Do You Suddenly Need To Stop Using Apple’s iMessage?

It’s suddenly headline news. A serious iMessage warning has just been issued for Apple’s 1.5 billion iPhone users. So serious, in fact, that it could be reason enough to quit the app and switch to something else…

Apple’s walled garden has been built on privacy, security and trust, but there’s a gaping hole in that wall—an iMessage-shaped hole. Security experts—myself included—have been calling out this issue for years. Apple built iMessage around end-to-end encryption—it was first to market to do so. But its refusal to extend that full encryption to non-Apple users (put more simply, to allow secure comms to Android as well as iPhone devices) undermines its entire security premise.

“Apple is willing to make the iPhone less secure and less private,” the US government’s antitrust lawsuit against Apple warned this week. “Text messages sent from iPhones to Android phones are unencrypted as a result of Apple’s conduct. If Apple wanted to, Apple could allow iPhone users to send encrypted messages to Android users while still using iMessage on their iPhone, which would instantly improve the privacy and security of iPhone and other smartphone users.”

Leaving the arguments for and against monopolistic behavior to the legal process, and focusing on just the security aspects, there’s a seemingly clear issue. The DOJ suit is much more wide-ranging than iMessage, of course. But the messaging platform takes center stage, with the claim that commercial interests have trumped user interests.

This situation is made worse because the alternative to iMessaging cross-platform is SMS—an appallingly insecure technology dating back to the 1990s. While many think Apple’s u-turn on RCS—the SMS upgrade now the default on Android—will fix this, it won’t. RCS technology isn’t end-to-end encrypted either. Google adds that extra security to its own platform, but again only within its walled garden, not to other platforms or even other RCS apps on Android.

There were brief signs of change late last year, when the upstart Beeper Mini platform fudged an iMessage interface to bring blue bubbles to Android. Apple quickly and repeatedly shut that down, though, arguing security vulnerabilities in the interface. That raised regulatory concerns in the US, and it always seemed unlikely those concerns would fade away.

“Recently,” the DOJ says of Beeper Mini, “Apple blocked a third-party developer from fixing the broken cross-platform messaging experience in Apple Messages and providing end-to-end encryption for messages between Apple Messages and Android users. By rejecting solutions that would allow for cross-platform encryption, Apple continues to make iPhone users less secure than they could otherwise be.”

The argument runs that Apple can’t have it both ways—either end-to-end encryption is critical to secure user privacy or it isn’t. If it is, as Apple says, then it needs to be available cross-platform. If it isn’t, Apple should stop using it to differentiate and promote its products and services, especially as regards iMessage.

This iMessage debate has run for years, and the DOJ cited reports from 2013 that “Apple’s SVP of Software Engineering explained that supporting cross-platform OTT messaging in Apple Messages ‘would simply serve to remove [an] obstacle to iPhone families giving their kids Android phones’.” And later, in 2016, that “moving iMessage to Android will hurt us more than help us.” And of course Tim Cook’s “buy your mom an iPhone” response to someone raising the issue.

But the landscape has recently changed, and this is making the issue much more acute than it’s been before. Google has made end-to-end encryption the default on Messages for the first time, Facebook Messenger has adopted the same level of security, and perhaps even more importantly, Meta has shown how end-to-end encryption—for transmission at least—can be achieved between different apps and platforms, using an API architecture and a common protocol.

Apple has pushed back hard, promising to fight the suit, arguing that it goes to the very essence of Apple’s DNA, its focus on privacy and security, its innovation. And while there may be debate on so-called super apps that wholesale content or integrate other apps into a single UI, or on the security weaknesses in allowing third-party app stores, or on restricted wallets or watches, it’s harder to argue security issues with running iMessage cross-platform, when the alternative is as appalling as SMS. You don’t need to open Apple’s own encryption; as Meta has shown, there are compromises.

“Apple could have made a better cross-platform messaging experience itself by creating iMessage for Android but concluded that doing so ‘will hurt us more than help us,’” the DOJ claims.

