Does Apple do this with iMessage? I don't think they can, even.

They could. Correct me if I'm wrong but users don't see which public keys have been used to encrypt the message's symmetric key. Theoretically Apple could easily and invisibly include themselves as a recipient.

You're exactly right and I'm not sure why this is being downvoted. Apple can add additional keys to iMessage messages and thus view them in transit - they say this themselves in their own security white paper[0].

[0]: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

> Apple can add additional keys to iMessage messages and thus view them in transit - they say this themselves in their own security white paper

I just read the section on iMessage (from around page 49) and I can’t see where this is written. Can you point to the part where they say this?

Page 51:

> The private keys for both key pairs are saved in the device’s Keychain and the public keys are sent to Apple’s directory service (IDS), where they are associated with the user’s phone number or email address, along with the device’s APNs address.

I'm no security engineer but wouldn't that require Apple to have access to the private key, whereas the whitepaper says they only have access to the public key?

They can't mess up with the private key (at least this is what they say, and we can't verify that as their software is closed source). But they're free to manipulate the public key which is used during the encryption phase.

For Apple as a company, not having access to iMessages is the safest thing to do, and I believe them when they say they can't access them in the current setup and are not willing to change that. It's because this would change their status from hardware/software vendor to telecommunications provider, with all related problems and costs - and they don't need any of these, so the best option is just to shield themselves from any user-to-user communication.

I don't think so but I'm not a security expert either so I might have this wrong.

If you send a group message, Apple provides your messaging client with all of the recipients' public keys that are used to encrypt the symmetric key that actually protects the message. They could slip their key into that list and I don't think you would be able to easily tell if they did that.

If you send a message to a single person, then that's just a group of one.

The interesting question to me is if Apple can be compelled to write code to do this if they haven't already done so (and I don't think they have). I wouldn't think they could be forced, but like Microsoft did with Skype, they might do it anyway.

Apple can associate their own public key with the users phone number, then they will be able to read messages sent to that user.

This just in: Gmail scans every user's incoming emails in a controversial project they're calling a 'spam filter'.