Four incorrect beliefs you may hold about iMessage

Apple has been touting iMessage as "end-to-end encrypted" for many years. "The first widely available messaging app to provide end-to-end encryption by default". Users understandably trust Apple to get this right, and believe that their messages are secure even from Apple. However, that trust is misplaced. Most beliefs users hold about iMessage end-to-end encryption are false.

Belief 1: My iMessages cannot be read by Apple under any circumstances.

The truth is that in the default configuration Apple can read all of the messages you send and receive. This is not theoretical because they do, in fact, read people's messages and share them with third parties in response to requests. This is not due to bugs in the iMessage protocol or implementation. It is working as intended and documented (but not advertised) by Apple.

This Apple support page describes exactly what is encrypted and how. What you need to know before reading this page is that "In transit & on server" encryption is definitively not end-to-end encryption. Apple can and does read information that is encrypted "In transit & on server".

Apple can decrypt and read your messages stored in your Messages iCloud backup. This is documented in this table in the "iCloud Backup" row, under "Standard data protection", where the "Encryption" column reads "In transit & on server".

Belief 2: My iMessages cannot be read by Apple if I enable "Messages in iCloud".

"Look", you might say, "the line in that table for 'Messages in iCloud' says 'End-to-end'. So that means my messages can't be read by Apple, right?"

Unfortunately for you, there is a footnote on that line. Follow it to read in part: "When iCloud Backup is enabled, your backup includes a copy of the Messages in iCloud encryption key". Now go back to the "iCloud Backup" line and note again that it reads "In transit & on server". Yes, this really does mean that Apple can read your Messages in iCloud encryption key from your iCloud backup, and then decrypt your messages. So much for "end-to-end encryption"!

Belief 3: My iMessages cannot be read by Apple if I disable iCloud backup.

"Hey, but if I disable iCloud backup, then finally my messages are secure, right?" Well, two things about that.

  1. Firstly, this is terrible! Apple's restrictive policies for iOS and the App Store prohibit any third party cloud backup solution for iOS. Apple is the only game in town, and if you don't like how their cloud backup works then there's no cloud backup for you! It's a pretty big feature to give up.

  2. Even if you do disable iCloud backup, Apple can still read any message you send to a recipient who has iCloud backups enabled, and any message they send to you. Which is practically everyone, since that is the default and intended configuration of iPhones. So in practice, almost all of your messages are still sitting on Apple's servers in a form that Apple can read at any time without your knowledge or consent.

Belief 4: My iMessages cannot be read by Apple if I opt in to "Advanced Data Protection"

I am glad that Apple offers the "Advanced Data Protection" feature. I think Apple's implementation could be improved by doing what Google did: securing the recovery method using your phone's screen unlock code. This enabled Google to turn on end-to-end encryption by default for everyone with no opt-in required and little risk of data loss.

Because Apple didn't do that, this has the same problem as the previous solution: Apple can still read any message you exchange with practically anyone, since they are overwhelmingly likely to have iCloud backups enabled and overwhelmingly unlikely to have proactively enabled the non-default "Advanced Data Protection" feature.
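
A simplified model of the key chain described in Beliefs 2 through 4, added here as an illustration and not Apple's code or protocol: the cipher is a toy, and `Provider`, `enroll` and `read_thread` are hypothetical names. It shows one conversation being unrecoverable through the accounts that use Advanced Data Protection or have backup disabled, yet recoverable through the one account left on default settings.

```python
import hashlib, hmac, os

def _xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream; stands in for a real cipher.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, plaintext: bytes) -> bytes:
    ct = _xor(hashlib.sha256(b"enc" + key).digest(), plaintext)
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, hashlib.sha256).digest()
    return ct + tag

def unseal(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    want = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong key or tampered blob
    return _xor(hashlib.sha256(b"enc" + key).digest(), ct)

class Provider:
    """Everything the service operator holds (constructed model)."""
    def __init__(self):
        self.synced_messages = {}  # user -> thread sealed under the user's messages key
        self.backups = {}          # user -> backup blob that contains the messages key
        self.backup_keys = {}      # user -> backup key, held only under standard protection

    def enroll(self, user, thread: bytes, backup_on: bool, adp_on: bool):
        messages_key, backup_key = os.urandom(32), os.urandom(32)
        self.synced_messages[user] = seal(messages_key, thread)
        if backup_on:
            self.backups[user] = seal(backup_key, messages_key)
            if not adp_on:
                self.backup_keys[user] = backup_key  # "In transit & on server"

    def read_thread(self, user):
        """Try to recover a user's messages from server-side material only."""
        backup_key = self.backup_keys.get(user)
        if backup_key is None or user not in self.backups:
            return None
        messages_key = unseal(backup_key, self.backups[user])
        return unseal(messages_key, self.synced_messages[user])

def demo():
    thread = b"alice: meet at 6?\nbob: ok"  # constructed sample conversation
    p = Provider()
    p.enroll("alice", thread, backup_on=True, adp_on=True)    # opted in to ADP
    p.enroll("bob", thread, backup_on=True, adp_on=False)     # default settings
    p.enroll("carol", thread, backup_on=False, adp_on=False)  # backup disabled
    return {u: p.read_thread(u) for u in ("alice", "bob", "carol")}
```
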

Common Objections

My iMessages cannot be read by Apple if I enable the optional "Advanced Data Protection" feature and also convince every other person in the world to do the same before we exchange our first message!

Good luck with that!

The iMessage service itself is end-to-end encrypted

Some argue that it is technically correct to call iMessage "end-to-end encrypted" because the iMessage servers themselves don't read the messages, it's the iCloud backup servers that do. This is a silly distinction that doesn't matter in practice. It's all Apple software and all Apple servers. Apple has full control, and the integration between different services is one of Apple's selling points. And if you still want to call iMessage end-to-end encrypted even despite all this, the fact remains that Apple can read your messages.

Google is just as bad

Not in this case. As noted above, Android's equivalent cloud backup service has been end-to-end encrypted by default for many years. Meaning that you don't need to convince the whole world to turn on an optional feature before your own messages can be fully protected. Android is in fact better on this one.

Any other messaging app has the same backup loophole

This is false. Some do, but some don't. We already covered Google's Messages. Signal does not use unencrypted backups by default, and they recently started offering an end-to-end encrypted backup feature. Telegram messages are not end-to-end encrypted by default, but if you do enable end-to-end encryption then backups are disabled. WhatsApp is more similar to iMessage in that backups are not protected by default; however, it is a bit different because the backups are stored by Apple or Google instead of WhatsApp itself, so Meta itself can't read the backups.

Conclusion

I really believe it to be false advertising for Apple to claim "end-to-end encryption" for iMessage when the vast majority of messages are accessible to Apple to read at any time. Most iMessage users probably hold some or all of the four incorrect beliefs listed above. Users put a lot of trust in Apple, and they should be able to believe in the most straightforward interpretation of Apple's statements.

Apple's stated reason for not enabling end-to-end encryption on iCloud backups by default is that it would cause data loss when users lose their devices. But Google's implementation avoids this problem. There has been some speculation that the real reason for Apple's reluctance here is pressure from law enforcement, specifically the FBI. Apple stood up to the FBI in public when they declined to comply with a request to decrypt an iPhone. But in private, they may have caved on the default backup encryption issue.


Follow me for more posts @Darpinian