Beeper Is Not a Secure Solution for iMessaging on Android
You may have heard the Internet hype about Beeper, the all-in-one solution that brings all your messaging apps together in one place. You no longer need to juggle a huge number of apps just to keep in touch with friends, family, and work, the company says: With Beeper, you can keep those chats in one place and even send messages to your Android friends.
This last point would be especially revolutionary. Sure, it would be great to message all my friends from just one app, but an easy way to use iMessage on Android? That would be gold. You could carry a Galaxy Z Flip, something completely different from the standard iPhone we all know, and never show up as a green bubble to anyone on the platform. Incredible.
But here’s the thing: Beeper absolutely works, and this can be your reality, but at the cost of your security. In my opinion, it’s just not worth it.
How Beeper works
Despite the complexity of the task, Beeper is a remarkably simple machine. It consists of two parts. The first is a client application available for Mac, Windows, Linux, Chrome OS, iOS, and Android. This is the program you use to bring together various chat apps in one place. The other part is the service itself, which Beeper maintains on its servers.
This service is based on Matrix, an open source decentralized messaging standard. Like other decentralized systems, Matrix allows you to freely send messages to other people no matter what platforms you use. Either both of you use Matrix, or you create a “bridge” to connect Matrix to the platform of their choice. It used to take some know-how to do this, but Beeper makes it as easy as setting up any other chat app.
When you set up a new chat service with Beeper, it creates one of these bridges to connect your client to that application. The job of a bridge is to pass messages back and forth, and each chat platform has its own bridge. That, in a nutshell, is how Beeper works.
Beeper cannot securely handle end-to-end encryption with most chat apps
Of course, things get more complicated when you add encryption to the picture. Encryption varies from platform to platform, but some services, such as iMessage, Signal, and WhatsApp, are fully protected with end-to-end encryption (E2EE). Beeper itself is E2EE between Beeper and Matrix users: any message you send to anyone using the Beeper or Matrix client is protected either way. Good news!
However, this is where the good news ends. Since most of your friends won’t be using Beeper, you will need to send your message from Beeper to the platform of their choice. Let’s focus on iMessage for this example, as many people are likely to be interested in Beeper for using Apple’s messaging protocol on Android, but much of what is said here also applies to WhatsApp and Signal.
To set up and run iMessage on Beeper, you need to give Beeper access to your Apple account. This in itself poses a huge security risk, and your Apple devices will alert you right away: When you connect Beeper to iMessage, you’ll get a security alert that someone else is trying to log into your Apple account. That login comes from one of Beeper’s Mac computers, and you will need to approve it if you want to link your iMessages to your Beeper client. To some, this may seem like a worthwhile deal, but this is where I draw the line.
But that’s not the end of the security issues. When you send a message from Beeper to an iMessage contact, the message is encrypted on your device, sent to the Beeper web service, decrypted and re-encrypted, and then sent to your friend. Essentially, Beeper must first “open” your iMessage in order to send it. This is required for the service to work because platforms such as iMessage, WhatsApp, and Signal have proprietary encryption protocols that do not interoperate with other platforms such as Beeper or Matrix. However, this is a huge security flaw, as it breaks the E2EE on which these services are built.
When you send an iMessage to a friend on your iPhone, the message is protected from everyone but the two of you. The only way to decrypt and read this message is if you have access to one of the connected devices. To all interceptors, everything from a funny meme to your social security number looks like a jumble of unintelligible math. This is E2EE in action.
Because the message is decrypted on the Beeper servers, Beeper employees will be able to read your messages. But even if they vow never to view users’ messages, it doesn’t matter, because if Beeper is ever hacked, attackers will have access to all incoming and outgoing iMessages. (And I promise you they will read them.) Of course, after the message is processed and re-encrypted, no one can read it except the intended parties, but this weak link in the middle defeats the whole purpose of “end-to-end.”
Imagine that a tiger lives in your living room. You are in your bedroom, where there is no tiger, and you need to get into the bathroom, which also does not have a tiger. Just because the two rooms are tiger-proof doesn’t mean it’s safe to cross the tiger room to get there. Of course, there is a tiger keeper who swears he will keep this thing on a chain. But if someone breaks in and quietly releases the tiger, that tiger will have access to your unencrypted iMessages.
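The decrypt-and-re-encrypt step described above can be modeled in a few lines. This is an added example, not Beeper’s, Matrix’s or Apple’s code: the toy cipher built from SHA-256 and HMAC only stands in for the real protocols, and every function name and the sample message are assumptions made for illustration.

```python
import hashlib, hmac, os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode); a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    pad = _stream(_subkey(key, b"enc"), nonce, len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, pad))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered message")
    pad = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

def direct_e2ee(msg: bytes) -> dict:
    k = os.urandom(32)                  # held only by sender and recipient
    wire = seal(k, msg)                 # all a relay server ever handles
    return {"server_holds": wire, "delivered": unseal(k, wire)}

def bridged(msg: bytes) -> dict:
    k_hop1 = os.urandom(32)             # sender <-> bridge
    k_hop2 = os.urandom(32)             # bridge <-> recipient
    at_bridge = unseal(k_hop1, seal(k_hop1, msg))  # bridge opens hop 1
    wire2 = seal(k_hop2, at_bridge)     # then re-encrypts for hop 2
    return {"server_holds": at_bridge, "delivered": unseal(k_hop2, wire2)}

def server_can_read(result: dict, msg: bytes) -> bool:
    return msg in result["server_holds"]

if __name__ == "__main__":
    note = b"constructed sample: my SSN is 000-00-0000"
    for name, run in (("direct", direct_e2ee), ("bridged", bridged)):
        r = run(note)
        print(name, "delivered:", r["delivered"] == note,
              "server can read:", server_can_read(r, note))
```

Both paths deliver the message intact and both hops are encrypted on the wire; the only difference is that in the bridged path the server holds the plaintext between the two hops.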
Beeper isn’t all bad with encryption
The story is better for data stored on Beeper’s servers, which is all encrypted. This includes your message histories. Beeper cannot read this data because it is E2EE. The only way to access it is to use the recovery code you receive when you create your account. This allows you to securely access your data on other devices, and also means that Beeper cannot help you recover this data if you lose this key.
There is also hope for the future: Beeper mentions that new EU legislation will force companies like Apple and Meta to create end-to-end encrypted interoperable APIs. In short, this change could allow a service like Beeper to preserve E2EE across its bridges, which would protect your iMessages in transit. However, in its current form, the service is simply not secure: it takes secure messaging protocols and makes them available to anyone who wants to watch. You might think it’s worth the risk to have iMessage available on Android, but for those who value their privacy and security, Beeper isn’t the way to go – at least not yet.