Are you ready for iOS 16?

If any of you are like me, you've been glued to your screen watching Apple's fall event detailing the release of the new iPhone 14 and the significant changes coming with the release of iOS 16. As certified Apple developers, we have been pouring over these technical updates since the first beta release in early June and we wanted to get a quick note out regarding the most notable changes and what we all need to be aware of when collecting and analyzing this unique data type.

There are major changes being introduced that impact text messages on devices exchanging iMessages between iOS 16 devices. With about one week away from the official release of iOS 16, these are the top three most notable changes:

1)?????Deleted text messages, whether individual bubbles or entire threads, are now kept on the device for 30 days from the time of the deletion. This behavior mirrors how deleted photos on Apple devices are handled where basically there is a “recycle bin” concept, much like your desktop computer or email account. Apple disclaims deletions may take up to 40 days which is only applicable when iCloud Messages are enabled, which is when text messages are also being stored in the cloud on Apple's iCloud servers.

Deleted messages can be seen in a new area in the Messages app on the device, which also means more tables and fields to examine in the SMS.db (the database containing text message records). Here is an example of the new Recently Deleted text message window:

When a single message is deleted, the record (or row in the database) is purged from the messages table and moved to the recoverable_messages_part table. As you can see below, this table contains very minimal information about the message and the contents of the message are now stored in a "Blob" data field. Parsing this objective-c serialized information is not very straightforward!

Now, when an entire thread is deleted, all records from the thread are kept in the messages table, but the corresponding chat_id and message_id are inserted in another new table chat_recoverable_message_join where the count down from 30 days begins before they are queued for deletion. This essentially breaks the relationship between the chat table (where the concept of a thread is built) and the message table (where the bubble level data is stored).

2)?????The second most notable change is the ability for users to be able to edit their sent messages within 15 minutes of sending a text, and edits can be made up to 5 times! This will most certainly toss a wrench into existing tools that are unable to properly parse the ‘attributeBody’ blob field found in the message table. This field has existed for years and primarily retains reactions, mentions, replies and now edits. ?Both parties of the conversation can see all edits too!

In the SMS.db however, the record in the messages table is modified and the body, or “text”, content is removed. Every edit is inserted in the attributeBody blob field which creates significant challenges for typical SQLite parses.

3)?????The final most notable update is the ability to unsend messages within 2 minutes of sending, and only can the sender do this. This action also causes the body, or "text", content to be removed from record in the database, which is similar to an edited message (because it was technically edited), however the contents of the body is not recoverable and the attributeBody field described above is null.

This is what the sender sees after unsending a message:

This is what the receiver sees after unsending a message:

There have been a lot of changes planned with iOS 16 and the imminent release should have examiners and analysts preparing to supplement their tools and techniques in order to find this information. No longer can we postpone or delay mobile device collections when deleted messages are available for up to 30 days on the device. The clock is ticking!

If you have iOS 16 related questions, please reach out!