For the most part, Apple's developers have kept local (iTunes) backups relatively secure, but it appears that with iOS 10 Apple has actually made those backups less secure than they were in iOS 9. That is according to reports from security researchers at Elcomsoft and from Per Thorsheim (via PhoneArena), a security adviser at God Praksis AS.
For starters, Elcomsoft found that the password verification mechanism Apple implemented for iOS 10 local backups is far weaker than the one in iOS 9. Brute-force attacks on a backup password were already possible before, but against iOS 10 backups Elcomsoft measures them at roughly 2,500 times faster. Apple also seems to have skipped some of the security checks that were in place in iOS 9. Whether this was intentional or an oversight remains to be seen.
Thorsheim also flagged the change in the hashing algorithm, which has been widely reported as a "downgrade from SHA1 to SHA256". SHA-256 is not a weaker hash than SHA-1; the downgrade is in how the hash is applied. iOS 9 derived the verification value from the password with PBKDF2-SHA1 over 10,000 iterations, so every guess cost an attacker 10,000 hash operations, whereas iOS 10 uses a single SHA-256 iteration, so every guess costs one. The practical consequence is that figuring out a backup password by brute force becomes feasible on a common desktop processor, with no special equipment (such as a GPU rig) needed.
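To make the difference concrete, here is an added example (not code from the article, from Elcomsoft or from Apple) that contrasts the two verification styles the reports describe: a PBKDF2-HMAC-SHA1 derivation with 10,000 iterations against a single SHA-256 hash, each attacked with the same dictionary loop over a small constructed wordlist. The salt layout, the candidate passwords and the `verifier_*` / `brute_force` / `speedup` names are assumptions for illustration and are not Apple's actual backup keybag format; the speed ratio it measures depends on the machine it runs on and will not match Elcomsoft's 2,500x figure exactly, but it shows why iteration count, not the choice of SHA-1 versus SHA-256, is what governs brute-force resistance.

```python
import hashlib
import hmac
import os
import time

# Constructed for illustration: this models the two styles of password
# verification the reports contrast, NOT Apple's real backup keybag format.
IOS9_STYLE_ITERATIONS = 10_000  # PBKDF2-HMAC-SHA1 iteration count reported for iOS 9
CANDIDATES = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]  # constructed wordlist


def verifier_iterated(password: str, salt: bytes) -> bytes:
    """Slow verifier: PBKDF2-HMAC-SHA1 with 10,000 iterations (the iOS 9 style)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               IOS9_STYLE_ITERATIONS, dklen=32)


def verifier_single(password: str, salt: bytes) -> bytes:
    """Fast verifier: one SHA-256 over salt || password (the iOS 10 style).
    The salt is an assumption here; salting does not change the per-guess cost."""
    return hashlib.sha256(salt + password.encode()).digest()


def brute_force(verifier, stored: bytes, salt: bytes, candidates):
    """Dictionary attack: recompute the verifier for each candidate and compare
    it with the stored value. Returns (recovered_password, guesses_made)."""
    for guesses, candidate in enumerate(candidates, start=1):
        if hmac.compare_digest(verifier(candidate, salt), stored):
            return candidate, guesses
    return None, len(candidates)


def guesses_per_second(verifier, salt: bytes, seconds: float = 0.5) -> float:
    """Measure how many candidate passwords this CPU can test per second."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verifier("candidate-%d" % count, salt)
        count += 1
    return count / seconds


def speedup(seconds: float = 0.5):
    """Return (slow_rate, fast_rate, ratio): how much faster the single-hash
    verifier can be attacked than the iterated one, on this machine."""
    salt = os.urandom(16)
    slow = guesses_per_second(verifier_iterated, salt, seconds)
    fast = guesses_per_second(verifier_single, salt, seconds)
    return slow, fast, fast / slow


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = verifier_single("hunter2", salt)  # the value an attacker would hold
    print("recovered:", brute_force(verifier_single, stored, salt, CANDIDATES))
    slow, fast, ratio = speedup()
    print("iterated: %.0f guesses/s, single SHA-256: %.0f guesses/s, ratio %.0fx"
          % (slow, fast, ratio))
```

The dictionary loop is identical in both cases; the only thing that changes is the cost of each `verifier` call, which is exactly the lever Apple moved. Elcomsoft's 2,500x figure compares CPU attack rates between the two schemes, and a GPU would widen the gap against a single unstretched hash further still.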
However, Elcomsoft has noted that an attacker still needs to get hold of the backup itself before any of this matters; a local backup lives on the computer that made it, so without access to that machine (or to the backup file) there is nothing to brute-force. That is some consolation, but hopefully this is something Apple will address anyway.