The suit also references Apple’s iOS lock that restricts the core messenger to iMessage only. That means that no other app can replace iMessage as the core network SMS client, in essence becoming the messaging hub on iPhone as is possible on Android devices. “Apple designates the APIs needed to implement SMS as ‘private,’ meaning third-party developers have no technical means of accessing them and are prohibited from doing so… If a user wants to send somebody a message in a third-party messaging app, they must first confirm whether the person they want to talk to has the same messaging app and, if not, convince that person to download and use a new messaging app.”

The DOJ also references the network effect in its commentary on iMessage, “as more people use the app, there are more people to communicate with through the app, which makes the app more valuable and in turn attracts even more users.”

The lawsuit argues that by opening up SMS to third-party messengers, those apps would “grow their network and attract more users—instead, Apple limits the reach of third-party messaging apps and reinforces network effects that benefit Apple.” I see this differently. The network effect works against iMessage and in favor of over-the-tops like WhatsApp. That’s why third-party messengers are so much more popular than iMessage in most markets. The exception is the US, where iPhone’s dominance amongst certain demographics reinforces the network effect, but only within the group.

That said, the DOJ’s core argument remains that “Apple makes third-party messaging apps on the iPhone worse generally and relative to Apple Messages, Apple’s own messaging app. By doing so, Apple is knowingly and deliberately degrading quality, privacy, and security for its users.”

Gareth Mills, TMT Partner at Charles Russell Speechlys, told me that while “Apple has already pushed back against [the iMessage] element of the DOJ’s case, should that finding be upheld then it could have serious ramifications for encrypted messaging services and their usage worldwide.” According to Mills, “damningly, the DOJ’s complaint states quite clearly that Apple is happy to use privacy and security of its users as a foundational principle when it suits its economic interests—such as promoting end to end encryption on its iMessage service, but abandons these principles completely when they might benefit a competitor or when not in line with its own commercial interests.”

Apple’s RCS u-turn clearly lurks in the background as all this has been released, whether that was done to help soothe US regulators, Europe’s DMA stipulations, or even Chinese regulations as some have claimed. But the DOJ argues that RCS “would not cure Apple’s efforts to undermine third-party messaging apps because third-party messaging apps will still be prohibited from incorporating RCS just as they are prohibited from incorporating SMS. Moreover, the RCS standard will continue to improve over time, and if Apple does not support later versions of RCS, cross-platform messaging using RCS could soon be broken on iPhones anyway.”

Again the more pertinent argument, in my view, is slightly different. RCS is not end-to-end encrypted by default. Google has added that extra security layer to its RCS deployment in Messages, arguing it’s needed for security and privacy, just as Apple argues with iMessage. But RCS messaging from iPhone to Android will not get that level of security absent a complex change in RCS itself across all its stakeholders, or Google and Apple directly collaborating.

“This lawsuit threatens who we are and the principles that set Apple products apart in fiercely competitive markets,” Apple’s spokesperson said in response to the lawsuit. And while the arguments on all aspects of the suit will be complex, in my opinion the arguments over iMessage are much more straightforward. It’s 2024, and users should not need to compromise security and privacy to use default messengers to chat Android to iPhone. There are no longer any technical impediments, and WhatsApp’s own two-tier security approach that delineates third-party chats as just that—encrypted green bubbles, if you like—would resolve most of the claimed issues here.

So, should you stop using iMessage? You can’t—not if you have an iPhone. It will be the SMS client whatever else you use. But the DOJ’s argument that messaging outside Apple’s walled garden is a huge compromise is not wrong. More than the other elements in its lawsuit, the DOJ’s claims against iMessage are clear cut and stand out.

I have advised before that you should use WhatsApp or Signal to message cross-platform, keeping iMessage for SMS OTPs, marketing texts and the occasional message from an elderly relative. Unless you live in the US, of course, where the cachet of those blue bubbles seems to hold some magical appeal.

It’s inappropriate to speculate where all this might go, but change is coming to messaging this year anyway, and this is now part of the mix. Between this lawsuit, Apple’s reported discussions with Google on Gemini AI, and the resurgence of Huawei with its own OS threatening the smartphone duopoly, 2024 is getting more and more interesting by the week.
