WhatsApp’s 2 billion users can look enviously at Apple’s latest iMessage update, which puts the rival messenger well ahead. Worse, seriously misleading comments from Mark Zuckerberg last week suggest he doesn’t understand how far WhatsApp has now fallen behind. If you use WhatsApp on an iPhone, here’s why you should be concerned.
Somewhat ironically, Apple’s iMessage has been notably absent among messengers reporting growth surges as millions reportedly quit WhatsApp. Ironically, because the public fracas between Apple and Facebook over WhatsApp and iMessage privacy labels was one of the initial triggers for the backlash, with iMessage coming out on top.
The reason we’re all writing about Telegram and Signal and not iMessage is obvious: it’s for Apple users only and doesn’t extend cross-platform. But iMessage is an exceptional platform, arguably with the best architecture of any, beating Signal, Wickr, Threema, Line, to say nothing of WhatsApp, Telegram and Android Messages.
“I want to highlight that we increasingly see Apple as one of our biggest competitors,” Mark Zuckerberg told analysts in January. “iMessage is a key linchpin of their ecosystem—which is why iMessage is the most used messaging service in the U.S.”
Zuckerberg was using iMessage as an example of what he says is Apple “using their dominant platform position to interfere with how our apps and other apps work.” Facebook’s issue is the imminent privacy update that will offer Apple’s iOS users an opt-out from the device tracking that drives a critical part of its advertising business model. “Apple may say that they’re doing this to help people,” Zuckerberg complained, “but the moves clearly track their competitive interests.”
But on that same call, Zuckerberg also showed how little he (or the person crafting his comments) understands about the innovations that have put iMessage well ahead of WhatsApp. “iMessage stores non-end-to-end encrypted backups of your messages by default unless you disable iCloud,” Zuckerberg said. “So, Apple and governments have the ability to access most people’s messages. So, when it comes to what matters most—protecting people’s messages, I think that WhatsApp is clearly superior.”
Those comments were very misleading. It’s actually WhatsApp that has an issue with “non-end-to-end encrypted backups” in the cloud, whether from an iPhone or Android. iMessage did have this issue, but it was addressed in 2017 with iOS 11. With the introduction of “Messages in iCloud,” Apple fixed a problem no other mainstream messenger has cracked, extending end-to-end encryption to cloud backups.
“iMessage is currently the only messaging app that supports syncing messages across multiple devices while still maintaining end-to-end encryption,” says Talal Haj Bakry, one of the security researchers behind the infamous iOS clipboard disclosure. “When you send a message through iMessage, it is individually encrypted for each of the recipient’s devices, since each device has its own public key. The same technique is used to sync messages across your own devices.”
Apple users can enable Messages in iCloud on all devices under their iCloud account, as long as two-factor authentication and iCloud Keychain are enabled—both basic security measures. Messages in iCloud takes secure messaging to a level no other platform can match—secure attachments, synchronized content and deletions across all devices, transfer of chat history to a new device, and a safety net if a phone is lost.
There is a caveat to this extension of iMessage’s end-to-end encryption to iCloud. If you have Messages in iCloud enabled and iCloud backup enabled, then a copy of the iMessage end-to-end encryption key is included in the backup. This would enable Apple to access your content to service a law enforcement warrant, but it doesn’t mean you are storing a “non-end-to-end encrypted backup of your messages.”
Contrary to what Zuckerberg said, you don’t need to “disable iCloud” to prevent this potential risk. You just need to disable the duplicate backup, a throwback to the days before continuous cloud usage and multi-device access. It’s a single setting and it won’t impact your daily use of your iPhone and your other Apple devices.
Using iCloud is an intrinsic part of the iPhone experience—this will not be impacted. It just means that you’re not storing backups of any non-Apple apps that don’t use the cloud as they work. In Apple’s words, the iCloud backup helps you “set up a new device or restore information on one you already have.” If you disable it, you can use Apple’s new (and excellent) direct transfer instead of restoring from a backup.
If you want to use an iCloud backup instead, you can back up your device and then disable automatic backups. You can even do this periodically if you want. When you turn off the iCloud backup setting, “a new [end-to-end encryption] key is generated on your device to protect future messages and isn’t stored by Apple.”
