Cloud Hosting

Despite Apples strong stance on privacy, weve always known the company has to walk a pretty fine line when it comes to locking things down too tightly, especially where dealing with law enforcement agencies is concerned.

Apple has always made a point that everything stored on your iPhone is quite securely encrypted, to the point that its basically impossible to get at it without knowing your passcode.

Except for targeted malware attacks, the only way to get into an iPhone is to brute-force the password, which basically means hooking it up to a specialized device that tries every possible combination of numbers and possibly letters until it finds the correct one. However, using longer alphanumeric passwords makes this effectively impossible to do in somebodys normal lifespan.

In fact, the iPhone is so secure that its put Apple at the centre of a pretty big controversy on whether big tech companies should be required to create a back door for government and law enforcement agencies.

U.S. lawmakers, in particular, have been taking steps to make end-to-end encryption illegal, raising the spectre of child exploitation as a bogeyman to justify their position the Apple should provide a master key for law enforcement to bypass encryption and easily perform a warranted search of any iPhone that comes under investigation. Its no wonder Apple has been trying to get ahead of the curve and appease lawmakers by finding a middle ground.

After all, if Apple doesnt tread carefully, it risks having all the privacy and security protections that its carefully built into iOS legislated out of existence by lawmakers under the guise of protecting kids.

This is undoubtedly also the thinking behind Apples new Communication Safety feature thats coming in iOS 15.2, particularly since the entire iMessage platform is already tightly end-to-end encrypted, not just on each users iPhone, but also as it travels through Apples cloud servers.

In other words, barring any industrial-strength spyware on your device, when you send an iMessage to somebody, theres no way for anybody to intercept or read that message apart from the intended recipient(s).

Unfortunately, as great as that sounds, there are a few other weak links in how the Messages app stores its data that could result in others getting access to your messages, and this is especially true for law enforcement agencies.

Apple has never made any secret that it will comply with any valid law enforcement request to provide whatever data it can, which generally includes everything in your iCloud Backup.

In fact, during a senate hearing two years ago, Apples head of user privacy, Erik Neuenschwander, shared that the company received 127,000 requests from law enforcement from 2012 to 2019, and in most cases, it responded to these within 20 minutes, usually by handing over all the pertinent data thats stored on its servers.

To be clear, Apple still cant open an iPhone. When senators accused Apple of blatantly refusing court orders to open an iPhone, Neuenschwander pointed out that no matter how much it may want to, Apple cant do what is essentially impossible, which includes breaking the strong encryption its created for the iPhone.

Many lawmakers and politicians refuse to buy into this particular point, however, maintaining that Apple should be required to re-engineer its devices so that this becomes possible.

Fortunately for user privacy, those wishes have yet to become enshrined in law, so for now, agencies such as the FBI will need to be content with whatever Apple can provide.

An internal FBI document recently obtained and shared by Property of the People (via AppleInsider) outlines how iMessage stacks up against other secure messaging systems from the perspective of the FBIs ability to legally access content and metadata from them. The document is unclassified but labeled as For Official Use Only (FOUO) and Law Enforcement Sensitive (LES).

While the document spells out what we already know, its an interesting inside look at where iMessage fits in alongside others such as Signal, Telegram, and WhatsApp.

In the case of iMessage, the key vulnerability is one that you should already be aware of, and it ultimately comes down to any data youve stored in your iCloud Backups.

Specifically, the document notes that the FBI can obtain Limited message content from iMessage. A subpoena can render basic subscriber information, and 25 days of iMessage lookups to and from a target number although a footnote explains that Apple includes a disclaimer that a log entry between parties does not indicate a conversation took place, and that these query logs have also contained errors.

On the other hand, a search warrant can render backups of a target device, and if target uses iCloud backup, the encryption keys should also be provided with content return that is, as part of the backup along with iMessages if target has enabled Messages in iCloud.

In laymans terms, this means that if youre using iCloud Backups, any Messages data from your iPhone is vulnerable to a search warrant or any hacker who gets access to your iCloud account. This can occur in two different ways:

In other words, if youre not using Messages in iCloud, then your messages are stored in your iCloud Backup in readable form.

If you are using Messages in iCloud, the key to decrypt them is stored in your iCloud Backup.

Either way, if youre using iCloud Backups, your iMessage history is vulnerable.

Fortunately, you can disable iCloud Backups and backup your iPhone or iPad directly to your computer instead. In this case, your Messages data is safe, since even if youre using Messages in iCloud, this data will be stored using end-to-end encryption, with the key nowhere to be found on Apples servers.

Of course, if youre not using Message in the Cloud, your messaging history wont be on Apples servers at all it will only be stored locally on your device and in your computer backups.

Note that even in this case, your actual iMessage conversations travel through Apples servers, and SMS conversations travel through your carriers network. While Apple cant provide the content of your messages, it may still be able to provide a log of who youve been communicating with.

Note that SMS text messages arent even that secure, and theres a good chance that your carrier can intercept everything going on through those channels.

Just keep in mind that all bets are off if youre using a company-provided iPhone, as there are numerous management tools that a corporate IT department can install to monitor your activity. In many jurisdictions, however, all communications that occur on company-owned hardware belong to the company, so you shouldnt have an expectation of privacy in those cases anyway.

The FBI document also provided details on what can be obtained from several other popular messaging systems, and many of these came out ahead of Apples iMessage.

For example, Signal, Telegram, Threema, Viber, WeChat, and Wickr were all listed as providing No Message Content. Line and WhatsApp provided Limited content, but only in specific cases.

WhatsApps users are vulnerable to the same loophole as iMessage users, with the FBI noting that If target is using an iPhone and iCloud Backups enabled, iCloud returns may contain WhatsApp data, to include message content.

Line, on the other hand, can maintain seven days worth of specified users text chats in the face of an effective warrant, but this is only possible when the user has not enabled end-to-end encryption.

Among the listed messaging apps, Signal was unsurprisingly the most private of the bunch, with the ability to provide only the date and time that a user registered for the service, and the last time they connected to it.

Telegram came in a close second, with a note that it may disclose IP addresses and phone numbers to relevant authorities for confirmed terrorist investigations, but it does so solely at its own discretion.

Lastly, WeChat may be a special case. While the FBI notes that it cant get any message content out of theChina-based chat service, thats probably not the case for Chinese authorities. In fact, the FBI notes that WeChat cannot provide records for accounts created in China, but will provide basic information such as name, phone number, email, and IP address for non-China accounts.

The same could be said for other messaging platforms owned by foreign companies, which might not be compelled to respond to U.S. law enforcement agencies, but could be required to do so for court orders from their own governments.

In most cases, these other messaging platforms maintain their security by avoiding iCloud Backups entirely. Developers can choose what data is stored in an iCloud Backup, and apps like Signal deliberately refuse to store anything at all, which is why you basically have to set it up from scratch when switching to a new iPhone.

After all, the best way to keep your data from falling into the wrong hands is to avoid keeping it in the first place.

Read this article:
How Secure Is iMessage? | Leaked FBI Document Reveals the Truth - iDrop News