From iMessage to Lightning cables, here’s how Apple secures your digital life

apple imessage ios lightning icloud security

We rely on our smartphones, tablets, and computers, so digital security matters to us whether we know anything about it or not. But it’s also tough to understand: we have little choice but to trust that when a company says it’s doing everything it can to keep our data and information secure, they’re actually doing it. They’re the experts, right? You know, like Target. And Adobe. And Yahoo. And Facebook. And many, many others.

Apple is not immune to security problems (it just patched a huge SSL bug in iOS and OS X – if you haven’t updated, back up and do it now). But unlike other big tech players, the company has published a detailed overview of its security measures, answering key questions about how Apple secures users’ passwords, data, and messages, and devices – an unusually public statement from such a famously secretive company.

The upshot: Apple takes this stuff very seriously – and perhaps differently than other companies. Here are a few examples.

The (private) keys are in your hands

Much of Apple’s security infrastructure relies on public key cryptography, also called asymmetric cryptography – a widely-accepted idea that’s been around since the 1970s. (Read up on how public key encryption works here.)

Even if someone cracks Apple’s servers, Apple probably won’t have much (or any) iMessage data to turn over.

Public-key cryptography is only as secure as the private key – which you, and only you, should have. If your private key is published, copied, or stolen, your data is not secure. Apple has consistently claimed it can’t snoop on iMessage and FaceTime even if it wanted to; that claim was challenged by several security researchers (Matthew Green laid out a succinct-but-technical argument) because Apple can restore recent iMessages to a new device if (say) you lose your iPhone. Therefore, Apple must be able to decrypt your messages, right?

Well, no. It turns out Apple only has the public keys for services like iMessage and FaceTime, but the private keys never leave a particular iOS device. Apple uses those public keys to encrypt every iMessage separately for every device (and only that device). Further, Apple deletes iMessages once they’re successfully delivered (or after seven days if they’re not received) so they don’t linger long on Apple’s servers. (Photos and long messages get encrypted separately, subject to the same deletion rules.) That means even if someone cracks Apple’s servers (or a government serves them a subpoena), Apple probably won’t have much (or any) iMessage data to turn over. Apple also alerts users immediately when a new device is added to their account, hopefully preventing someone from illicitly adding a device so they can receive their own copies of your messages.

What about your Keychain?

Apple’s iCloud keychain handles sensitive data – like passwords and credit card numbers – and keeps them synchronized between devices. So iCloud must keep a copy of that data to do the syncing, right? Well, no.


Apple uses a similar public-keys-only method to synchronize Keychain items. Apple encrypts each item separately for each device, and Apple only syncs one item at a time as needed, making it very difficult for an attacker to capture all your Keychain data, even if Apple’s core system was compromised. To get your Keychain, an attacker would need both your iCloud password and one of your approved devices to add one of their own – along with fervent prayers you never see those notices Apple sends immediately when a new device is added.

Okay, so what about the optional iCloud Keychain Recovery? Apple must have all your Keychain data in order to restore it all, right? Well, yes. But Apple’s done something clever here too. By default, Apple encrypts Keychain Recovery data with Hardware Security Modules (HSMs), hardened devices used by banks and governments to handle encryption tasks. Apple has programmed the HSMs to delete your data after ten failed attempts to access it. (Before that, users have to contact Apple directly before making more attempts.) To prevent anyone from reprogramming the HSMs to change their behavior, Apple says it has destroyed the administrative access cards that allow firmware changes.

Even Apple can’t change the system without physically replacing whole clusters of HSMs in their data centers – which is a pretty intense physical security barrier for would-be attackers. And even if they pulled that off, the attack would only work on newly-stored Keychains: existing ones would still be safe.

Lightning in a bottle

Apple has confirmed long-standing suspicions that manufacturers in Apple’s Made for iPhone program must include a cryptographic circuit supplied by Apple for Bluetooth, Wi-Fi, or Lightning access to iOS devices. The circuit proves a device is authorized by Apple; without it, iOS accessories are limited to analog audio and audio playback controls: enough for speakers, but no access your apps or data. Some might argue this custom chip is an example of Apple forcing you to buy its own products, but it also means the odds are very low that plugging in somewhere to charge your device will compromise its security.

