There was, in the oldness of time, demand for Apple to open up its iMessage service a little. Then, out of the blue, over-zealous company Nothing justified Cupertino’s privacy and security arguments against doing so in mere hours — even as Apple announced plans to open up a little more.
Winner takes it all
What that hefty opening paragraph means is that:
- Apple continues to face pressure from regulators who want it to open up its services, including iMessage, to interoperate with similar services provided by others.
- Apple does not agree, and as expected is appealing against regulatory decisions to open up its services. The company, along with several big names in tech, filed appeals against the EU’s recently approved Digital Markets Act (DMA).
- While the terms of the act demand the companies concerned follow its dictates, the appeals may yet force changes in the DMA restrictions.
- When it comes to iMessage, Apple is arguing that its service is not a “gatekeeper” and that opening it up would undermine the privacy and security of users.
- And in what could be a defensive move, the company has confirmed it will bow to pressure and open iMessage up to Google’s RCS messaging service starting in 2024.
- A small Android-based hardware manufacturer called Nothing recently chose to roll out a hacked attempt to make iMessage interoperate on Android devices.
- That hack turned out to be half-baked, as it was quickly found to undermine privacy and security. The most egregious error turned out to be that, despite claiming it supported end-to-end encryption, the service exposed user data in plain text. This was a huge, dangerous mistake.
- Damage was done, however, as it appears tens of thousands of people had shared their Apple ID with the service, leaving their digital lives at risk.
- The botched introduction provides a strong justification for Apple’s arguments concerning the need to protect user privacy and security, even against the tyranny of choice.
But choice is good, right? Not always.
Take a chance on me
During the busy iMessage weekend, Ivan Krstić, Apple’s head of security engineering and architecture, went on record to explain more about the company’s stance on privacy and security across its platforms. He was particularly scathing about the EU’s decision to force Apple to open up for app sideloading under the DMA. Krstić thinks the decision will end up degrading user choice and leave people exposed to threats.
He also suspects some key software titles will end up being exclusively sold outside of Apple’s stores, which will force users to purchase titles from alternative distributors who may or may not offer the same degree of security, privacy, and payment protection Apple provides.
“In that case, those users don’t have a choice to get that software from a distribution mechanism that they trust. And so, in fact, it is simply not the case that users will retain the choice they have today to get all of their software from the App Store,” he said.
It means users will be forced to make purchases elsewhere, exposing themselves to additional risk in what we all now know to be an extremely dangerous security environment in which high-value government surveillance attacks appear to have become routine. It really is open to question how reducing overall platform security can benefit anyone, though perhaps some people feel that’s a small price to pay for a blue bubble in a chat.
Gimme, gimme
Shortly after, or perhaps because of, Nothing’s doing, Apple moved toward adoption of the Google-championed RCS (Rich Communication Services) standard for iMessage. That means when messaging people using devices that support RCS, you will also get things like read receipts, higher-quality images, and typing indicators. Google has been pressing Apple to support RCS for years.
In a statement, Apple said:
“Later next year, we will be adding support for RCS Universal Profile, the standard as currently published by the GSM Association*. We believe RCS Universal Profile will offer a better interoperability experience when compared to SMS or MMS. This will work alongside iMessage, which will continue to be the best and most secure messaging experience for Apple users.”
*Italics mine: Google has done a lot of work to build extensions that work with RCS, but Apple’s statement that it plans to support the GSM standard for RCS hints that Google’s extensions won’t be supported in Apple’s implementation.
Far away, standing near
You know, at the end of the day, Apple is fond of those blue, green, and gray bubbles in iMessage. I don’t think it has any intention of changing them. Instead, it will continue to explain what they mean.
And what they mean is that the best and most secure chats will always be those made between Apple devices, as those enjoy guaranteed end-to-end encryption at an industry-standard level.
Apple cannot really guarantee such security in chats between different platforms or applications. How could it tell whether the Android device an Apple user is communicating with is infected with a keylogger? Or if some hacked interlocutory service such as the one chosen by Nothing turns out to be inherently insecure?
The challenge really is that creating highly secure services that interoperate effectively can only really be achieved on a standards basis, and doing so requires a degree of industry cooperation that cannot easily be forced through legislation.
In the absence of a cohesive, joint attempt to build such standards, any attempt to enforce interoperability will only expose users to the need to send an SOS when things go wrong.
Money, money, money
While blunt instruments such as the DMA may force companies to move toward opening up, such as with RCS support or new App Store protocols, the constant, overwhelming tumult of regulation disincentivizes companies from solving any single problem well. Just as in every other part of life, a balance must be found between enforcement and encouragement. Striving for this balance is the name of the game.
Copyright © 2023 IDG Communications, Inc.
This story originally appeared on Computerworld