Skip to main content

Despite Apple’s push for encryption, iMessage remains insecure

Last month, Apple CEO  Tim Cook released a startling letter in which he claimed the company was “challenging the FBI’s demands” to open up a backdoor on the iPhone. From this emerged a wealth of various stances from publications, politicians, and even late night talk show hosts, who all reached the consensus that no one really knows what to do in the privacy vs. protection debate.

Despite Apple’s urge for encryption, however, research conducted by Johns Hopkins University cryptography professor Matthew Green and a handful of his students has determined that Apple may already be open to vulnerabilities — or at least the iMessage portion of it. In fact, Green went so far as to say that Apple’s iMessage encryption is fundamentally broken, requiring the company to mandate a complete cryptographical overhaul if it wants to keep its users safe from unsolicited lurking.

Recommended Videos

Especially at a time when the US government is doing everything in its legal jurisdiction to get its hands on a backdoor into encryption, this could be unfortunate for Apple if it doesn’t act quickly. A susceptibility to this degree could leave the Cupertino company open to not only pesky vigilante hackers, but the bureaucratic ones as well.

“I’ve always felt that one of the most compelling arguments against this approach — an argument I’ve made along with other colleagues — is that we just don’t know how to construct such backdoors securely,” the professor explained in a blog post abbreviating the complete research paper. “But lately I’ve come to believe that this position doesn’t go far enough — in the sense that it is woefully optimistic. The fact of the matter is that forget backdoors: we barely know how to make encryption work at all.”

Put simply, the flaws found by Green and his pack of students can make it so those skilled enough to test their abilities could decrypt multimedia attachments, including both pictures and video from iMessage. Although the post mentions that certificate pinning has effectively made iMessage less exposed, a person could theoretically access Apple’s servers and proceed to take the attachments anyway, in the case that there’s a Push Notification Service server liability.

Green complimented iMessage for using “end-to-end encryption” dating back to 2011, but unfortunately it appears as though Apple uses the term quite loosely. True end-to-end encryption would keep messaging conversations between only those participating internally. Apple’s protection of iMessage does not extend to the server, leaving a gap in its defenses.

If a hacker were to take hold of the key server, they would in turn be able to intercept messages as they are being typed — those that have not already undergone the encryption process. Be that as it may, more threatening is the prospect of attackers making their way into already-encrypted messages, which is totally possible, according to Green and his disciples.

“In the long term,” Green explained, “Apple should drop iMessage like a hot rock and move to Signal/Axolotl.” In the meantime, Green recommends that users update to iOS 9.3 and the latest version of OS X, which implement fixes that mitigate some, though not all, of the vulnerability.

Gabe Carey
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…
Apple iPhone owners urged to download new update now as a security must
An iPhone showing the Apple Password app.

The new iPhone software update, iOS 18.4, could be more critical than is being talked about when it comes to security.

While there are lots of new features added in the latest release, out yesterday, what's less talked about is the 62 security updates and fixes that roll out with this version. Some are quite serious.

Read more
This could be what to expect from Apple’s massive iOS 19 overhaul, sneak peek
iOS 19 mock

Apple has just confirmed the dates for its WWDC 2025 and now we've seen a leak of just what we may be able to expect from iOS 19.

The rumour mill has been churning out lots about this being Apple's biggest redesign and overhaul since iOS 7.

Read more
Apple could be forced to make major changes to how your iPhone works
The back of the Apple iPhone 16 Pro Max.

Apple is facing yet another landmark push in Europe that could open some of the signature features of its ecosystem. The European Commission has today detailed a couple of broad interoperability measures that Apple must follow, in order to oblige with the Digital Markets Act (DMA) guidelines.
These measures cover a total of nine connectivity features available on iPhones, covering everything from smartwatches to headphones. The idea is to give developers access to the same set of advanced features — such as immersive notifications on watches and quick pairing for peripherals — that is locked to Apple’s own devices.
“The specification decisions are legally binding,” says the regulatory body, adding that interoperability is “key to opening up new possibilities for third parties to develop innovative products and services on Apple's gatekeeper platforms.”

Hello, AirDrop alternatives!

Read more