Apple has made significant improvements to the security of iMessage with iOS 14. Apple itself is holding back on information about this, but there is an interesting analysis by Samuel Groß, who works as a security researcher at Google’s Project Zero and has written a blog post about it.
Groß explains that the iOS 14 changes to iMessage not only fix existing security problems but also introduce structural changes that come close to the best currently achievable:
Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole. It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security. Furthermore, these changes also highlight the value of offensive security work: not just single bugs were fixed, but instead structural improvements were made based on insights gained from exploit development work.
Anyone who thinks iMessage merely shuttles a few characters back and forth is mistaken. Because manipulated messages have in the past been able to take over an entire iPhone, Apple has devised a complex process to secure the app.
A parser breaks an incoming message down into its individual parts, which are then analyzed further. This happens in a sandbox: an isolated workspace on the iPhone with no access to the rest of the system, so that malicious code cannot break out of this fenced-off area. The services needed to analyze incoming messages are of course reachable, but nothing beyond that.
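The pattern described above, untrusted parsing in an isolated process whose only output is a small, strictly validated result, can be sketched in a few dozen lines. The following is an added illustration in Python, not code from Apple or from Groß's post: the message format (`key=value;...`), the sample messages, the size limits and the `simulate-crash` trigger are all constructed, and the "sandbox" is reduced to a forked child process with a CPU limit where a real system would use the platform's sandboxing mechanisms. The point it shows is the separation of roles: the parser never runs in the trusted process, a parser that raises, hangs or dies outright is reported as an error rather than taking the host down with it, and the trusted side accepts only the exact reply shape it expects.

```python
import json
import multiprocessing as mp
import os
import select
import time

MAX_MESSAGE = 64 * 1024   # constructed limits for the toy format
MAX_FIELD = 1024
MAX_REPLY = 64 * 1024

# Constructed sample messages (not real iMessage payloads).
SAMPLE_OK = "sender=alice;type=text;body=hello"
SAMPLE_MALFORMED = "sender=alice;type;body=hi"            # field without '='
SAMPLE_OVERSIZE = "sender=alice;type=text;body=" + "A" * 10000
SAMPLE_CRASH = "sender=alice;type=simulate-crash;body=x"  # see parse_message


def parse_message(raw):
    """Untrusted parser: splits 'k=v;k=v' into parts, raising on anything odd."""
    if len(raw) > MAX_MESSAGE:
        raise ValueError("message too large")
    parts = {}
    for field in raw.split(";"):
        key, sep, value = field.partition("=")
        if not sep or not key:
            raise ValueError("malformed field")
        if len(value) > MAX_FIELD:
            raise ValueError("field too large: " + key)
        parts[key] = value
    if parts.get("type") == "simulate-crash":
        # Constructed stand-in for a memory-safety bug in a native parser:
        # kill the process the way a corrupted parser would.
        os.abort()
    return parts


def _sandboxed_worker(raw, write_fd):
    """Runs in the child. Restrict the process, then parse and report as JSON."""
    import resource
    # Minimal constructed restriction: a 1 s CPU ceiling. A real sandbox would
    # also cut filesystem, network and IPC access via platform mechanisms.
    resource.setrlimit(resource.RLIMIT_CPU, (1, 1))
    try:
        reply = {"status": "ok", "parts": parse_message(raw)}
    except Exception as exc:
        reply = {"status": "error", "reason": str(exc)}
    # JSON, not pickle: the trusted side must never deserialize arbitrary objects.
    os.write(write_fd, json.dumps(reply).encode("utf-8"))
    os.close(write_fd)


def _read_reply(read_fd, deadline):
    """Read until EOF, or give up on timeout / oversized output (returns None)."""
    data = b""
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        ready, _, _ = select.select([read_fd], [], [], remaining)
        if not ready:
            return None
        chunk = os.read(read_fd, 4096)
        if not chunk:
            return data
        data += chunk
        if len(data) > MAX_REPLY:
            return None


def _validate_reply(reply):
    """Trusted side: accept only the exact shape the sandbox may return."""
    if not isinstance(reply, dict) or reply.get("status") not in ("ok", "error"):
        return {"status": "error", "reason": "unexpected reply shape"}
    if reply["status"] == "error":
        return {"status": "error", "reason": str(reply.get("reason", ""))[:200]}
    parts = reply.get("parts")
    if not isinstance(parts, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in parts.items()
    ):
        return {"status": "error", "reason": "unexpected parts shape"}
    return {"status": "ok", "parts": parts}


def parse_isolated(raw, timeout=2.0):
    """Parse `raw` in a separate process; the caller never runs the parser itself."""
    ctx = mp.get_context("fork")  # fork so the pipe fd is inherited as-is
    read_fd, write_fd = os.pipe()
    proc = ctx.Process(target=_sandboxed_worker, args=(raw, write_fd))
    proc.start()
    os.close(write_fd)  # parent keeps only the read end, so EOF means child is done
    try:
        data = _read_reply(read_fd, time.monotonic() + timeout)
    finally:
        os.close(read_fd)
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
    if data is None:
        return {"status": "error", "reason": "parser hung or produced oversized output"}
    if proc.exitcode != 0:
        return {"status": "error", "reason": "parser crashed (exit %s)" % proc.exitcode}
    try:
        reply = json.loads(data.decode("utf-8"))
    except ValueError:
        return {"status": "error", "reason": "unparseable reply from sandbox"}
    return _validate_reply(reply)


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MALFORMED, SAMPLE_OVERSIZE, SAMPLE_CRASH):
        print(parse_isolated(sample))
```

Running the block prints one result per sample: the well-formed message yields its parts, the malformed and oversized ones yield parser errors, and the simulated crash is reported as "parser crashed" while the parent process carries on. Note that the child's exit status and the reply's shape are checked independently; a clean exit with a malformed reply is treated as a failure too.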
The diagram alone should make clear even to laypeople how complex receiving a simple text message is. Those more familiar with code will find more detailed information in the blog post linked above. For everyone else, the takeaway is to always install updates and keep the operating system current: even a seemingly simple app rests on a very complex substructure that can threaten the security of the entire iOS.