Apple Confirms iMessage Security

Apple has released a new paper describing the security of iMessage, the application widely used to communicate with other Apple devices. The document covers the security measures used to protect users' data and the encryption of files.

iMessage is very convenient for chatting, but one question remains: do law enforcement agencies have access to data shared over this application?

iMessage works over the Apple Push Notification service (APNs). The good thing is that Apple does not store data on its servers. Content is protected by end-to-end encryption, so that only the sender and the recipient are able to read files and data.

When you start iMessage, the device generates two key pairs: a 1280-bit RSA key for encryption and a 256-bit key for the ECDSA signature of messages. For each pair, the private key is stored in the local keychain, and the public key is sent to a central repository (IDS), where it is tied to the user's phone number or email address, along with the device's APNs address.

If a user adds an additional device on which they want to receive copies of messages, the relevant information is added to the IDS. Apple informs the user when their account is connected to an additional device, phone number or email address.

When you start a chat session, the device contacts the IDS and requests the recipient's public key and APNs address.

Apple iMessage scheme

Data transmission process over iMessage

Each outgoing message is encrypted with AES-128 and transmitted in encrypted form over APNs. Some information is not encrypted: the metadata, including the timestamps and the routing path. APNs communication is secured with TLS. Long messages and files are encrypted with a random key and uploaded to iCloud.
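The scheme described above, sketched as an added example (not Apple's code and not taken from the paper): a sender device encrypts one message under a fresh AES-128 key and signs it with its ECDSA key, for a recipient whose 1280-bit RSA public key would have come from the IDS. The AES mode (CTR), the RSA-OAEP wrapping of the AES key, the use of SHA-256 and all function names are assumptions of this sketch, not details stated on this page.

```javascript
// Added illustration, not Apple's code. Assumptions not stated on the page:
// AES-128 in CTR mode, RSA-OAEP (SHA-256) key wrapping, ECDSA P-256 over SHA-256.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each device holds two key pairs; only the public halves would be sent to the IDS.
function newDeviceKeys() {
  return {
    enc: nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 1280 }),
    sig: nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }),
  };
}

// Sender: fresh AES-128 key per message, wrapped for one recipient device,
// then the whole encrypted payload is signed with the sender's ECDSA key.
function sealMessage(plaintext, senderSigPrivate, recipientEncPublic) {
  const key = nodeCrypto.randomBytes(16); // 128-bit message key
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-128-ctr', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientEncPublic, ...OAEP }, key);
  const signed = Buffer.concat([iv, body, wrappedKey]);
  const signature = nodeCrypto.sign('sha256', signed, senderSigPrivate);
  return { iv, body, wrappedKey, signature };
}

// Recipient: verify the signature first, and only then unwrap the key and decrypt.
// CTR mode alone is malleable, so the signature is what detects tampering.
function openMessage(msg, senderSigPublic, recipientEncPrivate) {
  const signed = Buffer.concat([msg.iv, msg.body, msg.wrappedKey]);
  if (!nodeCrypto.verify('sha256', signed, senderSigPublic, msg.signature)) {
    throw new Error('signature check failed');
  }
  const key = nodeCrypto.privateDecrypt({ key: recipientEncPrivate, ...OAEP }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-128-ctr', key, msg.iv);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed demo: one sender device, one recipient device, one sample message.
function demo() {
  const alice = newDeviceKeys();
  const bob = newDeviceKeys();
  const msg = sealMessage('constructed sample text', alice.sig.privateKey, bob.enc.publicKey);
  return openMessage(msg, alice.sig.publicKey, bob.enc.privateKey);
}
```

A relay that carries only `iv`, `body`, `wrappedKey` and `signature` never holds the AES key in the clear, which is the property the paragraph on end-to-end encryption describes.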

You can find the PDF document here:

