Apple’s new iOS and iCloud security initiative includes a new way for iMessage users to verify that they’re talking to the person they think they’re talking to. The company claims the new iMessage Contact Key Verification will let people who “face extraordinary digital threats,” such as journalists, activists, or politicians, make sure that their conversations aren’t being hijacked or snooped on.
According to a press release on Wednesday, if both people in an iMessage conversation have the feature enabled, they’d get an alert if “an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.” They’ll also be able to compare contact keys via other means — such as a secure call or in-person meeting — to make sure that they’re actually having a conversation with each other and not unknown third parties. That sort of thing has long been a security best practice, whether you’re verifying that software you downloaded is legitimate or setting up PGP encryption for email conversations.
If this all sounds like hardcore spy business, that’s probably not by accident. Apple’s acknowledging that iMessage has been targeted by nation-states, many of which may not have people’s best interests at heart. And while iMessage has long been end-to-end encrypted, there have been a few caveats and incidents that have potentially driven the platform’s most sensitive users to look for other secure messaging apps like Signal or WhatsApp. Journalists have had their phones targeted by nation-state-level spyware, potentially with the intent of reading their messages.
As critics (including Mark Zuckerberg) have pointed out, messages you send and receive may also be included in iCloud Backups, depending on certain settings you or the person you’re talking to have. Until now, those weren’t fully end-to-end encrypted, so Apple could get at your messages if it really needed to (read: if a subpoena told it to). Apple’s addressing that point in other ways — Wednesday’s announcement also included Advanced Data Protection for iCloud, which adds end-to-end encryption for those iCloud Backups. You can read more about that from my colleague Jay Peters here.
While it’s not exactly clear whether iMessage Contact Key Verification will be able to help if your phone has been completely taken over by advanced spyware (though Apple’s recently introduced an extreme lockdown mode to help people who may be targeted by those sorts of things), it’s definitely a step up for people looking to use iMessage for their most sensitive conversations.
It is, however, worth noting at this point that iMessage remains exclusively a platform for using your Apple device to talk to other people with Apple devices — a point that many critics have said is part of the company’s lock-in strategy (and part of the reason why alternate secure messaging apps with cross-platform support are so popular). With hints that regulators could be looking to force Apple to open up iMessage, the company could theoretically argue that doing so would break important security protections for some of its most vulnerable users. Plus, if you’re relying on iMessage to keep you safe, what are the odds that you’ll move to another phone?
With that said, I doubt anyone’s going to complain about having access to this feature when it becomes available worldwide sometime next year.