Apple has added a new sandboxing security system named “BlastDoor” in iOS 14 and iPadOS 14 to improve the Messages app’s security. The new system is reported to blunt attacks that are delivered through the Messages app on iPhones and iPads. Apple has not officially announced it; the details come from Samuel Groß, a security researcher at Google’s Project Zero, who analysed and documented the new protections.
According to Groß, BlastDoor is a tightly sandboxed service that is now responsible for parsing the untrusted data that the Messages app receives. Rather than doing that parsing inside the Messages process itself, iOS hands it to this separate, isolated process, so a malformed message is processed in a restricted environment first.
This blog post discussed three improvements in iOS 14 affecting iMessage security: the BlastDoor service, resliding of the shared cache, and exponential throttling. Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole.
It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security. Furthermore, these changes also highlight the value of offensive security work: not just single bugs were fixed, but instead structural improvements were made based on insights gained from exploit development work.
Samuel Groß
Because the parsing runs in its own sandboxed process, exploit code triggered by a malicious message is confined to that process instead of reaching the rest of iOS or iPadOS. All the scanning of incoming data happens inside that restricted environment, so anything malicious found there is contained and cannot interact with the iPhone or iPad beyond the sandbox.
As can be seen, the majority of the processing of complex, untrusted data has been moved into the new BlastDoor service. Furthermore, this design with its 7+ involved services allows fine-grained sandboxing rules to be applied; for example, only the IMTransferAgent and apsd processes are required to perform network operations. As such, all services in this pipeline are now properly sandboxed (with the BlastDoor service arguably being sandboxed the strongest).
Samuel Groß
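The design described above (move parsing of untrusted data into a separate, tightly limited process, and throttle restarts after crashes so a crashing exploit cannot simply be retried at full speed) can be illustrated with a small broker. The example below is added here to demonstrate that pattern; it is not Apple’s code, and the message format (`sender:body`), the `parse_message` function and the `ParserBroker` class are hypothetical constructions for this illustration. The child process only enforces a CPU time limit (via `resource`) and gets nothing but the raw bytes; a real BlastDoor-style service would additionally run under a dedicated sandbox profile with no network or filesystem access.

```python
"""Parse untrusted input in an isolated child process with crash throttling.

Illustration of the BlastDoor idea (added example, not Apple's code):
the broker never parses the untrusted bytes itself; a short-lived child
does, and a crash in the child costs the attacker an exponentially
growing delay before the next attempt.
"""
import multiprocessing as mp
import os
import resource
import time

MAX_CPU_SECONDS = 2          # CPU budget for one parse in the child
WAIT_TIMEOUT = 5.0           # how long the broker waits for a result

# "fork" is used so the demo runs regardless of how this module was loaded;
# a production design would launch a fresh, separately sandboxed binary.
_CTX = mp.get_context("fork")


def parse_message(blob: bytes) -> dict:
    """Hypothetical parser for a constructed 'sender:body' message format.

    The body 'CRASH' simulates a memory-safety bug: the parser dies with
    SIGABRT instead of returning, exactly the failure the isolation
    is meant to contain.
    """
    sender, sep, body = blob.partition(b":")
    if not sep:
        raise ValueError("missing separator")
    if body == b"CRASH":
        os.abort()  # simulated parser crash on malformed input
    return {"sender": sender.decode("ascii", "replace"), "body_len": len(body)}


def _sandboxed_worker(blob: bytes, conn) -> None:
    """Runs in the child: apply limits first, only then touch untrusted data."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
    limit = MAX_CPU_SECONDS if hard == resource.RLIM_INFINITY else min(MAX_CPU_SECONDS, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (limit, hard))
    try:
        conn.send(("ok", parse_message(blob)))
    except Exception as exc:  # a clean parse error is reported, not a crash
        conn.send(("error", str(exc)))
    finally:
        conn.close()


class ParserBroker:
    """Hands each message to a fresh child and throttles after crashes."""

    def __init__(self, base_delay: float = 0.01, max_delay: float = 1.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.consecutive_crashes = 0

    def backoff(self) -> float:
        """Exponential delay: 0 after a success, then base * 2**(n-1), capped."""
        if self.consecutive_crashes == 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (self.consecutive_crashes - 1))

    def parse(self, blob: bytes):
        """Return ('ok', dict), ('error', msg) or ('crashed', exitcode)."""
        time.sleep(self.backoff())                 # throttle repeated crashes
        parent_end, child_end = _CTX.Pipe(duplex=False)
        proc = _CTX.Process(target=_sandboxed_worker, args=(blob, child_end))
        proc.start()
        child_end.close()                          # child now owns the only write end
        result = None
        if parent_end.poll(WAIT_TIMEOUT):          # readable: either a reply or EOF
            try:
                result = parent_end.recv()
            except EOFError:                       # child died before replying
                result = None
        proc.join(WAIT_TIMEOUT)
        if proc.is_alive():                        # hung parser: kill it, count as crash
            proc.kill()
            proc.join()
        parent_end.close()
        if result is None:
            self.consecutive_crashes += 1
            return ("crashed", proc.exitcode)
        self.consecutive_crashes = 0
        return result


if __name__ == "__main__":
    broker = ParserBroker()
    for msg in (b"alice:hello", b"nosep", b"mallory:CRASH", b"mallory:CRASH", b"alice:hi"):
        print(msg, "->", broker.parse(msg), "next delay:", broker.backoff())
```

Run as a script to see the three outcomes: a well-formed message returns a result, a malformed one returns a parse error without a crash, and the simulated memory-safety bug kills only the child while the broker’s delay doubles with each consecutive crash and resets after the next success.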