If you’re one of Apple’s 1.3 billion iMessage users, then these are worrying times. Alarming new security warnings have been made worse by Apple’s awkward silence. And now WhatsApp has suddenly issued a huge new strike at its biggest rival.
There has been a major battle this year between Facebook and Apple over privacy, data harvesting and tracking. iMessage versus WhatsApp has been front and center. iMessage had come out on top. Yes, it’s for Apple users only, but it harvests very little of your data, and its security architecture seems impossible to beat. Until now.
Meanwhile, WhatsApp’s nightmare start to the year saw Apple’s privacy labels expose its approach to data harvesting—metadata not content—that seems unhappily befitting a member of the Facebook family. And then everything got even worse for WhatsApp with a forced change of terms followed by an embarrassing backtrack.
In fairness to WhatsApp, its response to the turbulent first few months of 2021 was both effective and ruthless. It mounted a relentless PR campaign, hammering home the security of its end-to-end encryption, taking a public swipe at rival Telegram and even giving a billion users of its stablemate Facebook Messenger a reason to switch.
But you can forget Telegram and Messenger: it’s iMessage that WhatsApp really has in its sights. “We increasingly see Apple as one of our biggest competitors,” Facebook CEO Mark Zuckerberg said back in January. “iMessage is a key linchpin of their ecosystem, which is why iMessage is the most used messaging service in the U.S.”
Apple’s plans to ramp up iMessage functionality with iOS 15, due in the fall, are intended to make its house messenger even more of a “key linchpin.” Expanded options to share content, essentially bringing a circle of friends into elements of your iPhone experience, are designed to make the platform stickier.
Much more so than Google Messages, iMessage is a core part of the mobile OS. It’s not possible to change out the default messenger; Apple doesn’t really want you using anything else. Let’s remember, the reason iMessage doesn’t extend to Android is that Apple wants to dissuade families on iOS from going cross-platform.
None of that is game-changing, though—but here’s what is.
Let’s start with that industry-beating security architecture that underpins iMessage. The platform runs multi-device end-to-end encryption, with a seamless sync of your message history across all your existing and any new devices. You don’t need a specific backup; you essentially run a rolling cloud-based backup that keeps everything updated and ensures you can restore a lost or replaced device.
There is a major caveat to all that, though. To keep iMessage end-to-end encrypted when using its multi-device “Messages in iCloud,” you need to disable the generic iCloud backup on your devices. Otherwise, Apple unhelpfully stores a copy of your encryption key in your backup, which means it can access your key and your content.
By contrast, WhatsApp’s architecture has not aged at all well. No options for native apps on PCs, Macs and tablets, unsecured backups that rely on basic Apple and Google cloud security, and which are used to shift accounts to new devices.
All that has now changed. “For years,” WhatsApp said this month, confirming its new plans, “people have been asking us to create a true multi-device experience that allows people to use WhatsApp on other devices without requiring a smartphone connection.”
That is now here. “To achieve this,” WhatsApp says, “we had to rethink [our] architecture and design new systems to enable a standalone multi-device experience while preserving privacy and end-to-end encryption.”
This has been WhatsApp’s biggest missing feature when compared to iMessage—but without encrypted backups it still has a major weakness. WhatsApp wouldn’t confirm to me when this additional update will arrive, only that it’s being worked on. Well, WhatsApp watcher WABetaInfo suggests it’s not far away now.
For Apple, the combination of multi-device access and encrypted backups will bring WhatsApp uncomfortably close to iMessage. And because WhatsApp operates cross-platform with all these benefits, in reality it’s streets ahead.
There are other features coming to WhatsApp as well, as the platform plays catch-up with rivals—iMessage but also Signal and Telegram. Disappearing messages and now view-once media are fantastic options, neither of which is available on iMessage. And WhatsApp has encrypted voice and video calls, now with the addition of “joinable calls.”
And so to Pegasus. NSO’s notorious spyware has been headline news for a fortnight as the extent of its usage has reportedly been exposed. And while Pegasus has been pushed to users across multiple platforms (WhatsApp most famously), it’s iPhone and iMessage that are taking the flak this time around.
“iMessage may not be as secure as people think it is,” warns Cyjax CISO Ian Thornton-Trump, “and folks dealing with sensitive data and/or an elevated risk should not use iMessage for anything but the most mundane communication.”
