How to Prevent Apple From Reading Your Messages If you are an iPhone user, and your friends, too, probably use the Apple iMessage app for day-to-day communication. Apart from the app being intuitive and convenient, it also provides to safeguard your conversations. The encryption, by default, can protect your messages from Apple’s eyes, too. end-to-end encryption Last month, there was a report detailing the Problem in the end-to-end encryption of Whatsapp. This time, I would like to take a closer look at another popular messaging platform — Apple iMessage. In General, Apple Cannot Read Your Messages. The iMessage, by design, uses end-to-end encryption in a way that messages from the sender’s Apple device to another Apple device are only viewable by them. Each party contains a unique “key” to open the “envelope” containing the message. As such, without the key, if someone theoretically intercepts the conversation, the message is protected. Fundamentally, this end-to-end encryption works as expected. Only your connected devices and the Apple devices that receive your messages have the keys to unlock and read those messages. Law enforcement or any other third party cannot read your messages without access to your unlocked device, nor Apple can. *Note that only iMessages are encrypted; SMS texts are not encrypted (the other hand shows up as green bubbles in Messages instead of the standard blue). There’s One Problem — iCloud Although messages are encrypted, When we talked about data encryption, we considered three stages of data: it is not always encrypted. Data-in-use Data-in-transit Data-at-rest In this case, iMessage protects your message in data-in-motion primarily. However, if you are like everyone — keeping the messages around in case we want to read them later; few of us delete all texts immediately once they come in — which means the messages stored on the device (data-at-rest) and might need to back up somehow. Here comes the problem, you back up your messages might decide between having a genuinely secure iMessage history and how giving Apple the key to unlock all your conversations. Using iCloud vs. iCloud Backup First of all, let’s talk about . As the name suggests, it backs up your messages to your account and sync across your connected Apple devices. So it’s handy to start a chat on your iPhone and then continue it on your Mac or iPad and doubles as a reliable backup method (messages are stored locally among devices). Messages in iCloud Second, the is for backing up the contents of your iPhone. Besides, an iCloud Backup can store many things, from app data to device settings, configurations, photos and videos, and obviously, messages. So the two aren’t mutually exclusive; you can use both at once. And when you do, though, iCloud Backup Apple keeps your message history separately from your device’s iCloud Backup. iCloud Focuses on Availability, Not Confidentiality As mentioned, — that’s why there’s no way to access your texts on the web (as described above in end-to-end encryption, data-in-use), such as by logging in to . However, there’s one big problem: messages kept in iCloud are end-to-end encrypted icloud.com your iCloud Backup isn’t end-to-end encrypted, i.e., for data-at-rest. Apple does this to provide a “backup” to your Backup. Because Apple doesn’t want you to lose your data forever, imagine that you forget your Apple ID password or your device’s unlock passcode, which means you lost access or lost the key stored on the device. As a result, That’s what would happen if iCloud backups, and the data inside, were end-to-end encrypted. the Backup would be inaccessible forever. To avoid this from happening, iCloud Data Recovery Service can retrieve any data backed up to iCloud that is not encrypted (most of your data). Many people are likely relieved when Apple “saves” their messages in this situation. But for those who are privacy-conscious, sadly, they are likely unsettled. Apple stores the key to opening your encrypted messages within that Backup. In addition, apple’s Apart from messages, information like Keychain, Screen Time, and Health data are included in the iCloud Backup that Apple has the key to decrypt. Fortunately, I cannot find any news or report claiming Apple has ever decrypted users’ messages and data using the keys they have stored in iCloud. But that’s not the problem. Instead, the problem is the possibility that Apple could do so if they wanted to, or, even worse, when they were forced to share the key with law enforcement by order. I want to extend the seriousness of the problem here: if there was a data breach within the iCloud, hackers could acquire the key and thus your data. Because, as you already know, the key is stored with the safe itself. How to Prevent Apple From Peeping Your Messages That’s is pretty straightforward: . That said, you lose the convenience of recovery on any device (or, oppositely, you gave up your privacy when choosing over comfort). On the other hand, your privacy is preserved without storing your end-to-end encryption key and the rest of your messages in plaintext. Don’t use iCloud Backup to store old texts Of course, that doesn’t mean you can’t back up your messages. Messages in iCloud are still end-to-end encrypted, which implies that even though you’re saving those messages in the cloud, Apple doesn’t have the key to decrypt them. If you are using iCloud Backup, you can turn it off by: . Settings > Apple ID > iCloud > iCloud Backup Ensure the toggle next to is gray. iCloud Backup When you disable iCloud Backup, your last Backup will remain in the cloud for 180 days. That means is that once iCloud Backup is disabled, a new key is generated for future messages; from here on out, your new messages are protected. you need to wait half a year until you can be assured Apple no longer has the key to your messages on its servers. However, the good news Alternative Backup Method If you want to use the secure Messages in iCloud feature to Backup and sync your conversations, you can check its status from the iCloud settings page: the toggle next to should be green. Messages If you want an alternative backup solution, you can: Use your iPhone to your computer via Finder (macOS Catalina or later) or iTunes (Windows or macOS Mojave or earlier). Apple has an easy-to-follow for data backup locally. guide If you want to enhance the availability of your Backup (in case the local copies are corrupted or lost), before you upload it to the iCloud or other storage services, But remember, (no matter it is a password, certificate, or token). you can encrypt those backups. please keep the encryption key safe and secure Final Words — You’re Never Fully Protected Using iMessage You can take the steps above to make sure that the messages on your side are end-to-end encrypted. But you need to know that most of us do not talk to ourselves using the messaging platform; we speak to someone else. Thus, there’s no way to know if the person you are texting has iCloud Backup enabled. And if they do, that would give Apple the encryption key to all the messages you sent that person. You can’t control the actions of everyone you text. Moreover, even if you know the messages never leave the devices of the people involved in the conversation, or even better, you use messaging apps like Signal to send self-deleted messages; nothing stops other people from taking photos of your discussions or handing their device over to another party. This is what we are facing — . But we should try our best with the data on our reach to control and encourage those around us to employ privacy practices and cyber hygiene. the problem of trust versus the control of our privacy Thank you for reading. May InfoSec is with you🖖.

Apple

Transit

Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.

You're Never Fully Protected Using iMessage

Too Long; Didn't Read

Companies Mentioned

Zen Chan

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...