How secure is iMessage?

Apple users often believe their devices are more secure than those running Android. And yes, Apple’s sandboxing does indeed help keep all manner of nasties out. However, life doesn’t exist in a bubble. There are times when you might like to send a message to an Android-user – so how secure is iMessage?

We advise that you don’t send anything sensitive. Similarly, it’s wise not to use the default settings for iCloud Backup for particularly sensitive messages. We’ll explain why below.

How does iMessage security work?

Apple iMessage is a messaging service for iOS and iPadOS devices, Apple Watch and Mac computers. It works across registered devices, enabling users to continue conversations while switching between their iPhone and iPads, for example.

When a user tries to send a message, the device first searches the Apple Identity Service (IDS)  to locate the person they’re sending the message to.

The IDS stores the public keys that are used in asymmetric encryption. If you’re new to cryptography, asymmetric encryption like RSA uses public and private keys to keep data safe. Messages encrypted with a public key can only be decrypted using the associated private key.

In the case of iMessage, the private keys are saved in the device’s keychain. They are only available after the device is first unlocked. The IDS also stores the receiving device’s Apple Push Notification service (APNs) address. This is needed to properly route the message.

Once the sending device has obtained the recipient’s public keys and their device’s APN address, the message undergoes encryption before being signed for authenticity. If you’re interested, Apple provides a detailed explanation of what happens in the background.

The resulting message consist of:

  • The encrypted message text
  • The encrypted message key
  • The sender’s digital signature

The message is then dispatched to the APNs for delivery.

As you can infer from the above, iMessage itself is very secure when sending messages to other Apple devices. It uses effectively uncrackable encryption and ensures that the relevant keys are given to the sender and recipient.

Apple’s Legal Process Guidelines provide Government and Law Enforcement with guidance to what is – and isn’t – possible with relation to its users’ data. The company is clear that it “has no way to decrypt iMessage data when it is in transit between devices”. Furthermore, it “cannot intercept iMessage communications” and “does not have iMessage communication logs”.

What it can do is provide “iMessage capability query logs”. These logs indicate when a query has been initiated by iMessages and routed to Apple’s servers for a lookup handle to determine whether that lookup handle is “iMessage capable”.

However, iMessage capability query logs are of limited use to investigators for the following reasons:

  • The logs do not indicate that any communication between customers actually took place.
  • Apple cannot identify the actual application that initiated the query.
  • iMessage capability query logs do not confirm that an iMessage event was actually attempted.

When iMessage isn’t secure

Although iMessage is generally secure, it’s not perfect. We discuss the instances where the security of messages is at risk below.

iCloud Backup

The majority of people with iPhones and iPads have iCloud Backup enabled. After all, it’s reassuring to know that your messages are safe if something should happen to your device. What some users don’t realize is that the default setting for iCloud Backup doesn’t use end-to-end encryption.

Apple has two options for storing data in iCloud: Standard Data Protection and Advanced Data Protection.

Standard data protection is the default setting used for iCloud Backup. It encrypts your data, which is great. However, the encryption keys are stored in Apple data centers. This means Apple can access your messages.

If this bothers you, make sure you opt for Advanced Data Protection. This setting means your devices have sole access to the encryption keys for iCloud Backup data.

If you’d like to turn on Advanced Data Protection for iCloud, do the following:

  1. Open the Settings app.
  2. Tap your name, then tap iCloud.
  3. Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.
  4. Enable Advanced Data Protection.

Apple will ask you to set up at least one recovery contact or recovery key before you turn on Advanced Data Protection. You’ll also need to update all of your Apple devices to a software version that supports this feature.

Interestingly, Apple has previously shied away from providing end-to-end encryption for iCloud backups. In 2020, Reuters reported that the company had secretly dropped plans to allow fully encrypted backups “after the FBI complained that the move would harm investigations”.

Apple’s own figures show how useful its iCloud Backup data is to investigators. In the first half of 2019, U.S. authorities armed with regular court papers “asked for and obtained full device backups or other iCloud content in 1,568 cases”. Furthermore, Apple said it “turned over at least some data for 90% of the requests it received”.

Apple didn’t introduce end-to-end encryption for iCloud Backup until the end of 2022. In its announcement, the company justified its decision in relation to the rise in data breaches. “Companies across the technology industry are addressing this growing threat by implementing end-to-end encryption in their offerings,” it said. Whatever the reason, it’s a welcome development.

Messaging Android devices

Messages sent from an iPhone to an Android device using iMessage aren’t secure. The problem, according to Google, is that “Apple turns texts between iPhones and Android phones into SMS and MMS”.

SMS is notoriously insecure, and prone to both interception and spoofing. Dekra, a safety certifications and testing lab, found that SMS lacked any built-in security functionality when compared to a modern secure messaging protocol.

To address these issues, most global carriers and Android device manufacturers adopted the RCS protocol. Rich Communication Services (RCS) replaces SMS messages with a system that is “richer” in terms of its capabilities – for example allowing better quality pictures and read receipts. The protocol has native support for extensions, which Google used to add end-to-end encryption to RCS – a feature lacking in SMS.

Although RCS was launched in 2008, it wasn’t until 2020 that RCS became available globally in Google Messages on Android. Apple was soon coming under fire – primarily from Google – for not switching to RCS itself. However, Apple seemed determined to resist. Tim Cook, Apple Managing Director, said in 2022 that he didn’t “hear our users asking that we put a lot of energy” into RCS.

However, in late 2023, Apple announced that it would add support for RCS messaging to iPhones sometime in 2024. The company said that this would “work alongside iMessage, which will continue to be the best and most secure messaging experience for Apple users”.

Although this means that iPhone and Android users will be able to send each other RCS messages using their device’s default messaging apps, Apple has stated that it won’t use tacked on end-to-end encryption like Google.

Instead, it would focus its efforts on changing the RCS standard itself so that it incorporated end-to-end encryption. To do this, it will need to work with GSM Association members. As these represent the interests of mobile network operators worldwide, it’s not likely to be a quick process.

The take home here is that you shouldn’t send sensitive information to Android phones using iMessage. You may be able to send secure messages at some point, but it’s probably not worth holding your breath for.

Message forwarding

Apple devices allow you to automatically forward messages to another device. Someone with access to your device could therefore enable it to forward messages to their device. This is easy enough to check:

  1. Go to Settings > Messages > Text Message Forwarding.
  2. If you don’t see Text Message Forwarding, go to Settings > Messages.
  3. Turn off iMessage, then turn it back on. Tap Send & Receive > Use Your Apple ID for iMessage and then sign in with the same Apple ID used on your other devices.
  4. Look for any unfamiliar devices and disable them.

Can I trust iMessage?

On the whole, yes – particularly when it’s used for contacting other Apple devices. However, when sending messages from Apple devices to Android devices, the lack of encryption means they risk being intercepted. Once captured, attackers could view the contents of the message, or even change it and forward it on as part of a man-in-the-middle attack. This is far from ideal, though there’s hope of a modified RCS protocol in the not-too-distant future.

End-to-end encryption for messages backed up in iCloud has been available since 2022. As this isn’t enabled by default, you’ll need to opt for Advanced Data Protection if you want sole access to messages stored on Apple’s servers.