At a time when there is a lot of chatter about how secure instant messaging apps are, Apple has updated the Platform Security conversation to give a better perspective on how the data on your iPhone, iPad, Mac, Apple Watch, Apple TV and HomePod is protected, and indeed on iMessage, FaceTime, iCloud and Car keys, to name a few apps and services. The iMessage and FaceTime security protocols that are in place are perhaps the most relevant for a lot of users, considering messaging is in focus. Apple’s iMessage messaging service, at this time, is available across a variety of Apple devices, including the iPhone, iPad, Apple Watch and Mac computing devices. The FaceTime video and voice calling service is also available across these devices. In a nutshell, and let’s just say a spoiler alert in advance, it may just be a case of move over for WhatsApp, Zoom and a lot of other apps and services that deliver on these two use cases.
Let us look at how iMessage is secured. Apple clarifies from the outset that it does not log the contents of messages or attachments, and all of these are protected by end-to-end encryption. Only the sender and the receiver can access these messages. Apple cannot decrypt this data, something that has often put the tech giant at loggerheads with law enforcement, particularly in the US. For setting up iMessage, a phone number is verified by the carrier network and the SIM, which often requires an SMS to be sent to complete the verification chain. Email addresses can also be used with iMessage, and the iCloud IDs are also verified by a confirmation link.
Apple says that when a user turns on iMessage on a device, the device generates encryption and signing key pairs for use with the service. For encryption, there is an RSA 1280-bit encryption key as well as an EC 256-bit encryption key on the NIST P-256 curve. For signatures, Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit signing keys are used.
Every time you want to send an iMessage to a new contact or start a new conversation, your iPhone or iPad or Mac, for instance, connects to the Apple Identity Service (IDS) to get the public keys and addresses for all devices associated with the ID or contact you are sending the message to. This is to enable seamless delivery of iMessage chats to all devices signed in with the same iCloud ID. Any outgoing message is individually encrypted for each of the receiver’s devices. These are 128-bit keys, a combination of a randomly generated 88-bit value and a 40-bit value constructed with HMAC-SHA256, says Apple.
FaceTime voice and video calls also get set up in a similar way, with SIM authentication if needed. All calls as well as audio and video content are end-to-end encrypted. The FaceTime connection is made through Apple server infrastructure, which relays data packets between the registered devices attempting a FaceTime call. The encryption uses AES-256 and HMAC-SHA1. Group FaceTime can have up to 33 concurrent participants and all group calls are end-to-end encrypted.
The updated Apple Platform Security takes forward Apple’s focus on security and data privacy as the very core foundation of the apps and services that it builds for the iPhone and other devices. The guidelines that are part of the update cover iOS 14.3, iPadOS 14.3, macOS 11.1, tvOS 14.3, and watchOS 7.2 operating systems. “Apple believes privacy is a fundamental human right and has numerous built-in controls and options that allow users to decide how and when apps use their information, as well as what information is being used,” they say, in the documentation.