How Secure is iMessage? Encryption and Security Risks Explained

Are the messages you send and receive via Apple’s iMessage truly secure? In this article, I’ll take a close look at Apple’s encrypted messaging service.

At a Glance

It’s true that Apple’s iMessage is much more secure than the texting app included in Android. However, even if iMessage is encrypted end-to-end, your messages are only totally secure when you’re sending and receiving messages from another Apple device. iMessage is not secure if you’re communicating with someone on an Android device (they of the green message bubbles).

In this article, I’ll explain how iMessage works, how well it is secured, and why your messages are no longer secure when you communicate with Android devices. I’ll also explain why it’s not a good idea to use the default settings when saving messages in iCloud Backup.

What Is iMessage and How Does It Work?

Apple iMessage is an encrypted messaging service for iPhones, iPads, Apple Watch, Vision Pro, and Mac devices. Users can start a conversation on one Apple device and can continue it on another Apple device.

When a user first sends a message in the Messages app, the device searches the Apple Identity Service (IDS) to locate the intended recipient.

The IDS stores the public keys that are used in the message’s asymmetric encryption. Asymmetric encryption uses public and private keys to protect the data. A message that is encrypted with a public key can only be decrypted using the associated private key.

iMessage saves the private keys in the device’s keychain. The keys are not readable unless the device is first unlocked (using a passcode, Face ID, or Touch ID).

The IDS also stores the receiving device’s Apple Push Notification service (APNs) address, which is required to properly route the message.

Once the sending device has obtained the recipient’s public keys and their device’s APNs address, the message is encrypted and then signed for authenticity. If you’d like more details about this process, Apple provides a detailed explanation of what happens in the background on its website.

Now that the message includes the encrypted message text, the encrypted message key, and the sender’s digital signature, the message is sent to APNs for delivery.
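The flow described above (look up the recipient's public key, encrypt the text under a per-message key, encrypt that key for the recipient, sign, hand off to a relay) can be sketched as follows. This is an added, simplified illustration, not Apple's code or its actual algorithms: the choice of RSA-OAEP, AES-256-GCM and Ed25519, and all function and field names, are assumptions made for the example.

```javascript
const crypto = require("crypto");

// One device: RSA pair for receiving, Ed25519 pair for signing; private halves never leave it.
function newDevice() {
  return {
    enc: crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }),
    sig: crypto.generateKeyPairSync("ed25519"),
  };
}

// Bytes covered by the sender's signature.
const signedPart = (env) => Buffer.concat([env.wrappedKey, env.iv, env.tag, env.text]);

// Sender: encrypt under a fresh per-message key, wrap that key with the
// recipient's public key, then sign the result.
function sealMessage(message, recipientEncPub, senderSigPriv) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const text = Buffer.concat([cipher.update(message, "utf8"), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientEncPub, oaepHash: "sha256" }, key);
  const env = { text, iv, tag: cipher.getAuthTag(), wrappedKey };
  env.sig = crypto.sign(null, signedPart(env), senderSigPriv);
  return env;
}

// Recipient: verify the signature first, then unwrap the key and decrypt.
function openMessage(env, recipientEncPriv, senderSigPub) {
  if (!crypto.verify(null, signedPart(env), senderSigPub, env.sig)) {
    throw new Error("signature check failed");
  }
  const key = crypto.privateDecrypt({ key: recipientEncPriv, oaepHash: "sha256" }, env.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.text), decipher.final()]).toString("utf8");
}

// Constructed demo: Alice sends to Bob; a relay flips one ciphertext bit.
function demo() {
  const alice = newDevice(), bob = newDevice();
  const env = sealMessage("meet at noon", bob.enc.publicKey, alice.sig.privateKey);
  const delivered = openMessage(env, bob.enc.privateKey, alice.sig.publicKey);
  const tampered = { ...env, text: Buffer.from(env.text) };
  tampered.text[0] ^= 1;
  let tamperRejected = false;
  try { openMessage(tampered, bob.enc.privateKey, alice.sig.publicKey); } catch { tamperRejected = true; }
  return { delivered, tamperRejected };
}
console.log(demo());
```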

This process is quite secure, as long as one Apple device is sending a message to another Apple device. Apple itself has told law enforcement and government officials that it cannot decrypt messages that are in transit between devices. Apple cannot intercept iMessage communications and there are no accessible iMessage communication logs.

The only thing Apple has access to or can provide is “iMessage capability query logs.” These logs show only that a query was initiated by iMessage and routed to Apple’s servers for a lookup handle.

Unfortunately for investigators, iMessage capability query logs are of little benefit to them, as the logs don’t actually indicate that any communication between two users took place, Apple can’t identify which app initiated the query, and query logs do not confirm that an iMessage event happened.

When Is iMessage NOT Secure?

While iMessage is absolutely secure when communicating between Apple devices, there are a few instances where the security of your messages could be at risk.

Messaging With Android Devices

Messages sent from an iPhone or another Apple device to an Android device are NOT secure. This is because Apple converts texts between an iPhone and an Android phone into SMS and MMS text messages.

SMS is completely insecure. SMS does not have any type of built-in security features when compared to a modern secure messaging service, like iMessage.

To address this privacy issue, global carriers and Android device manufacturers adopted the Rich Communication Services (RCS) protocol. RCS is a replacement for SMS messages, which allows for better quality images to be sent and also offers read receipts like iMessage. The protocol also offers support for extensions. Google took advantage of the extensions support to add end-to-end encryption to RCS.

While RCS was first launched in 2008, Google did not make RCS available globally in the Google Messages app on Android until 2020. Google of course immediately began criticizing Apple for not switching to RCS, even though it took Google 12 years to implement the encryption.

Apple at first resisted, with Apple CEO Tim Cook saying in 2022 that Apple users were not “asking that we put a lot of energy” into RCS. However, in 2023, Apple changed its tune, announcing that it would add support for RCS messaging to iMessage sometime in 2024.

Unlike Google, which added end-to-end encryption via an extension, Apple said it would focus its efforts on modifying the RCS standard so that it incorporated end-to-end encryption by default. Considering that Apple will need to work in cooperation with GSM Association members worldwide, the process will likely be a long, drawn-out one.

Message Forwarding

Apple iMessage users can have messages automatically forwarded to another device. This means that anyone with access to your device could tell it to forward your messages to a device they have.

It’s easy to make sure this is turned off by doing the following:

  1. Go to “Settings” -> “Messages” -> “Text Message Forwarding.”
  2. If you don’t see Text Message Forwarding, go to “Settings” -> “Messages.”
  3. Toggle off iMessage, then toggle it back on.
  4. Tap “Send & Receive” -> “Use Your Apple ID for iMessage” and then sign in with the same Apple ID used on your other devices.
  5. Look for any unfamiliar devices and remove them.

iCloud Backup

I would venture to say that most iPhone and iPad users have iCloud Backup turned on. iCloud Backup gives peace of mind to users who are afraid they may lose documents and messages that they’ve collected over the years.

Unfortunately, the default setting for iCloud Backup does not use end-to-end encryption. Apple offers two options for storing data in iCloud: Standard Data Protection and Advanced Data Protection.

Standard Data Protection

Standard data protection is the default setting used for iCloud Backup. While it does encrypt your data, the encryption keys are stored in Apple data centers. This means Apple can access your messages.

Advanced Data Protection

If you have Advanced Data Protection turned on, your devices have sole access to the encryption keys for iCloud Backup data, meaning Apple cannot access your messages.

To turn on Advanced Data Protection for iCloud, do the following:

  1. Open the Settings app.
  2. Tap your name, then tap iCloud.
  3. Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.
  4. Enable Advanced Data Protection.

You will be required to set up at least one recovery contact or recovery key before you enable Advanced Data Protection. All of your Apple devices will need to be updated to a software version that supports this feature.

Why Is It Important That My iCloud Backup be Encrypted End-to-End?

I would say the best argument for encrypting your iCloud Backup end-to-end is that it irritates the FBI. In 2020, Reuters reported that Apple had secretly dropped its plans to allow fully encrypted backups after the FBI complained that the move would harm its investigations.

iCloud Backup data has proven to be useful to investigators. During the first half of 2019, U.S. law enforcement officials asked for and received full device backups or other iCloud content 1,568 times. Apple itself admitted that it had turned over at least some data for 90% of the requests it received.

When Apple finally introduced end-to-end encryption for iCloud Backup in late 2022, it justified doing so due to the rise in data breaches.

Can I Trust That iMessage is Secure?

You can trust that iMessage is secure, at least when you’re communicating with users of other Apple devices, thanks to the end-to-end encryption used by Apple.

Unfortunately, your messages sent from your Apple devices to users with Android devices are not encrypted, meaning they could be intercepted. Bad actors could view the contents of your Apple to Android messages, or even change the message before forwarding the message to the original recipients.

In Closing

As we’ve seen, as long as you limit your iMessage activity to sending and receiving messages from other Apple users, you are secure. When communicating with Android users, your messages are not nearly as secure. We have also learned that iMessage’s effectiveness depends on how well users configure their device’s settings and how often they update their devices.

iMessage Security FAQs

Can I Use iMessage to Send a Message to an Android user?

While you can send a message from iMessage to an Android user, the message will not be encrypted, leaving it open to being intercepted or changed en route. You’ll know when you’re conducting a conversation with an Android user, as the text bubble will be green, not blue as it would with an encrypted message with an Apple user.

How Can I Send Encrypted Messages to an Android User from my iPhone?

Apple and Android users can send and receive encrypted messages to each other by using a third-party app, like Telegram, WhatsApp, or Facebook Messenger. Both parties will need to install and use the same third-party app.

Can Law Enforcement Access my iMessages?

Messages on the iMessage platform are encrypted end-to-end, making it impossible for law enforcement to read your messages. However, depending on your iCloud Backup settings, Apple could be compelled to provide access to your backed-up messages to law enforcement.