When I asked about the inaccuracy of Zuckerberg’s comments, Facebook appeared confused about the way in which iMessage and iCloud interoperate, mixing up Apple’s decision to refrain from fully encrypting iCloud backups with the way iMessage extends end-to-end encryption to its own Messages in iCloud storage. If this is enabled, your message history is not included in your general iCloud backup.
As Apple explains, “use iCloud Backup so that you have a copy of the information on your iPhone, iPad and iPod touch… Your backups only include information and settings stored on your device. They do not include information already stored in iCloud such as Contacts, Calendars, Bookmarks, Notes, Reminders, Voice Memos, Messages in iCloud, iCloud Photos and shared photos.”
WhatsApp, by contrast, does not offer multi-device access or secure cloud backups or any centralized repository to save disk space. Furthermore, WhatsApp continues to recommend using unsecured cloud backups as the default way to switch to a new phone. Apple users should always opt for a direct transfer instead. So, no, WhatsApp is not “clearly superior.” Its only advantage over iMessage is that it’s cross-platform.
Responding to Zuckerberg’s confusion, ESET’s Jake Moore cautioned that, “making comments like this unfortunately makes it more complicated for the user and may make people less likely to care about their data… fully encrypted and secure backups should be a default necessity, if the general user is to enable this feature and trust it.”
iMessage was already well ahead of WhatsApp before iOS 14—and that lead has just been significantly extended with the latest OS. The most serious risk to users from hyperscale messaging platforms is their potential to send malware-laced attachments to target devices. This has been an issue for WhatsApp and iMessage, with nation state hackers reportedly exploiting those vulnerabilities.
Apple had already said that iOS 14 introduced security improvements to prevent “zero-click” iPhone attacks, which researchers assumed used iMessage. Now we know the improvement is a new sandbox erected around iMessage that will safely contain any such threats. The disclosure was made by Samuel Groß of Google’s Project Zero in a blog post last week. After “reverse engineering” the update, he reported on “major changes [that] Apple implemented in iOS 14 which affect the security of iMessage.”
The change is BlastDoor, Groß explained, “a tightly sandboxed service responsible for almost all parsing of untrusted data in iMessages… and should have a significant impact on the security of iMessage and the platform as a whole. It’s great to see Apple putting aside the resources… to improve end users’ security.”
This is a serious step forward, a major improvement to iPhone security given the broad attack surface that iMessage and similar platforms provide. “This is a very impressive security enhancement made by Apple,” Check Point’s head of cyber research, Yaniv Balmas, tells me. “It doesn’t completely mitigate the risk, but it very well addresses the robustness of iMessage based on the common attack surface used today.”
According to Balmas, “this delivers a significant update of the iMessage architecture, in what can only be described as a rewrite that takes into account the known ‘attack plan’ and tries to address each and every step of it. It shows us that Apple learned how remote zero-click attacks are designed (at least how public exploits are constructed) and targeted pretty much every part of this ‘attack plan’ to render it useless.”
But this comes with a warning, Balmas says. “It is going to make iPhone exploitation via iMessage much harder for attackers and will probably shift their attention to other methods and messaging applications like WhatsApp, Telegram, Signal or others which have not yet implemented similar mitigations into their platform/software.”
Put more simply, iMessage may have been largely shut down as an attack vector, but the same cannot be said for other platforms, including, critically, WhatsApp. When you add this to the marked difference in privacy labels and the Facebook data harvesting factor, there is a stark and growing difference between the two.
“Apple does some very cool things,” Wickr CEO Joel Wallenstrom told me as messaging security hit the headlines in December, explaining that he tracks the company’s advances in encryption. Wickr is as secure as Signal, sanctioned for use within the DoD. Wallenstrom has warned that the risks in trusting Facebook “with protecting critical IP or a warfighting unit from harm are simply too great.”
All that said, WhatsApp’s convenience and scale cannot be overlooked. My advice is to use (cross-platform) Signal for secure messaging, but WhatsApp is safe to use and you can run that in parallel. Change these settings first, though. But, in the unlikely event iMessage was ever extended cross-platform, then given its significant architectural and security advantages, it would easily be my first choice.