Connect with us

Hi, what are you looking for?


Data Protection

Apple Improves iMessage Security With Contact Key Verification

New capability detects attacks on iMessage servers and allows users to verify a conversation partner’s identity.

Apple on Friday introduced contact key verification, a new capability meant to improve the security of its iMessage service.

To ensure the privacy of conversations, iMessage offers end-to-end encryption, so that only the sender and receiver can read a message, and relies on sets of encryption keys, where public keys are stored on a key directory service, while private keys rest on the device and never leave it.

Key directory services, like Apple’s identity directory service, represent a single point of failure, where a powerful adversary may be able to compromise the service to intercept or monitor encrypted messages.

To address the shortcoming, iMessage contact key verification, Apple explains, relies on key transparency, a mechanism that uses a verifiable log-backed map data structure to deliver cryptographic proofs of inclusion, ensuring user privacy and allowing audits.

“iMessage contact key verification advances the state of the art of key transparency deployments by having user devices themselves verify consistency proofs and ensure consistency of the KT system across all user devices for an account,” Apple says.

This mechanism, the tech giant notes, is meant to protect against both key directory and transparency service compromises, allowing changes to the log-backed map while making device keys immediately verifiable.

iMessage contact key verification, Apple explains, uses an account-level elliptic curve digital signature algorithm (ECDSA) signing key that is generated on the device, stored in iCloud keychain, and available to the user on their trusted devices only.

“Each device uses the synchronized account key to sign its iMessage public keys. The account keys and signatures are included in the IDS service database along with the existing data,” Apple notes.

Advertisement. Scroll to continue reading.

When the user enables iMessage contact key verification, their devices verify that the key transparency map includes the data presented by the identity directory service, and notifies the user if a validation error occurs.

Users’ devices will periodically query the service for account information, verify the response against the key transparency mechanism, and flag inconsistencies.

“[The user’s] devices will additionally compare the KT data for identifiers, device records, and opt-in state against records stored in an end-to-end encrypted CloudKit container. This database is maintained by [the user’s] devices and is not readable or modifiable by Apple,” the tech giant explains.

Additionally, iMessage contact key verification allows users to perform manual contact verification code comparisons using the Vaudenay SAS protocol. Upon successful verification, the hash of the peer’s account key is saved to an end-to-end encrypted CloudKit container and linked to the peer’s card.

“Because the contact card is linked, all conversations with the peer’s identifiers — phone number and email address — are marked as verified. Group chats with peers that have been independently verified one-to-one are also automatically marked as verified,” Apple explains.

iMessage contact key verification is now available in the developer previews of iOS 17.2, macOS 14.2, and watchOS 10.2.

Related: Stealth Techniques Used in ‘Operation Triangulation’ iOS Attack Dissected

Related: Apple Patches Actively Exploited iOS, macOS Zero-Days

Related: NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022: Citizen Lab

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.