We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about site visitors.

  • Cookie
    _GRECAPTCHA
  • Duration
    180 days
  • Description
    This cookie is used by the Google reCAPTCHA service to protect the site from spam and abuse, distinguishing between real users and bots. It performs a risk analysis by collecting information on browsing behavior and device details, such as mouse movements, keystrokes, and technical data.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Cookie
    language
  • Duration
    1 anno
  • Description

    This cookie is used to store the user's language preference.

  • Cookie
    post_viewed_
  • Duration
    1 ora
  • Description

    This cookie prevents a single visit to an article from being counted multiple times when the page is refreshed.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Cookie
    _ga_*
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to count visitors to the page

  • Cookie
    _ga
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to calculate visitor, session, and campaign data and track site usage for site analytic reporting. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

News

Apple encryption: security at the core

Apple encryption offers one of the most advanced systems for personal data protection, but full security requires enabling Advanced Data Protection and keeping devices up to date.

Cryptographic key pair

28 April 2025

Table of contents

  • End-to-end encryption in iMessage: protecting messages
  • FaceTime: secure calls and video chats
  • iCloud and Advanced Data Protection: maximum security for your data
  • Criticism of Apple’s encryption

Apple has adopted a rigorous approach to data security, integrating encryption across its primary services. End-to-end encryption ensures that only the sender and recipient can read messages or access protected content. Even if someone intercepts the data, they cannot decrypt it without the correct key.

Apple’s systems use unique encryption keys generated directly on user devices, preventing access by third parties, including Apple itself.

This approach has been praised for its privacy protection but also criticized by law enforcement agencies that see it as an obstacle to investigations.

End-to-end encryption in iMessage: protecting messages

How end-to-end encryption works in iMessage

iMessage uses end-to-end encryption based on AES-256 and an asymmetric key system to ensure that only the sender and recipient can read messages. This system relies on a pair of cryptographic keys:

  • A public key, shared with other users to encrypt outgoing messages;
  • A private key, stored exclusively on the recipient’s device, used to decrypt received messages.

When a message is sent via iMessage, the sender’s device encrypts it using the recipient’s public key. Only the recipient, with their private key, can decrypt the content.

This ensures that not even Apple can access messages, as it does not store users’ private keys.

Example of encryption Using AES-256

To better understand how encryption works in iMessage, here’s a practical example of how a message can be encrypted using AES-256 in Python:

from Crypto.Cipher import AES 

import os 

import base64 

# Generate a random AES-256 key 

def generate_key(): 

    return os.urandom(32)  # 256-bit key 


# Encrypt the message with AES-256 

def encrypt_message(message, key): 

    cipher = AES.new(key, AES.MODE_GCM)  # AES in Galois/Counter Mode 

    nonce = cipher.nonce  # Generate a random nonce 

    ciphertext, tag = cipher.encrypt_and_digest(message.encode('utf-8')) 

    return base64.b64encode(nonce + tag + ciphertext).decode('utf-8') 


# Decrypt the encrypted message 

def decrypt_message(encrypted_message, key): 

    encrypted_data = base64.b64decode(encrypted_message) 

    nonce = encrypted_data[:16] 

    tag = encrypted_data[16:32] 

    ciphertext = encrypted_data[32:] 

     
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce) 

    decrypted_message = cipher.decrypt_and_verify(ciphertext, tag) 

    return decrypted_message.decode('utf-8') 
 

# Example usage 

key = generate_key() 

message = "This is a secure message on iMessage." 

encrypted_message = encrypt_message(message, key) 

decrypted_message = decrypt_message(encrypted_message, key) 


print("Original message:", message) 

print("Encrypted message:", encrypted_message) 

print("Decrypted message:", decrypted_message)

How does the code work?

  1. Key generation
    The script generates a random AES-256 key (32 bytes).
  1. Message encryption:
  • Uses AES-GCM (Galois/Counter Mode) for encryption and integrity protection;
  • A nonce (random number) ensures that each encryption operation produces a unique output;
  1. Decryption:
  • The recipient uses the same AES key to retrieve the original message;
  • The system verifies the message’s integrity using an authentication tag.

This method is similar to what iMessage employs, though Apple also integrates a public-private key system for added security in device communication.

Asymmetric encryption and multi-device synchronization

One unique feature of iMessage is its ability to sync messages across multiple Apple devices while maintaining end-to-end encryption. To achieve this, Apple uses an asymmetric cryptography system based on RSA and Curve25519 to manage key distribution.

Each device linked to an Apple ID has:

  • A public key registered on Apple’s servers;
  • A private key stored only on the device.

When a user sends a message to a recipient with multiple linked devices (e.g., iPhone, iPad, Mac), the message is encrypted multiple times using the public keys of each device so that only those devices can decrypt it.

