Apple iMessage takes a hard beating when a surprise new update is released

While Apple’s iPhone 15 is still new to shelves, the company’s first radical iPhone 16 refresh has already made headlines. But it has also become apparent that there is a huge potential challenge in the mix, one that just got worse with a surprise new update.

Update 12/12 below; this article was originally published on September 12.

iMessage is a cornerstone of Apple’s ecosystem, and one that has received increasing attention in recent years, some good, some bad. But it remains the sticky glue that helps keep Apple’s walled garden in place, prompting Meta’s Mark Zuckerberg to describe it as “a key linchpin of [Apple’s] ecosystem—which is why iMessage is the most used messaging service in the U.S.”

But Apple’s restriction of its iMessage platform to those in its walled garden was the subject of heavy criticism, especially when it emerged that this was more of a commercial decision than a technical one. The decision to relent under the strain and allow iMessage users to message across platforms using RCS, the standard popular in the Android ecosystem and powered through Google, was very well received.

But there’s a problem, and it’s a big one. The messaging platform end-to-end encrypts content between Apple users, but reverts to the woefully insecure SMS architecture as soon as a green-bubble Android device sneaks into the mix. It’s a challenge the company appears to be only partially solving, and one that has gotten worse with the timing of Facebook’s surprise update this week.

“By the end of next year,” Apple announced in November, “we will upload the RCS Universal Profile, the popular profile recently released by the GSM Association.” And while Apple praised “the increased interoperability experience compared to SMS or MMS” that this will bring to cross-platform messaging, it also said that it will work in parallel with iMessage, “which will continue to be the most productive and secure messaging experience for Apple users.”

RCS is not end-to-end encrypted: it is a protocol that handles message traffic between consumer devices, replacing SMS but necessarily running on the same architecture between networks. RCS is more secure than SMS, but not completely secure like WhatsApp or Signal, or like Google’s Messages app, which was tested with and more recently switched to end-to-end encryption by default. But that encryption is a layer wrapped around RCS; it did not replace RCS itself.

And since timing is everything, Apple’s news was quickly followed by Zuckerberg’s, which goes to the very heart of this iMessage vulnerability. Four years after it was first announced, Facebook is nonetheless end-to-end encrypting its Facebook Messenger app, despite enormous pressure from governments and security agencies to prevent it. This means that Meta, Apple’s old enemy, will offer two large-scale end-to-end encrypted cross-platform messaging apps, while Apple itself has none, although it does not allow its users to replace their device’s default messaging app, iMessage.

“Meta’s tight integration into Facebook user profiles makes communications security crucial,” Jake Moore, cyber guru at ESET, told me. “This will make enforcement even more difficult. However, the latter is worth paying for given that the vast majority of messaging platforms are offering encryption to the general public.”

I have been vocally critical of Messenger’s lack of encryption, although there is a genuine issue with Messenger encryption versus WhatsApp or Signal, given its linkage to a social media platform, where users can be searched, profiled and messaged by strangers. Facebook puts in place various security measures to monitor underage accounts, and in my view the focus should be on those accounts, flagging messaging in and out and even, perhaps, changing privacy measures accordingly.

But what this move means is that the world’s three largest non-Chinese messaging platforms, WhatsApp, Google Messages, and Facebook Messenger, now encrypt end-to-end by default and necessarily democratize access to this level of security. Telegram remains an exception, as its lack of end-to-end encryption belies its security PR messaging. So does iMessage right now, outside its walled garden. The call for Apple is to collaborate with Google on a cross-platform encryption architecture that would nicely solve this challenge for billions of users.

“Apple will even go so far as to offer a compatible encryption point,” Moore says, “but at the end of the day, it needs everyone to be natural iMessage users and only have Apple products.” “no bigger than what will be offered through Google before switching to end-to-end encryption: it’s not entirely secure.”

Google has long lobbied Apple to adopt RCS, eroding the green/blue bubble hierarchy; Apple has an opportunity to push Google to open up its end-to-end RCS encryption to integrate with iMessage’s adoption of the protocol. Apple users will then be able to decide whether to use RCS or fully encrypted iMessage by default.

On the other hand, it is more likely that Apple will work with the GSMA, the cellular standards body, on the security of core RCS itself. Realistically, however, moving that process towards any form of end-to-end encryption, with all the stakeholders involved and with Google’s own launch, will take years and will be complex. And until that’s fixed, iMessage will continue to offer its full security only to Apple users.

