Days after Beeper’s team proudly announced a way for users to send blue-bubble iMessages directly from their Android devices without using a strange relay server, Apple took steps to shut it down. Approximately 24 hours later, Apple shared its view on the issue.
The company’s stance here is pretty predictable: it’s simply trying to do right by its users and protect the privacy and security of iMessage. “We’ve taken steps to protect our users by blocking the use of fake credentials to access iMessage,” Nadine Haija, Apple’s senior public relations manager, said in a statement.
The full statement is below:
At Apple, we build our products and services with industry-leading privacy and security technologies designed to give you control of your data and keep your personal information safe. We’ve taken steps to protect our users by blocking techniques that exploit fake credentials to access iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata leakage and the potential for unwanted messages, spam, and phishing attacks. We will continue to provide updates to protect our users.
This statement suggests several things. First, Apple did in fact shut down Beeper Mini. Beeper Mini uses a custom-built service to connect to iMessage through Apple’s own push notification service. All iMessage messages are sent over this protocol, which Beeper effectively intercepts and delivers to your device. To do so, Beeper needed to trick Apple’s servers into thinking it was pinging the notification protocols from a genuine Apple device, when it clearly wasn’t. (These are the “fake credentials” Apple is talking about. Quinn Nelson of Snazzy Labs made a good video about how everything works.)
Beeper says its process works without compromising encryption or privacy. Company documentation states that no one but you can read the contents of your messages. But Apple claims it can’t verify that, and that this poses a risk to users and the people they chat with.
“These technologies posed significant risks to user security and privacy.”
However, there is clearly a bigger picture here as well. Apple has repeatedly made it clear that it has no intention of bringing iMessage to Android. “Buy your mom an iPhone,” CEO Tim Cook told a questioner at Code Conference who was looking for a better way to send messages to his mom, who uses Android. Company executives have discussed an Android version in the past, but decided it would cannibalize iPhone sales. Apple recently announced that it will adopt the cross-platform RCS messaging protocol, but we don’t yet know exactly what that will look like. And there’s no doubt that Apple will continue to strive to make life better for native iMessage users.
Apple’s statement comes at an interesting time. Beeper has been around for several years, and previous efforts to intercept iMessages were actually much more problematic from a security perspective. Apps like Beeper and Sunbird (which recently worked with Nothing in a different way to bring iMessage to Android) were running their iMessage traffic through a Mac Mini sitting in a rack somewhere. The messages remained much more vulnerable. However, Beeper Mini directly exploits the iMessage protocol, and it is clear that this has prompted Apple to tighten its security measures.
Ever since Apple shut down Beeper Mini, Beeper has been working hard to get it back up and running. On Saturday, the company announced that iMessage was working again in the original Beeper Cloud app, but Beeper Mini still wasn’t working. Founder Eric Migicovsky said Friday that he never understood why Apple would block his app. “If Apple really cared about the privacy and security of its iPhone users, why would it discontinue a service that allows its users to send now?” Would you like to send a personalized message?”
Migicovsky said his position has not changed after hearing Apple’s statement. He says he is willing to share Beeper’s code with Apple for a security review so that it can be sure of Beeper’s security practices. Then he stops himself. “But I deny that entire premise! Because the position we are starting from is that an iPhone user cannot converse with an Android user except through unencrypted messages.”
Beeper’s argument is that SMS is fundamentally insecure, so essentially anything else would improve on it. I would say what Apple is probably concerned about is that iPhone users are suddenly sending blue-bubble messages, which are supposedly exclusive to Apple, through a company they don’t know about (Beeper). Migicovsky thought about that for a moment. “That’s fair,” he says, and suggests a solution. Perhaps all messages sent via Beeper should be prefaced with a pager emoji so people know what it is. If that solves the problem, it could be done within hours, he says.
When I asked Migicovsky if he was prepared to take on Apple’s security team in the near future, he said the fact that Beeper Cloud is still operational means that Apple can’t or won’t lock it out permanently. He says it’s a signal that Apple doesn’t mean it. (He also says that Beeper’s team still has some ideas for Beeper Mini.) More than that, he hopes the court of public opinion will ultimately persuade Apple to act in good faith anyway. “What we build is good for the world,” he says. “It’s something that almost everyone can agree should exist.”
At least within Apple, this argument is likely to fall on deaf ears. The company has kept iMessage under tight control and carefully secured for years, and it’s unlikely to loosen its grip now. And even if Beeper does get Beeper Mini working again, it’ll be a never-ending game of cat and mouse trying to stay one step ahead of Apple’s security. And Apple has made it clear that no matter how much you want to send an iMessage from your Android phone, it’s going to win that game.
Updated December 9th at 8:30pm: Added comment from Beeper’s Eric Migicovsky.