>When someone starts an iMessage conversation with you, they fetch your public key(s) from Apple’s servers. Before that message leaves the sender’s device, it’s encrypted into something that only your device knows how to decrypt.
From the article, that's the part where Apple could MITM the communication, because public keys retrieved from Apple would be automatically trusted. They can just silently inject an extra public key for which they have the private key. That said, it seems like the protocol at least has forward secrecy, meaning that if they didn't inject a bad key when the message was sent, there's not much they can do later to decrypt the message (unless they have a backdoor that allows them to force your phone to send them its private key).
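As an added illustration of the trust problem the comment describes (this is constructed example code, not from the article, the commenter, or Apple's implementation): a sender that encrypts to whatever public keys a directory returns has no way to tell a legitimately added device from an injected key, so the defensive check is on the sender side, pinning the set of key fingerprints seen for a contact and flagging any key that appears later until it is confirmed out of band. The `KeyDirectory` and `PinnedClient` classes and the sample key bytes are all made up for the demonstration; the directory is a toy dictionary and the "keys" are arbitrary byte strings, since the point is the comparison logic, not the cipher.

```python
import hashlib


def fingerprint(pub: bytes) -> str:
    """Short SHA-256 fingerprint, the kind of value a user could compare out of band."""
    return hashlib.sha256(pub).hexdigest()[:16]


class KeyDirectory:
    """Constructed stand-in for a server that hands out a user's public keys (one per device).
    A malicious operator can call register() to slip in an extra key the user never created."""

    def __init__(self) -> None:
        self._keys: dict[str, list[bytes]] = {}

    def register(self, user: str, pub: bytes) -> None:
        self._keys.setdefault(user, []).append(pub)

    def lookup(self, user: str) -> list[bytes]:
        return list(self._keys.get(user, []))


class PinnedClient:
    """Sender-side pinning (hypothetical client, not the real protocol).

    First lookup for a contact is trusted (trust on first use) and its fingerprints are pinned.
    Later lookups are compared against the pin: any fingerprint not previously pinned is reported
    so the user can verify it with the contact before anything is encrypted to it.
    """

    def __init__(self) -> None:
        self.pins: dict[str, set[str]] = {}

    def check(self, user: str, keys: list[bytes]) -> list[str]:
        """Return fingerprints of keys not covered by the pin (empty list means nothing new)."""
        seen = {fingerprint(k) for k in keys}
        if user not in self.pins:
            self.pins[user] = seen  # trust on first use
            return []
        return sorted(seen - self.pins[user])

    def approve(self, user: str, fp: str) -> None:
        """Called only after the user confirmed the fingerprint out of band."""
        self.pins.setdefault(user, set()).add(fp)

    def keys_to_encrypt_to(self, user: str, keys: list[bytes]) -> list[bytes]:
        """Only keys whose fingerprint is pinned are used; unverified ones are skipped."""
        pinned = self.pins.get(user, set())
        return [k for k in keys if fingerprint(k) in pinned]


def demo() -> tuple[list[str], int]:
    """Constructed scenario: two real devices, then a silently injected third key."""
    directory = KeyDirectory()
    directory.register("alice", b"alice-phone-pubkey")   # constructed sample key bytes
    directory.register("alice", b"alice-laptop-pubkey")  # constructed sample key bytes

    client = PinnedClient()
    client.check("alice", directory.lookup("alice"))     # first contact: pins both keys

    directory.register("alice", b"injected-pubkey")      # operator adds a key it controls
    unexpected = client.check("alice", directory.lookup("alice"))
    usable = client.keys_to_encrypt_to("alice", directory.lookup("alice"))
    return unexpected, len(usable)


if __name__ == "__main__":
    new_fps, n_used = demo()
    print("unexpected fingerprints:", new_fps)
    print("keys the message would be encrypted to:", n_used)
```

The check catches an added key only if the sender has seen the contact's key set before and compares fingerprints through a channel the directory operator does not control; without that out-of-band comparison, the pinning only detects a change, it cannot tell who caused it.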