Skip to main content
  1. Home
  2. Mobile
  3. News

From iMessage to Lightning cables, here’s how Apple secures your digital life

By
apple imessage ios lightning icloud security

We rely on our smartphones, tablets, and computers, so digital security matters to us whether we know anything about it or not. But it’s also tough to understand: we have little choice but to trust that when a company says it’s doing everything it can to keep our data and information secure, they’re actually doing it. They’re the experts, right? You know, like Target. And Adobe. And Yahoo. And Facebook. And many, many others.

Apple is not immune to security problems (it just patched a huge SSL bug in iOS and OS X – if you haven’t updated, back up and do it now). But unlike other big tech players, the company has published a detailed overview of its security measures, answering key questions about how Apple secures users’ passwords, data, and messages, and devices – an unusually public statement from such a famously secretive company.

Recommended Videos

The upshot: Apple takes this stuff very seriously – and perhaps differently than other companies. Here are a few examples.

Related

The (private) keys are in your hands

Much of Apple’s security infrastructure relies on public key cryptography, also called asymmetric cryptography – a widely-accepted idea that’s been around since the 1970s. (Read up on how public key encryption works here.)

Even if someone cracks Apple’s servers, Apple probably won’t have much (or any) iMessage data to turn over.

Public-key cryptography is only as secure as the private key – which you, and only you, should have. If your private key is published, copied, or stolen, your data is not secure. Apple has consistently claimed it can’t snoop on iMessage and FaceTime even if it wanted to; that claim was challenged by several security researchers (Matthew Green laid out a succinct-but-technical argument) because Apple can restore recent iMessages to a new device if (say) you lose your iPhone. Therefore, Apple must be able to decrypt your messages, right?

Well, no. It turns out Apple only has the public keys for services like iMessage and FaceTime, but the private keys never leave a particular iOS device. Apple uses those public keys to encrypt every iMessage separately for every device (and only that device). Further, Apple deletes iMessages once they’re successfully delivered (or after seven days if they’re not received) so they don’t linger long on Apple’s servers. (Photos and long messages get encrypted separately, subject to the same deletion rules.) That means even if someone cracks Apple’s servers (or a government serves them a subpoena), Apple probably won’t have much (or any) iMessage data to turn over. Apple also alerts users immediately when a new device is added to their account, hopefully preventing someone from illicitly adding a device so they can receive their own copies of your messages.

What about your Keychain?

Apple’s iCloud keychain handles sensitive data – like passwords and credit card numbers – and keeps them synchronized between devices. So iCloud must keep a copy of that data to do the syncing, right? Well, no.

iMessage

Apple uses a similar public-keys-only method to synchronize Keychain items. Apple encrypts each item separately for each device, and Apple only syncs one item at a time as needed, making it very difficult for an attacker to capture all your Keychain data, even if Apple’s core system was compromised. To get your Keychain, an attacker would need both your iCloud password and one of your approved devices to add one of their own – along with fervent prayers you never see those notices Apple sends immediately when a new device is added.

Okay, so what about the optional iCloud Keychain Recovery? Apple must have all your Keychain data in order to restore it all, right? Well, yes. But Apple’s done something clever here too. By default, Apple encrypts Keychain Recovery data with Hardware Security Modules (HSMs), hardened devices used by banks and governments to handle encryption tasks. Apple has programmed the HSMs to delete your data after ten failed attempts to access it. (Before that, users have to contact Apple directly before making more attempts.) To prevent anyone from reprogramming the HSMs to change their behavior, Apple says it has destroyed the administrative access cards that allow firmware changes.

Even Apple can’t change the system without physically replacing whole clusters of HSMs in their data centers – which is a pretty intense physical security barrier for would-be attackers. And even if they pulled that off, the attack would only work on newly-stored Keychains: existing ones would still be safe.

