Security is an extra-hot topic these days, as all sorts of government agencies short on letters but long on budgets keep getting accused of spying on their own citizens, and debates rage on whether what look like accidental bugs may actually turn out to be quite intentional.
In the midst of all the ruckus, Apple has updated its iOS Security whitepaper, a longstanding document outlining the thought processes and technologies that go into keeping its mobile platform as secure as possible. Here are just a few of the most interesting tidbits from this latest revision.
More keys than a hardware store
Remember how, back in June of last year, Apple published a statement in which it claimed that iMessage data is "protected by end-to-end encryption"? Well, it seems the company really meant it.
Like many Internet services, iMessage depends on public-key cryptography to function. This technology uses two very long numbers, based on cryptographically secure random data, that can each be used to decrypt information encrypted with the other. When you activate messaging on each of your devices, iOS generates a pair of keys and sends one of them--appropriately called a public key--to Apple, tucking the other one, the private key, securely away in the device's local storage.
Now for the fun part: When someone wants to send you a message, they ask Apple for the public keys that belong to all your devices, and then use each to encrypt a separate copy of the message. The encrypted copies go to the company, which, in turn, forwards each one to the appropriate device using iOS's push notification system.
Crucially, each device's private key, without which data encrypted using the corresponding public key cannot be decrypted, is never transmitted across the Internet, which means that the company really cannot read your messages, just as it claims.
Note, however, that this system is not absolutely secure. In theory, since Apple controls the directory of public keys used by all the devices, it could surreptitiously add--or be forced to add--its own set of public keys (for which it knows the corresponding private keys) and thus gain access to every last bit of information that is exchanged on its messaging network. Therefore, it would perhaps be fair to say that iMessage is secure as long as you trust Apple--just like your mail is secure as long as you trust that the mail service won't photocopy it on the way to its recipient, or that your phone company isn't rerouting your calls to someone who just pretends to be your mom.
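The per-device fan-out and the directory caveat described above can be seen in a short sketch, added here as an illustration and not taken from Apple's whitepaper or code. It assumes a toy Diffie-Hellman scheme in place of the real public-key encryption (which this article does not specify), and a hypothetical `pinned` set of key fingerprints the sender has verified out of band; all names and sample values are constructed.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, illustration only: far too small for real use.
P, G = 2**127 - 1, 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)          # (private key, public key)

def _keystream(shared, n):
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def encrypt(pub, msg):
    eph_priv, eph_pub = keygen()          # fresh ephemeral key per copy
    ks = _keystream(pow(pub, eph_priv, P), len(msg))
    return eph_pub, bytes(a ^ b for a, b in zip(msg, ks))

def decrypt(priv, copy):
    eph_pub, body = copy
    ks = _keystream(pow(eph_pub, priv, P), len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def send(directory, recipient, msg, pinned):
    """Encrypt one copy per key the directory lists for the recipient and
    report any listed key whose fingerprint is not in the pinned set."""
    keys = directory[recipient]
    unknown = [fingerprint(k) for k in keys if fingerprint(k) not in pinned]
    copies = {fingerprint(k): encrypt(k, msg) for k in keys}
    return copies, unknown

def demo():
    phone_priv, phone_pub = keygen()
    tablet_priv, tablet_pub = keygen()
    _, extra_pub = keygen()               # constructed: key the user never registered
    pinned = {fingerprint(phone_pub), fingerprint(tablet_pub)}
    directory = {"alice": [phone_pub, tablet_pub, extra_pub]}
    copies, unknown = send(directory, "alice", b"see you at 6", pinned)
    return {
        "copies": len(copies),
        "phone": decrypt(phone_priv, copies[fingerprint(phone_pub)]),
        "tablet": decrypt(tablet_priv, copies[fingerprint(tablet_pub)]),
        "wrong_key": decrypt(phone_priv, copies[fingerprint(tablet_pub)]),
        "flagged": unknown == [fingerprint(extra_pub)],
    }

if __name__ == "__main__":
    print(demo())
```

The sender produces exactly as many copies as the directory lists keys, so only a comparison against independently verified fingerprints reveals that a key was added.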