A Formal Analysis of Apple's iMessage PQ3 Protocol [pdf]

modeless

All that security, and then by default Apple literally just sends themselves a copy of your encryption keys to store in iCloud backup, the only cloud backup solution Apple allows you to use. "to help you recover your data" [1] (oh and also to send law enforcement your message history in plaintext on request, but we don't talk about that).

[1] https://support.apple.com/en-us/102651#:~:text=in%20iCloud%2...

eddyg

More people need to watch Ivan Krstic's Black Hat presentation to understand the efforts Apple goes to to ensure sensitive data (like User Escrow Keys stored in Apple's Cloud Key Vault) is protected... even from Apple.

https://www.youtube.com/watch?v=BLGFriOKz6U&t=26m50s

(Be sure to watch through the section from 34m to 36m...)

miki123211

Most users demand:

1. That their messages won't be lost when they migrate between devices.

2. That their messages won't be lost when their device is stolen and they set up the new one from nothing but a password.

3. That Apple's password recovery flows work like any other password recovery flows, AKA that forgetting your password is a minor inconvenience, to be overcome at the Apple Store at worst, not a data loss disaster.

4. That they don't have to spend $$$ on some strange device called a "Yoobby Key", which they don't understand and will lose anyway.

There's no way to satisfy those demands and have your desired level of security, hence why iCloud backup encryption is a strictly opt-in feature.

There are tradeoffs to be made here, and Signal made different tradeoffs, which makes it significantly more secure but also significantly more annoying to use for somebody whose main life interest isn't figuring out why tech works the way it does. Apple does the best it can under the constraints they are given.

matthewdgreen

Apple has the opportunity to add “extra security” features like disappearing messages, or to treat certain chats the same way they treat your web history (back this chat up, but require my passcode.) For the latter feature one can argue that it’s too advanced for the ordinary Apple user. But disappearing messages are a common security feature in virtually every messaging app, and Apple still won’t deploy those.

I used to think this was because they were intimidated by law enforcement, but they claimed otherwise. The recent UK attempt to backdoor Advanced Data Protection has made me believe them a bit less.

trollbridge

You can set messages to auto-delete. (I do this so I won’t get into the bad habit of relying on finding ancient messages.)

But it’s all or nothing and has to be applied to the entire account.

jwr

You can turn it off.

dostick

What about the “Advanced Data Protection” end to end encryption? Or by “sending copy of keys to iCloud” you mean those? It even says that “Apple will not be able to help you recover if you switch to End to end advanced data protection”.

int_19h

> the only cloud backup solution Apple allows you to use

Not quite. You can still have automatic local backups set up for iOS and macOS devices to your own NAS. And that NAS can then do cloud backups of whatever is on it in any way you want. It's certainly more effort than the stock iCloud solution, but it's still an option.

ysleepy

How? Genuine Question, this is something I really want.

macOS yes, but iOS?

miki123211

via USB (or possibly local Wi-Fi) and your computer.

iTunes (or Mac OS's built-in iPhone sync) is the recommended way to do this, although the protocol has been reverse-engineered to hell and back and third-party software exists for it. iMazing is the most notable one, although there are probably others, and you could hack something on top of libimobiledevice if you really wanted to.

Getting those backups from your computer to the NAS is an exercise for the reader.

isodev

I think the story around privacy and security in general has become diluted in marketing talk. Every single default on both iOS and macOS effectively makes one’s data, well, accessible and not private.

The gap between perception and reality when it comes to Apple as a “privacy champion” has never been so big as it is today.

9dev

Most customers do want it this way, but Apple still allows to exchange comfort for privacy, if you want to. I actually think it's a pretty sensible approach to capture both the big segment of people who don't care, and those who do and know which knobs to tweak.

You can still turn everything compromising off and end up with a device secured to paranoid levels. That's definitely more than an empty promise, or what other vendors provide.

iamkonstantin

> Most customers do want it this way, but Apple still allows

I don't believe this is the case. Apple generally prefers to diminish the importance and risks of specific actions unless they have some monetary advantage. e.g. Apple is happy to warn you (multiple times) that an alternative marketplace is "dangerous" and yet iMessage iCloud Backups are just a click away with a friendly "so your messages are available everywhere".

