Apple reaffirms security, privacy of encrypted iMessages

article thumbnail

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Apple on Friday issued a statement affirming the security of their iMessage instant messaging service, rebuking suggestions that the company could, if forced by court order, intercept the encrypted missives.

"iMessage is not architected to allow Apple to read messages," Apple spokewoman Trudy Muller said in a blunt statement to AllThingsD regarding recent suggestions that the iMessage protocol could be subject to a wiretap. "The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

iMessage security has been a hot topic seemingly since the public release of the service alongside iOS 5 in 2011 when Apple's news release touted the feature as having "secure end-to-end encryption."

The United States Drug Enforcement Agency famously complained in April of this year that iMessage's secure design prohibited the agency from spying on suspects. The DEA circulated a memo to staff, warning that "iMessages between two Apple devices are considered encrypted communication and cannot be intercepted, regardless of the cell phone service provider."

Apple's messaging service utilizes public key cryptography to secure its communications. Broadly speaking, public key cryptography works by encoding data with one key such that it can only be decoded with a different, mathematically matched, key.

Both keys are generated at the same time and are considered to be a "key pair" —  one key cannot be deduced from the other.

Apple's vehement response comes after suggestions from security firm QuarksLAB gained publicity this week. They suggested that Apple, which controls distribution of both keys via their central servers, can read users' iMessages by performing what is known as a "man-in-the-middle" attack, in which the central servers would transparently pass illegitimate key pairs between devices. The illegitimate key pairs would theoretically be generated by Apple, and thus allow the company to intercept iMessages.