Illustration by Alex Castro / The Verge
Apple’s new iOS and iCloud security initiative includes a new way for iMessage users to verify that they’re talking to the person they think they’re talking to. The company claims the new iMessage Contact Key Verification will let people who “face extraordinary digital threats,” such as journalists, activists, or politicians, make sure that their conversations aren’t being hijacked or snooped on.
According to a press release on Wednesday, if both people in an iMessage conversation have the feature enabled, they’d get an alert if “an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.” They’ll also be able to compare contact keys via other means — such as a secure call or in-person meeting — to make sure that they’re actually having a conversation with each other and not unknown third parties. That sort of thing has long been a security best practice, whether you’re verifying that software you downloaded is legitimate or setting up PGP encryption for email conversations.
Image: Apple
A journalist or politician getting this notification would likely be a very bad sign, but it’s better than not knowing it happened.
If this all sounds like hardcore spy business, that’s probably not by accident. Apple’s acknowledging that iMessage has been targeted by nation-states, many of which may not have people’s best interests at heart. And while iMessage has long been end-to-end encrypted, there have been a few caveats and incidents that have potentially driven the platform’s most sensitive users to look for other secure messaging apps like Signal or WhatsApp. Journalists have had their phones targeted by nation-state-level spyware, potentially with the intent of reading their messages.
As critics (including Mark Zuckerberg) have pointed out, messages you send and receive may also be included in iCloud Backups, depending on certain settings you or the person you’re talking to have. Until now, those weren’t fully end-to-end encrypted, so Apple could get at your messages if it really needed to (read: if a subpoena told it to). Apple’s addressing that point in other ways — Wednesday’s announcement also included Advanced Data Protection for iCloud, which adds end-to-end encryption for those iCloud Backups. You can read more about that from my colleague Jay Peters here.
While it’s not exactly clear whether iMessage Contact Key Verification will be able to help if your phone has been completely taken over by advanced spyware (though Apple’s recently introduced an extreme lockdown mode to help people who may be targeted by those sorts of things), it’s definitely a step up for people looking to use iMessage for their most sensitive conversations.
It is, however, worth noting at this point that iMessage exclusively remains a platform for using your Apple device to talk to other people with Apple devices — a point that many critics have said is part of the company’s lock-in strategy (and part of the reason why alternate secure messaging apps with cross-platform support are so popular). With hints that regulators could be looking to force Apple to open up iMessage, the company could theoretically argue that doing so would break important security protections for some of its most vulnerable users. Plus, if you’re relying on iMessage to keep you safe, what are the odds that you’ll move to another phone?
With that said, I doubt anyone’s going to complain about having access to this feature when it becomes available worldwide sometime next year.