Lightning in a bottle

Apple has confirmed long-standing suspicions that manufacturers in Apple’s Made for iPhone program must include a cryptographic circuit supplied by Apple for Bluetooth, Wi-Fi, or Lightning access to iOS devices. The circuit proves a device is authorized by Apple; without it, iOS accessories are limited to analog audio and audio playback controls: enough for speakers, but no access your apps or data. Some might argue this custom chip is an example of Apple forcing you to buy its own products, but it also means the odds are very low that plugging in somewhere to charge your device will compromise its security.

Tip of the iceberg

Apple’s white paper discusses many other technologies like Siri (including how long Apple holds on to data), the 64-bit A7 processor, and the iPhone 5S’s TouchID feature (Apple estimates the odds of a random fingerprint matching yours are about 1 in 50,000), and how apps and data are secured within iOS itself. Security experts will be pondering the contents for a long time.

Some might argue this custom chip is an example of Apple forcing you to buy its own products.

None of this makes Apple devices or services immune from attack or flaws. Apple could be leaving out important information, or it could simply be blowing smoke – Apple certainly isn’t going to allow teams of fact-checkers into its data centers. But there’s little reason to doubt Cupertino’s authenticity here. Moreover, the paper again reveals Apple to be a very different from the Googles and Facebooks of the world, which thrive off monitoring our communications and personal data. 

Apple’s paper is a solid step forward. One could hope it will inspire other companies to detail how they keep users’ data secure – but I wouldn’t hold my breath.

Editors’ Recommendations

Topics
Geoff Duncan
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Apple’s latest iPhone SE can be yours for $149 today
The Apple iPhone SE (2022) being held in a mans hand.

Alongside the many Prime Day deals that Amazon has been running, Walmart has also offered its own sale in the form of Walmart+ Week. One of the best deals there is on the third-generation iPhone SE for just $149. It's a huge saving of $230 compared to the original price of $379 although there is a catch -- the phone is locked to a Straight Talk prepaid subscription. Still, if that isn't an issue for you, this is a super sweet deal. You're going to need to be fast though as with Prime Day running to a close in a matter of hours, it's also likely that deals like these will end soon too. Here's what to expect from it.

Why you should buy the third-generation Apple iPhone SE
The third-generation Apple iPhone SE, which was released in March 2022, is powered by Apple's A15 Bionic chip -- the same one that you'll find in the iPhone 13 and the iPhone 14. That means the Apple iPhone SE 2022 is pretty powerful for its price, with snappy performance when you launch even the most demanding apps and when you're multitasking between them. The device is also equipped with a 4.7-inch Retina HD display, which may be small compared to the screens of other modern smartphones, but it makes up for the lack of size with excellent color accuracy and overall high quality.

Read more
I finally got an Apple Watch Ultra. Here are 3 ways it surprised me
Apple Watch Ultra with Starlight Alpine Loop on wrist.

The first Apple Watch (later dubbed Series 0) originally came out in April 2015, but I was skeptical at that point. I eventually gave in a few months later and bought an Apple Watch to replace my old Fitbit, and I haven’t turned back since.

My first Apple Watch lasted several years before I upgraded to an Apple Watch Series 3, which I purchased because the price on those had fallen low enough to make me go, “Why not?” Then in 2019, Apple showed off the Apple Watch Series 5, which was a huge turning point for the Apple Watch because of the always-on display. I purchased the titanium version of that, and it has served me well for the past three years — thanks to the titanium material, it still looks brand new.

Read more
How to turn a Live Photo into a video on your iPhone
Live Photo to video with hand holding iPhone.

Live Photos is a fun feature Apple brought to the iPhone 6s many years ago, turning static photos into three-second clips by capturing what happens in the 1.5-second interval before and after you tap the shutter button. This feature has been a staple of every iPhone model since then, and even if you're new to the iPhone, you've likely already used it already since it's turned on by default — you have to take specific steps to disable it if you want to go back to taking normal snapshots.

There aren't any significant downsides to leaving Live Photos enabled. You can share them as a normal, static photo just like other image, and while they will take up a bit more space on your iPhone, that's not as significant as it once was, thanks to Apple's switch to the more efficient HEIC format in 2017. While Live Photos could once grow nearly twice as large as the same static JPEG, today you'll more typically see only a 25% difference, on average.

Read more