Tip of the iceberg

Apple’s white paper discusses many other technologies like Siri (including how long Apple holds on to data), the 64-bit A7 processor, and the iPhone 5S’s TouchID feature (Apple estimates the odds of a random fingerprint matching yours are about 1 in 50,000), and how apps and data are secured within iOS itself. Security experts will be pondering the contents for a long time.

Some might argue this custom chip is an example of Apple forcing you to buy its own products.

None of this makes Apple devices or services immune from attack or flaws. Apple could be leaving out important information, or it could simply be blowing smoke – Apple certainly isn’t going to allow teams of fact-checkers into its data centers. But there’s little reason to doubt Cupertino’s authenticity here. Moreover, the paper again reveals Apple to be a very different from the Googles and Facebooks of the world, which thrive off monitoring our communications and personal data. 

Apple’s paper is a solid step forward. One could hope it will inspire other companies to detail how they keep users’ data secure – but I wouldn’t hold my breath.


Leave the laptop at home, the iPad Pro is the travel buddy to take on vacay

The iPad Pro is a powerful tablet that's perfect for creatives and professionals. How does it fare when traveling with it as a laptop replacement? We took it on a two week trek in Japan to find out.

Which Macs are compatible with MacOS Mojave?

Is your computer ready for Apple's big Mojave update? Here's what you need to know about MacOS Mojave compatibility, what Macs can successful download Mojave, and the requirements you need to know about.

How to connect AirPods to your MacBook

If you have new AirPods, you may be looking forward to pairing them with your MacBook. Our guide will show you exactly how to connect AirPods to MacBook, what to do if they are already paired with a device, and more.

Want to watch Netflix in bed or browse the web? We have a tablet for everyone

There’s so much choice when shopping for a new tablet that it can be hard to pick the right one. From iPads to Android, these are our picks for the best tablets you can buy right now whatever your budget.

How do Nintendo Switch, Xbox One X compare to each other? We find out

The Nintendo Switch is innovative enough to stand apart from traditional consoles, but could it become your primary gaming system? How does the Switch stack up against the Xbox One?

Google Maps makes it easier than ever to find a Lime bike or scooter

Google Maps has added a new feature that helps you find a Lime bike or scooter in just a few taps. The feature currently works in 11 U.S. cities served by Lime, with more coming next year.

Ditch your smartphone for a year and win $100k from Vitaminwater

Vitaminwater is willing to part with $100,000 if you're willing to part with your smartphone partner for a year. Could you last for a year armed with only a 1996-era phone? Here's your chance to find out.

Quirky smartphone accessories you never knew you needed

Looking for a few accoutrements to make your smartphone even better? If you, or someone you know, is a sucker for accessories, you'll want to check out our collection of quirky smartphone accessories you never knew you needed.

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.

Walmart drops prices on Apple Watches and other fitness trackers

Smartwatches, fitness trackers, and wearable heart rate monitors from Apple, Samsung, Fitbit, and Garmin are popular gifts. Wearables are smarter and more capable than in earlier years. We found the best wearables deals on Walmart.

The best Wear OS watches

There are a ton of different Wear OS watches out there, but which one's right for you? No matter what you're looking for from a smartwatch, here are the best Wear OS watches out there.
Emerging Tech

Capture app saves money by 3D scanning objects using iPhone’s TrueDepth camera

Capture is a new iPhone app created by the Y Combinator-backed startup Standard Cyborg. It allows anyone to perform 3D scans of objects and share them with buddies. Here's how it works.
Home Theater

How to master your equalizer settings for the perfect sound

You may know what an EQ is, but do you know how to adjust equalizer settings for the best possible sound? We go through the basics of the modern EQ and lay out some guidelines for how to achieve tip-top sound from your system.

How to switch from iPhone to Android: The ultimate guide

If you've decided to bridge the great tech divide and leave Apple's walled garden for the unknown shores of Android, then you'll find all the tips and advice you need to begin switching from an iPhone to an Android device.