Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple reaffirms security, privacy of encrypted iMessages

Apple on Friday issued a statement affirming the security of their iMessage instant messaging service, rebuking suggestions that the company could, if forced by court order, intercept the encrypted missives.

"iMessage is not architected to allow Apple to read messages," Apple spokewoman Trudy Muller said in a blunt statement to AllThingsD regarding recent suggestions that the iMessage protocol could be subject to a wiretap. "The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

iMessage security has been a hot topic seemingly since the public release of the service alongside iOS 5 in 2011 when Apple's news release touted the feature as having "secure end-to-end encryption."

The United States Drug Enforcement Agency famously complained in April of this year that iMessage's secure design prohibited the agency from spying on suspects. The DEA circulated a memo to staff, warning that "iMessages between two Apple devices are considered encrypted communication and cannot be intercepted, regardless of the cell phone service provider."

Apple's messaging service utilizes public key cryptography to secure its communications. Broadly speaking, public key cryptography works by encoding data with one key such that it can only be decoded with a different, mathematically matched, key.

Both keys are generated at the same time and are considered to be a "key pair" —  one key cannot be deduced from the other.

Apple's vehement response comes after suggestions from security firm QuarksLAB gained publicity this week. They suggested that Apple, which controls distribution of both keys via their central servers, can read users' iMessages by performing what is known as a "man-in-the-middle" attack, in which the central servers would transparently pass illegitimate key pairs between devices. The illegitimate key pairs would theoretically be generated by Apple, and thus allow the company to intercept iMessages.



50 Comments

macmanfelix 12 Years · 125 comments

QuarksLAB is doing what everybody does these days. Shameless.

struckpaper 11 Years · 702 comments

Quote:
Originally Posted by MacManFelix 

QuarksLAB is doing what everybody does these days. Shameless.

What are they doing that everybody else is doing?

milsf1 14 Years · 27 comments

If they want to put this to rest, then they should have a few respected outside security experts come and do an audit of the system. Just saying, "That's not how our system works" won't stop the speculation and click-bait articles declaiming the possible/theoretical insider MitM vulnerabilities. I'm not talking about making the whole architecture opensource or anything, just a third-party audit of the security code much like they have outside firms audit their financial records.

struckpaper 11 Years · 702 comments

Quote:
Originally Posted by MilSF1 

If they want to put this to rest, then they should have a few respected outside security experts come and do an audit of the system. Just saying, "That's not how our system works" won't stop the speculation and click-bait articles declaiming the possible/theoretical insider MitM vulnerabilities. I'm not talking about making the whole architecture opensource or anything, just a third-party audit of the security code much like they have outside firms audit their financial records.

You're missing the salient point. Quarks is not misconstruing Apple's system. And Apple is not saying they are. Before criticizing any party, try reading Quarks' report and Apple's rebuttal. Of course, no need to do so if you just want to make a *soundbite* for the sake of it.

robbiuno 11 Years · 26 comments

If the key pair is generated in Apple's server, surely they could use them or pass them on if required. For all we know the DEA wants everyone to use iMessage because they do just that. Who cares, it's safer to assume the government can read your messages on all these devices and use alternate comm's methods if you need privacy.