Apple Really Doesn’t Like Beeper Mini
(Update: Monday, December 11) Beeper Mini did what no one thought possible: they found a way to trick Apple into thinking your Android phone is actually an iPhone, allowing the device to send and receive encrypted iMessages, blue bubbles, and all that. And for this Apple punished them – and quite quickly, I might add.
On Friday, the company blocked the app from accessing the original workaround to Apple’s security systems. The next day , Apple confirmed its actions to The Verge , saying in a statement that it had taken steps to protect the safety of users from the Beeper “exploit”. According to Apple, the Beeper Mini solution poses the risk of “metadata disclosure, spam, spam, and phishing attacks.” In response, Beeper canceled the registration of user phone numbers in the service and began working on a solution to the problem.
As of today, they have managed to fix the app, but just that: you can’t use your phone number to connect to the service, and now you have to connect using your Apple ID. While you’ll still be able to get blue bubbles on your Android and there’s no problem with the Nothing Chats-style server farm (read below to find out more), it’s not ideal from a security perspective. However, they have reduced the monthly subscription fee to $1.99, so that is one of the benefits of the drama. It looks like Senator Elizabeth Warren is also on their side:
You can read my original thoughts on the Beeper Mini below. Perhaps some of this will remain relevant if the Beeper Mini can somehow overcome these problems. However, their position at present is, shall we say, precarious.
The original article is as follows:
When Beeper first released its iMessage-on-Android solution back in August, I was quite skeptical . While the dream of being able to turn those terrible green bubbles into blue was more than appealing, the way Beeper and other companies did it wasn’t safe enough.
The main problem was how these messages were transferred from Android to iPhone. To have your messages appear as iMessages on your friends’ iOS devices, you’ll need to sign in to your Apple ID on the Mac mini on Beeper’s server farm. Although Beeper didn’t have access to your messages, all it takes is one bad hack to steal your Apple ID token, leaving your Apple account available to anyone who wants to steal it.
Nothing attempted something similar last month by teaming up with Sunbird to bring iMessage to Android through its Nothing Chats app. Same process, same security issues. In fact, Nothing Chats was almost immediately removed from the Play Store after researchers discovered that the app was storing credentials in plain text. Hackers can literally read your messages along with the code if they gain access to the servers. That’s it for end-to-end encryption.
Amid all the drama, the promise of sending iMessages from Android devices seemed deceptive. So when Beeper announced that they had a new approach to the problem that fixed all previous security issues, I had my doubts. I still have my doubts, but I have to say: it looks promising.
Beeper Mini
On Tuesday, Beeper announced “Beeper Mini,” a new approach to sending and receiving iMessages on Android devices. However, unlike the original Beeper app, Beeper Mini does not use a Mac relay to transmit iMessages through Apple’s servers. Instead, the app connects and sends messages directly to Apple’s servers, mimicking the same iPhone-Apple interaction for iMessage to work.
This is quite a feat. Beeper acquired the work of a jjtech researcher who reverse-engineered Apple’s iMessage protocol and partnered with them to create Mini. With it, Beeper Mini can take a message you send from your Android, send it to Apple, and then forward the message to its destination. This works because Apple “thinks” your Android is an iPhone. Using a valid Apple serial number, Beeper registers your phone number with Apple’s servers, so the iMessage protocol treats you as a “blue bubble.” From now on, Apple will treat you as part of its own identity and will happily accept your encrypted messages and transmit them anywhere.
Encryption is not affected here either: your private keys (the technology needed to encrypt and decrypt your messages) remain on your device and are never shared with Beeper or Apple. When you click “Send”, Beeper Mini will encrypt your message. It will not be decrypted until it reaches the proper recipient, just like real iMessage between iPhones.
