The former iMessage app, now renamed simply Messages, has been found to store sensitive data about its users, making it potentially insecure for privacy-minded chats.
Apple’s Messages App Is No Longer So Private
Apple has famously stated several times that its Messages app is more secure than its competitors. However, according to the latest reports, this isn’t the case. Specialists from The Intercept received a document from the Florida Department of Law Enforcement’s Electronic Surveillance Support Team that gives further details about the mobile application. Messages stores metadata about every phone number a user attempts to contact through the program. The police can access the information by filing an information request.
The exact mechanism is described in their report. As soon as a number is entered in the app, it pings Apple’s servers to check if the message can be sent by SMS or over the messaging service.
Apple records the queries in a database and also stores the date and time of the request along with the IP address. This combination can be used to determine the approximate location of the target user.
Apple has commented on the matter, confirming the data collection. The company stores the logs for only 30 days. However, it is possible for government agencies and the police to obtain multiple log files and create a record of all interactions of a given iPhone user.
The app doesn’t collect the contents of the messages; at least, there are no reported incidents of such actions.
The company has provided the following statement to The Intercept:
When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.