Below is a simplified implementation of asymmetric encryption using RSA in Python:

from Crypto.PublicKey import RSA 

from Crypto.Cipher import PKCS1_OAEP 

import base64 

# Generate public and private keys 

def generate_rsa_keys(): 

    key = RSA.generate(2048) 

    private_key = key.export_key() 

    public_key = key.publickey().export_key() 

    return private_key, public_key 

# Encrypt with the public key 

def encrypt_with_public_key(message, public_key): 

    rsa_key = RSA.import_key(public_key) 

    cipher = PKCS1_OAEP.new(rsa_key) 

    encrypted_message = cipher.encrypt(message.encode('utf-8')) 

    return base64.b64encode(encrypted_message).decode('utf-8') 
 

# Decrypt with the private key 

def decrypt_with_private_key(encrypted_message, private_key): 

    encrypted_data = base64.b64decode(encrypted_message) 

    rsa_key = RSA.import_key(private_key) 

    cipher = PKCS1_OAEP.new(rsa_key) 

    decrypted_message = cipher.decrypt(encrypted_data) 

    return decrypted_message.decode('utf-8') 

# Example usage 

private_key, public_key = generate_rsa_keys() 

message = "This is an encrypted message with RSA." 

encrypted_message = encrypt_with_public_key(message, public_key) 

decrypted_message = decrypt_with_private_key(encrypted_message, private_key) 

print("Original message:", message) 

print("Encrypted message:", encrypted_message) 

print("Decrypted message:", decrypted_message)

How does it work?

  • Key pair generation
    The script generates an RSA-2048 key pair.
  • Message encryption
    The message is encrypted using the recipient’s public key.
  • Decryption
    Only the recipient, using their private key, can decrypt the message.

iCloud Backup and Advanced Data Protection

By default, iMessage messages are stored in iCloud to allow restoration on new devices. However, if iCloud backup is not protected by Advanced Data Protection, Apple could theoretically access it in case of legal requests.
When Advanced Data Protection is enabled, end-to-end encryption extends to iCloud backups, making them accessible only to the user. This means that if the recovery key is lost, the data cannot be restored.

FaceTime: secure calls and video chats

How does encryption work in FaceTime?

FaceTime calls use end-to-end encryption to protect the transmitted audio and video content from eavesdropping. Unlike iMessage, which relies on AES-256, FaceTime implements a combination of:

  • AES-GCM (Galois/Counter Mode) for encrypting the real-time audio/video stream.
  • Curve25519 for cryptographic key exchange between devices.
  • DTLS-SRTP (Datagram Transport Layer Security – Secure Real-time Transport Protocol) to secure the transmission of real-time data packets.

This security system ensures that only the sender and receiver can decrypt the communication, blocking any third party—including Apple—from accessing the call contents.

Peer-to-peer transmission and FaceTime encryption

A distinctive aspect of FaceTime is that calls do not go through central servers but are transmitted directly between devices, using a peer-to-peer connection whenever possible.

This dramatically reduces the possibility of eavesdropping by third parties because:

  • Audio and video data are never stored on Apple’s servers;
  • The entire data stream is encrypted end-to-end, ensuring privacy;
  • Even in group calls, Apple only manages signaling (establishing the connection) without being able to access the conversation data.

Example: encrypting an audio/video stream using AES-GCM

To better understand FaceTime encryption, here’s a Python implementation that simulates encrypting and decrypting an audio/video stream using AES-GCM:

from Crypto.Cipher import AES 

import os 

import base64 

# Generate a random AES-256 key for the FaceTime session 

def generate_key(): 

    return os.urandom(32)  # 256-bit key 


# Encrypt an audio/video stream using AES-GCM 

def encrypt_audio_video(data, key): 

    cipher = AES.new(key, AES.MODE_GCM) 

    nonce = cipher.nonce  # Generate a random nonce 

    ciphertext, tag = cipher.encrypt_and_digest(data) 

    return base64.b64encode(nonce + tag + ciphertext).decode('utf-8') 


# Decrypt the received audio/video stream 

def decrypt_audio_video(encrypted_data, key): 

    encrypted_data = base64.b64decode(encrypted_data) 

    nonce = encrypted_data[:16] 

    tag = encrypted_data[16:32] 

    ciphertext = encrypted_data[32:] 

    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce) 

    decrypted_data = cipher.decrypt_and_verify(ciphertext, tag) 

    return decrypted_data 

# Simulating a secure FaceTime transmission 

key = generate_key() 

audio_video_data = b"Live FaceTime audio/video stream." 

encrypted_data = encrypt_audio_video(audio_video_data, key) 

decrypted_data = decrypt_audio_video(encrypted_data, key) 

print("Original data:", audio_video_data) 

print("Encrypted data:", encrypted_data) 

print("Decrypted data:", decrypted_data)

How does this code work?

