Q

Apple iMessage security: Is iMessage encryption strong enough?

Is Apple iMessage encryption strong enough to mitigate reverse-engineering attacks? Learn more about one of the top iMessage security risks.

I recently read that Apple can use reverse-engineering to read the messages that are sent through its iMessage

service. What is preventing hackers from reverse-engineering my messages, and how can I prevent them from being seen?

Ask the expert

Do you have a security question for Michael Cobb? Submit it now via email! (All questions are anonymous.)

Following Edward Snowden's revelations of the PRISM surveillance program run by the NSA, there has been a lot of debate as to how secure various third-party messaging systems may be. Like most other vendors, Apple has assured that its iMessage conversations are "protected by end-to-end encryption so no one but the sender and receiver can see or read them." However, the company also stated that it "cannot decrypt that data" -- a claim that has sparked controversy with researchers from QuarksLab alleging this is not the case.

So what is the real situation? Should enterprises be concerned?

The end-to-end encryption protecting iMessages uses a random Advanced Encryption Standard key that's encrypted with a Rivest-Shamir-Adleman algorithm key belonging to the recipient. A separate Elliptic Curve Digital Signature Algorithm key is used for authentication. To circumvent these controls an attacker must install fraudulent certificates on the target Apple devices and then set up a rogue server masqueraded as an Apple server to redirect and capture the traffic from both targets. Such a man-in-the-middle attack against the iMessage infrastructure is highly complex and is beyond just about everyone outside of the three-letter agencies. If a device is compromised, it is much simpler to just access the message before it is even encrypted and processed by Apple's servers.

What is a concern, though, is that Apple controls the entire iMessage infrastructure. IMessages are sent to one or more Apple servers and then delivered to one or more devices belonging to the recipient(s). Apple is already playing the role of the man-in-the-middle so could, in theory, introduce fake public keys since it's the mediator of any public key exchanges during an iMessage conversation. Unlike third-party attacks, Apple or a rogue Apple employee could change the proper keys with keys controlled by Apple or other parties without having to ever hack into a user's device. This would allow the company or rogue user to read the content of targeted conversations without any knowledge of interception by the parties exchanging iMessages. The ability to use counterfeit digital credentials is made easier due to Apple's lack of certificate pinning between clients and servers.

The privacy of iMessage is good enough for the average user, but, as with any closed messaging service, users can never be exactly sure of how it works and are reliant on verbal assurances. Operators may even be prevented from admitting if messages are being intercepted by a government order.

To help enterprises mitigate potential risks, QuarksLab developed iMITMProtect, an open source tool that keeps a record of keys retrieved by iMessage on OS X so any changes to keys can be spotted. It's important to note, however, that if the information being exchanged is sensitive to the point that complete secrecy is essential, messaging services like iMessages are simply not an option. Any such messages should be encrypted using certificates issued by a trusted certificate authority -- not by anyone in control of the messaging infrastructure -- and routed through the Internet by a standard mail client such as Thunderbird or Windows Live Mail.

This was first published in March 2014

Dig deeper on Email and Messaging Threats (spam, phishing, instant messaging)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

1 comment

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close