From iMessage to Lightning cables, here’s how Apple secures your digital life

apple imessage ios lightning icloud security

We rely on our smartphones, tablets, and computers, so digital security matters to us whether we know anything about it or not. But it’s also tough to understand: we have little choice but to trust that when a company says it’s doing everything it can to keep our data and information secure, they’re actually doing it. They’re the experts, right? You know, like Target. And Adobe. And Yahoo. And Facebook. And many, many others.

Apple is not immune to security problems (it just patched a huge SSL bug in iOS and OS X – if you haven’t updated, back up and do it now). But unlike other big tech players, the company has published a detailed overview of its security measures, answering key questions about how Apple secures users’ passwords, data, and messages, and devices – an unusually public statement from such a famously secretive company.

The upshot: Apple takes this stuff very seriously – and perhaps differently than other companies. Here are a few examples.

The (private) keys are in your hands

Much of Apple’s security infrastructure relies on public key cryptography, also called asymmetric cryptography – a widely-accepted idea that’s been around since the 1970s. (Read up on how public key encryption works here.)

Even if someone cracks Apple’s servers, Apple probably won’t have much (or any) iMessage data to turn over.

Public-key cryptography is only as secure as the private key – which you, and only you, should have. If your private key is published, copied, or stolen, your data is not secure. Apple has consistently claimed it can’t snoop on iMessage and FaceTime even if it wanted to; that claim was challenged by several security researchers (Matthew Green laid out a succinct-but-technical argument) because Apple can restore recent iMessages to a new device if (say) you lose your iPhone. Therefore, Apple must be able to decrypt your messages, right?

Well, no. It turns out Apple only has the public keys for services like iMessage and FaceTime, but the private keys never leave a particular iOS device. Apple uses those public keys to encrypt every iMessage separately for every device (and only that device). Further, Apple deletes iMessages once they’re successfully delivered (or after seven days if they’re not received) so they don’t linger long on Apple’s servers. (Photos and long messages get encrypted separately, subject to the same deletion rules.) That means even if someone cracks Apple’s servers (or a government serves them a subpoena), Apple probably won’t have much (or any) iMessage data to turn over. Apple also alerts users immediately when a new device is added to their account, hopefully preventing someone from illicitly adding a device so they can receive their own copies of your messages.

What about your Keychain?

Apple’s iCloud keychain handles sensitive data – like passwords and credit card numbers – and keeps them synchronized between devices. So iCloud must keep a copy of that data to do the syncing, right? Well, no.

iMessage

Apple uses a similar public-keys-only method to synchronize Keychain items. Apple encrypts each item separately for each device, and Apple only syncs one item at a time as needed, making it very difficult for an attacker to capture all your Keychain data, even if Apple’s core system was compromised. To get your Keychain, an attacker would need both your iCloud password and one of your approved devices to add one of their own – along with fervent prayers you never see those notices Apple sends immediately when a new device is added.

Okay, so what about the optional iCloud Keychain Recovery? Apple must have all your Keychain data in order to restore it all, right? Well, yes. But Apple’s done something clever here too. By default, Apple encrypts Keychain Recovery data with Hardware Security Modules (HSMs), hardened devices used by banks and governments to handle encryption tasks. Apple has programmed the HSMs to delete your data after ten failed attempts to access it. (Before that, users have to contact Apple directly before making more attempts.) To prevent anyone from reprogramming the HSMs to change their behavior, Apple says it has destroyed the administrative access cards that allow firmware changes.

Even Apple can’t change the system without physically replacing whole clusters of HSMs in their data centers – which is a pretty intense physical security barrier for would-be attackers. And even if they pulled that off, the attack would only work on newly-stored Keychains: existing ones would still be safe.

Lightning in a bottle

Apple has confirmed long-standing suspicions that manufacturers in Apple’s Made for iPhone program must include a cryptographic circuit supplied by Apple for Bluetooth, Wi-Fi, or Lightning access to iOS devices. The circuit proves a device is authorized by Apple; without it, iOS accessories are limited to analog audio and audio playback controls: enough for speakers, but no access your apps or data. Some might argue this custom chip is an example of Apple forcing you to buy its own products, but it also means the odds are very low that plugging in somewhere to charge your device will compromise its security.

Tip of the iceberg

Apple’s white paper discusses many other technologies like Siri (including how long Apple holds on to data), the 64-bit A7 processor, and the iPhone 5S’s TouchID feature (Apple estimates the odds of a random fingerprint matching yours are about 1 in 50,000), and how apps and data are secured within iOS itself. Security experts will be pondering the contents for a long time.

