After word of the U.S. government’s PRISM data gathering program broke, Apple reiterated its commitment to customer privacy in a statement which implied that the company isn’t able to access to encrypted iMessages. A group of researchers don’t agree.
A group of researchers showed how it would be possible for someone inside Apple to intercept said messages either on their own or due to a government order, they were speaking at the Hack in the Box conference in Kuala Lumpur, Malaysia. Cyril Cattiaux, who has developed iOS jailbreak software in the past, said that Apple’s claim of protecting iMessages with unbreakable encryption is “just basically lies.” Though an important distinction must be made here. Even if Apple is able to intercept encrypted iMessages, there’s no evidence to suggest that the company is doing so either on its own or as a result of a government order.
To encrypt iMessages between sender and recipient, Apple users public key cryptography, but the researchers say that Apple’s system for managing public keys is opaque. When a message is sent, it requests the public key of the recipient’s device to encrypt the message, upon receipt the message is decrypted by a private key. This makes it impossible to know if the messages are being sent to a third party. Cattiaux says that the problem is the fact that “Apple has full control over this public key directory.” So it could essentially add a public key to intercept an outgoing message, and the sender wouldn’t even be aware of it.
The researchers say that to plug users’ privacy concerns once and for all, Apple can employ true end-to-end encryption and store public keys on each iOS device, thus allowing users to compare keys in order to see whether their messages are reaching the intended recipient or not.