via Beeper
Beeper Mini worked publicly for about as long as it’s been shut down now. The service tricked Apple’s servers into allowing users to register their phone numbers with iMessage, even if they’re using an Android phone. From there, their Beeper Mini client could communicate with Apple’s servers in the same way an iPhone could. However, about two days after Beeper Mini came online, it abruptly stopped working. Now, two days later, it’s still offline. Beeper says they’re working to bring Beeper Mini back, but Apple plans to ensure it never works consistently.
Apple will work to keep iMessage an iOS-exclusive like the platform depends on it because, frankly, it does.
Beeper Mini is a Security Problem
According to Apple, Beeper’s methods “posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.” It’s hard to hear, but Apple’s right.
Apple can’t verify the security of the Beeper Mini client. The most any of us could do is run it through a proxy and collect any network calls to Beeper’s servers. However, if they included encrypted information, we wouldn’t know exactly what they were transferring back to their service. Beeper could collect data, and we wouldn’t know.
Beeper didn’t make their app open-source. If they had, regular developers with too much time on their hands, like myself, could look through their code for any security issues. Still, even if they did, Apple would want to do a more thorough investigation into their logging and data collection practices. If Apple was willing to certify third party clients, they’d want a better assurance than Beeper was willing to give users with Beeper Mini.
Not that Apple wants third-party iMessage clients.
How’s This Insecure?
While messages sent or received are encrypted, beeper could collect metadata. It’s not unheard of. Meta collects contact information, location, and untold other metadata on users of WhatsApp. Those messages are end-to-end encrypted, but that doesn’t guarantee privacy if the client, the actual app you’re using, isn’t safe. While Beeper is quick to share how everything works, including the exploit itself, they don’t want to share their client code for Beeper Mini. We have their promise to trust them in their privacy policy, and that’s it.
We can choose to trust Beeper, and Beeper Mini does seem safe to use. But we can’t guarantee it. Apple would need a guarantee before they exposed their users to a third party.
Beeper Mini did show that, if Apple wanted, they could profit from iMessage on Android. An official client could likely charge more than $2/month too. That would be a subscription service outside of the iOS ecosyst6em, a whole new subset of customers who wouldn’t otherwise be Apple customers. However, iMessage sells iPhones, and Apple may not want a subscription messaging service more than iMessage as an exclusive.
The Best Privacy and Security is Encryption
“if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?”
– Eric Migicovsky, Beeper CEO
“We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.”
– Nadine Haija, Apple Senior PR Manager
These aren’t contradictory messages. Apple is working to make most text-based communication on the iPhone encrypted. They’re adopting the RCS standard next year and working to add encryption to the official RCS standard. While everyone using iMessage would be more secure, Apple can’t trust that Beeper Mini isn’t doing anything with their app. Apple’s worried that an incursion into their network could be dangerous.
Let’s say Beeper Mini is secure. It certainly seems to be, but let’s give it the benefit of the doubt and assume that it is 100% secure, no worse than Apple’s implementation of iMessage. If Apple didn’t close this gap, someone else could use the same method Beeper Mini used to crack open iMessage. Then they could create iMessage spam bots. They could release an app that does violate your security, by copying messages after they’re decrypted on your device. If Beeper could get in, anyone could get in, and that breaks the security of the entire system.
“We stand behind what we’ve built. Beeper Mini is keeps your messages private, and boosts security compared to unencrypted SMS. For anyone who claims otherwise, we’d be happy to give our entire source code to mutually agreed upon third party to evaluate the security of our app.”
– Beeper statement via Twitter
The only way iMessage can be secure on Android is if Apple makes it or if they grant special permission to a developer like Beeper. The latter would require a tough security review, and Beeper hasn’t made their client available to test. They say they would be willing to share their source code with a third party, but won’t make their client open-sourced for the larger developer community to test.
iMessage Will be an iPhone Exclusive, Likely Forever
I’d say never, but it’s highly unlikely that we’ll ever see an Apple-sanctioned third party iMessage app. It’s far more likely we could get an iMessage app for Android directly from Apple. Even more likely is that Apple just adds RCS, pushes for an RCS encryption standard, and keeps their golden goose an iPhone-exclusive.
Without iMessage, many teens wouldn’t become lifelong iPhone users. Apple has a minority share of devices overseas, with only half the market in the U.S. and a fraction of Android’s market share elsewhere in the world. Without iMessage, the iPhone could lose popularity and we could be stuck with Google having a near-complete monopoly.
It’s probably a good thing that iMessage is exclusive to iOS devices.
However, if you want even better privacy and the group chat features you’re used to, give Signal a try. It’s quite possibly more secure than iMessaage and won’t require exploits from third parties to work cross-platform. Signal already works everywhere.
Sources:
- David Pierce, The Verge
- Abner Li, 9to5Google