Has the code been checked?
However, iMessage and these other options aren't open to outside review or "code auditing," which would allow unaffiliated parties to examine the software both to confirm that there are no intentional back doors and to find and help repair any flaws that were missed. Many open-source projects not only provide the programming code freely, but also eagerly accept patches.
The lack of outside review cost Apple a point in a guide put out last year by the Electronic Frontier Foundation (EFF), its "Secure Messaging Scorecard." The EFF set seven measures by which it could evaluate the security (encryption choices) and integrity (the ability to avoid interception or exploitation).
iMessage and FaceTime both received 5 out of 7, one for not allowing outside code review and another for providing no method to validate the identity of someone with whom you're in contact. By contrast, Skype (owned by Microsoft) scored 1 out of 7 and Facebook's WhatsApp got just 2. By these measures, Apple is certainly providing better overall mechanisms to secure messaging, but it could do better.
WhatsApp is transitioning its internal messaging system to use TextSecure, an open-source messaging module that scored 7 out of 7 in the EFF's report. Android users already have access, and it will be rolled out to other platforms in the future, setting the bar higher for mass-market encryption.
Apple's assurances, taken at face value, are quite good, but because it controls all the pieces of its systems and allows no public outside inspection, there's no way on an ongoing basis to know quite how secure it is. After a claim in mid--2013 by security researchers that Apple could potentially intercept messages, the current chief technologist at the FTC Askhan Soltani wrote in the Washington Post, "So, is iMessage interception possible? Yes, of course. When you control the entire stack, anything is possible." (The stack here refers to the set of interconnected messaging and networking protocols and software that implements them.)
Apple is at the top of our list: it's a giant company with much to lose and so far has seemingly met the test of what it claims. Can we trust Apple with our messages and other data? Probably as much as any company, though they could do more to provide independent assurance of such. That's as much reassurance as I can offer.
Deciding whom to trust
To return to Duane's question: how do we trust other companies? A VPN firm of the scale of Cloak, which has three employees, has to rely on reputation and action, but also on implementation. Cloak developed its own wrapper around existing software that it keeps up to date. The underlying software is well vetted and has SSL/TLS at its core, and uses Apple's own mechanisms to install security certificates that validate connections.
Sign up for Computerworld eNewsletters.