It needs to send a request to one of my trusted devices to grant the access which I believe icloudpd is not capable of.

The request wouldn't be sent from the device that accesses the icloud.com website though, would it? Like, if I borrow my mate's laptop and log in to iCloud.com, his laptop isn't going to know what/where to send that request to. The request will be sent from icloud.com to your trusted device, then you need to approve it.

It would already be too late by that point. icloudpd will have bailed because the website wasn't appearing as it expects. I'd guess that launching icloudpd a second time probably isn't going to work either, as icloudpd doesn't save session information from a previous run. This means it would repeat the login process, Apple may see it as a new request and re-trigger the approval notification.

I think icloudpd would need to be changed so that it could re-use the session information from previous runs. I think I've seen this in the cookie, at least that's what I presume X-APPLE-DS-WEB-SESSION-TOKEN is for as I've only ever seen it valid for a month,

Another option would be for icloudpd to just check for that message in your screenshot and just wait until it goes away (when you've authorised the request) before proceeding with the download.

[Sponge-bink]

I should add that this request wasn't triggered until I click the photos icon on iCloud.com. These images were just to showcase what it would look like. icloudpd doesn't trigger OR handle this currently.

[boredazfcuk]

I should add that this request wasn't triggered until I click the photos icon on iCloud.com.

Ah OK. icloudpd would need tweaking to click on this link automatically then to wait for the WebUI to appear. Maybe controlled by an additional command line parameter like --adp or something.

[ido2]

Why isn't this a major issue? Why aren't most people using ADP by now?

+1 for higher priority.

[boredazfcuk]

Why isn't this a major issue? Why aren't most people using ADP by now?

I don't want ADP on my device because it means I will have to authorise icloudpd 4 times per day. What I need is a utility which reliably backs up my photos and only requires interaction with it once every few months. icloudpd does exactly that job.

I guess that's why there's no appetite for for ADP. If there was, somebody would have submitted a PR for it.

[ido2]

I beg to differ, ADP, among other reasons, was developed and released to the public by Apple due to a huge privacy -aware user base.
That said, maybe that user base doesn't overlap with the ones using this application on a daily/backup use-case, due to the reasons you have mentioned.
Then again, I'm just interested in offloading pics every once and a while, so don't care about the bulky authentication process.
So would be happy if implemented :)

[Sponge-bink]

Then again, I'm just interested in offloading pics every once and a while, so don't care about the bulky authentication process.

Same here! I turned on ADP mainly because I can finally backup my messages and the whole iOS device knowing it's end-to-end encrypted.

[boredazfcuk]

I beg to differ, ADP, among other reasons, was developed and released to the public by Apple due to a huge privacy -aware user base.

That said, maybe that user base doesn't overlap with the ones using this application on a daily/backup use-case, due to the reasons you have mentioned.

There's been nearly 1.5 million pulls of my icloudpd container and the number of people requesting ADP support is probably in single digits. I'm pretty sure there's not a huge overlap.

[Sponge-bink]

There's been nearly 1.5 million pulls of my icloudpd container and the number of people requesting ADP support is probably in single digits.

I'm more curious about how many of those 1.5 million pulls were actually made after ADP becoming available to the public. (And dare I add, it's not yet available to all users around the world.) I'm betting that's a lot less appealing number than 1.5 million.

I'm pretty sure there's not a huge overlap.

I genuinely couldn't think of a reason why a person who knows that iCloud Photos need to be backed up, did their research, ended up here with a tool that has no GUI at all, whose the easiest installation requires you to download an executable that has no permission to execute and fails macOS's gate keeper, would be less or even equally interested than the average in a major privacy feature in years for the service protecting those photos ultimately better.

Even if there isn't, that is just the status quo. People using iPhones to take pictures and storing them in iCloud, people want to have a piece of mind that those precious pictures are safe, people care about privacy and want to be responsible for their own data, and the ADP feature, those people/things are not going away in the foreseeable future.

[boredazfcuk]

I'm more curious about how many of those 1.5 million pulls were actually made after ADP becoming available to the public. (And dare I add, it's not yet available to all users around the world.) I'm betting that's a lot less appealing number than 1.5 million.

Around 200k just in September... ADP is 10 months old.

I genuinely couldn't think of a reason why a person who knows that iCloud Photos need to be backed up, did their research, ended up here with a tool that has no GUI at all, whose the easiest installation requires you to download an executable that has no permission to execute and fails macOS's gate keeper, would be less or even equally interested than the average in a major privacy feature in years for the service protecting those photos ultimately better.

You can't think of a reason coz you don't really know what you're on about. My container can be installed, configured and downloading photos within minutes. People have even created YouTube tutorials on how to set it up. The biggest user base isn't people running Windows/Macs, it's people with home NAS devices like QNAP/Synology/Unraid/TrueNAS. They want to set up their NAS to download their photos and forget about it for months at a time, Some people have even complained that their multifactor cookie expiring after 90-days is too frequent.

Even if there isn't, that is just the status quo. People using iPhones to take pictures and storing them in iCloud, people want to have a piece of mind that those precious pictures are safe, people care about privacy and want to be responsible for their own data, and the ADP feature, those people/things are not going away in the foreseeable future.

The Venn diagram of people who care about security, and people who trust GitHub project owners with their iCloud credentials, looks like this:

O O

[AndreyNikiforov]

Accounts with APD are not supported. Sounds like ADP may allow temporal web access and that might be used by icloudpd if support is implemented. Needs R&D work, so changing from bug to enhancement.

[ido2]

FYI, ADP works in steilerDev/icloud-photos-sync#202 and https://github.com/foxt/icloud.js

[plplplpl3]

any chance to update with adp working?:))))

[NeonMinnen]

Would be lovely.