Date: 2023-12-09

Apple risks losing out to other secure messaging platforms given the encryption challenge.

Apple’s iPhone 15 is still relatively fresh on the shelves and the company’s first revolutionary iPhone 16 update has already made headlines, but it has already become clear that there’s a big potential issue in the mix, one that a surprise new update has addressed and made even worse.

iMessage is a cornerstone of its ecosystem, and has received increased attention in recent years – some good, some bad. But it remains the sticky glue that helps hold Apple’s walled garden in place, leading Meta’s Mark Zuckerberg to describe it as a “key lynchpin [of Apple’s] ecosystem—this is why iMessage is the most used messaging service in America.”

But Apple was criticized for limiting its iMessage platform within its own walls, especially when it felt like the decision was more business than technical. And so its semi-reversal, seemingly bowing to the pressure and enabling iMessage users to text cross-platform using the RCS standard being pushed by Google in the Android ecosystem, was very welcome.

But there’s a catch—and it’s a big one. The messaging platform encrypts content end-to-end between Apple users, but as soon as a green-bubble Android device slips into the mix, it falls back on the catastrophically insecure SMS architecture. And it’s a problem the company has only half-fixed — made even worse by the timing of Facebook’s own surprise update this week.

“Late next year,” Apple announced in November, “we will add support for the RCS Universal Profile, which is the standard currently published by the GSM Association.” And while Apple lauded the “better interoperability experience than SMS or MMS” that cross-platform messaging would bring, it also said it would work in parallel with iMessage, “which will remain the best and most secure messaging experience Apple can provide for users.”

RCS is not end-to-end encrypted – it is a protocol that manages messaging traffic between client devices, replacing SMS but running on essentially the same inter-network architecture. RCS is more secure than SMS, but not as completely secure as WhatsApp or Signal or Google’s own messaging app, which piloted and has recently defaulted to end-to-end encryption. But this is a layer that Google has wrapped around RCS – it has not changed RCS itself.

And timing being everything, Apple’s news was quickly followed by Zuckerberg’s news, which got to the root of the iMessage vulnerability. Four years after it was first announced, Facebook is finally end-to-end encrypting its Facebook Messenger app, despite heavy pressure from governments and security agencies. This means that Meta, Apple’s long-time foe, will offer two hyper-scale, end-to-end encrypted, cross-platform messaging apps, while Apple itself has none and still will not allow its users to change the default device messaging app, iMessage.

“Facebook’s tight integration of meta into user profiles makes seamless communication critical,” ESET cyber guru Jake Moore told me. “This will make law enforcement more difficult. However, the latter comes at a price to pay as most messaging platforms offer encryption to the public.”

Meanwhile, Meta’s other hyper-scale messaging platform, WhatsApp, continues to cement its position as the world’s leading secure messenger with its combination of usability, privacy and security – an apparent contradiction given its Meta/Facebook ownership.

For some time now, users have been able to add an extra layer of security to selected messages that are not opened by default. Now they can hide those messages behind a PIN code, and they will be visible only when the correct PIN is entered in the search bar.

Some people were quick to point out that this could be the charter of impostors – and there is certainly an element of that. But for political activists, journalists and campaigners, especially in countries where secure messaging is a personal security requirement, it will become essential.

I have been vocally critical of the lack of encryption in Messenger, however there is a real issue with Messenger encryption vs. WhatsApp or Signal, as it is tied to a social media platform where users can be discovered by strangers, and can be profiled and messaged. Facebook takes various security measures to monitor underage accounts, and in my view those accounts should be focused on, flagging messages in and out and, perhaps, changing privacy measures accordingly.

But the move means that the world’s three largest non-Chinese messaging platforms, WhatsApp, Google Messages and Facebook Messenger, now encrypt end-to-end by default and are essentially peer-to-peer at this level, democratizing access to peer security. Telegram remains a separate topic, with its lack of end-to-end encryption weakening its security PR messaging, as iMessage does now, outside those walls. There are calls for Apple to join forces with Google on a cross-platform encryption architecture that would appropriately solve this problem for billions of users.

“Apple will offer levels of encryption for the sake of conformance,” Moore says, “but ultimately it wants everyone to be pure iMessage users only with Apple products.” That “level of encryption” is no better than the level provided by Google before the move to end-to-end encryption – it is not completely secure.

Google has long pressured Apple to adopt RCS, thereby destroying the green bubble/blue bubble hierarchy; Apple has the option of pressuring Google to open up its RCS end-to-end encryption to integrate with the adoption of the protocol by iMessage. Apple users should then be able to choose whether to use fully encrypted RCS or iMessage as their default.

Instead, it is more likely that Apple will work with the GSMA mobile standards body to strengthen the security of base RCS – although the process of moving towards some form of end-to-end encryption is realistic with all stakeholders involved. Google’s own deployment will take years and be shrouded in complexity. And until this is resolved, iMessage will continue to provide its full security only to Apple users.

Apple has already fixed other huge iMessage privacy holes this year with iCloud’s fantastic ADP (Advanced Data Protection) end-to-end encrypting device backups and messaging decryption keys, which were previously accessible to Apple when cloud backups were enabled. Somewhat ironically, this also closed the same security gap for WhatsApp, preventing users from having to revert to its somewhat clunky encrypted backup option that had provided the necessary workaround pre-ADP.

Despite Facebook’s security update, my advice doesn’t change. After all, Facebook is Facebook. WhatsApp has often shown a welcome level of wild, rebellious independence, which may lead users to believe it will remain true to its roots within the machine.

And so, stick to WhatsApp for everyday messaging, and use Signal where privacy is important, above and beyond the content and who you message when.

Another tip is to enable Apple’s ADP in your iCloud settings. ADP is the most important update on any platform this year, ultimately securing the cloud ecosystem around your mobile devices. Be careful, though: you’ll need to note down your encryption key or nominate an emergency contact, because blocking Apple’s access to your backups means you’ll be stuck if you lose access.

ADP is really an important step in the right direction; my hope is that Google and Apple will have a common sense meeting and come together to provide that level of security for cross-platform messaging. Anything more would be a real shame, leaving users exposed for some time to come.