Apple iMessage Problem Exposed By Facebook Messenger Update

With Apple’s iPhone 15 still relatively fresh on the shelf, the company’s first radical iPhone 16 update has already hit the headlines—but it has become clear that there’s a huge potential issue in the mix, one that has just been made worse by a surprise new update.

12/12 update below; this article was originally published on 12/9.

iMessage is a cornerstone of its ecosystem, and one that has received increasing attention in recent years—some good, some bad. But it remains the sticky glue that helps keep Apple’s walled garden in place, prompting Meta’s Mark Zuckerberg to describe it as “a key linchpin of [Apple’s] ecosystem—which is why iMessage is the most used messaging service in the U.S.”

But Apple limiting its iMessage platform to those within its walled garden has been much criticized, especially when it appeared this was a decision more commercial than technical in the making. And so its semi-reversal, to seemingly bow to pressure and enable iMessage users to text cross-platform using the RCS standard being pushed by Google across the Android ecosystem, was very welcome.

But there’s a catch—and it’s a big one. The messaging platform end-to-end encrypts content between Apple users, but reverts to the appallingly insecure SMS architecture as soon as a green-bubbled Android device slips into the mix. And this is a problem the company appears to be only half fixing—which has been made much worse by the timing of Facebook’s surprise update of its own this week.

“Later next year,” Apple announced in November, “we will be adding support for RCS Universal Profile, the standard as currently published by the GSM Association.” And while Apple lauded the “better interoperability experience when compared to SMS or MMS” this will bring to cross-platform messaging, it also said that it will work in parallel with iMessage, “which will continue to be the best and most secure messaging experience for Apple users.”

RCS is not end-to-end encrypted—it is a protocol that manages messaging traffic between client devices, replacing SMS but essentially running across the same inter-network carrier architecture. RCS is more secure than SMS, but not fully secure like WhatsApp or Signal, or like Google’s own Messages app now that Google has piloted and more recently defaulted to end-to-end encryption. But that is a layer Google has wrapped around RCS within its own app—it has not changed RCS itself.

And with timing being everything, Apple’s news was quickly followed by Zuckerberg’s, which gets to the very heart of that iMessage vulnerability. Four years after being first announced, Facebook is finally end-to-end encrypting its Facebook Messenger app, despite huge pressure from governments and security agencies to hold back. This means that Meta, Apple’s long-standing nemesis, will be offering two hyper-scale, end-to-end encrypted, cross-platform messaging apps when Apple itself has none, while still not letting its users change the default device messaging app from iMessage.

“Meta’s tight integration into Facebook’s user profiles make it crucial to have untampered communications,” ESET’s cyber guru Jake Moore told me. “This will make law enforcement that much harder. However, the latter is a price to pay given that the vast majority of messaging platforms offer encryption to the masses.”

I have been vocally critical of Messenger’s lack of encryption, albeit there is a genuine issue with Messenger encryption versus WhatsApp or Signal, given its linkage to a social media platform, where users can be searched, profiled and messaged by strangers. Facebook puts in place various security measures to monitor underage accounts, and in my view the focus should be on those accounts, flagging messaging in and out and even, perhaps, changing privacy measures accordingly.

But what this move does mean is that the world’s three largest non-Chinese messaging platforms, WhatsApp, Google Messages and Facebook Messenger, now end-to-end encrypt by default and essentially democratize access to this level of peer-to-peer security. Telegram remains an outlier, with its lack of default end-to-end encryption belying its security PR messaging. As does iMessage right now—outside that walled garden. The plea to Apple is to engage with Google on a cross-platform encryption architecture that would properly resolve this issue for billions of users.

“Apple will go as far as offering a level of encryption to conform,” Moore says, “but ultimately it wants everyone to be pure iMessage users with Apple products only.” That “level of encryption” is no better than Google provided before its move to end-to-end encryption—it’s not fully secure.

Google has long pressured Apple to adopt RCS, eroding the green bubble / blue bubble hierarchy; Apple does have the option to put pressure back on Google to open its RCS end-to-end encryption so that it can integrate with iMessage’s adoption of the protocol. Apple users should then be able to choose whether to use fully encrypted RCS or iMessage as their default.

