[poorman]

How safe is the contact that is uploaded to the iCloud? How safe is the contact from being modified by some app on your iPhone? The contact containing the verification code seems to be one of the weaker link in this whole thing.

If Mallory can change the verification code in the contact to their own, the communication between Alice and Bob is no longer protected.

[thamer]

They can't just change the verification code, and it's not based on the fields of the contact card. You can think of it as a fingerprint for their iMessage public key, the one used to encrypt messages end-to-end. If the key with which your phone encrypts iMessage payloads has changed, it indicates that the conversation is being intercepted.

WhatsApp supports this too, see "Verify Security Code" on this page: https://faq.whatsapp.com/820124435853543

So does Signal: https://support.signal.org/hc/en-us/articles/360007060632-Wh...

So does Telegram: https://telegram.org/faq#q-what-is-this-39encryption-key-39-...

[grgar]

But the verification code is stored in the contact card, so the parent comment still stands. Anything that can access contacts, e.g. apps or iCloud (since Contacts are not part of Advanced Data Protection i.e. E2E encryption), can modify the verification code in the contact used by Messages for validation.

[lilyball]

According to https://security.apple.com/blog/imessage-contact-key-verific..., the actual verified hash of the account key is stored in an end-to-end encrypted CloudKit container and merely linked to from the contact card.

[_rs]

Oh interesting, that is not at all clear based on the Contacts UI which shows it like any other field

[varenc]

The iOS Contact APIs shouldn't allow modifying this.

You can also try exporting the contact to a vCard .vcf file using the Share Contact button. I believe the iMessage key verification info won't be included. (But as you noted the most important thing is that it can't be modified)

[blurrybird]

That’s just good UI design. Make complex stuff look dead simple.

[brookst]

Are you saying the iOS contacts API lets apps read and write the verification code? That seems like terrible design. What need would a 3P app have for that capability?

[isodev]

No, there is no way for apps to read and write this information.

[rootsudo]

It doesn’t matter, the keyword is “in transit” but since it requires iCloud Keychain - it also means it’s compromised with LE. Also the fact that most people they have iCloud also will backup their messages….

So it’s nice that it’s encrypted in transit but since iMessage is apple only and requires.. see above!

[turquoisevar]

iCloud Keychain compromised with LE? As in law enforcement?

How do? iCloud Keychain is E2EE with a key derived from your device password/passcode.