Freedom of the Press Foundation
Show Navigation

Post-quantum iMessage

Martin Shelton
Dr. Martin Shelton

Principal Researcher

Blue lattice behind three ornate keys
Electronic Frontier Foundation (CC BY 2.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Both in the U.S. and abroad, governments are capturing encrypted connections that pass over the public internet and saving them for later use. Such “harvest now, decrypt later” attacks are no longer the thing of science fiction, thanks to post-quantum computers that could meaningfully shorten the amount of time required to unscramble encryption, allowing attackers to read previously private messages. 

Such attacks could be more viable within years or decades, so a growing number of organizations are preparing for them with post-quantum encryption. In its recent iOS and iPadOS 17.4 updates, Apple has joined Signal and other online services in offering post-quantum encryption to resist these attacks. Learn more here.

What you can do

  • Download your updates! New security features like this underscore the importance of keeping your devices up to date. Check out our guide on the story inside your software updates.
  • Note that iMessage is only encrypted between iMessage users, meaning if you are having a “green bubble” conversation with someone on Android, it’s likely using SMS, which is much less secure. And if you or your conversational partner have iMessage backups enabled using iCloud, Apple may have a copy of your messages, with or without these new security features. If these are concerns for you, you and your pals should try out Signal. Read our beginner-friendly guide to Signal.

Updates from my team

  • To conclude our spree of guide updates to include Signal’s new username features, we have made some changes to our guide on “Security considerations for confidential tip pages.” Check it out.
  • A couple of teammates and I will be at NICAR in Baltimore this week. If you’re around March 7-10, come say hi and get a few FPF stickers!

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Donate to support press freedom

Your support is more important than ever.
Donate now

Read more about Digital Security Digest

Header image with a graphic of Signal's "speech bubble" logo, with a pattern of silhouettes of phones in the background.

Crossfire over messaging security

Johns Hopkins cryptography professor Matthew Green explains that “the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard.” By comparison, Telegram does not provide end-to-end encryption protection by default and only offers it as an option in one-on-one “Secret Chat” mode.

57fe4d8e-3f52-ea6d-d840-5e8dd6dca412

Google Docs locks out writer

While it’s powerful and convenient, Google Docs might not be right for all documents, including those that you consider sensitive, private, or that you can’t risk losing. Read more about newsroom privacy and security considerations when using Google Workspace.

Google details app violations

According to its security blog, Google prevented 2.28 million — yes, million — Android apps from being published on its Play Store in 2023. The company says it also removed 333,000 accounts for attempting to deliver malware through the Play Store, as well as for “repeated severe policy violations.” These numbers have grown substantially since 2022, when the company disclosed it prevented 1.43 million apps from being published on the Play Store.

More posts