Update 12/12:

It didn’t take long after Apple’s RCS announcement for its defensive stance on iMessage, and on any mitigation of its sticky nature when it comes to iPhone versus Android, to be revealed again. This echoes the controversy when an Apple executive rejected opening iMessage to other platforms at the festival site.

Android’s most recent workaround for iMessage, Beeper, which for some time had opened a gate to Apple’s walled garden, was temporarily blocked, and Apple repaired the damaged walls of its high-value garden, saying in a statement that it had “taken steps” to protect its users by blocking techniques that exploit fake credentials to gain access to iMessage.

“Beeper Mini was introduced on Tuesday and has risen to the 20th most sensible spot on the Play Store charts,” its creator said in a blog post. “Beeper Mini is the fastest growing paid Android app launch in history. In the first 48 hours, it was downloaded by over 100,000 people... Android and iPhone consumers desperately need to be able to chat with high-quality images/videos, encryption, emojis, writing status, reading receipts... For 3 great days last week, Beeper Mini has made it possible.”

The point of leftovers and the news interest in Beeper illustrate that Apple has a few things to do to keep this contained. Yesterday, Beeper cross-checked to get it working again. But it looks to be a game of Whac-A-Mole that Apple can’t lose. “Beeper Mini is back,” its creator said in a new post. But for how long?

And its author knows that the waters are unlikely to be calm. “We have released Beeper,” he posted. “Things have been a bit chaotic and we don’t feel comfortable subjecting paid users to that. As soon as things stabilize (hopefully, they will), we’ll reactivate subscriptions.”

Obviously, any app that opens iMessage on a non-Apple device will introduce potential security vulnerabilities, as it can’t replicate the security inherent in the system itself. Apple has described those techniques as “significant dangers to user security and privacy,” adding “the possibility of metadata exposure and activation of unwanted messages, spam and phishing attacks.”

Apple’s decision was harshly criticized by Senator Elizabeth Warren. “Green bubble texting is less secure,” she posted on X, “so why would Apple block a new app that allows Android users to chat with iPhone users on iMessage? Big tech executives protect their profits by crushing their competitors. Chatting between other platforms will be undeniable and secure.”

Apple doesn’t seem likely to shift on this approach though, saying in a statement that “we will continue to make updates in the future to protect our users.”

The Beeper drama is the best illustration of the dilemma Apple faces with its competing priorities: how to protect both the user and a walled garden, given that hampering communications between the world’s two largest smartphone ecosystems is not an easily defensible position, not when over-the-top products solve this challenge very well.

iMessage has to decide what it is. If it’s the default communication platform for Apple users, then no matter who you message, your security should come first. If it’s more of an Apple-only platform, other messaging apps should be able to occupy the default location on an iPhone, as Google allows. Doing neither perpetuates this uncomfortable contradiction for Apple’s security and privacy.

And there is an irony here. Beeper strongly argues that it improves, rather than reduces, security for Apple users, and that it “has greater security and less exposure for Apple users, especially compared to popular SMS.”

Beeper CEO Eric Migicovsky told The Verge and TechCrunch that Beeper does not allow spam or phishing, and also said that Beeper does not use “fake credentials.” Migicovsky said that Beeper’s core generation of iMessages has its source code available on GitHub and that, with the repository provided through a third-party studio company, his company would be offering its Android source code to Apple or other stakeholders.

The Beeper drama means Apple users are advised to use another platform as their daily messenger. WhatsApp would be my recommended solution, since it happens to focus on security and privacy first and foremost, and most other people you know will have it installed. For even more secure messages, use Signal.

Apple has already fixed iMessage’s other big privacy flaw this year, with iCloud’s brilliant ADP (Advanced Data Protection) end-to-end encrypting device backups and the message decryption keys that in the past were accessible to Apple when cloud backups were enabled. Ironically, it also closed the same security loophole for WhatsApp, without users having to resort to its clunky encrypted backup option that provided the necessary workaround before ADP.

ADP is such a vital step in the right direction that I hope there will be a common-sense convergence between Google and Apple, coming together to offer this level of security for cross-platform messaging. Any other solution would be a real shame, leaving users exposed for some time.
