Tbtech looks into the recent discovery that not all encrypted messages are as safe as everyone thought, and the methods users can take to maintain privacy.
Tech users want to know that their information is kept private, and this is a large selling point for end-to-end encrypted message services. For many years now, iMessage and WhatsApp have competed to be the best and most well-known in the communications sector, each claiming to be the most secure messaging system available. Both companies have done well to champion cybersecurity trust, but recently, a significant flaw has revealed a crack in this trust.
The news came via a release by Property of the People, a non-profit organization that explained its motives as being ‘devoted to governmental transparency’ on Twitter. This showed an official FBI training document detailing different messenger services and the ability to gain information on a suspect via legal means through that service.
iMessage, the exclusive Apple messenger service, was placed at the top of this list as the most easily accessible messaging service for gaining access to private information. On this file, it listed that those who access iMessage can recover message history and contact details. The flaw in the system is the cloud backup system; all the messages are encrypted as promised and secure while being sent; however, once the message history is backed up to the cloud, they are accessible. This is due to the encryption keys being backed up to the same file; not the most brilliant move by Apple.
WhatsApp, the well-known message service owned by Meta Platforms, only allows access to a list of contacts created within the app. Much less information than potentially incriminating messages but still not as secure as people were made to believe.
Of course, all access requires a legal subpoena first; however, if one person has been in contact with someone being investigated (even in passing), all of their messages would be legally included in a subpoena. This is avoidable by simply turning off your automatic backup (shown below). This does mean if you lose your device, your old messages will not be recoverable when syncing a new phone or tablet.
Apple has not commented on this flaw and it’s not surprising after its year of PR nightmares, including the August announcement that images being sent in this messenger service would be screened by an AI in order to determine if they are sexual in nature, which brought on tremendous backlash.
It is interesting that the news of this FBI document came to light only two months after WhatsApp struck out against Apple for its message security. As mentioned before, it is more reassuring to know that there is no access to message content for WhatsApp users, however the FBI has been quoted saying it can request contact lists and metadata “sent every 15 minutes”. WhatsApp did release an update to fix this error, including a user warning advising them to remove the iCloud back-up during a step-by-step setup process in September.
Presently, Apple’s public image is suffering, not only due to encryption errors but also because of its struggles with the ongoing Malware issue known as Pegasus (created by NSO Group, the Israeli spyware company). This malware reportedly gains access to your phone in an attempt to ‘investigate terrorism’.
When asked about the situation, head of Apple security engineering and architecture, Ivan Krstic stated “Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”
In a rebuttal statement, a spokesperson from NSO commented that “thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” This shows NSO sees themselves as providing a service to the community, begging the question, when is full privacy allowed, and when is breaking it acceptable?
Interestingly, the NSO Group was sued for the same malware issue by WhatsApp owners Meta, (formerly Facebook) back in 2019, which means it has taken Apple two years to jump to action on this issue. While filing the lawsuit they did make a statement that “to prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.”
- Increased consumer privacy is an opportunity for marketers
- Inside Apple’s powerful new privacy protections in iOS 15
- WATI secures fundraise as it scales WhatsApp experience for businesses
- Risk Before Popularity: 4 Factors for Determining Security Vulnerability
Google has been on the move to surpass Apple and make Android the new secure go-to device that Apple has always been known for. Google’s new global RCS—Rich Communication Services release is much stricter than iMessage’s previous end-to-end encryption as it does not allow any group chats or use of multiple devices. The only thing allowed (to ensure security) is 1:1 messages between two people. Apple has considered joining this system and becoming a cross-platform messenger previously, allowing an Android phone to use Apple-exclusive apps. However, just like then it has now again refused to join, clearly due to its resistance to break away from the closed ecosystem Apple is known for. Google have since taunted Apple and the feud over who is the most secure continues.
The issue at the end of this is that users can not feel comfortable on any messaging service as new reports constantly come in of security breaches (mostly propaganda based it seems). The companies behind the messaging services refuse to work together to solve this problem and it is the users that suffer in the long run.