iMessage Contact Key Verification appears in first iOS 16.6 beta

An example of an alert from iMessage Contact Key Verification

One of the first feature changes found in iOS 16.6 and iPadOS 16.6 may be an iMessage verification system that could help prevent government agencies from eavesdropping on the conversations of critics.

In December 2022, Apple introduced a number of security protections to help protect the sensitive data of its users in iCloud and iMessage. Months later, in the first beta of iOS 16.6 and iPadOS 16.6, Apple seems to be preparing to take one of the features live.

Released on May 19, the first developer beta of the new cycle includes a setting in iMessage to enable iMessage Contact Key. While the setting exists in the beta, reports MacRumors, it doesn't appear that the setting has been enabled in iOS itself, making its appearance an indicator that it should arrive in the near future.

During its introduction, Apple said that iMessage Contact Key Verification would arrive sometime in 2023, but not when.

The feature works as an enhancement to existing end-to-end encryption in iMessage itself, and specifically targets users who face what Apple refers to as "extraordinary digital threats." This refers to journalists, human rights activists, and members of government who may face attempts to break Apple's security and to eavesdrop on messaging conversations.

The Contact Key Verification feature allows a user to verify they are messaging only with the intended recipient, without interference from outside forces. For added security, users can verify with each other by comparing a Contact Verification Code in person, over FaceTime, or via other secured communications.

Users who have enabled iMessage Contact Key Verification will be alerted automatically if a state-sponsored attacker were to somehow succeed in breaching cloud servers or to otherwise find a way to monitor encrypted communications.
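
A simplified model of the check described above, added here as an illustration; it is not Apple's protocol or code. It assumes each account publishes a list of device public keys through a key directory, that the verification code is a hash over both accounts' key lists, and it uses constructed byte strings in place of real keys.

```python
import hashlib

def verification_code(keys_a, keys_b):
    """Short code both users compare out of band (assumed format: 8 digits).

    It covers every device key on both accounts, so an extra key on
    either side changes the code.
    """
    h = hashlib.sha256()
    # Sort keys and key sets so both parties derive the same code
    for keyset in sorted([sorted(keys_a), sorted(keys_b)]):
        h.update(len(keyset).to_bytes(2, "big"))
        for key in keyset:
            h.update(len(key).to_bytes(2, "big") + key)
    digits = int.from_bytes(h.digest()[:8], "big") % 10**8
    return f"{digits:08d}"

def unverified_keys(pinned, served):
    """Keys the directory serves now that were absent when the contact was verified."""
    return sorted(set(served) - set(pinned))

# Constructed placeholder values standing in for device public keys
ALICE = [b"alice-iphone-pubkey", b"alice-mac-pubkey"]
BOB = [b"bob-iphone-pubkey"]
# What Bob is served for Alice if the directory adds a key she does not own
ALICE_TAMPERED = ALICE + [b"unknown-device-pubkey"]

def demo():
    code_alice = verification_code(ALICE, BOB)         # Alice's own view
    code_bob = verification_code(BOB, ALICE_TAMPERED)  # Bob's view via the directory
    return {
        "codes_match": code_alice == code_bob,
        "alert_on": unverified_keys(ALICE, ALICE_TAMPERED),
    }

if __name__ == "__main__":
    result = demo()
    print("codes match:", result["codes_match"])
    print("alert for unverified keys:", result["alert_on"])
```

Message encryption never has to be broken in this model: the sender encrypts to every key listed for the contact, so the defence is noticing that the list changed.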



14 Comments

appleinsideruser 6 Years · 692 comments

So iMessage is e2e encrypted, but if someone snoops on the cloud it’ll tell you!? Seems like there’s a little detail missing here somewhere…

2 Likes · 0 Dislikes
gatorguy 14 Years · 24654 comments

appleinsideruser said:
So iMessage is e2e encrypted, but if someone snoops on the cloud it’ll tell you!? Seems like there’s a little detail missing here somewhere…

Undisclosed man-in-the-middle eavesdropping. By being included as a "secret" participant in the conversation E2EE is bypassed. This was reported a couple of years ago and by all appearances actively exploited for some time.

Us commoners have nothing to worry about anyway, we aren't that valuable or interesting. 

4 Likes · 0 Dislikes
netrox 13 Years · 1522 comments

appleinsideruser said:
So iMessage is e2e encrypted, but if someone snoops on the cloud it’ll tell you!? Seems like there’s a little detail missing here somewhere…

I am thinking the same. If both ends are encrypted, how can the "man in the middle" know what's being said? 

2 Likes · 0 Dislikes
netrox 13 Years · 1522 comments

gatorguy said:
So iMessage is e2e encrypted, but if someone snoops on the cloud it’ll tell you!? Seems like there’s a little detail missing here somewhere…
Undisclosed man-in-the-middle eavesdropping. By being included as a "secret" participant in the conversation E2EE is bypassed. This was reported a couple of years ago and by all appearances actively exploited for some time.

Us commoners have nothing to worry about anyway, we aren't that valuable or interesting. 

But even with that, how would the man in the middle know what's being relayed if data is encrypted from end to end? You cannot decrypt if you don't have the key. 

3 Likes · 0 Dislikes
downwind 2 Years · 1 comment

appleinsideruser said:
So iMessage is e2e encrypted, but if someone snoops on the cloud it’ll tell you!? Seems like there’s a little detail missing here somewhere…

From the description, it does seem to be verifying the device you're connected from and not your user, probably using a unique secure enclave key on each device.

That way, if someone manages to log in as you to iCloud by stealing credentials or somehow breaching iCloud, they can't just use any iPhone to log in and communicate as you without the other party knowing you're using a new device; the other party will know since they've never seen your device key before.

3 Likes · 0 Dislikes