It’s been a tough week for iMessage. An urgent security update to fix a serious security issue was released alongside glitzy iOS 15 feature updates that promised good public relations. And then its rival WhatsApp dropped its own surprise bomb: the platform’s biggest missing feature was suddenly there, as simple as that, a real game changer.
WhatsApp has of course been affected by its own NSO exploits in the past. But now its surprisingly timed update exposes a different iMessage security vulnerability. If you back up WhatsApp from your iPhone to iCloud, Apple can currently access that backup. It’s the same with Android devices and Google Cloud. Now, WhatsApp is ending this vulnerability, cutting off Apple’s access. But this same vulnerability remains by default in iMessage, undermining its end-to-end encryption.
The WhatsApp update was announced by Mark Zuckerberg himself, on Facebook. We knew it was in the works, but we weren’t expecting this confirmation and technical detail so soon. The timing, in the same week as the iPhone’s launch, might be a coincidence, but Zuckerberg has previously raised the iMessage security vulnerability. “Apple and governments have the ability to access most people’s messages,” he warned, as his privacy-focused battle with Apple escalated earlier this year.
With this update, WhatsApp ends its exposure to Apple’s security. The chats and media you save in the cloud are now protected with the same level of security as its end-to-end encrypted messages and calls. It now presents a marked improvement over Apple’s confused approach to cloud encryption.
I reported on the WhatsApp update a week ago, and since then I have answered several user questions about how they are protecting iMessage from this vulnerability. You can find details below. It’s a stupidly simple settings tweak that isn’t talked about much.
WhatsApp backup encryption is smartly designed. It clearly took a lot of work to provide a solution for 2 billion users in most countries of the world. Simply put, your backup is protected with a 64-character encryption key. You can either create and store your own, manually, or protect one online in a third-party safe that’s protected with an easy-to-remember password. The key point is that WhatsApp does not have access.
And it is this concept of “access” that undermines the security of iMessage. Apple’s encryption architecture for what it calls “Messages in iCloud” is also cleverly designed. It’s the best multi-device, fully-encrypted architecture available, beating WhatsApp’s own multi-device update, as it creates a circle of trusted devices without the concept of a primary messenger to which all other devices are linked.
Apple provides you with an end-to-end encryption key that ensures that messages sent to and from your devices cannot be read by anyone other than you and your counterparties. But it then stores a copy of that key in your iCloud backup, and that iCloud backup isn’t end-to-end encrypted, which means Apple can access the backup, retrieve the key, and then access all of those “Messages in iCloud”.
“iMessage users may mistakenly believe their communication is private,” warned ESET’s Jake Moore, “but with access granted from a simple backup created, it somehow compromises its success in protection.”
As Apple acknowledges, “Apple keeps the encryption keys in its US data centers. iCloud content, as it exists in the customer’s account, may be provided in response to a search warrant issued upon presentation of probable cause or the customer’s consent.”
This is all very timely. Apple came under fire for its intention to add a client-side iMessage machine learning filter (on your iPhone) that would warn minors sending or receiving sexually explicit images. Critics argued that this was a potential backdoor. Apple has denied that this is the case, but has halted those plans, as well as its on-device CSAM screening.
This backup vulnerability, however, is a backdoor. “With access granted from a simple backup created,” Moore told me, “it kind of defeats its success in protecting.”
To understand the backup vulnerability of iMessage, you need to consider the evolution of iCloud and cloud services in general. What started as a means of automatic or triggered off-device backups and data storage has grown into a seamless, always-on platform that drives applications and services in real time.
Among the iCloud sync services that keep your calendar, reminders, and Safari data in sync across all your devices, you have Messages in iCloud, a running backup of all messages that all your trusted devices can access.
But you also get the generic iCloud backup, which primarily stores data from apps on your phone that don’t rely on their own cloud services, along with your device settings and home screen layouts. You don’t need it: You can run a direct transfer when you switch devices, and most decent third-party apps now offer their own cloud data backups, which is useful if you lose your device.
If you have enabled Messages in iCloud and iCloud backups are also enabled, a copy of this iMessage encryption key is saved in the backup. Turn off iCloud backups and you’re good to go. Or, if you want to keep an iCloud backup while still having fully encrypted messaging, switch to WhatsApp or (better) Signal.
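The backup problem described above can be modeled in a few lines. This is an added illustration, not Apple's or WhatsApp's code: the cipher is a SHA-256 stand-in built from the Python standard library, and the function names and the three backup-mode labels are assumptions made for the example.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode: a stand-in keystream, for illustration only.
    blocks = (len(data) + 31) // 32
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

SAMPLE = b"constructed sample message"

def provider_can_read(backup_mode):
    """backup_mode: 'provider-key', 'off' or 'user-key' (hypothetical labels)."""
    message_key = secrets.token_bytes(32)   # end-to-end key, created on the device
    provider_key = secrets.token_bytes(32)  # backup key held in the provider's data center
    user_key = bytes.fromhex(secrets.token_hex(32))  # 64 hex characters, never uploaded
    cloud = {"messages": seal(message_key, SAMPLE)}  # synced ciphertext
    if backup_mode == "provider-key":
        cloud["backup"] = seal(provider_key, message_key)
    elif backup_mode == "user-key":
        cloud["backup"] = seal(user_key, message_key)
    # The provider's view: everything in `cloud` plus its own provider_key.
    try:
        recovered = unseal(provider_key, cloud["backup"])
        return unseal(recovered, cloud["messages"]) == SAMPLE
    except (KeyError, ValueError):
        return False

if __name__ == "__main__":
    for mode in ("provider-key", "off", "user-key"):
        print(mode, "-> provider can read messages:", provider_can_read(mode))
```

Only the first mode, where the message key sits in a backup sealed under a key the provider holds, lets the provider recover the plaintext; with the backup off or sealed under a user-held key, the synced ciphertext stays unreadable to it.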
And the concept of “fully encrypted” messaging brings us to the other serious issue for iMessage, the lack of interoperability between platforms. Those of you old enough will remember the early days of texting, when it was not possible to send messages across networks. Apple and Google’s current approach to messaging unfortunately creates a similar paradox.
With iMessage, you can send secure messages, but only to other Apple users; with Google Messages, you can now send secure RCS messages from your Android device, but not to iPhones. Go cross-platform (instead of cross-network, this time around) and your messages revert to insecure SMS, which is best avoided.
Apple and Google are inadvertently making the case for switching from their own operating system-based messaging to over-the-top, cross-platform messengers. In recent months, WhatsApp has solved its most serious issues: multi-device access and encrypted backups. Meanwhile, Signal continues to offer a safer alternative that can do just the same.
As the shadow of Pegasus recedes (Apple hopes), after iOS 14.8 and its welcome (albeit belated) transparency, Apple has some serious questions to answer about iMessage. This backup anomaly must be corrected or at least more clearly communicated to users, who should be able to opt out of the backup of encryption keys. I asked Apple about it, but the company does not “comment or speculate” about its future plans.
This is becoming a serious problem for Apple. iOS 15 was intended to bring some cool new features to iMessage. But all we’ve been talking about in recent months are iMessage’s security vulnerabilities. Apple needs to recognize that WhatsApp has now caught up with and surpassed iMessage in terms of security, while also offering cross-platform features and other secure features like disappearing messages and single-view media.
With all of that in mind, I can no longer recommend iMessage to Apple users as their daily messenger, and suggest they go with WhatsApp or Signal instead.