Researchers have reverse-engineered the protocol for Apples popular iMessage and conclude that, while the protocol makes sense from a security standpoint with high cryptographic standards, the fact remains that Apple controls the encryption key infrastructure and as such has access to the data.
“Apple can read your iMessages if they choose to, or if they are required to do so by a government order. As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages,” the report contends.
The researchers also point out that Apple has access to messaging metadata,which is the information that describes elements of data contained in the digital packets communicated between systems, which can reveal who made the communications, as well as when where they took place.
“A good way to to think about it is like postal mail. Metadata is like the envelope or a package – you can see where it is being delivered, who it’s from, the date like with the post-stamp, you can also see the size, the weight – so general information about that message, but you can’t access the contents,” said Tripwire’s Ken Westin.
The researchers concur that metadata access is a privacy issue, stating that “the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they [Apple] have your metadata.”
In addition, the researchers revealed that Apple does not sue certificate pinning for iMessage, leaving the system vulnerable to Man-in-th-Middle attacks (MitM), where a third-party can surreptitiously insert themselves into the communications stream to intercept sensitive data and impersonate either party in the exchange.
The researchers were able to create a bogus certificate authority and then add it to an iPhone keychain to “proxify” SSL encrypted communications to and from the device, and in the process discovered that their AppleID and password was being transmitted in clear text.
“Firstly, it means that Apple can replay our password using for instance our email also on many websites. Ok, Apple has no reason to do so. But what of intelligence agencies?” the researchers said.
“Secondly, it also means that anyone capable of adding a certificate and able to proxify the communications can get user’s AppleID and password, thus get access to iCloud accounts, backups, buy apps….”
Read More Here…