In a discussion with some senior members of Apple’s engineering and security teams, Rich Mogull learned some interesting details about the company’s security approach, and found that iMessage is much more secure than we think (via SixColors). In a recent blog post, Mogull gives an overview of how Apple has designed the security of iMessage.
He explains that users can’t add devices to an iCloud account without triggering an alert because that analysis happens on your device. “Apple put the security logic in each device, even though the system still needs a central authority. Basically, they designed the system to not trust them,” he writes.
According to the Electronic Frontier Foundation, iMessage is one of the more highly rated secure messaging systems available to consumers. While it may not be perfect, it is extremely secure considering that its security is basically invisible to end users and that it is in active use on almost a billion devices.
Here’s a simplified overview of how iMessage security works:
- Each device tied to your iCloud account generates its own public/private key pair, and sends the public key to an Apple directory server. The private key never leaves the device, and is protected by the device’s Data Protection encryption scheme (the one getting all the attention lately).
- When you send an iMessage, your device checks Apple’s directory server for the public keys of all the recipients (across all their devices) based on their Apple ID (iCloud user ID) and phone number.
- Your phone encrypts a copy of the message to each recipient device, using its public key. I currently have five or six devices tied to my iCloud account, which means if you send me a message, your phone actually creates five or six copies, each encrypted with the public key for one device.
- For you non-security readers, a public/private keypair means that if you encrypt something with the public key, it can only be decrypted with the private key (and vice-versa). I never share my private key, so I can make my public key… very public. Then people can encrypt things which only I can read using my public key, knowing nobody else has my private keys.
- Apple’s Push Notification Service (APN) then sends each message to its destination device.
- If you have multiple devices, you also encrypt and send copies to all your own devices, so each shows what you sent in the thread.
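
The per-device fan-out described in the list above, as an added sketch that is not Apple's code or Mogull's: the in-memory `DIRECTORY`, the `Device` class, and the toy ElGamal-style cipher are assumptions chosen so the example runs with only the Python standard library. The cipher is a stand-in for real public-key encryption and must not be used to protect data.

```python
import hashlib, hmac, secrets

# Toy ElGamal-style stand-in from the standard library: NOT Apple's algorithms, NOT secure.
P, G = 2**255 - 19, 2

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)                      # (private, public)

def keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def derive(shared):
    seed = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def seal(pub, msg):
    eph_priv, eph_pub = keygen()                      # fresh ephemeral key per copy
    enc, mac = derive(pow(pub, eph_priv, P))
    ct = bytes(a ^ b for a, b in zip(msg, keystream(enc, len(msg))))
    return eph_pub, ct, hmac.new(mac, ct, "sha256").digest()

def unseal(priv, sealed):
    eph_pub, ct, tag = sealed
    enc, mac = derive(pow(eph_pub, priv, P))
    if not hmac.compare_digest(tag, hmac.new(mac, ct, "sha256").digest()):
        raise ValueError("copy was not encrypted to this device")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc, len(ct))))

class Device:
    def __init__(self, name):
        self.name = name
        self._priv, self.pub = keygen()               # private key stays on the device
    def receive(self, sealed):
        return unseal(self._priv, sealed)

DIRECTORY = {}   # hypothetical directory server: account -> {device name: public key}
def register(account, device):
    DIRECTORY.setdefault(account, {})[device.name] = device.pub

def send(account, from_device, recipients, text):
    # One sealed copy per recipient device, plus one per other device of the sender.
    copies = {}
    for acct in [*recipients, account]:
        for name, pub in DIRECTORY[acct].items():
            if (acct, name) != (account, from_device):
                copies[(acct, name)] = seal(pub, text.encode())
    return copies
```

Each value in the returned dictionary can be opened only by the device whose public key sealed it; handing a copy to any other device raises `ValueError`.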
While features like iCloud Keychain and Keychain Backup use a different security approach, FaceTime uses a security mechanism similar to iMessage’s, with complete end-to-end encryption.