Dec 9, 2023

NurPhoto via Getty Images With Apple’s iPhone 15 still relatively fresh on the shelf, the company’s first radical iPhone 16 update has already hit the headlines—but it has already become clear that there’s a huge potential issue in the mix that has just been made worse by a surprise new update. iMessage is a cornerstone of its ecosystem, and one that has received increasing attention in recent years—some good, some bad. But it remains the sticky glue that helps keep Apple’s walled garden in place, prompting Meta’s Mark Zuckerberg to describe it as “a key linchpin of [Apple’s] ecosystem—which is why iMessage is the most used messaging service in the U.S.” But Apple limiting its iMessage platform to those within its walled garden has been much criticized, especially when it appeared this was a decision more commercial than technical in the making. And so its semi-reversal, to seemingly bow to pressure and enable iMessage users to text cross-platform using the RCS standard being pushed by Google across the Android ecosystem, was very welcome. But there’s a catch—and it’s a big one. The messaging platform end-to-end encrypts content between Apple users, but reverts to the appallingly insecure SMS architecture as soon as a green-bubbled Android device slips into the mix. And this is a problem the company appears to be only half fixing—which has been made much worse by the timing of Facebook’s surprise update of its own this week. “Later next year,” Apple announced in November , “we will be adding support for RCS Universal Profile, the standard as currently published by the GSM Association.” And while Apple lauded the “better interoperability experience when compared to SMS or MMS” this will bring to cross-platform messaging, it also said that it will work in parallel with iMessage, “which will continue to be the best and most secure messaging experience for Apple users.” MORE FOR YOU RCS is not end-to-end encrypted—it is a protocol that manages messaging traffic between client devices, replacing SMS but essentially running across the same inter-network architecture. RCS is more secure than SMS, but not fully secure like WhatsApp or Signal or Google’s own Messages app now that it has piloted and more recently defaulted to end-to-end encryption . But this is a layer it has wrapped around RCS—it has not changed RCS itself. And with timing being everything, Apple’s news was quickly followed by Zuckerberg’s, which gets to the very heart of that iMessage vulnerability. Four years after being first announced, Facebook is finally end-to-end encrypting its Facebook Messenger app , despite huge pressure from governments and security agencies to hold back. This means that Meta, Apple’s long-standing nemesis, will be offering two hyper-scale, end-to-end encrypted, cross-platform messaging apps when Apple itself has none, while still not letting its users change the default device messaging app from iMessage. “Meta’s tight integration into Facebook’s user profiles make it crucial to have untampered communications,” ESET’s cyber guru Jake Moore told me. “This will make law enforcement that much harder. However, the latter is a price to pay given that the vast majority of messaging platforms offer encryption to the masses.” Meanwhile, Meta’s other hyper-scale messaging platform, WhatsApp, continues to cement its position as the world’s leading secure messenger, combining usability, privacy and security—despite the apparent contradiction given its Meta/Facebook ownership. For some time now, users have been able to add an additional layer of security to selected messages that don’t open by default. Now they can hide those messages behind a PIN code , and it will only become apparent there are any hidden messages when the correct PIN is entered into the search bar. Some have been quick to point out that this could be a cheaters’ charter—and there’s definitely an element of that. But for political activists, journalists and campaigners, especially in countries where secure messaging is a personal safety necessity this will become a must-have. I have been vocally critical of Messenger’s lack of encryption, albeit there is a genuine issue with Messenger encryption versus WhatsApp or Signal, given its linkage to a social media platform, where users can be searched, profiled and messaged by strangers. Facebook puts in place various security measures to monitor underage accounts, and in my view the focus should be on those accounts, flagging messaging in and out and ever, perhaps, changing privacy measures accordingly. But what this move does mean is that the world’s three largest non-Chinese messaging platforms, WhatsApp, Google Messages and Facebook Messenger, now end-top-end encrypt by default and essentially democratize access to this level or peer-to-peer security. Telegram remains an outlier, with its lack of end-to-end encryption belying its security PR messaging. As does iMessage right now—outside that walled garden. The plea to Apple is to engage with Google on a cross-platform encryption architecture that would properly resolve this issue for billions of users. “Apple will go as far as offering a level of encryption to conform,” Moore says, “but ultimately it wants everyone to be pure iMessage users with Apple products only.” That “level of encryption” is no better than Google provided before its move to end-to-end encryption—it’s not fully secure. Google has long pressured Apple to adopt RCS, eroding the seeing green bubble / blue bubble hierarchy; Apple does have the option to put pressure back on Google to open its RCS end-to-end encryption to integrate with iMessage’s adoption of the protocol. Apple users should then be able to choose whether to use fully encrypted RCS or iMessage as their default. Instead, it seems more likely that Apple will work with the GSMA mobile standards body to strengthen the security of the base RCS itself—realistically, though, that process of driving towards any form of end-to-end encryption, with all the stakeholders and Google’s own deployment, will take years and will be wrapped in complexity. And until that results in a fix, iMessage will continue to offer its full security just to Apple users. Apple has already fixed the other huge iMessage privacy hole this year, with iCloud’s brilliant ADP (Advanced Data Protection) end-to-end encrypting device backups and the messaging decryption keys that were previously accessible by Apple when cloud backups were enabled. Somewhat ironically, this also plugged the same security gap for WhatsApp, without users having to revert to its somewhat clunky encrypted backup option that had provided the needed workaround pre-ADP. Despite Facebook’s security update, my advice doesn’t change. Facebook is Facebook, after all. WhatsApp has oft shown a welcome level of petulant, rebellious independence, which can give users confidence that it continues to remain as core to its roots as it can within the machine. And so, stick to WhatsApp for day-to-day messaging, and use Signal where the secrecy around who you message and when, above and beyond content, is important. The other piece of advice is to enable Apple’s ADP in your iCloud settings. ADP is the most significant update on any platform this year, finally securing the cloud ecosystem around your mobile devices. Beware, though, you’ll need to make a note of your encryption key or nominate an emergency contact. Because blocking Apple’s access to your backups means you’re stuck if you lose your access. ADP is in fact such a significant step in the right direction, that my hope is there will be a common sense meeting of minds at Google and Apple, coming together to deliver that level of security for cross-platform messaging. Anything else would be a real shame, leaving users exposed for some time to come.