Hacker News
by the_mar 803 days ago
Just out of curiosity, why would you have iMessage turned off?
6 comments

iMessage has been one of the most successful delivery vectors for these spyware attacks.

So, if you think you are a likely target of a state-sponsored attack, best thing you can do on an Apple device is to turn on Lockdown Mode, turn off iCloud and iMessage, stop using Keychain, use only a YubiKey for all authentication, and restrict yourself to a limited number of essential apps on your primary device and use a dedicated burner device for all your throwaway browsing and communications, and erase/reset that device after every session. And still, assume everything you say and do online is fully compromised, because there are always system vulnerabilities that haven't been made known yet ('zero-day' attacks) and are being used to compromise highly targeted individuals. In the end, it is a very convoluted cat-and-mouse game.

> assume everything you say and do online is fully compromised

This is the way.

So it's not just me :-D

Unless things have changed since I last looked, if those you talk to aren't also on iMessage, it feels like a net negative to use as you get inconsistent/negative behavior between contacts. From that end, it becomes sort of a moral issue with the clearly arbitrarily locked gates and poor experiences. So you disable and use a non-malicious and cross-platform solution.

Apple is malicious, but Facebook is totally okay?

Apple explicitly and actively making what should be a 'standard' text message experience worse on non-Apple devices is malicious.

FB Messenger is simply an alternative. I haven't paid attention to it, but maybe the Threads fediverse integration will piss me off just as much.

> Apple is malicious, but Facebook is totally okay?

This is such a bizarre comment to make, because OP never suggested that Facebook is "totally okay". You replied to them after their edit window passed, so they didn't say that and then edit it out either.

I'm in Europe. I haven't encountered anyone in my life who has used iMessage (everyone uses WhatsApp, now also Telegram/Signal), so I don't really have a use for it. When I wanted to try the weird AR emoji / heartbeat reaction message things with my partner, we noticed we both had iMessage turned off. I guess it's like a setting that maybe we skipped during the phone setup? Not sure if it's on by default for some people.

Where in Europe is that? Surprising to me (Swedish).

I've lived in Germany and the UK; I guess I wrongly assumed it was like this everywhere in Europe. Might also be related to the social environment.

I am noticing, the social circle I am currently in has now largely moved to Telegram, whereas in other places it's 100% WhatsApp.

Telegram itself seems like one big honeypot; if people are moving from WhatsApp to Telegram, that’s quite a retrograde step.

Telegram is not end-to-end encrypted. The service provider can read the messages.
*tinfoil hat on

iMessage and RCS (and arguably MMS, although that started as cost cutting) are backdoors for the legal protections on mining telephony provider metadata for marketing. with those two "opt in" (lol) techs, all safeguards are off.

Several CVEs in the past related to iMessage. And it has surprisingly high privilege. Since I seldom need it, turning it off is better for my security.

iMessage histories are backed up in the nightly automatic non-e2ee iCloud Backup, effectively backdooring iMessage’s “end to end encryption” by escrowing the plaintext to a not-endpoint.

Apple can read approximately everyone’s iMessages out of their backups. It’s not private or secure, and claiming it is end to end encrypted is misleading almost to the point of being actually false.

This is the same behavior as SMS if you have enabled “Messages backup.” If backup is not enabled you will not have a copy of iMessages stored in iCloud (though all compatible and configured devices will still receive messages).

This can be changed by opting in to the e2ee iCloud data service “Advanced Data Protection.”

Nope. Even opting into ADP, your iMessage conversations will still be backed up to Apple without e2ee - just from the non-ADP phones of all the people you iMessage with instead of your own phone.

iMessages are backed up in duplicate - once on the sender and once on the receiver. You can only control e2ee for half of it, so your conversations are still under surveillance unless everyone you message with has also turned on ADP.

Is there any E2EE messaging service, or network protocol of any sort, that doesn't suffer from this? If an endpoint is compromised in whatever way, it doesn't matter how encrypted the data is in transit.

Signal doesn’t have this problem.

By your terminology, all iOS devices are “compromised” by default from having non-e2ee iCloud Backup enabled by default.

Signal chats on iOS are stored in a storage class that cannot be backed up or exported from the device.

Which is, of course, often not what users actually want.

That has nothing to do with turning it on or off since the same happens with SMS.

Nobody remotely versed in this stuff would expect SMS to be end-to-end encrypted, though to be honest the more notable fact to me here is that Apple can read any plaintext in your backups. iMessage is an over-the-top messaging service more akin to WhatsApp or Signal than it is to SMS, so that is a more relevant comparison. I don't know if any of the clients store plaintext messages that would be backed up to Apple in a similar manner or not, but I'd hope at least the more security-focused ones do not.

Apple makes privacy claims about iMessage including 'Apple can’t decrypt the data.', which is notably false in this (common) scenario, and requires a large asterisk on those claims, IMO bordering on making them unethical, period.

Albeit recent and optional, isn’t that a hole specifically fixed by the Advanced Data Protection option[0]? Granted, it doesn’t do much if your recipients don’t also have it enabled.

0: https://support.apple.com/en-us/102651