A few days after the Beeper team proudly announced a way for users to send blue bubble iMessages directly from their Android devices without any weird relay servers, and about 24 hours after it became clear that Apple had taken steps to shut that down, Apple has shared its opinion on the subject.
The company's stance here is pretty predictable: It says it's simply trying to do the right thing for users and protect the privacy and security of their iMessages. “We are taking steps to protect our users by blocking techniques that exploit fake credentials to gain access to iMessage,” Apple senior public relations manager Nadine Haija said in a statement.
Here is the full statement:
At Apple, we build our products and services with industry-leading security and privacy technologies designed to give users control over their data and keep personal information secure. We take steps to protect our users by blocking techniques that exploit fake credentials to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users.
This statement suggests a few things. First, Apple actually shut down Beeper Mini, which uses a custom service to connect to iMessage through Apple's own push notification service: all iMessage messages travel over this protocol, which Beeper effectively intercepts and delivers to your device. To do so, Beeper had to convince Apple's servers that it was pinging notification protocols from a genuine Apple device, when this was obviously not the case. (These are the “fake credentials” Apple is talking about. Quinn Nelson at Snazzy Labs made a good video about how it all works.)
Beeper says its process works without compromising your encryption or privacy; the company's documentation says that no one but you can read the content of your messages. But Apple can't verify that and says it poses risks to users and the people they chat with.
However, there is obviously a much bigger picture here too. Apple has repeatedly made it clear that it doesn't want to bring iMessage to Android: “buy your mom an iPhone,” CEO Tim Cook told a questioner at the Code Conference who wanted a better way to message his Android-using mother, and company executives have debated Android versions in the past but decided it would cannibalize iPhone sales. Apple has recently said it will adopt the cross-platform RCS messaging protocol, but we don't know exactly what that will look like yet, and you can bet Apple will continue looking to improve the lives of native iMessage users.
Apple's statement comes at an interesting time. Beeper has been around for a couple of years and its previous efforts to intercept iMessage were actually much more problematic security-wise. Beeper and apps like Sunbird (which recently worked with Nothing on another way to bring iMessage to Android) were simply running your iMessage traffic through a Mac Mini in a server rack somewhere, leaving your messages much more vulnerable. But Beeper Mini was directly exploiting the iMessage protocol, which clearly led Apple to tighten its security measures.
Since Apple cut off Beeper Mini, Beeper has been working feverishly to get it working again. On Saturday, the company said iMessage was working again in the original Beeper Cloud app, but Beeper Mini still didn't work. Founder Eric Migicovsky said Friday that he simply didn't understand why Apple would block his app: “If Apple really cares about the privacy and security of its own iPhone users, why would they discontinue a service that allows its own users to send encrypted messages to Android users now, instead of using unsecure SMS?”
Migicovsky now says his stance hasn't changed, even after hearing Apple's statement. He says that he would be happy to share Beeper's code with Apple for a security review, so that Apple could be assured of Beeper's security practices. He then stops. “But I reject that whole premise! Because the position we start from is that iPhone users cannot talk to Android users except through unencrypted messages.”
Beeper's argument is that SMS is so fundamentally insecure that virtually anything else would be an improvement. When I say that maybe Apple's concern is that iPhone users will suddenly send their supposedly Apple-exclusive blue bubble messages through a company (Beeper) they don't know, Migicovsky thinks about it for a second. “That's fair,” he says, and offers a solution: Maybe every message sent through Beeper should be preceded by a pager emoji, so people know what's what. If that solves the problem, he says, it could be done in a few hours.
When I ask Migicovsky if he's prepared to fight Apple's security team in the immediate future, he says that the fact that Beeper Cloud is still running is a sign that Apple can't or won't keep it out forever. (He also says that the Beeper team has some ideas left for Beeper Mini.) Beyond that, he hopes the court of public opinion will convince Apple to behave anyway. “What we have built is good for the world,” he says. “It's something that almost everyone agrees should exist.”
Within Apple, at least, this argument seems to fall on deaf ears. The company has kept iMessage tightly controlled and carefully protected for years, and it's not likely to loosen the reins now. And if Beeper does manage to get Beeper Mini working again, it will be destined for an endless game of cat and mouse trying to stay one step ahead of Apple's security. And Apple has made it clear that it intends to win that game, no matter how much you want to send iMessages from an Android phone.
Update December 9, 8:30 pm: Added a comment from Beeper's Eric Migicovsky.