Some might argue this custom chip is an example of Apple forcing you to buy its own products.

None of this makes Apple devices or services immune from attack or flaws. Apple could be leaving out important information, or it could simply be blowing smoke – Apple certainly isn’t going to allow teams of fact-checkers into its data centers. But there’s little reason to doubt Cupertino’s authenticity here. Moreover, the paper again reveals Apple to be a very different from the Googles and Facebooks of the world, which thrive off monitoring our communications and personal data. 

Apple’s paper is a solid step forward. One could hope it will inspire other companies to detail how they keep users’ data secure – but I wouldn’t hold my breath.

Mobile

Verizon is launching real standards-based 5G in 30 cities in 2019

Verizon is in the midst of a massive 5G rollout. In addition to fixed 5G service, it will also begin deploying mobile 5G in the coming months. Here's everything you need to know about Verizon's 5G network and when it will be in your town.
Computing

Delete tracking cookies from your system by following these quick steps

Cookies are useful when it comes to saving your login credentials and other data, but they can also be used by advertisers to track your browsing habits across multiple sites. Here's how to clear cookies in the major browsers.
Home Theater

Here's a handy guide to mirroring your favorite devices to your TV screen

A vast arsenal of devices exists to allow sending anything on your mobile device (or PC) to your TV. Our in-depth guide shows you how to mirror content from your smartphone or tablet to the big screen.
Movies & TV

ESPN Plus is a great sports companion. Here's everything you need to know

ESPN's streaming service, ESPN Plus, arrived in 2018. Despite appearances, ESPN Plus isn't a replacement for your ESPN cable channels, and it differs from other streaming apps in a few key ways. We answer all your questions in this guide.
Smart Home

Your office is a mess, and it’s making Marie Kondo cry. Here’s how to tidy it up

Here's how to "Marie Kondo" your office. If you've been inspired to remove clutter and create a minimalistic workspace that makes you happy and helps you focus on what matters, then we have ideas that you'll want to try.
Deals

Stay fit and save cash with our top 10 affordable Fitbit alternatives

As much as we love Fitbits, they're rather expensive. If all you want is a simple activity tracker, however, then check out these great cheap Fitbit alternatives. With offerings from brands like Garmin, you don't need to pay full price.
Mobile

Samsung’s wide range of Galaxy products means there’s something for everyone

Samsung launched a host of new products on February 20, with prices ranging from just $35, all the way up to nearly $2,000. This was not by chance, and the company believes it has something for everyone in 2019.
Mobile

Samsung Galaxy S10e vs. OnePlus 6T: Can the Flagship Killer survive?

The Samsung Galaxy S10e is the new affordable flagship on the block, but at $750, it's $200 more than the OnePlus 6T. Does the Flagship Killer stand a chance against the new generation of flagship devices? Let's take a closer look.
Deals

Make some time for the best smartwatch deals for February 2019

Smartwatches make your life easier by sending alerts right on your wrist. Many also provide fitness-tracking features. So if you're ready to take the plunge into wearables and want to save money, read on for the best smartwatch deals.
Product Review

Samsung’s Galaxy Buds are a brilliant combination of value and comfort

With six hours of battery life, an extremely comfortable fit, sweatproofing, and a very palatable price tag, Samsung’s Galaxy Buds are putting all other true wireless earbuds on notice.
Deals

Amazon drops a sweet deal on the Kate Spade Scallop smartwatch for women

Unlike many other smartwatches geared toward women, the Kate Spade Scallop offers a more chic and minimalistic look. With this Amazon sale going on right now, you can get it for $109 off its retail price.
Cars

Lyft’s Shared Saver service offers cheaper rides, but you’ll have to walk a little

Lyft has launched a new ride option called Shared Saver that offers cheaper rides if you're willing to walk a little. Shared Saver designates a nearby pick-up point and drops you off a short distance from your final destination.
Deals

The 5 best Apple AirPods alternatives for Android, Windows, and iOS devices

Apple AirPods, nice as they are, aren't the only game in town. Other makers are offering their own truly wireless earbuds, and if you're looking to buy a pair of high-end in-ear headphones, we've got the best AirPod alternatives on the…
Mobile

Samsung Galaxy S10e vs. iPhone XR: Cut-price flagship showdown

The Samsung Galaxy S10 range has been revealed, and it heralds a new age of powerful technology. The Galaxy S10e packs the new power and design into a cheaper price point. But is it better than the iPhone XR?