One of the most important apps on any phone, regardless of model or operating system, is the messaging app. The chances are most people use a collection of texting apps to keep in touch with friends and family. These apps have grown to be highly sophisticated over the years, offering a collection of advanced features to improve the chat experience. Whether it’s iMessage on an iPhone, Google Messages on Android, or WhatsApp, Signal, Telegram, and many others on both platforms, these apps offer essentially the same features. Many protect chats with end-to-end encryption, and most of them support rich texting features, file-sharing, emojis, voice messaging, voice calling, and integration with many other apps.
But because texting is so popular on smartphones, it’s also a great gateway for hackers who come up with all sorts of malicious attacks that can spread via chat apps. And Apple has been quietly tackling that very problem, a new report shows. The company added an amazing new feature to iMessage in iOS 14 and iPadOS 14, the kind that we’ll never notice. It’s called BlasstDoor, an apt name for what the feature is supposed to do.
When Tony Stark asks his AI Friday to activate the “Armed Door” protocol in Endgame, a shield of armor envelops the Avengers headquarters. That’s because they’re about to attempt something never done before, which could lead to a huge wave of destruction. There’s no guarantee that the armor will actually hold back a potential blast, but Stark is trying it nonetheless. Marvel fans will surely remember the scene, while others won’t know what any of this means.
The gist with BlastDoor is similar. Everything coming in via iMessage goes through a secure location meant to contain threats that hackers might include in messages. Highly sophisticated information bombs can allow hackers to attack unsuspecting iPhone users, but BlastDoor will now stop all of that. The new security feature is amazing, and it’s something other operating systems and chat apps will undoubtedly copy. After all, hackers target all devices and programs, not just Apple’s.
As to why Apple never mentioned anything about BlastDoor during WWDC 2020 when the first final version of iOS 14 shipped, that’s understandable. This is Apple’s new move in an ongoing security battle with attackers. There’s no point showing your hand when it comes to BlastDoor. It’s not a feature that device owners will actively use or that iOS developers needed to be aware of. It’s all supposed to work passively in the background, keeping everybody safe. If security experts like the people working over at Google Zero Lab discover it, that’s something else — and hackers could also find it once they realize their weaponized messages aren’t delivering the desired effect.
First picked up by ZDNet, the BlastDoor feature was indeed discovered by a Googler from Project Zero.
Last year, a report showed that hackers targeted journalists via iMessage code that enabled spying without the recipient having to do anything. But the issue was fixed in iOS 14, so Google researcher Samuel Groß set out to discover how Apple mitigated the problem. That’s how he found BlastDoor, a feature that works behind the scenes with iMessage content. It’s a “sandbox” type of functionality, similar to other sandboxes in iOS. BlastDoor will unpack and process the content of all incoming messages in an isolated environment so that a malicious payload cannot attack the operating system. In other words, every attachment and all code coming through iMessage, whether it’s the actual text, links, or files, will be sanitized inside that closed environment.
If you still haven’t upgraded to iOS 14, BlastDoor is an excellent reason to do it, especially if you’re the kind of iPhone user who might be someone’s target.
“Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” the Googler wrote. “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security. Furthermore, these changes also highlight the value of offensive security work: not just single bugs were fixed, but instead structural improvements were made based on insights gained from exploit development work.”