Apple's iMessage Service and Privacy

Apple has provided a messaging service since the dawn of the iPhone and has expanded it into a very privacy-conscious and secure way of communicating. Now, nearly every person who has an iPhone, iPad, Mac, or iPod Touch uses iMessage. What hasn’t really hit the spotlight is the fact that messages sent iPhone to iPhone, the ones that show up as blue, are fully encrypted end-to-end. When you first start using iMessage, your device creates two sets of private and public keys: one for encrypting and one for signing.

Your private keys never leave your device, but your public keys are sent to Apple’s servers so that the people you communicate with can use them. iMessage uses 128-bit AES for encrypting the messages and ECDSA keys on a 256-bit NIST curve for signing. This ensures the authenticity of the messages and maximizes the strength of the encryption. Apple does all of this seamlessly, so the user never has to worry about enabling extra features or downloading other applications like Signal to make it work. The only issue with iMessage, which will hopefully be addressed soon by Apple, is that the key servers are located in the United States. If they really wanted in, Apple would not be able to stop them at this stage of the game. A good step forward would be for Apple to separate the signing keys across, say, 3 different geographical locations around the globe to maximize the effort needed for a full compromise.
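The encryption and signing roles described above, as an added Go example that is not Apple's code and not part of the original post: a message is encrypted with 128-bit AES, signed with an ECDSA key on NIST P-256, and the receiver checks the signature against the sender's public key before decrypting. The CTR mode, the SHA-256 digest, the names `NewSigner`, `Seal` and `Open`, and the pre-shared `sampleKey` are assumptions of this example; the page does not say how the AES key reaches the recipient.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var sampleKey = []byte("0123456789abcdef") // constructed 128-bit key, for illustration only

// NewSigner creates a P-256 signing key pair; only the public half would be published.
func NewSigner() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Seal encrypts msg with AES-128-CTR (random IV prepended) and signs SHA-256(IV || ciphertext).
func Seal(signer *ecdsa.PrivateKey, aesKey, msg []byte) (ct, sig []byte, err error) {
	block, err := aes.NewCipher(aesKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, nil, err
	}
	ct = make([]byte, aes.BlockSize+len(msg))
	if _, err = rand.Read(ct[:aes.BlockSize]); err != nil {
		return nil, nil, err
	}
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(ct[aes.BlockSize:], msg)
	digest := sha256.Sum256(ct)
	sig, err = ecdsa.SignASN1(rand.Reader, signer, digest[:])
	return ct, sig, err
}

// Open verifies the signature with the sender's public key and only then decrypts.
func Open(sender *ecdsa.PublicKey, aesKey, ct, sig []byte) (string, error) {
	digest := sha256.Sum256(ct)
	block, err := aes.NewCipher(aesKey)
	if err != nil || len(ct) < aes.BlockSize || !ecdsa.VerifyASN1(sender, digest[:], sig) {
		return "", fmt.Errorf("rejected: bad key size or signature (%v)", err)
	}
	msg := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(msg, ct[aes.BlockSize:])
	return string(msg), nil
}

func main() {
	signer, _ := NewSigner()
	ct, sig, _ := Seal(signer, sampleKey, []byte("hello"))
	fmt.Println(Open(&signer.PublicKey, sampleKey, ct, sig))
}
```

The signature only proves authenticity relative to the public key the receiver holds, which is why the article's concern about who controls the key servers matters.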

Apple has also recently begun encrypting device backups to iCloud using your device passcode, which means that if you use a strong enough passcode to protect your device, you keep that same security across the board when your phone uploads its important data to the cloud for backup.

See: Encrypted and Secure Instant Messaging on