Instead, it seems more likely that Apple will work with the GSMA mobile standards body to strengthen the security of the base RCS itself—realistically, though, that process of driving towards any form of end-to-end encryption, with all the stakeholders and Google’s own deployment, will take years and will be wrapped in complexity. And until that results in a fix, iMessage will continue to offer its full security just to Apple users.

12/12 update:

It hasn’t taken long after Apple’s RCS announcement for its defensive position on iMessage, and on anything that lessens its sticky nature when it comes to iPhone versus Android, to come to light once again. There are echoes here of the controversy when an Apple exec dismissed opening iMessage up to other platforms on competition grounds.

The latest Android workaround for iMessage, Beeper, which had for a time opened up a gate into Apple’s walled garden, was fairly quickly blocked, with Apple fixing the breached walls of its high-value garden and saying in a statement that it had “taken steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.”

“Beeper Mini launched on Tuesday and rocketed to top 20 of Play Store charts,” its maker said in a blogpost. “Beeper Mini was the fastest growing paid Android application launch in history. In the first 48 hours, it was downloaded by more than 100,000 people… Android and iPhone customers desperately want to be able to chat with high quality images/video, encryption, emojis, typing status, read receipts… For a glorious 3 days last week, Beeper Mini made this possible.”

The level of user and media interest in Beeper does illustrate that Apple has a job on its hands to keep this contained. Yesterday, Beeper was recut such that it would work again. But this does appear to be a game of Whac-A-Mole that Apple can’t lose. “Beeper Mini is back,” its maker said in a new post—but for how long?

And its maker knows that there’s unlikely to be smooth waters ahead. “We’ve made Beeper free to use,” it posted. “Things have been a bit chaotic, and we’re not comfortable subjecting paying users to this. As soon as things stabilize (we hope they will), we’ll look at turning on subscriptions again.”

Clearly, any app that does open up iMessage on a non-Apple device is going to introduce potential security vulnerabilities, as it can’t replicate the genuine security that’s inherent in the system itself. Apple described such techniques as posing “significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.”

Apple’s move was strongly criticized by Senator Elizabeth Warren. “Green bubble texts are less secure,” she posted on X, “so why would Apple block a new app allowing Android users to chat with iPhone users on iMessage? Big Tech executives are protecting profits by squashing competitors. Chatting between different platforms should be easy and secure.”

Apple doesn’t seem likely to shift on this approach though, saying in a statement that “we will continue to make updates in the future to protect our users.”

The Beeper drama perfectly illustrates the dilemma for Apple as it grapples with its competing priorities: how to maintain both user security and a walled garden, given that hampering comms between the world’s two biggest smartphone ecosystems isn’t an easily defensible position, not when the over-the-top messaging apps address this so well.

iMessage needs to decide what it is. If it’s to be the default comms platform for Apple users, regardless of who they message, then its security should come first. If it’s to be more an Apple-only platform, then other messaging apps should be able to take the default slot on an iPhone, just as Google allows. Doing neither maintains this uncomfortable contradiction for security- and privacy-first Apple.

And there’s an irony here. Beeper strongly claims that it’s enhancing not reducing security for Apple users, and that it “has increased security and decreased exposure for Apple's users—especially compared to standard SMS.”

Beeper CEO Eric Migicovsky told The Verge and TechCrunch that Beeper “did not allow for unwelcome messages, spam, or phishing” and that Beeper does not use “fake credentials.” Migicovsky also said that Beeper’s core iMessage technology has its source code available on GitHub and that, with escrow provided by a third-party research firm, his company would offer its Android source code to Apple or other involved parties.

The Beeper drama does mean that Apple users are well advised to use a different platform as their day-to-day messenger. WhatsApp would be my recommended go-to, given it does seem to focus on security and privacy above all else, and most of the people you know will have it installed. For even more secure messaging, use Signal.

Apple has already fixed the other huge iMessage privacy hole this year, with iCloud’s brilliant ADP (Advanced Data Protection) end-to-end encrypting device backups and the messaging decryption keys that were previously accessible by Apple when cloud backups were enabled. Somewhat ironically, this also plugged the same security gap for WhatsApp, without users having to revert to its somewhat clunky encrypted backup option that had provided the needed workaround pre-ADP.

ADP is in fact such a significant step in the right direction that my hope is there will be a common-sense meeting of minds at Google and Apple, coming together to deliver that level of security for cross-platform messaging. Anything else would be a real shame, leaving users exposed for some time to come.
