Apple might have figured out a way to close what some privacy activists saw as a major loophole that undermined the security and privacy of some users of its popular chat app iMessage.
Back in 2011 Apple launched iMessage, a then-new messaging service that, among a myriad of features, also promised "secure end-to-end encryption." That, in other words, is a type of encryption that in theory only allows the sender and the receiver of the messages—and no one else, including Apple or the cops—to read them. It was two years before Edward Snowden warned of NSA surveillance and popularized the importance of encrypting all the things and inadvertently accelerated the race to put end-to-end encryption in every chat app you can think of.
But, as several security and privacy researchers warned over the years, there's always been a major, somewhat overlooked catch: If you back up iMessages to iCloud, the backup is encrypted with keys that Apple holds, so Apple—or authorities who can force the company to turn the backups over—can still read those messages, which to some extent defeats the purpose of the end-to-end encryption.
With Apple's new mobile operating system, that might not be the case anymore.
This week at WWDC, the company announced Messages in iCloud, a feature that moves iMessage conversations onto the iCloud platform with iOS 11. During the WWDC keynote, the company's Senior Vice President of Software Engineering Craig Federighi presented it as a user experience improvement.
Starting with the upcoming iOS 11, all your conversations in iMessage will be automatically synchronized across your iPad, iPhone, Mac and whatever other iGizmo you own, he said. As anyone who uses iMessage knows, that's something you can't do right now, and it leads to annoyances such as having to manually delete a message on every device if you want to get rid of an embarrassing one, or having to restore a full backup if you want old iMessages on a newer iDevice.
But if iMessages, which are supposed to be end-to-end encrypted, now sync, doesn't that mean Apple can decrypt and read them at some point? Apple says that soon won't be the case.
During an interview with Apple blogger and Daring Fireball's owner John Gruber, Federighi said that the company has figured out a way to do syncing while still remaining unable to read your iMessages. Here's what he said (this exchange is around the 01:05:30 timestamp in the video):
"Our security and encryption team has been doing work over a number of years now to be able to synchronize information across your, what we call your circle of devices—all those devices that are associated with the common account—in a way that they each generate and share keys with each other that Apple does not have."
"And so, even if they store information in the cloud, it's encrypted with keys that Apple doesn't have. And so [users] can put things in the cloud, they can pull stuff down from the cloud, so the cloud still serves as a conduit—and even ultimately kind of a backup for them—but only they can read it."
It's unclear exactly how Apple is able to pull this off, as there's no explanation of how this works other than from those words by Federighi. The company didn't respond to a request for comment asking for clarifications. It's possible that we won't know the exact technical details until iOS 11 officially comes out later this year.
Meanwhile, cryptographers are already scratching their heads and holding their breath.
"The $6 million question: how do users recover from a forgotten iCloud password? If the answer is they can't, that's a major [user experience] tradeoff for security. If you can, maybe via email, then it's [end-to-end] with Apple managed (derived) keys," Kenn White, a security and cryptography researcher, told Motherboard in an online chat.
"If recovery from a forgotten iCloud password is possible *without access* to the device (or possibly the keychain via the Secure Enclave), it's not truly [end-to-end encryption]," White said. "It's encrypted, but decryptable by parties other than the two people communicating. In that sense, it's closer to the default security model of Telegram than that of Signal."
The quote at the end of this post has been updated to amend a technical error Kenn White made in his analysis.
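To make White's distinction concrete, here is an added illustration that is not Apple's design or code: a small model contrasting a provider-escrowed message key (recoverable by an e-mail reset with no device in hand, and therefore readable by the provider) with a key generated on one device and passed only between devices in the circle. The class names, the device-approval flow, the toy SHA-256 counter-mode cipher and the sample message are all assumptions made for the model.

```python
import hashlib
import hmac
import os
import secrets


# Toy authenticated cipher (SHA-256 counter-mode keystream + HMAC tag). It stands in
# for a real AEAD such as AES-GCM; the key-management contrast below is the point.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Cloud:
    """Provider-side storage, the 'conduit': holds whatever a design uploads."""
    def __init__(self):
        self.messages = []        # synced / backed-up message ciphertexts
        self.wrapped_keys = {}    # design 2: circle key wrapped per device
        self.escrowed_key = None  # design 1 only: a raw key the provider keeps

    def provider_reads(self):
        """What the provider (or anyone compelling it) can decrypt from what it holds."""
        if self.escrowed_key is None:
            return None           # only ciphertext and wrapped keys: nothing unwraps them
        return [decrypt(self.escrowed_key, b) for b in self.messages]


class ProviderManagedKeys:
    """Design 1, White's 'Apple managed (derived) keys' case: the provider escrows the
    message key, so an e-mail reset can return it with no device, and the provider
    can decrypt with the same copy."""
    def __init__(self, cloud: Cloud):
        self.cloud = cloud
        cloud.escrowed_key = secrets.token_bytes(32)

    def send(self, msg: bytes):
        self.cloud.messages.append(encrypt(self.cloud.escrowed_key, msg))

    def recover_without_device(self):
        return self.cloud.escrowed_key   # the reset link simply hands the key back


class DeviceCircleKeys:
    """Design 2, the shape Federighi describes: the first device generates the circle
    key; each new device is approved by one already enrolled, which wraps the key under
    the new device's local key (a symmetric stand-in for its public key). The cloud sees
    only ciphertext and wrapped keys."""
    def __init__(self, cloud: Cloud, first_device: str = "iphone"):
        self.cloud = cloud
        self.device_keys = {}     # per-device keys; assumed never to leave the device
        self._enroll(first_device, secrets.token_bytes(32))

    def _enroll(self, name: str, circle_key: bytes):
        self.device_keys[name] = secrets.token_bytes(32)
        self.cloud.wrapped_keys[name] = encrypt(self.device_keys[name], circle_key)

    def circle_key_on(self, name: str) -> bytes:
        return decrypt(self.device_keys[name], self.cloud.wrapped_keys[name])

    def add_device(self, name: str, approver: str):
        if approver not in self.device_keys:
            raise PermissionError(f"{approver!r} is not an enrolled device")
        self._enroll(name, self.circle_key_on(approver))

    def send(self, from_device: str, msg: bytes):
        self.cloud.messages.append(encrypt(self.circle_key_on(from_device), msg))

    def read_on(self, name: str):
        return [decrypt(self.circle_key_on(name), b) for b in self.cloud.messages]

    def recover_without_device(self):
        return None   # a password reset derives nothing; without a device the data is gone


def demo():
    """Run both designs over one constructed message; report who can read what."""
    msg = b"meet at 6, delete this after"   # constructed sample message
    c1, c2 = Cloud(), Cloud()
    d1 = ProviderManagedKeys(c1)
    d1.send(msg)
    d2 = DeviceCircleKeys(c2)
    d2.add_device("mac", approver="iphone")
    d2.send("iphone", msg)
    return {
        "escrow_provider_reads": c1.provider_reads(),
        "escrow_recovers_without_device": d1.recover_without_device() is not None,
        "circle_mac_reads": d2.read_on("mac"),
        "circle_provider_reads": c2.provider_reads(),
        "circle_recovers_without_device": d2.recover_without_device() is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The two designs upload identical ciphertext; the only difference is where a decryption key lives. That is why the recovery question is the one to ask: any flow that restores access with no device present implies a key the provider can also use.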