
I am subject to legal proceedings where fake iMessages (not SMS) are being introduced by the opposing party and proclaiming to have come from me. I read about spoofing SMS messages. Is it possible for iMessages to be spoofed? If not through spoof, what other ways can someone make a screenshot of iMessages with a fake phone number in the "contact" region?

3 Answers


Other than blatant photo editing (online tools exist for this!), it's possible to modify the message database to create seemingly native messages. All data is stored in an SQLite database and, while the format is pretty complex (so as to support advanced features such as attachments, interactive apps, etc.), a sufficiently advanced person could modify their local database and insert messages from a person that never actually happened. They could literally present their phone to the judge and jury and, unless an advanced security analyst were brought in, no one would be the wiser.

As far as I know there are no known (or publicly known) exploits which allow iMessage to be spoofed before it is received on the end user device. This would be a major, ultra valuable vulnerability.

Here's what a row in the database looks like. There is more info to the left but the good stuff is pictured (click for the full size): [screenshot of a row from the chat.db message table]

Allison
  • Thanks. I think I should correct my question. iMessages sent messages show up as blue. SMS sent messages show up as green. All received messages (whether SMS or iMessages) show up as Gray. My question should actually be, would it be possible to spoof messages such that it looks like an iMessage (i.e., blue text message boxes)? Or does spoof only provide the green text message boxes? –  Oct 27 '17 at 03:08
  • Yes, as I said, any message (SMS or iMessage) can be inserted into the local database and it'll look like whatever you set it up as. There is a column in the database called service which is either iMessage or SMS. You simply add a new row and fill it out and bam. – Allison Oct 27 '17 at 03:10
  • Is this inside the chat.db file? –  Oct 27 '17 at 03:21
  • Yes, you can open it with any SQLite editor. See my edit for an example row. – Allison Oct 27 '17 at 03:24
  • I'm going to take a look. Is this for Macs only? I can find the chat.db file for my MacBook, but I can't seem to find it for my iPhone when I plug it in to my Mac. –  Oct 27 '17 at 03:31
  • It'll be in the backup binary data. There are tools, but too much to get into now. What do you hope to achieve? Is this "asking for a friend" territory? Be very careful, perjury will end you. – Allison Oct 27 '17 at 03:33
  • No, this is for myself. Trying to be as vague as possible as I do not want to provide identifying info. Essentially, I am the party who is defending myself. The other party made allegations, and provided screenshots of iMessages to support his story. All the screenshots show my #. We requested that he subject his phone to a forensics analysis or at the very least, show to the judge that these messages exist on his phone. He declined both and stated "My phone only stores messages for 90 days, so they aren't on my phone anymore" - how convenient. Continued... –  Oct 27 '17 at 03:40
  • So I've set out to determine all the many ways text messages and screenshots can be forged. My lawyer isn't well versed with IT stuff. We have a digital forensics expert on our side, but all he can do is provide testimony on how messages can be forged, manipulated, etc... and I feel like I know more than this guy. All of the screenshots by the opposing party were admitted into evidence and they're going to be shown to a jury. –  Oct 27 '17 at 03:41
  • Just a follow-up question. I checked with a friend who works at Apple. It seems the Messages app is not built from the chat.db file. So even if someone modified the chat.db file, it seems this would not be physically displayed to reflect the changes in the chat.db file? The issue I am having with my opponent is his screenshots, so even if he modified the chat.db, I don't think this would make its way into a screenshot? –  Nov 01 '17 at 17:13
  • Your friend is wrong, it seems. I made a project which turns iMessage into a web API. It is entirely based upon the chat.db. The chat.db is the only place where this data is stored (this may change eventually with High Sierra). If you copy a chat.db to a new computer you can bring your entire message history. I've done this. Where at Apple does your friend work? – Allison Nov 01 '17 at 17:16
  • He works in the security division, so he's probably not the best Apple person to talk to on this. And I may have misheard him. He said something about the Messages app being built from what is stored in the Archive folder in ~/Library/Messages/, and that the chat.db file is a history of all messages, but if you go into chat.db and change something, it does not make its way into the Messages app itself. I also just downloaded SQLite and opened chat.db. I modified my most recent received message, and then reopened the Messages app, and did not see a change. But I probably did it wrong. –  Nov 01 '17 at 17:24
  • Did you do this on a Mac? –  Nov 01 '17 at 17:36
  • I also tried to copy my chat.db to a new account on the SAME account and can't seem to bring up my message history. When you mentioned the chat.db file a couple of days ago, it actually brought me to another issue that I was trying to solve, where I wanted to import all my mac messages to my iPhone. –  Nov 01 '17 at 17:59

what other ways can someone make a screenshot of iMessages with a fake phone number in the "contact" region?

  • A screenshot is no proof at all. As opposed to a photo, you can easily produce a pixel-perfect forgery of a screenshot, e.g. by putting two screenshot halves together, one with your phone number and one with the forged messages.

  • The chat log files on their machine are no proof either. Manipulating them is trivial as well. A quick search turned up that iMessages chat logs are stored in a chat.db file in the library, using the non-proprietary SQLite format. So, a moderately skilled user can just open the database, change some entries (such as messages or timestamps) and load it back into iMessages. There is no mechanism by Apple that prevents tampering with the logs.

One entity that could maybe prove if these messages were sent is Apple. If they keep independent message logs on their own servers, these could serve as evidence. But it's unclear if such logs exist and if they would be available to you. Apple claims they do end-to-end encryption, so there is no way for them to verify the message contents either way (although they might know if any messages were sent at all through metadata).

Arminius
  • dang it, you had 28 seconds on me. – Allison Oct 27 '17 at 02:01
  • @Sirens Heh, and we're even in the low-traffic hours. :) – Arminius Oct 27 '17 at 02:06
  • I am the OP. And I also just realized that it doesn't even require going as far as editing the screenshot to show a certain phone number. I just tested it on my phone and you can literally save a phone number as a different phone number. I.e., you can save +1 (111) 111-1111 as +1 (222) 222-2222 and the screenshot would look exactly as if the message came from the latter #. –  Oct 27 '17 at 03:10
  • Also, I went through Apple's privacy and legal policy. They claim that iMessages are end-to-end encrypted and they do not store timestamp information, content information, and really, anything of value. –  Oct 27 '17 at 03:12
  • @Iamanon Great to know! (Although I wonder if the iMessages logs are part of an automatic cloud backup and in this case would still effectively be accessible to Apple.) – Arminius Oct 27 '17 at 03:49
  • @Iamanon Also, E2EE doesn't include meta data. So they might technically still know if they delivered any messages. – Arminius Oct 27 '17 at 03:52
  • @Arminius hmmm interesting. I read this "Apple emphasized that because iMessages are encrypted, the company is not able to give police access to the content of conversations. Nor do the message logs "prove that any communication actually took place." All of this seems consistent with Apple’s legal process guide, which notes that information about your contacts is among the data it may turn over to investigators when served with a court order or subpoena." –  Oct 27 '17 at 04:07
  • @Iamanon They can't prove that they don't store meta data, though, as their servers have to forward the messages at some point. Admittedly, that's irrelevant in your case. – Arminius Oct 27 '17 at 04:14
  • @Arminius Yeah, I don't know. We served a subpoena on Apple to provide us with timestamp information and content and other identifying info (e.g., IP addresses between senders) of the communication that was alleged to have occurred. They provided nothing and essentially copied and pasted their privacy policy, where they state they don't store such information. –  Oct 27 '17 at 04:18
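Both answers above make the same point: chat.db is an ordinary SQLite file, rows can be inserted or edited, and Apple adds no tamper protection. The flip side, which matters for the OP's forensic expert, is that careless edits leave traces. The following is an added example, not code from either answer: a consistency check an examiner can run over the message table. It relies on the fact that SQLite assigns ROWIDs in insertion order, so a row appended later but given an earlier timestamp shows up as a ROWID that increases while the date goes backwards. The schema and sample rows are constructed for illustration and are not Apple's real chat.db schema; only the table name, the `service` column and the existence of a date column follow the discussion above.

```python
"""Order-consistency check over a constructed, simplified chat.db-style table.

NOTE: the schema below is CONSTRUCTED for illustration. It is not Apple's
chat.db schema; only `message`, `service` and `date` echo the answers above.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample history. ROWID is SQLite's insertion-order key; `date`
# is the claimed message time (epoch seconds). Row 5 was inserted last but
# carries a date that sits between rows 2 and 3: the naive-tampering pattern.
SAMPLE_ROWS = [
    # (ROWID, handle,       service,    date,       is_from_me, text)
    (1, "+15550100", "iMessage", 1509064800, 1, "on my way"),
    (2, "+15550100", "iMessage", 1509064900, 0, "ok, see you soon"),
    (3, "+15550100", "SMS",      1509065000, 0, "running late"),
    (4, "+15550100", "iMessage", 1509065100, 1, "no problem"),
    (5, "+15550100", "iMessage", 1509064950, 0, "I admit everything"),
]

KNOWN_SERVICES = {"iMessage", "SMS"}  # the two values named in the answers


def build_db(rows) -> sqlite3.Connection:
    """Create an in-memory database with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE message (
               ROWID INTEGER PRIMARY KEY,
               handle TEXT, service TEXT, date INTEGER,
               is_from_me INTEGER, text TEXT)"""
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_order_anomalies(conn: sqlite3.Connection) -> List[Tuple[int, int, int]]:
    """Return (ROWID, date, previous_date) for every row whose date is earlier
    than that of the row with the next-lower ROWID.

    Genuine traffic is appended as it arrives, so ROWID order and date order
    normally agree. A backdated insertion breaks that agreement.
    """
    anomalies = []
    prev_date = None
    for rowid, date in conn.execute("SELECT ROWID, date FROM message ORDER BY ROWID"):
        if prev_date is not None and date < prev_date:
            anomalies.append((rowid, date, prev_date))
        prev_date = date
    return anomalies


def find_unknown_services(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    """Return (ROWID, service) for rows whose `service` is not a known value.

    Hand-typed edits often carry casing or spelling the client never writes.
    """
    return [
        (rowid, service)
        for rowid, service in conn.execute("SELECT ROWID, service FROM message")
        if service not in KNOWN_SERVICES
    ]


def audit(rows=SAMPLE_ROWS) -> dict:
    """Run both checks over a database built from `rows`."""
    conn = build_db(rows)
    try:
        return {
            "order_anomalies": find_order_anomalies(conn),
            "unknown_services": find_unknown_services(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name}: {hits if hits else 'none'}")
```

The check is one-directional: a positive result is a strong indicator that rows were added or redated out of sequence, but a clean result proves nothing, since a forger who also rewrites ROWIDs (or who builds the whole file from scratch, as the comments note is possible) leaves no ordering gap. On a real device an examiner would extract the file from a backup and run the same logic against the actual table, not against the constructed schema here.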

With the introduction of stickers you can cover text and make it look like someone said something they didn't. Check out this TechCrunch article about a prank app that does just that.

countrhack