Beeper is proud of this achievement and deserves close attention from security researchers. To that end, they encourage everyone to try the technology for themselves: You can try out an experimental, open-source version of Python on your computer that does exactly what Beeper Mini does. You can see this in action in Snazzy Lab’s step-by-step guide to the service . It’s amazing to see that anyone can essentially run iMessage in Python, even though Apple has kept the technology in its walled garden since its inception.
Once you get started, you will find that many iMessage features work as expected. Of course, you can send and receive messages, edit and unsend messages, join group chats seamlessly, and send high-resolution media to other iPhones. Certain features like location sharing, FaceTime integration, effects, and iMessage games aren’t available, but I think most people using the app won’t care. They’ll just be happy not to “ruin the group chat.”
Are there any security issues?
I have to give Beeper credit: this is promising. Neither Beeper nor Apple have access to your messages, all the encryption happens on the device, and you don’t have to log into someone else’s Mac on a distant server farm. This is a huge update.
However, the service has some features that are worth paying attention to. Since Android doesn’t support Apple’s Push Notification (APN) service, Beeper Mini technically can’t notify you of new messages without your active use. To get around this problem, Beeper created something called Beeper Push Notification (BPN), which contacts Apple’s servers on your behalf to see if you have new messages. While this is starting to raise alarm bells, Beeper says BPN is a secure service: Apple allows Beeper to look for new messages without having to have the encryption keys needed to read them.
This means that all BPNs can do is see if you have new messages to decrypt. He can’t read them. If it detects new messages, it disconnects from the APN and alerts the Beeper Mini app. Now that the app is activated, it can receive new messages as if you opened it yourself, and voila – Android sends you a push notification about new iMessages. Beeper knows that this feature may raise eyebrows among some security-sensitive people, so they offer the option to disable it if you can manually open Beeper Mini every time you want to check for new messages.
Another consideration arises if you want to send and receive messages on an Apple device, such as an iPad or Mac. Your phone number is only required if you use phones, but to connect other Apple devices to your entertainment, you’ll need to sign in with your Apple ID. This is a little tricky because I like that Beeper Mini doesn’t require you to sign in to your Apple ID to initially work. However, this is the only way to connect your Beeper Mini phone number to your iPad and/or Mac, so if you want to connect all devices together, you’ll need to connect your Apple ID. I’m not sure I’d recommend it though.
In general, I’m still a little wary of connecting a service like iMessage through a third-party one. Not that Apple is perfect by any means, but they do run a tight ship. If you cross the boundaries of this situation, you risk running into security problems. However, right from the start, the new Beeper app is much more secure than before. Beeper has made its technology open source, so security researchers can pick it apart looking for vulnerabilities.
For me, I’ll probably wait for their initial results before committing to this service myself. But I’m impressed. This is, for lack of a better word, really cool.
Additionally, there is an argument that Beeper Mini makes text messaging between iPhone and Android more secure. SMS is a highly insecure messaging protocol, and Beeper Mini offers you end-to-end encryption. They have a lot to do now.
Can the Beeper Mini handle it?
Beeper Mini also faces some potential problems: Apple won’t like it because it relies on reverse engineering the iMessage code. (Props to you, jjtech.) Whether they’ll do anything about it remains to be seen. Apple also has plans to make text messaging between iPhone and Android devices smoother, with RCS support coming late next year , which puts the Beeper Mini in a strange position. Sure, it’s great to have an iMessage solution for Android in 2023, but what happens if green bubbles aren’t so bad in 2024? If people can text between phones at the same level as iMessage, no matter what phone you have, will people still want to pay to have their bubbles turn blue?
The green bubble stigma is bad enough in the US today that the answer might be yes. But as it becomes much less of a burden to be an Android user in an iPhone group chat, that stigma may disappear, and with it the need for something like the Beeper Mini.
But in its current form, Apple does not yet support RCS. So right now, this could be your best choice for secure and convenient messaging between your Android device and your friends on iPhone.
Beeper Mini costs $1.99 per month after a 7-day free trial. You can download it from the Play Store today.