Apple has provided its perspective on the matter, a few days after the Beeper team proudly revealed a means for customers to send blue-bubble iMessages straight from their Android handsets without the need for strange relay servers, and around a day after it became apparent Apple had taken action to shut that down.
The company’s position in this matter is rather predictable: it claims to be merely attempting to uphold users’ rights and safeguard the security and privacy of their iMessages. Apple senior PR manager Nadine Haija said in a statement, “We took steps to protect our users by blocking techniques that exploit fake credentials to gain access to iMessage.”
The entire statement is as follows:
At Apple, we incorporate cutting-edge privacy and security technologies into our products and services to give people control over their data and protect sensitive personal information. In an effort to safeguard our users, we disabled methods that use fictitious credentials to access iMessage. These methods exposed users to serious security and privacy threats, such as the possibility of metadata leakage and the facilitation of spam, phishing, and unsolicited messaging. In the future, we’ll keep making upgrades to safeguard our users.
This statement suggests a few things. First off, Beeper Mini, which connects to iMessage via Apple’s push notification service using a specially designed service, was shut down by Apple. All iMessage messages pass through this protocol, which Beeper successfully intercepts and sends to your iPhone. To accomplish this, Beeper had to persuade Apple’s servers that it was pinging the notification protocols from an actual Apple device, even though it obviously wasn’t. These are the “fake credentials” that Apple refers to. Snazzy Labs’ Quinn Nelson produced an excellent video explaining how it’s all done.
According to Beeper’s documentation, no one other than you can see the contents of your messages; the company’s process ensures that your privacy and encryption are not compromised. However, Apple claims this is unsafe for users and the people they communicate with, because Apple is unable to confirm that.
However, there’s a far larger picture at play here as well. CEO Tim Cook advised a questioner at the Code Conference who wanted a better way to message their mother who uses an Android phone, “buy your mom an iPhone.” Apple has made it clear time and time again that it does not want to bring iMessage to Android. In the past, company executives have discussed Android versions but concluded it would cannibalize iPhone sales. We don’t yet know exactly how Apple will implement the cross-platform RCS messaging protocol, but you can guarantee that the company will continue to work to improve the experience for native iMessage customers. Apple has said that it will do so.
The timing of Apple’s remark is intriguing. Beeper has only been in operation for a few years, and security-wise, its earlier attempts to intercept iMessage were actually significantly more troublesome. Beeper and apps like Sunbird (which recently collaborated with Nothing on another method to provide iMessage to Android) were only passing your iMessage traffic through a Mac Mini located in a server rack, which left your conversations significantly more exposed. Beeper Mini, however, was directly abusing the iMessage protocol, which prompted Apple to make its security measures more stringent.
Beeper has been slaving away to get Beeper Mini back up and running ever since Apple disconnected it. According to the firm, Beeper Mini was still not working on Saturday, but iMessage was back in action in the original Beeper Cloud app. “If Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?” asked the app’s founder, Eric Migicovsky, on Friday. He expressed his confusion about Apple’s decision to block his app.
Migicovsky now claims that despite hearing Apple’s announcement, his position hasn’t altered. He adds that he would be pleased to release Beeper’s code for a security assessment so that Apple can be certain of Beeper’s security procedures. Then he stops himself. “But I disagree with that whole idea! Since the starting point is that the only way for iPhone and Android users to communicate is through unencrypted texts.”
Beeper argues that anything other than SMS would be an improvement because SMS is intrinsically insecure. Migicovsky pauses to consider my suggestion that perhaps Apple is worried that users of iPhones are sending their purportedly exclusive blue-bubble communications through a company called Beeper that they are unaware of. “That’s fair,” he responds, and suggests a fix: perhaps a pager emoji could be included at the beginning of each message sent using Beeper to let recipients know what’s what. He claims that if that solves the issue, it may be finished in a few hours.
In response to my question about whether Migicovsky is ready to fight Apple’s security team going forward, he claims that Beeper Cloud’s continued functionality is an indication that Apple is unable or unwilling to keep it out of the system indefinitely. (He also mentions that the Beeper team still has some ideas for the Beeper Mini.) Beyond that, he believes Apple will eventually be persuaded to cooperate by the court of public opinion. He declares, “What we’ve built is good for the world.” “Almost everyone can agree that it should exist.”
This point, at least, appears likely to be ignored within Apple. Since it has been closely monitoring and safeguarding iMessage for years, the corporation is unlikely to relinquish control of it at this time. And even if Beeper manages to get Beeper Mini operating once more, it will always be stuck in a never-ending game of cat and mouse as it tries to outsmart Apple’s security measures. No matter how much you may want to send iMessages from an Android phone, Apple has made it obvious that it intends to win that game.