Apple’s defense against the Pegasus PR backlash has been to point to the highly targeted nature of the attacks, the expense, sophistication and rarity of the exploit, and the fact that “the overwhelming majority of our users” should not be concerned.
The issue for Apple is that it locks down its OS so tightly to make attacks more difficult that it also makes it difficult for security software and researchers to investigate and identify vulnerabilities.
“iPhone is a much more closed system,” Check Point’s billionaire CEO Gil Shwed told me in March. “Apple regulates much more what’s on the platform, which theoretically or practically makes it a little more secure. On the other hand, there are also limitations about what security software can do on iOS.”
This issue with iOS being a “black box compared with Google’s Android” has now come back to bite. Shwed’s warning has proven timely. And while Apple’s approach does lock out more of the widespread malware that continues to plague Android, that doesn’t help when a tier-one adversary develops an exploit.
“With Android,” Shwed told me, “it’s much easier to develop software, to use software, and that software can be more malicious than on iOS. But at the same time, on Android, you can build much better security software because the same openness exists also towards security systems.”
“Attacks like the ones described,” Apple’s security engineering head Ivan Krstić said, responding to the latest headlines, “are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
Let’s put that into simpler terms. If a security agency or one of its private proxies wants to target high-profile individuals, it will likely do so successfully. Money is no object, and because the volume of attacks will be limited, there is a good chance that they will escape attention for some time.
“iPhones will always remain the favorable target of choice,” warns ESET’s Jake Moore, “and therefore, iMessage will never be able to completely hide from the persistent threat that is Pegasus. Apple continue to distribute reactive updates, but these fail to protect their most targeted victims in those fateful weeks from this impressive spyware which can and will continue to exploit future vulnerabilities.”
Agencies don’t need to compromise end-to-end encryption to target users; they just need to compromise an endpoint. The irony here, of course, is that secure messengers, initially WhatsApp and now iMessage, are being used as delivery mechanisms for either zero-click or socially engineered one-click attacks.
Cue WhatsApp head Will Cathcart, who has rightly criticized Apple’s standoffish approach to publicly responding to security issues that impact its devices. WhatsApp has been vocal about the risks from NSO and equivalents.
“I hope that Apple will start taking that approach too,” he told the Guardian. “Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’… If anyone’s phone is not secured that means everyone’s phone is not secure.”
And on that front, it’s been a bad month for Apple. Its silence on Pegasus followed its silence on the Wi-Fi vulnerability that risked its devices “joining a malicious Wi-Fi network [that] may result in a denial of service or arbitrary code execution.” That issue has been patched with iOS 14.7. The state of its Pegasus fix is less clear-cut.
I asked Apple to confirm whether its last set of updates fixed the known Pegasus vulnerabilities and for any comment on Cathcart’s criticisms. It did not respond. And so users continue to play a waiting game. In the interim, the best you can do is ensure automatic updates are enabled and reboot your iPhone weekly.
“Based on the information we’ve been given,” says security researcher Sean Wright, “the ordinary user should have little to worry about. If individuals are concerned based on their personal circumstances, they could consider using other messaging platforms. I’d hope to see a patch from Apple soon.”
One can imagine some schadenfreude for WhatsApp as it has watched Apple’s discomfort over Pegasus, given the privacy battles earlier in the year. But for most users who are not at risk from Pegasus but do want a secure messenger, the landscape has changed. WhatsApp has launched new features and is running ahead of iMessage, while Apple’s silence on recent security issues is not a good look.
“iMessage is one of the most venerable, perhaps even the oldest, Apple platform messaging app around and indeed is showing its age,” Thornton-Trump tells me. “It lacks many of the ‘new’ features of Signal, Telegram and even WhatsApp such as disappearing messages and has a default setting that is annoying and deeply problematic,” he says, referencing Apple storing encryption keys by default in iCloud.
Apple needs to adopt a different approach—the openness across big tech in discussing malware, in shining a light, is good for users and the tech industry. Its claim that “security researchers agree iPhone is the safest, most secure consumer mobile device on the market” is not enough on its own. Come the next emergency update, when yet another iPhone vulnerability is being exploited in the wild, we need a different approach.
Meanwhile, for any worried iMessage users out there, WhatsApp is now a much more credible and appealing alternative than it was earlier in the year. These latest updates are genuinely game-changing. If you’re not yet ready to shift wholesale to Signal, then WhatsApp should now be the daily messenger you use.