by omarforgotpwd 3540 days ago
Sending the requests from the client is probably not the most secure idea. Requests should be proxied through a cloud server on Apple's end to reduce the security risk of these previews.

As has been pointed out below, iMessages are end-to-end encrypted so Apple has no way to read the URL to proxy it.
You could still have the client use Apple as a proxy. This would reduce the privacy of the message but only the URL and only exposing it to a specific service at Apple. If it is a SOCKS proxy, you could reduce the exposure to just the IP address and some amount of leakage to whatever DNS server the phone is using.
Why not have the sender do that work so Apple can just stay out of it?
The sender could be a dumb SMS client. I'd be happy to just turn off previews entirely.
Which is the right way to do it and exactly how every email client does. Do you want to see previews? Have the device make the request. Do you not want to see previews? The device shouldn't make those requests.
I think the idea then would be you'd only ever show embedded previews, so URLs from dumb SMS senders just wouldn't have a preview.
OK, so just limit it to iMessage users like a lot of other iMessage features.
The client can still ask the Apple server for the metadata, since Apple already knows your IP from the push notification channel anyway. Ideally Apple would ensure that this lookup is not logged or stored in any way so there's no repository of the links people have sent to you anywhere.
The client could send the request to Apple though, and pass the URL through that way, instead of requesting the actual URL. There's a trade-off there though that Apple gets to see all the links being sent over iMessage.
> There's a trade-off there though that Apple gets to see all the links being sent over iMessage.

Exactly, this is what all the other replies saying 'just proxy the client URL call through Apple' are missing. It's not just that the iMessage was encrypted. There's also _why_ it is encrypted in the first place.

There have been zero-days in the past that only require loading a website, right? So loading links automatically should be a massive concern for iOS security. Back in August, when zero-days used by the NSO Group were discovered, it was only because activist Ahmed Mansoor didn't click on a link in a text message. https://citizenlab.org/2016/08/million-dollar-dissident-ipho...