iMessage May Not Be as Secure as Apple Claims

Security researchers questions Apple's claims about iMessage. Courtesy Apple

Security researchers questions Apple's claims about iMessage. Courtesy Apple

Is iMessage really secure? Apple says the encryption on its Wi-Fi-enabled messaging service is unbreakable, but at the Hack in the Box computer security conference in Kuala Lumpur Oct. 14-18, researchers painted a different picture.

Here's the backstory: On June 6, a top-secret document leaked by former NSA contractor Edward Snowden suggested that several major communication companies, including Apple, were part of a government surveillance program called PRISM.

Apple denied that it worked with the NSA to spy on its users in a June 16 statement, in which it also emphasized iMessage's security.

MORE: NSA Leaks 2013: A Timeline of NSA Revelations

"Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data," wrote Apple in its statement. 

Apple's iMessage encryption

End-to-end encryption means that the message is encrypted as soon as it leaves the sender's phone, and doesn't get decrypted until it reaches the recipient's phone. That way, not even the company doing the delivery — in this case, Apple — can read the message.

No hacker worth his or her salt takes a statement like that at face value, so two researchers with Paris-based security firm Quarkslab decided to do a bit of digging into iMessage and how it implements its encryption.

What did they find? Apple's boasts of iMessage's security are "just basically lies," said Quarkslab researcher Cyril Cattiaux at the Hack in the Box presentation.

iMessage uses an encryption protocol called public-key encryption, which means that each iMessage user has two encryption keys: the public key is used to encrypt messages so that only people who possess the corresponding private key can decrypt and read them.

But iMessage users don't actually possess their encryption keys — Apple manages them, and the means by which it does that is unclear.

Can you trust Apple's security?

That means that it's entirely possible for Apple to switch the keys and their corresponding users, or add another private key to a given public key and intercept the contents of an iMessage conversation.

So when you use iMessage, you aren't relying on the proven math of Apple's encryption implementation. You're trusting the company to properly manage your encryption keys.

What does that mean for you? For most users, iMessage is probably secure enough. But messaging apps with more secure encryption implementation do exist, such as Wickr and SilentText.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • monsta
    Makes you wonder why iMessage is free....
  • otacon

    Makes you wonder why BBM is free... what a stupid statement.
  • house70
    "Can you trust Apple's security?"

    Just as much as you can trust iPhone 5s' borked sensors... not at all.
    In truth, there is no surprise here. By now everyone should be used to Apple's lies when it comes to their products. "it just works"... what a load of bull (unless it's finished with " everything else").
    Meh. Movin' on...
  • monsta
    @ otacon
    " He's out to make a quick buck and will just toss the phone. If you don't want your data being compromised don't put it out there to begin with"

    Now thats the stupidest statement I've ever heard!
  • jldevoy
    Apple can't win on this point, it's now a crime in the USA to tell anyone you're being coerced by the NSA etc.
  • rantoc
    If you believed apple in the first place there is one way to get help - A shrink!
  • wopr11
    Apple lying? when haven't they
  • IreneRDubose
    <B>my buddy's step-sister makes <$82> an hour on the computer. She has been laid off for 8 months but last month her payment was <$17918> just working on the computer for a few hours. Here's the site to read more

  • ddpruitt
    So?.. anything sent over the air or stored electronically, given enough time and resources, can be decrypted and read. The only thing the average user or even large corporation can do is put up enough road blocks that the time needed to decrypt information doesn't make it financially viable.

    Yes but this is basically a shortcut around all of the roadblocks, you just need to ask the construction company for the key to the gate. The current implementation allows any government agency to ask for the keys and then read messages en masse. True end to end encryption would make it several orders of magnitude more difficult to decrypt a signal message, let alone a boatload.