[happyhardcore]

It's really impressive that a high school student [1] has managed to reverse engineer iMessage. What I'm wondering is:

1. How stable is it; would it be trivial for Apple to patch this?

2. If it's as simple as reverse engineering the protocols, how has it taken this long?

[1] https://github.com/JJTech0130

[Obscurity4340]

Its more a commentary on how amateur it is in my respectful view. iMessage is a fundamentally unserious "product" in search of enough collateral flaws to harm those foolish enough to depend on it for anything.

[foobiekr]

Do you somehow think complexity is the opposite of amateur - that is, complex = professional?

Because I have bad news for you. If iMessage is simple that means literally the opposite of what you think it means.

[happyhardcore]

How so? Other than the security issues that get exploited by NSO group from time to time (that appear to be mitigated fairly well by lockdown mode if that's something that's important to you) or the obvious flaw that you can't talk to anyone that doesn't have an iPhone it seems to be a perfectly good platform. The alternatives either have worse encryption (Telegram, RCS), worse privacy (WhatsApp), or the same platform lock-in as iMessage (Google's RCS).

[standardUser]

> the obvious flaw that you can't talk to anyone that doesn't have an iPhone

That's because iMessage is a first and foremost a marketing tool that Apple compels users to rely on.

[Obscurity4340]

iMessage is the LastPass of messaging apps. This has been endlessly discussed and I want people to use their curiosity to help direct them to why I would comment in this way. In practice (not whitepaper or the ideal implementation), it is no more secure than sms (actually worse)

[saagarjha]

This is absolutely not true. iMessage is a full E2E implementation; it’s nothing like SMS.

[Obscurity4340]

I'm curious how Apple implements Keychain in the sense that they claim it is also e2ee but they also use e2ee for ADP and its absolutely not (or at least not zero knowledge), rather it is convergent encryption which is not zero-knowledge and also allows for knowledge of filenames and hashes cuz "de-dupe" is so important for people with TB of cloud storage at the expense of their privacy.

[saagarjha]

Pretty sure they use a different implementation, iCloud Keychain long predates Advanced Data Protection.

[modeless]

"E2E" is a joke when Apple holds the encryption keys to the vast majority of all messages, and uses them to respond to law enforcement requests. (It's how iCloud backup works by default and we know people don't change defaults. This is documented by Apple, not a conspiracy theory.)

[Bagged2347]

> It's how iCloud backup works by default and we know people don't change defaults

Are you referred to Advanced Data Protection being opt-in?

If I'm using ADP then these concerns are moot, right?

[jwells89]

It’s still a substantial upgrade over SMS or unencrypted (non-Google) RCS, where anybody can snoop on conversations with little effort.

[saagarjha]

Ok, but you can change yours, yes? Just like Signal isn’t installed by default on your phone and if you want what it offers you can use it.

[nickpeterson]

The joke will be when they increase iMessage security to prevent these solutions from working well ;)

[Obscurity4340]

That's the thing tho: it will never be secure because its the skeleton key. It was never truly intended to be secure. Same reason why only WebKit's allowed on all billion+ iPhones. Access is only guranteed if its monocultural.