Secure messaging apps working to comply with Apple's iOS 13 privacy changes

Posted in iOS, edited September 5
Changes in iOS 13 to improve privacy may be affecting more apps than first thought, with developers of secure messaging "scrambling" to keep the encrypted communications services functional before Apple cuts off access to a specific API.

Wire, an encrypted messaging app said to be working to fix features affected by Apple's policy changes


Apple's announcement during WWDC 2019 about how apps function in the background has led to a number of app developers having to alter how their apps work, including cutting down the amount of background processing that could be performed. In early August, it was believed Facebook Messenger, WhatsApp and other VoIP services had to issue changes to their apps to work around the new restriction.

According to a report from The Information, privacy changes are affecting far more apps than just Messenger and WhatsApp, with encrypted messaging apps also having to fix issues that would make functions within the apps fail to work on the introduction of iOS 13. Services including Signal, Wickr, Threema, and Wire are identified as working on updates to their apps relating to the issue.

The problem stems from Apple's decision to force developers away from using the PushKit API. Originally meant for use with apps to allow VoIP calls to connect to a device, developers soon repurposed the background process to enable other elements to function, such as allowing encrypted messages to be decrypted in the background rather than having the user wait after receiving a notification.

While there are good reasons to use a background process such as this, the ability to have an app running in the background also opens up the possibility of other issues, such as apps collecting location data or other types of monitoring, as well as draining the iPhone's battery.

Despite the semi-urgent need to switch away from PushKit, developers don't need to have the changes implemented in their apps in time for iOS 13's release. Developers have until April 2020 to make their apps compliant with the new requirements, which for VoIP apps involves relying on a new "VoIP push notification" system.

However, if they wish to take advantage of elements of iOS 13 in the apps, the developers have to abide by the PushKit changes at the same time.

Apple told the publication it was working with developers to ease their concerns. "We've heard feedback on the API changes introduced in iOS 13 to further protect user privacy and are working closely with iOS developers to help them implement their feature requests," an Apple spokesperson advised.

Tom Leavy, VP of engineering at Wickr, suggested the change wasn't "the end of the world, but it is a significant engineering effort and an unexpected one."

The introduction of PushKit in 2018 helped provide developers with a better way to provide notifications for encrypted messaging apps, with a higher reliability than with standard notifications.

With the push away from PushKit, encrypted messaging app developers are now looking for new ways within iOS to enable functionality similar to that offered by the disappearing tool, but the options are not that great. "It's definitely way inferior to what we have today," advised Wire cofounder Alan Duric.

Comments

  • Reply 1 of 2
    MplsP Posts: 1,669 member
    Does anyone else find it ironic that secure messaging apps are having troubles adapting to changes designed to improve privacy? (Yeah, I know that there’s more to the story than that, but I still found it a bit funny.)

    Several of my wife’s relatives use WhatsApp, and she can practically see the battery level dropping on her phone when she uses it. It’s probably Facebook doing all that data mining in the background...
  • Reply 2 of 2
    MplsP said:
    Does anyone else find it ironic that secure messaging apps are having troubles adapting to changes designed to improve privacy? (Yeah, I know that there’s more to the story than that, but I still found it a bit funny.)

    Several of my wife’s relatives use WhatsApp, and she can practically see the battery level dropping on her phone when she uses it. It’s probably Facebook doing all that data mining in the background...

    It's different things for sure - I was using Signal and Wire before and as an app developer I was wondering how they're decrypting push notifications! It's almost magic. Imagine an encrypted message is coming in - then the phone would show a preview "encrypted message has arrived" - but it could not decrypt that message until the app in question actually runs and decrypts it, and delivers the result. Apple doesn't know what's in the message, so the push notification couldn't show a preview.

    But what they all ended up doing is use that API to (1) silently receive the push notification (2) fire up their decryption engine, decrypt the message with the mentioned PushKit functionality and (3) issue a new, local, push notification with a decrypted message preview which then you, the user, would see.

    So there was a lot of sophisticated magic happening to make it appear to "just work" with all end to end encrypted messaging systems. WA, Signal, Wire, etc. (not Messenger or Skype because that's not encrypted anyway)

    But the same system - an app starting up and doing whatever it wants to do based on a push notification - could be abused for doing other things, tracking location data, etc. And my guess would be that WhatsApp, and basically all Facebook or Google owned apps would do that, and so abuse the system. The privacy thing doesn't bother me so much - I don't think there's any privacy left anyway - but it is very annoying that these apps will do things that have no benefit to me, but use my battery and drain my phone for no reason.

    Overall happy Apple is cracking down, but I wish they'd invent something specifically for decrypting end to end encrypted messages. Apple's own iMessage can do it, they should create a specific API that can't be abused. Of course, that's not simple...
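
The three-step flow described in the reply above (silent PushKit wake, on-device decryption, local notification with the preview), sketched in Swift as an added example; it is not code from the post or from any of the apps named. The payload field `ct`, the class name and the single pre-shared ChaCha20-Poly1305 key are assumptions made for illustration; real messengers use their own protocols and key storage.

```swift
import Foundation
import PushKit
import UserNotifications
import CryptoKit

// Added illustration. The payload key "ct" and the pre-shared symmetric key are
// assumptions; real messengers use their own ratcheting protocol and key store.
final class EncryptedPushHandler: NSObject, PKPushRegistryDelegate {
    private let registry = PKPushRegistry(queue: DispatchQueue.main)
    private let key: SymmetricKey   // hypothetical: loaded from the app's keychain

    init(key: SymmetricKey) {
        self.key = key
        super.init()
        registry.delegate = self
        registry.desiredPushTypes = [.voIP]   // VoIP push type reused for messages
    }

    func pushRegistry(_ registry: PKPushRegistry,
                      didUpdate pushCredentials: PKPushCredentials,
                      for type: PKPushType) {
        // pushCredentials.token would be registered with the app's server here.
    }

    // Step 1: the push wakes the app in the background; nothing is shown yet.
    func pushRegistry(_ registry: PKPushRegistry,
                      didReceiveIncomingPushWith payload: PKPushPayload,
                      for type: PKPushType,
                      completion: @escaping () -> Void) {
        defer { completion() }
        // Step 2: decrypt on the device; the push service only ever carried ciphertext.
        guard let b64 = payload.dictionaryPayload["ct"] as? String,
              let sealed = Data(base64Encoded: b64),
              let box = try? ChaChaPoly.SealedBox(combined: sealed),
              let plain = try? ChaChaPoly.open(box, using: key),
              let text = String(data: plain, encoding: .utf8) else {
            return  // malformed payload or failed authentication: show nothing
        }
        // Step 3: post a local notification carrying the decrypted preview.
        let content = UNMutableNotificationContent()
        content.title = "New message"
        content.body = text
        let request = UNNotificationRequest(identifier: UUID().uuidString,
                                            content: content, trigger: nil)
        UNUserNotificationCenter.current().add(request)
    }
}
```

The delegate callback is ordinary app code running in the background, which is why the same wake-up path can carry work unrelated to the message, as the reply goes on to point out.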
