With Apple’s iPhone 15 still relatively new on the shelf, the company’s first radical update for the iPhone 16 has already made headlines, but it has already become clear that there’s a major potential problem in the mix, one that has just been exacerbated by a surprise new update.
A cornerstone of its ecosystem, iMessage has received increased attention in recent years, some good, some bad. But it remains the sticky glue that helps keep Apple’s walled garden in place, prompting Meta’s Mark Zuckerberg to call it “a key linchpin of Apple’s success.” This is why iMessage is the most widely used messaging service in the US.
But Apple’s restriction of its iMessage platform to devices within its walled garden has come under significant criticism, especially when that decision appeared to be more about business than technology. And so the semi-reversal, seemingly bowing to the pressure and enabling iMessage users to send cross-platform text messages using the RCS standard that Google is pushing across the Android ecosystem, was very welcome.
But there’s a problem, and it’s a big one. The platform encrypts content end-to-end between Apple users, but reverts to a horribly insecure SMS architecture once a green-bubbled Android device enters the mix. The company appears to be working on only half of this issue, which was exacerbated by the timing of Facebook’s surprise update this week.
“Later next year, we will add support for RCS Universal Profile, the standard currently published by the GSM Association,” Apple announced in November. While Apple praised the “better interoperability experience compared to SMS or MMS” that it will bring to cross-platform messaging, it also said that it will work in parallel with iMessage, “which will continue to be the best and most secure messaging experience” for Apple users.
RCS is not end-to-end encrypted. It is a protocol that manages message traffic between client devices, replacing SMS but essentially operating over the same shared networking architecture. RCS is more secure than SMS, but it’s not quite as secure as WhatsApp, Signal, or Google’s own messaging app, which recently piloted end-to-end encryption and now enables it by default. But that encryption is a layer wrapped around RCS; it doesn’t change RCS itself.
And since timing is everything, the Apple news was quickly followed by the Zuckerberg news, which gets to the heart of the iMessage vulnerability. Four years after it was first announced, Facebook has finally encrypted its Facebook Messenger app, despite massive pressure from governments and security agencies to back down. This means that Meta, Apple’s old enemy, will offer two broad, encrypted, cross-platform messaging apps when Apple itself has none, and Apple does not allow its users to change the device’s default messaging app from iMessage.
“Meta’s close integration into Facebook user profiles makes it essential to have connections that can’t be tampered with,” Jake Moore, an internet expert at ESET, told me. “This will make law enforcement more difficult. However, the latter is a price to pay given that the vast majority of messaging platforms offer encryption to the masses.”
Meanwhile, Meta’s other large-scale messaging platform, WhatsApp, continues to cement its position as the world’s leading secure messaging platform, combining ease of use, privacy and security – despite the apparent contradiction given its ownership by Meta/Facebook.
For some time now, users have been able to add an extra layer of security to selected messages so that they aren’t opened by default. They can now hide those messages behind a PIN, and it only becomes clear that there are any hidden messages when they enter the correct PIN in the search bar.
Some were quick to point out that this might be a cheaters’ charter, and there’s definitely an element of that. But for political activists and journalists, especially in countries where secure messaging is a necessity for personal safety, this will become essential.
I’ve been highly critical of Messenger’s lack of encryption, though there’s a real issue with encrypting Messenger versus WhatsApp or Signal, given its connection to the social media platform, where users can be searched, profiled, and messaged by strangers. Facebook has various security measures in place to monitor underage accounts, and in my view the focus should be on those accounts, flagging incoming and outgoing messages, and perhaps changing privacy measures accordingly.
But what this move means is that the world’s three largest non-Chinese messaging platforms, WhatsApp, Google Messages, and Facebook Messenger, now have encryption by default, essentially democratizing access to that level of peer-to-peer security. Telegram remains an outlier, as its lack of end-to-end encryption belies its security PR messaging, as is iMessage now, outside that walled garden. The appeal to Apple is to engage with Google on a cross-platform encryption architecture that would properly solve this problem for billions of users.
“Apple will go so far as to offer a level of encryption for compatibility, but ultimately it wants everyone to be pure iMessage users with only Apple products,” Moore says. This “level of encryption” is no better than what Google offered before it moved to end-to-end encryption, and it’s not completely secure.
Google has long pressured Apple to adopt RCS, eroding the green bubble/blue bubble hierarchy. Apple has the option to push back and press Google to open up its end-to-end RCS encryption so that it integrates with iMessage’s adoption of the protocol. Apple users should then be able to choose whether they want to use fully encrypted RCS or iMessage as the default.
Instead, it seems more likely that Apple will work with the GSM Association (GSMA) mobile standards body to strengthen the security of the RCS platform itself. But realistically, the push towards any form of end-to-end encryption, with all the owners’ interests and Google’s deployment in play, will take many years and will be full of complexity. Until that fixes the issue, iMessage will continue to offer full security only to Apple users.
Apple has already fixed another huge iMessage privacy vulnerability this year, with Advanced Data Protection (ADP) end-to-end encrypting device backups to iCloud, including the message decryption keys that Apple previously had access to when cloud backups were enabled. Somewhat ironically, this also closed the same security gap in WhatsApp, without users having to resort to the somewhat outdated encrypted backup option that provided the workaround required before ADP.
Despite Facebook’s security update, my advice doesn’t change. Facebook is Facebook, after all. WhatsApp has often demonstrated a welcome level of rebellious independence, which can give users confidence that it’s still staying as true to its roots as possible within the device.
So, stick to WhatsApp for daily messaging, and use Signal where confidentiality about who you’re messaging and when, as well as the content, is important.
The other tip is to enable Apple’s ADP in your iCloud settings. ADP is the most significant update on any platform this year, finally securing the cloud ecosystem around your mobile devices. But be careful: you’ll need to write down your encryption key or nominate an emergency contact, because blocking Apple’s access to your backups means you’re stuck if you lose access.
ADP is actually an important step in the right direction, and I hope there is a logical meeting of the minds at Google and Apple, as they come together to bring this level of security to cross-platform messaging. Anything else would be a real shame, leaving users exposed for some time to come.