The battle between Apple and Facebook has just taken another twist. Hundreds of millions of iMessage users are caught in the midst of that battle, with shocking security and privacy issues at stake. If you’re a daily iMessage user, then you need to understand these issues and what you need to do to stay secure.
This has been an awkward week for iMessage. An urgent security update to fix a serious security issue was released alongside glitzy PR promising iOS 15 feature updates. And then rival WhatsApp dropped its own surprise bombshell—the platform’s biggest missing feature was suddenly here—as easy as that, a real game-changer.
WhatsApp has been hit by its own NSO exploits in the past, of course. But now, its surprisingly timed update exposes a different iMessage security vulnerability. If you back up WhatsApp from your iPhone to iCloud, then Apple can currently access that backup. It’s the same with Android devices and Google Cloud. Now, WhatsApp is ending that vulnerability, cutting Apple’s access. But that same vulnerability still remains by default in iMessage, undermining its end-to-end encryption.
WhatsApp’s update was announced by Mark Zuckerberg himself—on Facebook. We knew it was in the works but had not expected this confirmation and technical detail so soon. The timing hitting the same week as the iPhone launch could be a coincidence, but Zuckerberg has called out iMessage’s security vulnerability in the past. “Apple and governments have the ability to access most people's messages,” he warned, as his privacy-focused battle with Apple intensified earlier this year.
With this update, WhatsApp ends its exposure to Apple’s security. Its end-to-end message and call encryption is backed up with the same level of security for the chats and media you save to the cloud. It now presents a stark improvement over Apple’s muddled approach to cloud encryption.
I reported on WhatsApp’s update a week ago, and since then have fielded multiple questions from users as to how they secure iMessage against this vulnerability—you can find details below. It’s a stupidly simple setting tweak that is little talked about.
WhatsApp’s backup encryption is cleverly designed—it’s clearly taken considerable work to provide a solution for 2 billion users across most of the world. Put simply, your backup is guarded by a 64-character encryption key. You can either create and store your own, manually, or protect one online in a third-party vault that is protected by a simple-to-remember password. The key point being that WhatsApp has no access.
And it’s this concept of “access” that undermines iMessage security. Apple’s encryption architecture for what it calls “Messages in iCloud” is also cleverly designed. It’s the best multi-device, fully encrypted architecture available, beating WhatsApp’s own multi-device update, given that it creates a circle of trusted devices without the concept of a master messenger to which all other devices are linked.
Apple provides you with an end-to-end encryption key that ensures that messages sent to and from your devices cannot be read by anyone but you and your counterparties. But it then stores a copy of that key in your iCloud Backup, and that iCloud Backup is not end-to-end encrypted, meaning Apple can access the backup, retrieve the key and then access all those “Messages in iCloud.”
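A simplified model of the escrow problem described above, added here as an example; it is not from the original article and is not Apple's or WhatsApp's actual code or protocol. The toy cipher (HMAC-SHA256 keystream plus MAC), the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _subkey(key, label):
    # Separate encryption and MAC keys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode); stands in for a real AEAD.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    # Returns None when the key is wrong or the blob was altered.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

def provider_reads(provider_key, backup_blob, synced_messages):
    # What the storage provider can recover using only material it holds.
    message_key = unseal(provider_key, backup_blob)
    return None if message_key is None else unseal(message_key, synced_messages)

def demo():
    message_key = secrets.token_bytes(32)    # end-to-end key made on the device
    provider_key = secrets.token_bytes(32)   # key retained by the cloud provider
    synced = seal(message_key, b"constructed sample message")
    # Case 1: message key copied into a backup the provider can decrypt.
    escrowed = seal(provider_key, message_key)
    # Case 2: message key wrapped under a key derived from a user secret.
    salt = secrets.token_bytes(16)
    user_key = hashlib.pbkdf2_hmac("sha256", b"constructed passphrase", salt, 200_000)
    user_held = seal(user_key, message_key)
    return (provider_reads(provider_key, escrowed, synced),
            provider_reads(provider_key, user_held, synced),
            unseal(unseal(user_key, user_held), synced))
```

In the first case the provider recovers the plaintext even though the messages themselves were sealed with a device-generated key; in the second only the holder of the passphrase can.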
“iMessage users may wrongly believe that their communication is private,” ESET’s Jake Moore has warned, “but with access granted from just a backup created, it somehow defeats its success in protection.”
As Apple acknowledges, “Apple retains the encryption keys in its U.S. data centers. iCloud content, as it exists in the customer’s account, may be provided in response to a search warrant issued upon a showing of probable cause, or customer consent.”
This is all very timely. Apple came under fire for its plans to add a machine learning iMessage filter client-side (on your iPhone) that would warn minors sending or receiving sexually explicit images. Critics argued it was a potential backdoor. Apple denied this was the case but stalled its plans along with on-device CSAM screening.
This backup vulnerability, though, is a backdoor. “With access granted from just a backup created,” Moore told me, “it somehow defeats its success in protection.”
To understand the iMessage backup vulnerability, you need to think back to the evolution of iCloud and cloud services in general. What started as a means of automated or triggered off-device backups and data storage has become a seamless, always-on platform that drives apps and services in real-time.
Among the syncing iCloud services that keep your calendar, reminders and Safari data in sync across your devices, you have Messages in iCloud—a running backup of all your messages, which all your trusted devices can access.
But you also have the generic iCloud Backup, which primarily stores data from apps on your phone that don’t rely on their own cloud services, plus your device settings and home screen layouts. You don’t need this—you can run a direct transfer when you change device and most decent third-party apps offer cloud data backups of their own now, which is useful if you lose your device.
If you have Messages in iCloud enabled and also iCloud Backups enabled, then that iMessage encryption key is saved. Disable iCloud Backups and you’re fine. Or, if you want to keep an iCloud Backup in place while maintaining fully encrypted messaging, then switch to WhatsApp or (better) Signal.
And the concept of “fully encrypted” messaging leads us to the other serious issue for iMessage, the lack of cross-platform interoperability. Those of you old enough will remember the early days of SMS, when it wasn’t possible to message across networks. The current Apple/Google approach to messaging is sadly creating a similar paradox.
With iMessage you can send secure texts, but only to other Apple users; with Google Messages, you can now send secure RCS messages from your Android device, but not to iPhones. Crossing platforms (instead of networks, this time around) will see your messages revert to unsecured SMS, and that is best avoided.
Apple and Google are inadvertently making the case to switch from their own OS-based messengers to cross-platform over-the-tops. In recent months, WhatsApp has fixed its most serious issues—multi-device access and encrypted backups. Meanwhile, Signal continues to offer a more secure alternative that can do all the same.
As the shadow of Pegasus now recedes (Apple hopes), post iOS 14.8 and its welcome (albeit belated) transparency, Apple has serious iMessage questions to address. This backup anomaly needs to be fixed or at least more clearly communicated to users who should have the option to withhold encryption keys from being backed up. I asked Apple about this, but the company does not “comment or speculate” on future plans.
This is becoming a serious issue for Apple. iOS 15 was intended to bring cool new iMessage features. But all we’ve talked about in recent months is iMessage security vulnerabilities. Apple needs to recognize that WhatsApp has now caught up and overtaken iMessage on the security front, while offering cross-platform and other secure features such as disappearing messages and view-once media.
With all this in mind, I can no longer recommend iMessage as a daily messenger for Apple users, and I suggest they opt for WhatsApp or Signal instead.
September 18, 2021 at 05:30PM
Why You Should Stop Using Apple iMessage After Shock Update - Forbes