Researchers at the Hack in the Box conference in Kuala Lumpur Thursday showed that Apple on its own or per orders by the U.S. government could harvest messages sent over its proprietary service, which lets people using Apple mobile devices send text messages for free.
Apple has said that its end-to-end encryption prevents the company or anyone else from descrambling the messages. That claim is "just basically lies," Cyril Cattiaux, a developer of iOS jailbreak software and a researcher at Quarkslab, said, as reported by IDG News Service.
Whether the IM service is from Apple or another vendor, if the communications are sensitive, then companies need to incorporate additional security, experts say.
"If you're concerned about trusting Google or Apple with your data, but still want to use their hosted services, you need to use another layer of encryption," Zak Dehlawi, senior security engineer for Security Innovation, said.
"For example, you can use Off-the-Record Messaging with many of these instant messenger protocols to encrypt your conversations. Or, if you're concerned about your email provider, you can encrypt emails with S/MIME or PGP certificates."
The iMessage encryption architecture is a combination of private and public keys, with the latter held on an Apple server. When an iPhone or iPad user is ready to send an iMessage, a public key for the recipient is downloaded to the device, which then encrypts the message and sends it on its way.
The receiving device is the only place where the private key resides to decrypt the message. However, Apple has full control over the public key directory, making it possible to send additional public keys that also route the message to other places, according to the researchers.
"The biggest problem here is you just cannot control that the public key you are using when you are ciphering the message is really the key of your recipient and not, for example, the public key of some guy in Apple," Cattiaux said.
Nevertheless, Apple has maintained that it cannot unscramble iMessages. In June, the company, which does not discuss its security architectures, issued a statement that said conversations over iMessage were "protected by end-to-end encryption, so no one but the sender and receiver can see or read them. Apple cannot decrypt that data."
Apple issued the statement following media reports that it, Google, Microsoft and other major Internet companies were feeding customer communications to the National Security Agency as part of its anti-terrorism program. The revelations stemmed from documents leaked by former NSA contractor Edward Snowden.
Apple's encryption claims are overblown to many experts.
"Apple has surrounded iMessage with a lot of mysticism, and security practitioners have shown it to have several gaps in security," Ken Pickering, director of engineering for CORE Security, said.
"It's still better than SMS, but a lot worse than an encrypted email service."
With any encryption architecture that involves public keys, there's never a guarantee that the key won't be misused by the provider, said Jeremy Scott, senior research analyst at Solutionary.
"The encryption is only as good as the trust (in the provider)," Scott said.