
Despite Apple’s push for encryption, iMessage remains insecure

Last month, Apple CEO Tim Cook released a startling letter in which he claimed the company was “challenging the FBI’s demands” to open up a backdoor on the iPhone. From this emerged a wealth of stances from publications, politicians, and even late night talk show hosts, who all reached the consensus that no one really knows what to do in the privacy vs. protection debate.

Despite Apple’s push for encryption, however, research conducted by Johns Hopkins University cryptography professor Matthew Green and a handful of his students has determined that Apple may already be open to vulnerabilities, at least in iMessage. In fact, Green went so far as to say that Apple’s iMessage encryption is fundamentally broken, and that the company needs a complete cryptographic overhaul if it wants to keep its users safe from eavesdropping.


Especially at a time when the US government is doing everything within its legal power to get its hands on a backdoor into encryption, this could be unfortunate for Apple if it doesn’t act quickly. A weakness of this degree could leave the Cupertino company open to not only pesky vigilante hackers, but the bureaucratic ones as well.


“I’ve always felt that one of the most compelling arguments against this approach — an argument I’ve made along with other colleagues — is that we just don’t know how to construct such backdoors securely,” the professor explained in a blog post abbreviating the complete research paper. “But lately I’ve come to believe that this position doesn’t go far enough — in the sense that it is woefully optimistic. The fact of the matter is that forget backdoors: we barely know how to make encryption work at all.”

Put simply, the flaws found by Green and his students could allow a sufficiently skilled attacker to decrypt iMessage multimedia attachments, including both pictures and video. Although the post mentions that certificate pinning has effectively made iMessage less exposed, a person could theoretically access Apple’s servers and take the attachments anyway in the event of a weakness in a Push Notification Service server.

Green complimented iMessage for using “end-to-end encryption” dating back to 2011, but unfortunately it appears as though Apple uses the term quite loosely. True end-to-end encryption would keep conversations readable only by the people participating in them. Apple’s protection of iMessage does not extend to the server, leaving a gap in its defenses.

If a hacker were to take hold of the key server, they would in turn be able to intercept messages as they are being typed — those that have not already undergone the encryption process. Be that as it may, more threatening is the prospect of attackers making their way into already-encrypted messages, which is totally possible, according to Green and his disciples.

“In the long term,” Green explained, “Apple should drop iMessage like a hot rock and move to Signal/Axolotl.” In the meantime, Green recommends that users update to iOS 9.3 and the latest version of OS X, which implement fixes that mitigate some, though not all, of the vulnerability.

Gabe Carey
Former Digital Trends Contributor
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…