Apple iMessage research sparks corporate security debate

Research that counters Apple's claim it can't intercept communications on iMessage highlights the precautions companies should take when using IM

Researchers at the Hack in the Box conference in Kuala Lumpur Thursday showed that Apple, on its own or at the order of the U.S. government, could harvest messages sent over its proprietary service, which lets people using Apple mobile devices send text messages for free.


Apple has said that its end-to-end encryption prevents the company or anyone else from descrambling the messages. That claim is "just basically lies," Cyril Cattiaux, a developer of iOS jailbreak software and a researcher at Quarkslab, said, as reported by IDG News Service.

Whether the IM service is from Apple or another vendor, if the communications are sensitive, then companies need to incorporate additional security, experts say.

"If you're concerned about trusting Google or Apple with your data, but still want to use their hosted services, you need to use another layer of encryption," Zak Dehlawi, senior security engineer for Security Innovation, said.

"For example, you can use Off-the-Record Messaging with many of these instant messenger protocols to encrypt your conversations. Or, if you're concerned about your email provider, you can encrypt emails with S/MIME or PGP certificates."

The iMessage encryption architecture uses pairs of private and public keys, with the public keys held in a directory on an Apple server. When an iPhone or iPad user is ready to send an iMessage, the recipient's public key is downloaded to the device, which then encrypts the message and sends it on its way.

The receiving device is the only place where the private key needed to decrypt the message resides. However, Apple has full control over the public key directory, so it could return additional public keys for a recipient, causing the sending device to encrypt the message to those keys as well and route a readable copy elsewhere, according to the researchers.

"The biggest problem here is you just cannot control that the public key you are using when you are ciphering the message is really the key of your recipient and not, for example, the public key of some guy in Apple," Cattiaux said.
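The key-directory trust problem Cattiaux describes, as an added example that is not part of the original article or of Apple's implementation: a simulated provider-run directory returns more keys for a recipient than the recipient actually holds, and the sending side refuses to encrypt to any key whose fingerprint it has not verified out of band (the same idea behind the fingerprint checks in OTR and PGP). All addresses, keys, the directory contents and the helper names are constructed for this illustration; keys are opaque byte strings because the point is key identity, not the cipher.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: a minimal model of a provider-run public key directory.
# Bob's entry carries a second key that Bob's device does not hold, standing in
# for a key a directory operator could add. Keys are opaque bytes here.
DIRECTORY = {
    "alice@example.com": [b"alice-device-key-0001"],
    "bob@example.com": [b"bob-device-key-0001", b"extra-key-added-by-provider"],
}


def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint of a public key, of the kind two people
    compare out of band (in person or over a phone call)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class PinStore:
    """Fingerprints the sender has verified out of band, per recipient.
    Anything not in here is untrusted regardless of what the directory says."""
    pins: dict = field(default_factory=dict)

    def pin(self, recipient: str, pubkey: bytes) -> None:
        self.pins.setdefault(recipient, set()).add(fingerprint(pubkey))


def select_recipient_keys(recipient: str, store: PinStore, directory=DIRECTORY):
    """Split the directory's keys for a recipient into (accepted, rejected).

    accepted: keys whose fingerprint the sender verified out of band; only
              these may be used to encrypt.
    rejected: fingerprints of keys the directory returned but the sender never
              verified. A non-empty list is the signal to alert the user that
              the directory is serving keys the recipient may not hold.
    """
    verified = store.pins.get(recipient, set())
    accepted, rejected = [], []
    for key in directory.get(recipient, []):
        if fingerprint(key) in verified:
            accepted.append(key)
        else:
            rejected.append(fingerprint(key))
    return accepted, rejected


def main() -> None:
    store = PinStore()
    # Sender has compared Bob's device fingerprint with him out of band.
    store.pin("bob@example.com", b"bob-device-key-0001")
    for recipient in ("bob@example.com", "alice@example.com"):
        accepted, rejected = select_recipient_keys(recipient, store)
        print(f"{recipient}: encrypt to {len(accepted)} verified key(s)")
        for fp in rejected:
            print(f"  WARNING: directory returned unverified key {fp}; not used")


if __name__ == "__main__":
    main()
```

The directory is still needed to fetch keys, but it is no longer the sole authority on who they belong to: a key the provider adds is refused rather than silently encrypted to, and the warning gives the user something to act on. The cost is the out-of-band verification step, which is exactly the work a transparent provider-run directory lets users skip.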

Nevertheless, Apple has maintained that it cannot unscramble iMessages. In June, the company, which does not discuss its security architectures, issued a statement that said conversations over iMessage were "protected by end-to-end encryption, so no one but the sender and receiver can see or read them. Apple cannot decrypt that data."

Apple issued the statement following media reports that it, Google, Microsoft and other major Internet companies were feeding customer communications to the National Security Agency as part of its anti-terrorism program. The revelations stemmed from documents leaked by former NSA contractor Edward Snowden.


Many experts consider Apple's encryption claims overblown.

"Apple has surrounded iMessage with a lot of mysticism, and security practitioners have shown it to have several gaps in security," Ken Pickering, director of engineering for CORE Security, said.

"It's still better than SMS, but a lot worse than an encrypted email service."

With any encryption architecture that involves public keys held by a provider, there is never a guarantee that the provider will not misuse the key, said Jeremy Scott, senior research analyst at Solutionary.

"The encryption is only as good as the trust (in the provider)," Scott said.

By Antone Gonsalves
