Beeper Mini is Sort Of Back?


The Beeper and the Apple logo clashing

Beeper has entered the age-old game of cat and mouse with Apple. Just as Palm once did with their Palm Pre, which would pretend to be an iPod to sync with iTunes, Beeper Mini will continue to help you pretend your Android device is an Apple device to connect with iMessage. However, it’s lost the most important feature of all: the ability to use your own phone number.

Beeper Mini now requires an Apple ID to work. The company hasn’t updated its documentation, but the method is similar to the method they used previously. They claim the “security and privacy of Beeper Mini is unchanged,” and they’re still using iMessage’s end-to-end encryption.

Beeper says that, with Mini, transparency is their number one priority for earning consumer trust. However, they haven’t stated how this new version of Beeper Mini avoids Apple’s blockade where the previous version failed. They also haven’t stated why phone numbers don’t work, but an Apple ID does. Finally, they haven’t stated if this change requires that they hold on to or use your Apple ID credentials in any way. They do point to their privacy policy when these questions come up, but, without transparency, their number-one method for obtaining trust, or an open-source app, their second method for maintaining trust, or a subscription, their third method for obtaining trust, one has to wonder if they’re still deserving of trust.

Can we still trust Beeper with our data? Beeper hopes you do.

Beeper Mini’s Back!

The good news is that you can now use Beeper Mini again. The service is now free, which may raise some alarms, but Beeper says they did this because they didn’t feel right charging for the app until it’s more stable. Will Beeper Mini stay afloat if it’s not making money? Beeper hopes to charge again soon. Until then, their app may not have a source of revenue outside those who choose to donate to the cause by keeping their subscriptions active.

“We’ve made Beeper free to use. Things have been a bit chaotic, and we’re not comfortable subjecting paying users to this. As soon as things stabilize (we hope they will), we’ll look at turning on subscriptions again. If you want to keep supporting us, feel free to leave the subscription on 🙂”

– Beeper via the Beeper Blog

Beeper initially released the Beeper Mini update via an APK users would have to download, but has now rolled it out to users via Google Play less than a day later. That’s a short beta testing period for such a large rollout. Hopefully the app works so similarly to the original that it didn’t require as much testing.

Beeper Response to Apple’s Statement

“We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.”

– Excerpt from Apple’s Statement

Apple didn’t say anything untrue. They had no control over Beeper Mini’s privacy policies. They had no way to ensure that the Beeper Mini client was not stealing user data or messages. This is because Beeper Mini has not been audited by Apple, a third party, or anyone else, as Beeper will not share their source code for the app. They detailed how the exploit works, which means anyone—including a nefarious actor not affiliated with Beeper in any way—could have used the same method to begin stealing iMessage data and spamming users. Apple had to take action.

Despite that, Beeper has called Apple’s comment “FUD” (Fear, Uncertainty, and Doubt), calling it “1984-esque doublespeak.” They claim that “Beeper Mini made communication between Android and iPhone users more secure. That is a fact.” And, it might be a fact! But no one, including Apple, could verify it. Furthermore, the defensive and aggressive nature of the response erodes faith in Beeper’s maturity even further. Apple was right to close this loophole, for the reasons they listed. Apple’s appropriate options include working with third-party developers to certify their apps, making their own version of iMessage for Android, or, like they’re currently doing, making a version of iMessage that works with RCS messages, and encrypting those messages as well.

More Secure?

“If Apple doubts the security and privacy of our app, we’re willing to share the entire Beeper Mini codebase with a mutually agreed upon 3rd party security research firm.”
“If Apple insists, we would consider adding a pager emoji 📟️ to metadata on all messages sent via Beeper Mini. This would make it easy for Messages App to filter out any messages from Beeper Mini users.”

– Beeper cofounders Eric Migicovsky and Brad Murray

One comment Beeper Mini continually makes is that iPhone users are more secure when Beeper Mini works. In a sense, they’re right too. If Beeper Mini is working, more messages can be sent through iMessage instead of SMS. iMessage is end-to-end encrypted; SMS is not. However, this is only true if Beeper Mini’s security can be trusted. Apple couldn’t just take Beeper at their word. They’d need to do a thorough review of the application code, which Beeper has not made public. Beeper Mini works by spoofing an iPhone 7, pretending your Android device is an old iPhone, and registering your Apple ID with that old iPhone to trick iMessage into sending emails to your device. Users will even get a message from Apple stating that an iPhone 7 named “Beeper Mini” had signed in to their account. This is not an actual iPhone 7, but the Beeper Mini app posing as an iPhone 7. At least, that’s what Beeper says. That’s a lot of clever tricks, and it all rests on the back of one iPhone, something iMessage should be safe doing, but wasn’t designed for.

The fact is, if we all encrypt all of our messages, we’d be more secure. You can do that with Signal, which I’d recommend you use. Signal is completely open-source, so you can download the app yourself, compile it, test it, and ensure its safety. Beeper Mini is not, and Apple, as well as many users, are uncomfortable with their insistence that we just trust them. After all, they’re not open source, they’re not being transparent about how the service broke or how they fixed it three days later, and they’re not allowing audits yet, though they have said they’d be open to them if Apple requested one.

It’s likely they’re telling the truth: users are safer when Beeper Mini works on Android. But can we be sure?

Losing Users Along the Way?

I’ll admit, I haven’t reinstalled Beeper Mini. The truth is, I’d prefer to see more documentation or source code on the app itself. I’d at least like a third party review of the app. I wish they could get that. It would be excellent if Apple would allow Beeper Mini to work with certification and labeled messages. Perhaps Apple could even remove the restrictions on the devices that can sign up for iMessage to allow approved Android apps to work with their network. However, iMessage is an iPhone selling point. They’re not going to give it up. They do agree with Beeper about the necessary security of end-to-end encryption, which is why they’re adopting RCS and working with the GSMA to ensure encryption is built into the RCS protocol.

Many users will wonder why they now need an Apple ID, how this works, how it changed from the first version, and why the first method could register numbers but this version can’t. I have some guesses based on an understanding of the original method for breaking into iMessage, but I’d prefer to see information from Beeper. My working theory is that they’re using a single iPhone 7 serial number to register numbers, and Apple is blocking it from registering any phone numbers, but Apple ID still works. If that’s the case, Beeper Mini could get a number of old iPhones and register numbers through a variety of them, but would eventually get caught using this as well. It wouldn’t be cost-effective if those phones are banned from iMessage after Beeper bought them. This also doesn’t fully explain why Apple hasn’t blocked this device from signing up with an Apple ID though. Why would Apple only disallow new number signups and not new Apple IDs from the same phone?

Users will also have to send messages from their email address, not their phone number. This isn’t the seamless solution users want to see. It means anyone who sends them an iMessage or adds them to a group chat will have to use their email address instead of their phone number. It’ll certainly be an annoyance.

Beeper Mini is from a company that has been doing iMessage on Android, first through relay servers and now through falsified verification, for years now. The founder came from Pebble, the first mainstream smartwatch (and a favorite of mine). I’m rooting for them, and even downloaded and subscribed to Beeper Mini on day one. But, now that the game of cat and mouse with Apple has begun, I worry “fixes” could be rushed out the door without the proper verification for security, and I’d prefer to see open sourcing and third party testing. Perhaps Beeper Mini will add this in the future as they further stabilize their service. I look forward to that. Until then, I still think all smartphone users would be better off just downloading the most secure form of blue bubbles: Signal.

