by Dan Moren
How iMessage security works
Our good friend Rich Mogull talked to Apple’s engineering and security teams and came away with an excellent overview of how Apple has designed the security of iMessage. There’s a particular emphasis on how Apple handles when new devices are added to an existing account:
It turns out you can’t add devices to an iCloud account without triggering an alert because that analysis happens on your device, and doesn’t rely (totally) on a push notification from the server. Apple put the security logic in each device, even though the system still needs a central authority. Basically, they designed the system to not trust them.
Fascinating look into a system with really solid security that’s more or less invisible to the end user. The end result: it’s really hard for anybody—criminals or the government— to basically log a “phantom” device into your iMessage account and get copies of your messages.