  1. Key generation
    A random AES-256 key is generated for encrypting the audio/video stream.
  1. Encryption:
  • Uses AES-GCM, a secure mode that also provides authentication;
  • A random nonce ensures that every encryption operation produces a unique output.
  1. Decryption:
  • The recipient uses the same AES key to decrypt the audio/video data;
  • The authentication tag ensures that the message has not been altered.

Group FaceTime calls

FaceTime also supports group calls with up to 32 participants, and its encryption system is designed to maintain security in these scenarios.

  • Each participant’s device generates a unique encryption key for every other participant.
  • Public keys are exchanged among devices, allowing for secure communication.
  • Each participant encrypts their audio/video stream separately before sending it to others.

Esempio
Python demonstrating Curve25519 key exchange between two FaceTime participants:

from cryptography.hazmat.primitives.asymmetric import x25519 

# Generate private and public key pairs for FaceTime participants 

def generate_key_pair(): 

    private_key = x25519.X25519PrivateKey.generate() 

    public_key = private_key.public_key() 

    return private_key, public_key 

# Simulating secure key exchange between two FaceTime users 

private_key_alice, public_key_alice = generate_key_pair() 

private_key_bob, public_key_bob = generate_key_pair() 

# Creating a shared secret for encrypted FaceTime communication 

shared_secret_alice = private_key_alice.exchange(public_key_bob) 

shared_secret_bob = private_key_bob.exchange(public_key_alice) 

print("Alice's shared secret:", shared_secret_alice) 

print("Bob's shared secret:", shared_secret_bob) 

print("Do the shared secrets match?", shared_secret_alice == shared_secret_bob)

How does this work?

  • Each participant generates a key pair (public and private keys);
  • Public keys are exchanged among participants;
  • Each device computes a shared secret using the other participant’s public key and its own private key;
  • AES-GCM is then used to encrypt the actual audio/video stream using the derived shared key.

FaceTime metadata and privacy considerations

Even though Apple cannot access the content of FaceTime calls, certain metadata is still collected, including:

  • The phone number or Apple ID of participants;
  • The duration of the call;
  • IP addresses, which could reveal approximate locations.

Apple states that this metadata is used for diagnostic and service improvement purposes and is not stored long-termor used for user tracking.

iCloud and Advanced Data Protection: maximum security for your data

Apple introduced Advanced Data Protection to extend end-to-end encryption to more categories of data stored in iCloud. This system prevents even Apple from accessing stored files, enhancing security for:

  • iCloud backups
  • Photos and videos
  • Notes and reminders
  • iCloud Keychain
  • Stored messages

Without Advanced Data Protection, some iCloud data may be accessible to Apple in response to legal requests. However, enabling this feature ensures that only the user can decrypt their files.

Criticism of Apple’s encryption

Despite its effectiveness, Apple’s end-to-end encryption has been the subject of controversy. Law enforcement agencies argue that encryption hinders access to crucial evidence in criminal investigations.

Apple, on the other hand, maintains that user privacy is a fundamental right and should not be compromised by government backdoors.

Conclusion

Apple’s encryption system is among the most advanced for protecting personal data. With end-to-end encryption in iMessage, FaceTime, and iCloud, users can communicate and store information securely.

However, to ensure maximum protection, enabling Advanced Data Protection and keeping devices updated is essential.

Questions and answers

  1. What is end-to-end encryption?
    End-to-end encryption ensures that only the sender and recipient can access the transmitted data, preventing third-party access.
  2. Can Apple access my iMessage conversations?
    No, iMessage messages are protected by end-to-end encryption, meaning only the sender and recipient can read them.
  3. Are FaceTime calls really secure?
    Yes, FaceTime calls are encrypted with end-to-end encryption, making interception virtually impossible.
  4. Does iCloud protect all my data with end-to-end encryption?
    Only if Advanced Data Protection is enabled, extending encryption to backups, photos, notes, and other sensitive data.
  5. Can I disable iMessage or FaceTime encryption?
    No, encryption is built into the system and cannot be turned off by users.
  6. Could Apple create a backdoor for law enforcement?
    Apple has consistently opposed backdoors, stating that they would compromise security for all users.
  7. How can I check if iCloud encryption is enabled?
    You can check your iCloud settings to see if Advanced Data Protection is activated.
  8. Are iMessage notifications encrypted?
    No, message previews in notifications can be visible unless disabled in settings.
  9. What happens if I lose my encrypted device?
    Your data remains protected, but having a secure backup is crucial to prevent permanent loss.
  10. Are other messaging services as secure as iMessage?
    Apps like Signal and WhatsApp offer end-to-end encryption, but with different key management models.
4
To top