Protecting iMessage Communications

November 4th, 2020 by Oleg Afonin
Category: «Clouds», «Mobile», «Tips & Tricks»

How secure are your chats in your favorite instant messenger? Can someone intercept and read your secret conversations, and can you do something about it? Apple users have access to the highly popular instant messaging system, the iMessage. But how secure it really is? Let’s find out.

When it comes to instant messaging, there are generally three ways to gain access to your chats:

  • Intercept messages in transit
  • Obtain conversation backups from a cloud
  • Extract messages from the endpoints (devices)

Whatever messenger you use (built-in or third-party with “military-grade encryption”), it is important to understand all the risks. We covered some issues in Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition. There is also Secure Messaging Scorecard (by the EFF), a nice though outdated source.

What are the most popular messengers? I know you’re going to hate the answer, but… it depends.

In most countries, the top hits are Facebook Messenger and WhatsApp, and we have an app for the latter (Elcomsoft eXplorer for WhatsApp). In China, there are some very different instant messengers in use (WeChat, QQ, Momo and so on). In Russia it’s a different story altogether (have you heard about Viber?), and Brazil is quite unique with heavy WhatsApp dominance. Today, we are going to talk about another one, which is pre-installed and intensively used on Apple devices: the iMessage.

Messages in transit

You may forget about iMessage interception. The iMessage protocol has no known vulnerabilities (although some security flaws may exist), so there is absolutely no way to decrypt messages in transit. You don’t need to do anything to protect your iMessages in transit; they are already secure.

Protecting iMessages in local backups

Local backups (the ones you may or may not have made with the iTunes app) do have contain the entire iMessage database, complete with messages and all the attachments. If you never protected your backups with a password, is easily available as a part of the iTunes backup. The only way to protect the backup (and encrypt your iMessage database) is setting a backup password in iTunes. Once you do, the entire backup, including your iMessages, will be encrypted with that password. Since you’re likely won’t be using that password very often, do yourself a favor and set up a long, complex and, most importantly, unique password. Once you configure a password, all backups you make from then on will be protected with that password.

Can someone bypass the backup password? If they have physical access to your iPhone and they happen to know your passcode, they can reset the backup password through iPhone settings by going through a simple walkthrough.

Can you protect yourself against this scenario? Yes, you can block the reset attempts by enabling the Screen Time password in your iPhone settings. We have a comprehensive article detailing how you can do it; read Using Screen Time Password to Protect iPhone Local Backups for details.

Once you configure a (unique!) Screen Time password, you are well-protected against so-called logical acquisition attempts. Unless they happen to know both your screen lock passcode AND your Screen Time password, your messages will be safe from extraction (but can still be read in the Messages app if they can unlock your phone).

Protecting your iPhone

If the password cannot be reset, your messages might be pulled from your iPhone. If you are using an older model (up to and including the iPhone 8, 8 Plus and iPhone X range), your iPhone is vulnerable to a hardware exploit. This exploit cannot be patched by Apple.

Older versions of iOS have known vulnerabilities that can be also exploited to access the file system. Therefore, if someone has your phone and knows your passcode (or there is no screen lock passcode at all), they can jailbreak it by installing the checkra1n jailbreak or extract data by using the agent with Elcomsoft iOS Forensic Toolkit.

One more thing you should be aware of: if you are using the older device (the use of checkra1n allows extracting some message data (up to and including the iPhone 8, 8 Plus and iPhone X range), some iMessage-related data such as the message drafts and some message attachments can be extracted even from locked devices with full file system acquisition in BFU (Before First Unlock) mode.

How can you protect your iPhone against these attacks? If you are still using an older device, upgrade it to at least the iPhone SE 2, iPhone Xr/Xs/Xs Max or newer. The iPhone 11 and 12 range is immune to the hardware exploit.

If you are still using an older version of iOS, update it to the latest one.

Finally, make sure you are using a 6-digit or better screen lock passcode that can not be easily guessed.

Your iMessages in iCloud

Depending on whether or not you had enabled the Messages in iCloud feature available in recent versions of iOS. In Keep all your messages in iCloud, Apple provides information about enabling and disabling the feature. What this article does not tell is how enabling this feature affects the security of your iMessages. Does it increase or reduce security?

In fact, enabling Messages in iCloud does indeed make them more secure. With this feature disabled, your entire iMessage is saved to iCloud backups (if you have them enabled). Not only can anyone with access to your Apple account download the backup with Elcomsoft Phone Breaker, but Apple will also provide them to the law enforcement when facing a legal order.

If, however, the Messages in iCloud feature is enabled, Apple will encrypt your messages with end-to-end encryption. If Messages in iCloud is enabled, the iMessage database is not included to iCloud backups (local backups remain unchanged); instead, they are directly synced with the your iCloud account. How secure is that? Look at the iCloud security overview:

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple.

Apple’s implementation of “end-to-end” encryption is secure, at least on the most part. With proper account credentials, one can download messages along with attachments directly from iCloud. However, in addition to the login and password, one extra thing is needed: your iPhone screen lock passcode or the passcode of an already trusted device (just the passcode, not the device itself). Here is everything that is needed to pull iMesages if you have Messages in iCloud enabled:

  • Your Apple ID
  • Your Apple account password
  • Second authentication factor (SMS or trusted device)
  • Passcode of any of your trusted Apple devices

For more details, see iMessage Security, Encryption and Attachments.

Can you secure your account? The only thing you can do is choosing a long, complex (6 digits or more) screen lock passcode on all iOS devices with Messages in iCloud enabled. Make sure the passcodes are unique and cannot be easily guessed.

Conclusion

Are your iMessages secure? Yes, in the most part, but it is your duty and your responsibility to physically secure your personal devices and protect access to your Apple account.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »