Despite FBI whining, iMessage isn’t invincible after all, researcher claims

FBI director James Comey has been campaigning against Apple and Google’s decision to introduce “end-to-end” encryption on the companies’ respective smartphones since they announced it last fall. Most recently, Comey testified before the Senate Judiciary Committee about the dangers of encryption and asked Senators to pressure tech companies into rolling it back so that the contents of smartphones would be accessible to law enforcement. Comey argued that criminals are “going dark,” hiding evidence of their wrongdoing behind encryption that his agency cannot break.

However, Comey’s arguments about encryption don’t align with how iPhone encryption actually works, claims computer-security researcher Nicholas Weaver. In a post on the blog Lawfare on Tuesday, Weaver points out that, even if encryption protects the contents of your iMessages, the FBI can still obtain plenty of information about you from your iPhone — for instance, your location data and your iMessage metadata would both be accessible to law enforcement with a warrant.

Crucially, Weaver also points out that iPhone users who enable iCloud backups would be vulnerable to an FBI search warrant. iCloud backs up the contents of messages to Apple’s servers, making the messages themselves easily accessible — a far cry from the inaccessibility described by Comey before the Senate Judiciary Committee.

“Finally, there is iMessage, whose ‘end-to-end’ nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes,” Weaver explains. Even though Apple CEO Tim Cook has claimed that there is no way for the company to read users’ iMessages, Weaver points out that it is possible to compromise the cryptography used to encrypt these messages.

Some encryption systems use a public keyserver, where users can look up and independently verify each other’s keys. However, Apple’s keyserver is private, so users have no way to independently verify each other’s keys. Apple could collaborate with law enforcement to provide a false key, thereby intercepting a specific user’s messages, and the user would be none the wiser. Weaver writes, “There remains a critical flaw: There is no user interface for Alice to discover (and therefore independently confirm) Bob’s keys. Without this feature, there is no way for Alice to detect that an Apple keyserver gave her a different set of keys for Bob. Without such an interface, iMessage is ‘backdoor enabled’ by design: The keyserver itself provides the backdoor.” Weaver says this vulnerability could also be used to tap into FaceTime calls.
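The check Weaver says is missing can be sketched in a few lines. This is an added example, not code from Weaver, Apple or Signal: `KeyPinStore`, `fingerprint` and the sample keys are hypothetical names and constructed values, and it assumes the client can see the raw key set a directory returns for a contact.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """First 128 bits of SHA-256 over the key, grouped for reading aloud."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def matches_out_of_band(served_key: bytes, spoken: str) -> bool:
    """Compare a served key with a fingerprint Bob gave over another channel."""
    normalize = lambda s: "".join(s.lower().split())
    return normalize(fingerprint(served_key)) == normalize(spoken)

class KeyPinStore:
    """Hypothetical trust-on-first-use store: contact -> pinned fingerprint set."""

    def __init__(self):
        self._pins = {}

    def check(self, contact, served_keys):
        """Return (status, added, removed) for the key set the directory served."""
        seen = frozenset(fingerprint(k) for k in served_keys)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = seen          # first contact: nothing to compare
            return ("first-use", sorted(seen), [])
        if seen == pinned:
            return ("unchanged", [], [])
        # Pin is NOT updated here: a change stays flagged until a person confirms it.
        return ("changed", sorted(seen - pinned), sorted(pinned - seen))

    def accept(self, contact, served_keys):
        """Re-pin after the user has verified the new fingerprints with the contact."""
        self._pins[contact] = frozenset(fingerprint(k) for k in served_keys)

# Constructed sample keys (opaque byte strings standing in for real public keys).
BOB_PHONE = b"constructed sample key: bob phone"
BOB_LAPTOP = b"constructed sample key: bob laptop"
EXTRA = b"constructed sample key: key bob never registered"

def demo():
    store = KeyPinStore()
    first = store.check("bob", [BOB_PHONE, BOB_LAPTOP])
    same = store.check("bob", [BOB_LAPTOP, BOB_PHONE])
    later = store.check("bob", [BOB_PHONE, BOB_LAPTOP, EXTRA])
    return first[0], same[0], later

if __name__ == "__main__":
    print(demo())
```

Pinning alone cannot vouch for the keys served on first contact, and a new key may simply be a new device, which is why the fingerprint comparison over a separate channel is the part that gives Alice independent confirmation.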

“If one desires confidentiality, I think the only role for iMessage is instructing someone how to use Signal [an open-source encrypted messaging app],” Weaver concludes.

Kate Conger
Former Contributor
Kate is a freelance writer who covers digital security. She has also written about police misconduct, nail polish, DARPA…