iMessage

iMessage is Apple’s default messaging service for Apple devices, end-to-end encrypted between Apple users since its launch in 2011. When one party is not on an Apple device the conversation falls back to carrier SMS/MMS, which is unencrypted. Two later additions matter for security: BlastDoor, a tightly sandboxed message-parsing service that shipped in iOS 14 (2020) and was documented by Google Project Zero in 2021, built to contain the zero-click message-rendering exploits that had repeatedly hit iMessage; and Contact Key Verification, shipped in iOS 17.2 (December 2023), which detects key substitution in Apple’s iMessage key directory, the move a man-in-the-middle against iMessage would need to make.

What it means in practice

The encryption story has historically been more nuanced than the marketing. Message content is end-to-end encrypted between Apple users, with the private keys held in each device’s keychain and never uploaded to Apple, so Apple cannot read messages in transit. The historical weakness was iCloud Backup: by default it included a copy of the iMessage history protected by a key Apple held, so Apple could produce message content from the backup under legal process even though it could not read the live channel (Messages in iCloud had the same exposure while iCloud Backup was on, because the backup carried the key protecting the synced messages). Advanced Data Protection (iOS 16.2, December 2022) closes this hole for users who opt in: it extends end-to-end encryption to iCloud Backup and Messages in iCloud, so Apple no longer holds a key and cannot produce the history. In February 2025 Apple withdrew ADP for UK iCloud accounts after a reported Technical Capability Notice under the Investigatory Powers Act, returning that population to the historical posture in which Apple can produce message history from backups.

Where it shows up

Default messenger for Apple users in Apple-heavy environments (the US has high iMessage penetration; in much of Europe and Asia WhatsApp and Telegram dominate and iMessage matters less). Contact Key Verification is the structural improvement of 2023-2024. Once both parties enable it, each device checks the keys the directory hands it for the other against a log Apple publishes and warns if an unrecognized device appears on the contact’s account, the symptom of an attacker being inserted into the conversation. Users who want a stronger guarantee verify a contact directly: compare a verification code in person or over FaceTime, or have the contact publish a public verification code on a channel they control (a website or social profile) and enter it into their contact card; the code is derived from the key material, so a substituted key produces a mismatch. The threat this specifically defends against is a substituted key-directory entry, whether because Apple’s key servers are compromised or because Apple is compelled to replace a target’s key with an attacker-controlled one; an end-to-end design that simply trusts its directory cannot detect that on its own. The defense matters most for journalists working with sources, lawyers working under privilege, and other high-target individuals; for ordinary users the protection is available but rarely used, and it protects a conversation only when both sides have turned it on.
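The key-substitution attack described above, and the out-of-band verification code that catches it, reduced to a runnable model. This is an added example and not Apple’s code: the directory, the fingerprint format (first 8 bytes of SHA-256), the pin-on-first-sight rule and the alert strings are simplified stand-ins for the iMessage key directory and Contact Key Verification, and the keys are constructed placeholder bytes rather than real key material.

```python
"""Model of a key-directory substitution attack and its detection by an
out-of-band verification code (added example, not Apple's implementation)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class KeyDirectory:
    """Stand-in for the operator's key directory: handle -> public key.
    The operator (or whoever compels it) can rewrite any entry."""
    entries: dict[str, bytes] = field(default_factory=dict)

    def register(self, handle: str, public_key: bytes) -> None:
        self.entries[handle] = public_key

    def lookup(self, handle: str) -> bytes:
        return self.entries[handle]


def verification_code(public_key: bytes) -> str:
    """Human-comparable code derived from a public key. Assumed format:
    first 16 hex digits of SHA-256, in groups of four."""
    digest = hashlib.sha256(public_key).hexdigest()[:16]
    return " ".join(digest[i:i + 4] for i in range(0, 16, 4))


@dataclass
class Client:
    """A device that pins the first key it sees per contact, alerts when the
    directory later returns a different one, and records out-of-band checks."""
    directory: KeyDirectory
    pinned: dict[str, bytes] = field(default_factory=dict)
    verified: set[str] = field(default_factory=set)
    alerts: list[str] = field(default_factory=list)

    def fetch_key(self, handle: str) -> bytes:
        key = self.directory.lookup(handle)
        prev = self.pinned.get(handle)
        if prev is None:
            self.pinned[handle] = key
        elif prev != key:
            # Directory now serves a different key: either the contact added a
            # device, or someone substituted an attacker key. Either way the
            # earlier out-of-band verification no longer applies.
            self.alerts.append(
                f"{handle}: key changed {verification_code(prev)} -> {verification_code(key)}"
            )
            self.verified.discard(handle)
            self.pinned[handle] = key
        return key

    def verify_out_of_band(self, handle: str, code_from_contact: str) -> bool:
        """Compare the code the contact published on a channel they control
        with the code derived from the key our directory lookup returned."""
        key = self.fetch_key(handle)
        ok = verification_code(key) == code_from_contact
        if ok:
            self.verified.add(handle)
        else:
            self.alerts.append(f"{handle}: verification code mismatch")
        return ok


def run_scenario() -> dict:
    """Bob verifies Alice, then the directory is rewritten to an attacker key."""
    directory = KeyDirectory()
    alice_key = b"alice-real-public-key"        # constructed placeholder
    attacker_key = b"attacker-substituted-key"  # constructed placeholder
    directory.register("alice@example.com", alice_key)
    alice_code = verification_code(alice_key)   # what Alice publishes out of band

    bob = Client(directory)
    first_check = bob.verify_out_of_band("alice@example.com", alice_code)

    # Operator is compromised or compelled: the entry now points at the attacker.
    directory.register("alice@example.com", attacker_key)
    bob.fetch_key("alice@example.com")          # normal send triggers the change alert
    recheck = bob.verify_out_of_band("alice@example.com", alice_code)

    return {
        "first_check": first_check,
        "after_substitution": recheck,
        "verified": "alice@example.com" in bob.verified,
        "alerts": list(bob.alerts),
    }


if __name__ == "__main__":
    for line in run_scenario()["alerts"]:
        print(line)
```

The point the model makes is in `verify_out_of_band`: the directory alone can never tell the client whether a key is the right one, only a value the contact delivered over a channel the directory operator does not control can. The real feature adds a published transparency log so that a changed key is flagged automatically, but the out-of-band comparison remains the step that defeats a compelled or compromised directory.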

What you can change today

Three settings. First, enable Advanced Data Protection (Settings, your name, iCloud, Advanced Data Protection) so the iCloud Backup and Messages in iCloud copies of your message history are end-to-end encrypted and not Apple-producible. ADP requires two-factor authentication and a recovery contact or recovery key set up beforehand, every device on the account must be on a recent OS, and once it is on Apple cannot recover the account for you. It also covers only your own copies: a contact who has not enabled ADP still backs up your shared conversation to an Apple-readable backup. Second, enable Contact Key Verification (Settings, your name, Contact Key Verification) and walk through the verification flow with priority contacts: compare the verification code in person or over FaceTime, or have each contact publish their public verification code on a channel they control and enter it into their contact card; iMessage then marks the contact as verified and alerts you if their keys change, provided the contact has enabled the feature too. Third, enable Lockdown Mode for high-target use (Settings, Privacy & Security, Lockdown Mode), which blocks most message attachment types other than a few image, video and audio formats and disables link previews, the attachment-rendering surfaces that most iMessage zero-click exploits have used historically. It is a per-device setting with usability costs elsewhere (web browsing, incoming FaceTime from unknown callers), so turn it on for each device that matters and expect some friction.

Related articles