Another example is Photos - Apple has no problem activating features that collect "anonymized" information from my pictures. Yes, there is an opt-out, but having all that on by default is not in the spirit of a privacy-minded operation.

And about the choice - someone already pointed out in other comments, there really is no way to replace iCloud with anything else for backups and app data sync. So the choice is not really a choice.

StopDisinfo910

> Most customers do want it this way, but Apple still allows to exchange comfort for privacy […] more than an empty promise, or what other vendors provide.

That’s pretty much exactly what all the other vendors in the market provide: insecure and spying by default.

I don’t really understand why Apple should somehow get good points for their stance on privacy when they are actually doing pretty much the same thing as everyone else.

znpy

> Apple still allows to exchange comfort for privacy, if you want to.

Does it really? There is no option to use my own hardware/software for backup storage. I mean what would usually go to iCloud.

That I would really trust.

So to me the answer is no.

IceHegel

Digital feudalism is the norm today. We’re all subjects, of big tech + the security state. Maybe it had to be this way.

Just wish we had more options…

Hilift

iOS is a second class operating system platform, with Android not far behind. iMessage has been the subject of multiple device takeover zero days, no user intervention required. "20 zero-days patched by Apple in 2023".

https://www.infosecurity-magazine.com/news/apple-update-extr...

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...

fsflover

Speak for yourself. Sent from my Librem 5 GNU/Linux smartphone.

conradev

Not if you have "Advanced Data Protection" turned on: https://support.apple.com/en-us/108756

modeless

Unlike Google's comparable backup encryption feature, ADP is off by default. And ADP protects your messages from Apple only to the extent that everyone you message also turns on this non-default option; otherwise your messages are still Apple's to read as they please with no notification to you.

commandersaki

To be clear, ADP default on would mean a massive influx in support requests for people that lose their data because they don't have the recovery key.

Same reason FileVault isn't on by default on macs.

ThePowerOfFuet

Not if you live in the UK.

joshstrange

I’m not sure how that, specifically, is Apple’s fault. Maybe I’m missing something obvious but I think disabling that in the UK was Apple’s least abhorrent option. They also put down their foot rather firmly on not providing a backdoor.

Maybe people think that was all for show but I’m struggling to think of other examples of massive companies saying that so publicly/firmly. See also, all the times the police/FBI/etc have complained or even tried to force Apple to provide a backdoor.

All that said, I guess a, very legitimate, argument could be made that if Apple provided ways to swap out iCloud for whatever service you wanted then there might be an escape hatch of sorts even if iCloud was compromised/limited.

charliebwrites

Do we have any guarantee that enabling ADP utilizes a new key that isn’t already in a previous non-ADP backup?

Would be a shame if they claimed they can’t decrypt but an old backup had the keys to the kingdom.

conradev

You're trusting a whole lot of trust in the first place. But I imagine that they did not do that.

I can't sign into Apple Music on Android because it doesn't support security keys – small price to pay.

contact9879

This is a revision of a paper that first appeared as an eprint back in September when PQ3 was announced.

https://eprint.iacr.org/2024/1395

methuselah_in

Host your own XMPP server and done with these issues. Why bother?

frontfor

Both of us know this is a non-starter for most people, even technically inclined ones.

9dev

Nice! That way you can chat with yourself at all times! I mean, everyone else will continue using a different messenger, but they don't have anything interesting to say anyway!

ezst

Not OP, so I don't have to bear the snark, but also, let's not pretend that iMessage is some virtuous and ethical standard worth recommending in general. It's nothing but a tool by the monopolist Apple to execute vendor lock-in and subjugate its users into a closed ecosystem. Of course, that says nothing about the quality of said ecosystem (or that of XMPP, for that matter), only about a well-placed sense of priorities that I find laudable.

azinman2

What are the issues?

some_furry

Ah yes, so you can host your own plaintext on your XMPP server and not get end-to-end encryption.