The iMessage system is Apple’s proprietary text system, which works only among iOS devices. It uses a series of servers owned by Apple that receive and forward messages. Those messages are sent via Apple’s PUSH notification service, which keeps an IP connection open all the time to check for new notifications and display messages. Each iPhone, iPod or other iOS device serves as a PUSH client, and they communicate with Apple’s servers over SSL. The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system.
One major issue is that Apple itself controls the encryption key infrastructure use for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users’ messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but it’s possible that the company could. Users’ AppleID passwords also are sent in clear text to the Apple servers.