Tyler Cross
Published on: June 5, 2024
Messages sent using iMessage are encrypted, but with some caveats. iMessage end-to-end encrypts messages exchanged between Apple devices (iPhone, iPad, Mac, Apple Watch). Each device generates its own key pairs; only the public halves are registered with Apple's Identity Service (IDS), which a sender's device looks up to encrypt a message to each of your devices. The private keys never leave your devices, so in practice the only people who can read your texts are you and the recipient, not Apple and not anyone relaying the traffic.
This doesn’t mean that everything you send over iMessage is 100% secure. There are some significant gaps. Messages you send to non-Apple phones fall back to SMS or MMS (the green bubbles), which carry no end-to-end encryption at all. Your messages can also end up in an iCloud backup that Apple holds the keys to, and Apple retains some metadata even for end-to-end encrypted texts.
If you’re concerned about your privacy, I recommend using a third-party messaging app. Remember that any text you send to an Android user from the Messages app goes out as SMS/MMS over your carrier’s network, with no end-to-end encryption. The only way around this is to use a different messenger for those contacts (I’ll get into some of my favorite alternatives later). You might also want to consider using a VPN. It adds a layer of encryption between your device and the VPN server for your web browsing and app traffic over Wi-Fi or mobile data, though it does nothing for SMS. Editors’ Note: ExpressVPN and this site are in the same ownership group.
How iMessage Security Works
iMessage is built on end-to-end encryption (E2EE), which means only you and your intended recipient can read a particular message. It is not one shared key: when you send a message, your device generates a fresh random key for that message, encrypts the text with it, then wraps that key to the public key of each of the recipient’s devices (looked up from Apple’s directory) and signs the result with your device’s private signing key. The recipient’s device is the only one holding the matching private key, so it alone can unwrap the message key and display the text. This entire process happens automatically, without requiring any action from you.
Apple’s platform security documentation describes the construction: message content is encrypted with AES in CTR mode (a 128-bit per-message key; attachments use a 256-bit key), the per-message key is wrapped with P-256 elliptic-curve encryption for each recipient device, and the whole message is signed with P-256 ECDSA. Since iOS 17.4, iMessage also adds PQ3, a post-quantum key-establishment protocol, so recorded traffic can’t be decrypted later by a quantum computer. The practical upshot is that the ciphers aren’t the weak point. Nobody breaks iMessage by cracking AES, whether a basement-dwelling hacker or a nosy tech enthusiast; the realistic attacks go after the endpoints (a compromised phone), the backups, or the key directory, which is what the sections below are about.
These safety measures only apply to iMessage, which is just one part of what your phone does. A VPN doesn’t encrypt “everything” either: it encrypts the path between your device and the VPN provider’s server, hiding your traffic from the local Wi-Fi and your carrier or ISP, and hiding your IP address from the sites you visit. The VPN provider itself sits at the other end of that tunnel, which is why its logging policy matters (more on that below).
Your Apple ID should have two-factor authentication turned on (it is mandatory for most new accounts), which stops someone who has only your password from signing your iMessage account in on a new device. Separately, your device passcode, Face ID or Touch ID protects the messages already on the phone. Note that Face ID is a convenient way to unlock the device, not a second factor for your account, and anyone who learns your passcode can both read your messages and make changes to your Apple ID, which is why Stolen Device Protection (added in iOS 17.3) is worth turning on.
Newer iPhones (iOS 17.2 and later) support Contact Key Verification, which defends against an attacker who can tamper with Apple’s key directory. That is no easy feat, since it takes control of Apple’s servers or a comparable position, but an attacker who manages it could register an extra device key under your contact’s handle, and your phone would then silently encrypt every message for that device as well, so the attacker receives a copy of the conversation. With Contact Key Verification enabled, your device checks the keys it is handed against a public, append-only log (key transparency) and warns you if they don’t match, and you can additionally compare a verification code with the other person in person or over a call.
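To make the key flow from the last few paragraphs concrete, here is an added example in Go (mine, not Apple’s code) that models the parties involved: two devices that each keep a private key, a directory that stores only public keys (standing in for Apple’s IDS), and a relay that sees envelopes. It simplifies the real protocol: iMessage encrypts with AES-CTR and signs with ECDSA, while this example seals both the text and the wrapped key with AES-GCM and omits the signature; the verification code is a truncated SHA-256 of both public keys, not Apple’s actual Contact Key Verification format; and the handles alice, bob and eve are constructed. What it shows is that the relay and directory never hold anything that decrypts a message, that a device whose key wasn’t used can’t unwrap it, and that swapping a key in the directory changes the verification code both parties compute.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Device holds one endpoint's P-256 key pair. The private half never leaves the device; only the
// public half is registered in the directory, the role Apple's IDS plays for iMessage.
type Device struct{ priv *ecdh.PrivateKey }
// Directory maps a handle (phone number or email) to a registered public key: no private material.
type Directory map[string]*ecdh.PublicKey
// Envelope is everything the relay carries and can inspect: metadata and ciphertext, never a key.
type Envelope struct {
	From, To   string
	EphPub     []byte // ephemeral ECDH public key used to wrap the message key
	WrappedKey []byte // per-message AES-128 key, sealed under the ECDH-derived key-encryption key
	Body       []byte // the text, sealed under the per-message key
}

func NewDevice() *Device                  { return &Device{must(ecdh.P256().GenerateKey(rand.Reader))} }
func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }
func gcm(key []byte) cipher.AEAD          { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Every key below is used for exactly one GCM call (fresh message key, fresh ephemeral ECDH per message), so a fixed nonce never repeats under a key.
var nonce = make([]byte, 12)

// kek derives the key-encryption key from the ECDH shared secret and the ephemeral public key.
func kek(shared, ephPub []byte) []byte { h := sha256.Sum256(append(shared, ephPub...)); return h[:] }

// Send generates a fresh AES-128 message key, seals the text under it, and wraps that key to the
// recipient's registered public key via an ephemeral ECDH exchange (the ECIES pattern).
func (d *Device) Send(dir Directory, from, to string, plaintext []byte) (*Envelope, error) {
	rcptPub, ok := dir[to]
	if !ok {
		return nil, errors.New("unknown recipient")
	}
	mk := make([]byte, 16)
	rand.Read(mk)
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	ephPub := eph.PublicKey().Bytes()
	aad := []byte(from + ">" + to) // binds both ciphertexts to the claimed sender and recipient
	return &Envelope{From: from, To: to, EphPub: ephPub,
		WrappedKey: gcm(kek(must(eph.ECDH(rcptPub)), ephPub)).Seal(nil, nonce, mk, aad),
		Body:       gcm(mk).Seal(nil, nonce, plaintext, aad)}, nil
}

// Receive succeeds only on the device whose private key matches the public key Send looked up.
func (d *Device) Receive(env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphPub)
	if err != nil {
		return nil, err
	}
	aad := []byte(env.From + ">" + env.To)
	mk, err := gcm(kek(must(d.priv.ECDH(ephPub)), env.EphPub)).Open(nil, nonce, env.WrappedKey, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: not addressed to this device")
	}
	pt, err := gcm(mk).Open(nil, nonce, env.Body, aad)
	if err != nil {
		return nil, errors.New("body authentication failed: ciphertext or headers were altered")
	}
	return pt, nil
}

// VerificationCode stands in for a Contact Key Verification code: a short, order-independent
// digest of both parties' public keys that each side computes locally and compares out of band.
func VerificationCode(a, b *ecdh.PublicKey) string {
	x, y := a.Bytes(), b.Bytes()
	if string(x) > string(y) {
		x, y = y, x
	}
	h := sha256.Sum256(append(x, y...))
	return hex.EncodeToString(h[:4])
}

func main() {
	alice, bob, eve := NewDevice(), NewDevice(), NewDevice()
	dir := Directory{"alice": alice.Public(), "bob": bob.Public()}
	env, _ := alice.Send(dir, "alice", "bob", []byte("meet at 9"))
	fmt.Printf("relay sees: from=%s to=%s body=%x\n", env.From, env.To, env.Body)
	pt, _ := bob.Receive(env)
	_, err := eve.Receive(env)
	fmt.Printf("bob reads %q; eve gets: %v\n", pt, err)
	honest := VerificationCode(alice.Public(), bob.Public())
	dir["bob"] = eve.Public() // directory compromise: Eve's key registered under Bob's handle
	fmt.Println("code still matches after substitution:", VerificationCode(dir["alice"], dir["bob"]) == honest)
}
```

The last line prints false once Eve’s key replaces Bob’s in the directory: Alice’s phone would now encrypt to Eve, and the mismatch in the code each side computes is exactly what Contact Key Verification surfaces to the user.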
All of that said, iMessage isn’t perfect, as I’ll explain below.
iMessage Privacy and Security Risks
Even though Apple has top-of-the-line security features, iMessage isn’t without some risks. To maximize your online privacy, you should be aware of how Apple handles data privacy for iCloud backups, texts sent to non-iOS users, and the general risks you run into on iMessage. Some of these risks have simple solutions, but some require constant vigilance on your part, so read through them carefully.
iCloud Backups
When you back up to iCloud with the default (standard) data protection, the backup is encrypted in transit and at rest on Apple’s servers. Sounds safe enough, right? The problem is that Apple holds the encryption keys for that backup, so Apple can decrypt it. And because an iCloud backup includes the key that protects Messages in iCloud, this reaches your iMessage history too, even though the messages themselves were end-to-end encrypted in transit.
The company keeps the keys so it can recover your account and data if you forget your password. But at the end of the day, with standard protection Apple has access to most of the data you put in iCloud. It has reasonable safeguards, but its own legal process guidelines say it will hand over iCloud content, including backups and Messages in iCloud, in response to a valid search warrant, and its transparency reports show that it does.
Having said that, it’s still important to back up your data in case of an emergency, and there are more private ways to do it. Instead of a standard iCloud backup, make an encrypted local backup with Finder or iTunes, or turn on Advanced Data Protection, which keeps the keys for your backups on your own devices so Apple no longer has them.
Messaging Apps Outside the iOS Ecosystem
Apple can’t end-to-end encrypt messages to or from non-Apple devices: they leave the Messages app as plain SMS or MMS. If you’re texting a friend who’s using an Android phone, nothing stops your carrier, or anyone with access to the carrier’s network, from reading those texts.
I think this is a larger security flaw than Apple keeping a record of your encryption key during iCloud backups. Not every user will use iCloud backups and even if they do, this encryption at least prevents hackers from being able to read your texts. Nearly everyone who uses an iPhone will eventually text someone who uses an Android phone and those texts are simply not secure.
This means you’ll have to take matters into your own hands. If you frequently communicate with Android users, the only way to protect those texts is to use a third-party app that encrypts end to end by default on both platforms, like Signal or WhatsApp. Be careful with Telegram: its regular chats and all of its group chats are not end-to-end encrypted; only its one-to-one “Secret Chats” are.
Social Engineering Schemes
You still need to worry about social engineering schemes and phishing scams. Even on Apple, hackers can still send texts with malicious links or fake forms to fill out, meaning there are innumerable ways you can be misled into downloading sketchy apps or giving out personal information to crooks. The truth is, even the best security in the world can’t protect us from ourselves, which is why you need to stay vigilant against threats.
Don’t open links from senders you don’t know, avoid phone calls from numbers you don’t recognize, and be cautious when visiting new websites. The best way to protect yourself against phishing scams is by installing good web protection tools with anti-phishing protection. iOS has some features that help (Safari’s Fraudulent Website Warning and the Messages app’s filtering of unknown senders), but in my experience, third-party tools like Norton and TotalAV are more effective. Norton even comes with an SMS filter that can keep suspicious texts out of your Messages inbox.
Metadata Collection
iMessage does generate some data Apple can see, even for E2EE messages. The data in question is metadata, meaning data about your data. Apple’s own legal process guidelines say it logs iMessage “capability queries” (when your phone asks whether a number is reachable over iMessage, along with your IP address and the date and time) and keeps those logs for around 30 days; Apple says these logs don’t show whether a conversation actually took place, and it has no record of the content. Metadata is not harmless: who you talk to, when, and from which IP address is often exactly what an investigator or a repressive government wants, and it has been used against people, so don’t assume E2EE hides the fact that a conversation happened.
There is no way to stop Apple seeing this metadata while still using iMessage. A VPN hides your real IP address from Apple (it sees the VPN server’s address instead), but it doesn’t change who you message or when, and it has no effect on SMS texts to Android users. The best VPNs have audited no-logs policies, meaning the provider itself keeps no record of your activity. If you’re worried about metadata, or about bad actors snooping on your texts to Android users, your best move is a messenger designed to retain as little metadata as possible, like Signal (WhatsApp is end-to-end encrypted too, but shares metadata with Meta), used alongside a VPN.
Possible Security Changes
There are some valid concerns with how Apple manages its ecosystem. Now, while I have and will continue to say that Apple’s built-in encryption offers solid protection for iOS users, it has come under a lot of legal scrutiny for monopolistic practices within its ecosystem. The US Department of Justice is fighting to “open up” Apple’s ecosystem and has been for years, but Apple and its defenders argue that doing so could weaken the security the company has spent years building up.
What this means for you is that it’s possible some of the data collection and privacy policies Apple uses may change. For example, Apple is currently strict about what data it lets third-party companies like Facebook collect, but it’s possible that laws may change and Apple will be forced to share more data. There’s also the chance that any “opening up” could indeed lead to cybercriminals exploiting newly revealed flaws.
How to Protect Your Device & Data While Using iMessage
Using iMessage is already pretty secure (as long as you’re only texting other iOS users), but there are a few steps you should take to maximize your online privacy while messaging.
Turn on Advanced Data Protection
Advanced Data Protection end-to-end encrypts most of your iCloud data, including iCloud Backup, Messages in iCloud, Photos, Notes and iCloud Drive, so that only your trusted devices hold the keys; Apple can no longer decrypt those categories, even under legal process. (iCloud Mail, Contacts and Calendar stay under standard protection because they have to interoperate with other providers.) This eliminates the main problem with iCloud backups, but there are some requirements. You need an Apple ID with two-factor authentication enabled, a passcode or password on each device, and at least one alternate recovery method: a recovery contact or a 28-character recovery key. Because Apple can no longer reset your data for you, losing all your devices and your recovery method means the data is gone.
The other drawback is that every device signed in to your Apple ID needs to be up to date before you can turn on Advanced Data Protection (you can sign out any device that can’t be updated). Specifically, each device needs to run one of these versions or newer:
- iOS 16.2.
- iPadOS 16.2.
- macOS 13.1.
- watchOS 9.2.
- tvOS 16.2.
- HomePod version 16.0.
- Windows computer with iCloud for Windows 14.1.
To enable Advanced Data Protection on your iPhone:
- Open the Settings app on your iPhone.
- Tap your name at the top to access your Apple ID settings.
- Go to iCloud.
- Select Advanced Data Protection.
- Tap Turn On Advanced Data Protection and follow the prompts (you’ll be asked to set up a recovery contact or recovery key if you haven’t already).
To enable it on a Mac:
- Open the Apple menu and choose System Settings
- Click on your profile name.
- Click iCloud.
- Click Advanced Data Protection, then Turn On, and follow the prompts.
Customize Your iMessage Privacy Settings
There are multiple settings you can toggle to customize iMessage and better protect your data. One thing I learned from playing video games is that you should always check out the settings for each new product you get. In the case of iMessage, you can easily enhance your privacy with just a few taps.
- Disable read receipts. This stops the people you message from seeing when you’ve read their texts. The read receipt is itself an end-to-end encrypted iMessage, so this is about privacy from your contacts rather than from Apple, but it also removes one signal (when you picked up your phone) that a compromised contact could learn, and it helps you avoid the pressure to respond quickly. Open Settings, tap Messages, and toggle off Send Read Receipts; you can also turn them off per conversation from the contact’s details.
- Hide message previews. You can stop message contents appearing on your lock screen just as easily, which matters whenever your phone is out of your hands. Open Settings, then Notifications, then Messages, and set Show Previews to When Unlocked or Never.
- Filter unknown senders. To keep scam texts out of your main inbox, turn on filtering for unknown senders. Open Settings, then Messages, then Unknown & Spam, and toggle Filter Unknown Senders on. This doesn’t block anything: messages from numbers not in your contacts are moved to a separate Unknown Senders list and don’t trigger notifications, so you can still find a legitimate delivery code there. If you want scams actually identified rather than just sorted, consider a security app with an SMS filter, like Norton.
Use iTunes Backup
An encrypted local backup (made with Finder on macOS Catalina or later, or with iTunes on older Macs and on Windows) is a second way to back up your iPhone without handing Apple a key. The backup is encrypted with a key derived from a password you choose, which never leaves your computer, so Apple has nothing to decrypt it with. Note that this only helps if you also turn off iCloud Backup; otherwise a copy protected by Apple-held keys still exists. To make an encrypted local backup:
- Connect your iPhone to your computer using a USB cable.
- Open iTunes on your computer (or Finder if you are using macOS Catalina or later).
- Select your device when it appears in iTunes or Finder.
- Under the Backups section, select Encrypt local backup. (An encrypted backup also includes saved passwords, Wi-Fi settings and Health data, which unencrypted backups leave out.)
- Create a strong password for the encrypted backup and store it in a password manager. Without it the backup cannot be restored, and Apple cannot recover it for you.
- Click Back Up Now to start the backup process.
Use a VPN
If you’re worried about your data being mishandled, you might want to look into using a VPN. A VPN encrypts all the traffic between your device and the VPN server, so the Wi-Fi network you’re on and your carrier or ISP see only encrypted traffic headed to the VPN, and the sites and apps you use see the VPN’s IP address instead of yours. It does not make traffic unreadable at its destination, and it does nothing for phone calls and SMS/MMS, which ride on the carrier’s voice and messaging channels rather than your data connection. It also won’t change what Apple collects about your account (though if you always use a VPN, Apple won’t see your real IP address). Still, once you connect to a VPN, your browsing and third-party app traffic is shielded from anyone on the local network path.
A good VPN company, like ExpressVPN, won’t keep logs of what you do through the tunnel. Unlike iCloud, where your data sits encrypted under keys Apple holds, a VPN shouldn’t be storing your data at all: ExpressVPN’s servers run from RAM only, so whatever is in memory is wiped each time a server restarts.
I recommend choosing a VPN with an independently audited no-logs policy and security features that stand up to scrutiny. The best VPNs have servers all over the world and come with features like split tunneling and a kill switch (which blocks all traffic if the tunnel drops, so nothing leaks to the network in the clear). Other features to look out for include support for torrenting and streaming services.
Use an Antivirus for iOS
Apple devices already have good built-in security features, but that doesn’t mean they’re perfect. iOS “antivirus” apps typically can’t scan other apps for malware, because iOS sandboxing doesn’t let them, so what they actually offer is a bundle of extra protections: web filtering that blocks known phishing sites, Wi-Fi safety checks, SMS filtering, and sometimes a VPN or dark web monitoring.
More to the point, some iOS antiviruses come with spam filters. These can protect iMessage users by hiding dangerous (and annoying) texts sent by scammers and marketers. These kinds of texts can be used to steal your data, so getting less of them is a huge plus in my book. Not every iOS security tool has such a feature, but a few top brands like Norton and Bitdefender do.
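The SMS filters mentioned here (and in the social-engineering section earlier) plug into the system’s message-filter hook, which lets an app classify texts from unknown senders before they reach the inbox. The example below is added by me and is not Norton’s or Apple’s code; it runs the same kind of classification over a few constructed sample texts in Go. Saved contacts are never filtered; an unknown sender is junked for a shortened or punycode link, for a lookalike of a known brand (after folding substitutions such as 1 for l), or for urgency language sitting next to a link. The brand list, shortener list, phone numbers and messages are all constructed, and the registrable-domain helper is a toy that ignores the public suffix list.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Verdict mirrors the outcomes a message-filter extension can return for an unknown sender.
type Verdict string

const (
	Allow Verdict = "allow"
	Junk  Verdict = "junk"
)

// Constructed reference data: brands the filter recognizes with their real registrable domains,
// and link shorteners that hide the true destination.
var knownBrands = map[string]string{"apple": "apple.com", "paypal": "paypal.com", "usps": "usps.com"}
var shorteners = map[string]bool{"bit.ly": true, "tinyurl.com": true, "t.co": true}
var urlRe = regexp.MustCompile(`https?://[^\s]+`)
var urgencyRe = regexp.MustCompile(`(?i)\b(urgent|suspended|verify now|within 24 hours|final notice|act now)\b`)

// normalizeHost folds common lookalike substitutions so "app1e-id.com" compares as "apple-id.com".
func normalizeHost(h string) string {
	return strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s", "rn", "m", "vv", "w").Replace(strings.ToLower(h))
}

// registrable keeps the last two labels ("tools.usps.com" -> "usps.com"); a real filter would use
// the public suffix list so that "example.co.uk" is handled correctly.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Classify scores one text. Saved contacts are never filtered; an unknown sender is junked when
// the message carries a shortened or punycode link, a lookalike of a known brand, or urgency
// language next to a link. The reasons explain the verdict for later review.
func Classify(sender, text string, contacts map[string]bool) (Verdict, []string) {
	if contacts[sender] {
		return Allow, nil
	}
	var reasons []string
	lower := strings.ToLower(text)
	links := urlRe.FindAllString(text, -1)
	for _, raw := range links {
		u, err := url.Parse(strings.TrimRight(raw, ".,;:)"))
		if err != nil || u.Hostname() == "" {
			continue
		}
		host := strings.ToLower(u.Hostname())
		if strings.HasPrefix(host, "xn--") || strings.Contains(host, ".xn--") {
			reasons = append(reasons, "punycode host "+host)
		}
		if shorteners[registrable(host)] {
			reasons = append(reasons, "shortened link via "+host)
		}
		for brand, realDomain := range knownBrands {
			claimsBrand := strings.Contains(lower, brand) || strings.Contains(normalizeHost(host), brand)
			if claimsBrand && registrable(host) != realDomain {
				reasons = append(reasons, fmt.Sprintf("%q invoked but link goes to %s", brand, host))
			}
		}
	}
	if len(links) > 0 && urgencyRe.MatchString(text) {
		reasons = append(reasons, "urgency language combined with a link")
	}
	if len(reasons) > 0 {
		return Junk, reasons
	}
	return Allow, nil
}

func main() {
	contacts := map[string]bool{"+15550100": true} // constructed: the one saved contact
	samples := []struct{ from, text string }{      // constructed sample texts
		{"+15550100", "Running late, order without me: https://bit.ly/menu"},
		{"+15550199", "Your Apple ID is suspended. Verify now: https://app1e-id.com/login"},
		{"+15550199", "Your package arrives today: https://tools.usps.com/track"},
		{"+15550199", "PayPal receipt: https://xn--pypal-4ve.com/inv/77"},
		{"+15550199", "Dinner tonight?"},
	}
	for _, s := range samples {
		v, why := Classify(s.from, s.text, contacts)
		fmt.Printf("%-5s %-70q %v\n", v, s.text, why)
	}
}
```

The useful property is the asymmetry: the filter errs toward letting a plain text or a link to the brand’s real domain through, and only junks when an unknown sender combines a link with something a legitimate sender rarely does. A commercial filter adds reputation data for senders and domains on top of rules like these.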
Use a Third-Party Messaging App
As you’ve learned, a text you send to an Android user from the Messages app goes out as unencrypted SMS/MMS. The only solution is to use a different messaging app for those conversations. Signal and WhatsApp encrypt every chat end to end regardless of whether the people you message have Androids or iPhones; Telegram only does so for one-to-one Secret Chats. That said, each app has its own advantages and disadvantages.
iMessage vs. Other Messaging Apps
Has iMessage Ever Been Compromised?
iMessage has been compromised, repeatedly, by the most sophisticated class of attacker. Even though Apple products have strong built-in security, iMessage is a large, always-on parser of untrusted input (text, images, attachments) from anyone who knows your number, which makes it a prime target for zero-day, zero-click attacks (ones that run without you tapping anything), alongside malicious texts and social engineering. Apple’s answer has been layered: BlastDoor (iOS 14) parses incoming messages inside a tight sandbox, and Lockdown Mode (iOS 16) blocks most attachment types and link previews for people who believe they may be individually targeted. If you think you are one of them, the Mobile Verification Toolkit (MVT) from Amnesty International’s Security Lab can check an encrypted local backup of your phone for the known indicators of these campaigns. Here are two of the best-documented attacks iMessage has faced.
- Operation Triangulation. In June 2023, Kaspersky reported an ongoing campaign that had infected iPhones belonging to its own employees. The attack arrived as an iMessage attachment that exploited a chain of four then-unknown vulnerabilities, starting with a flaw in Apple’s TrueType font parser (CVE-2023-41990) and ending with a bypass of a hardware memory-protection feature (CVE-2023-38606), to gain kernel-level control and install spyware without the victim ever opening the message, which deleted itself afterwards. Apple patched the chain across several 2023 updates beginning with iOS 16.5.1, and Kaspersky published a free triangle_check tool that scans a backup for traces of the infection.
- FORCEDENTRY. This zero-day, zero-click exploit, uncovered by Citizen Lab in 2021, hit iOS, macOS and watchOS. A file disguised with a .gif extension was actually a PDF that triggered an integer overflow in Apple’s JBIG2 image decoder (CVE-2021-30860), letting attacker code run simply because Messages processed the attachment; it worked despite BlastDoor. NSO Group, the commercial spyware vendor, used it to install Pegasus. Apple patched it in iOS 14.8 in September 2021, and Lockdown Mode was its later answer to this class of attack.
Frequently Asked Questions
What does iMessage encryption do?
iMessage encrypts your messages so that only you and the recipient can read them (assuming the other person is also on an Apple device). If someone intercepts a message in transit, they see only ciphertext. Decrypting it requires the recipient device’s private key, which never leaves that device. While there are unique risks to using iMessage, the encryption itself is solid.
Do I need a VPN if I’m using iMessage?
iMessage has good built-in security measures, but remember that these only cover iMessage itself. If you want to shield your web browsing and other iPhone apps from the network you’re on, you’ll want a reliable VPN.
A VPN encrypts everything leaving your device over Wi-Fi or mobile data, while iMessage’s encryption only covers the messages themselves. Without a VPN, most app and web traffic is still protected by HTTPS, but whoever runs the network you’re on (and your ISP or carrier) can see which hosts you connect to, when, and how much, and the sites you visit see your real IP address; a VPN hides that. Note that a VPN will not encrypt texts sent to Android users through the Messages app, since SMS doesn’t travel over your data connection. For that, the only solution is a third-party messaging app.
Is iMessage safer than Messenger?
iMessage is generally more secure than Messenger thanks to its stronger privacy defaults and built-in security features. Facebook collects a lot of data, and historically Messenger chats were not end-to-end encrypted unless you started a secret conversation. Meta began rolling out default E2EE for one-to-one Messenger chats in December 2023, but the rollout is gradual, so check that a chat is marked end-to-end encrypted rather than assuming it is. You’ve probably heard this a thousand times, but there are good reasons why tech writers like myself criticize Facebook for its data collection policies.
A VPN doesn’t change any of that. It hides your IP address and location from Facebook and from your ISP, but a Messenger chat that isn’t end-to-end encrypted is decrypted on Facebook’s servers no matter how it got there. ExpressVPN’s no-logs policy means the VPN company itself keeps no record of your traffic, which is the right thing to expect from a VPN; it’s just not a fix for what the app’s own provider can see. For that, use Messenger’s end-to-end encrypted chats or switch to a different messenger.
What type of data does Apple collect from iMessage?
Apple doesn’t get the content of iMessage conversations, but it does retain some metadata: the iMessage capability lookups your device makes (which handles you checked, from what IP address, and when), kept for about 30 days according to Apple’s legal process guidelines, plus the usual records tied to your Apple ID. The messages themselves are protected by keys Apple doesn’t hold, so in transit they can’t be read.
But once your messages land in an iCloud backup under standard data protection, things change. The backup is still encrypted, but Apple holds the key, so Apple can decrypt it, for instance in response to a warrant. The simplest fixes are to turn on Advanced Data Protection, or to turn off iCloud Backup and use encrypted local (Finder or iTunes) backups instead.