(Update: Monday, December 11) The Beeper Mini has done something no one thought was possible: They’ve found a way to trick Apple into thinking your Android phone is actually an iPhone, allowing the device to send and receive encrypted iMessages, blue bubbles and all. And for that reason, Apple punished them, and very quickly, I might add.
The company blocked the app from accessing the original workaround for Apple’s security systems on Friday. The next day, Apple confirmed its actions to The Verge, telling the outlet in a statement that it had taken steps to protect user security from Beeper’s “exploit.” According to Apple, the Beeper Mini solution carries risks of “exposure to metadata, spam, and phishing attacks.” In response, Beeper de-registered users’ phone numbers from the service and worked to resolve the issue.
As of today, they’ve been able to patch the app, but just that: You can’t use your phone number to connect to the service, and you now have to connect to your Apple ID. Although you’ll still be able to get blue bubbles on your Android device, and there are no “none” server farm issues in Chats (read below to learn more), this isn’t ideal from a security perspective. However, they have reduced the subscription fee of $1.99 per month, so that is one of the benefits of Drama. Senator Elizabeth Warren also appears to be on their side:
The tweet may have been deleted
You can read my original thoughts on the Beeper Mini below. Maybe some of this will still be relevant if the Beeper Mini can somehow pass these challenges. However, their situation is currently, let’s say, fragile.
The original article follows:
When Beeper first launched its iMessage-on-Android solution in August, I was very skeptical. While the dream of being able to turn those creepy green bubbles blue was more than just an attractive dream, the method that Beeper and other companies went about achieving this was not safe enough.
The main issue was regarding how to transfer these messages from Android to iPhone. In order for your messages to appear as iMessages on your friends’ iOS devices, you need to sign in to your Apple ID on your Mac mini on the Beeper server farm. Even though Beeper didn’t have access to your messages, it would only take one bad hack to steal your Apple ID code, exposing your Apple account to anyone who wanted to steal it.
Nothing tried something similar last month, teaming up with Sunbird to bring iMessage to Android via the Nothing Chats app. Same process, same security concerns. In fact, Nothing Chats was almost immediately pulled from the Play Store, as researchers discovered that the app was storing credentials in plain text. Hackers can literally read your messages along with the code if they gain access to the servers. So much for end-to-end encryption.
With all this drama going on, the promise of sending iMessages from Android devices seemed misleading. So when Beeper announced it had taken a new approach to this problem, one that eliminated all previous security concerns, I had my doubts. I still have my doubts, but I have to say: This looks promising.
Pepper mini
Beeper on Tuesday announced “Beeper Mini,” its new way to send and receive iMessages on Android devices. However, unlike the original Beeper app, the Beeper Mini doesn’t rely on a Mac relay to pass iMessages through Apple’s servers. Instead, the app connects and sends messages to Apple’s servers directly, simulating the same interaction the iPhone has with Apple to power iMessage.
This is quite an accomplishment. Beeper bought the findings of a researcher working for jjtech, who reverse-engineered how Apple’s iMessage protocol works, and partnered with them to create the Mini. With it, the Beeper Mini can receive the message you send from your Android device, push it to Apple, and then forward the message to its destination. It works because Apple “thinks” your Android device is an iPhone. Using a valid Apple serial number, Beeper registers your phone number with Apple’s servers, so the iMessage protocol sees you as a “blue bubble.” From then on, Apple views you as part of itself, and will happily take your encrypted messages and take them wherever you want to go.
Encryption isn’t affected here either: your private keys (the technology needed to encrypt and decrypt your messages) remain on your device, and are never transferred to Beeper or Apple. When you hit “Send,” the Beeper Mini encrypts your message. It won’t be decrypted until it reaches the right recipient, just like real iMessage does between iPhones.
Beeper is proud of this achievement and invites security researchers to scrutinize it. To this point, they encourage anyone to try the technology for themselves: you can try out an open source Python proof of concept on your computer that does exactly what the Beeper Mini does. You can see this in action in Snazzy Lab’s instructions for servicing. It’s strange to see that anyone can basically run iMessage in Python, while Apple has kept the technology within its walled garden since its inception.
Once it’s up and running, you’ll find that many iMessage features work as they should. Of course, you can send and receive messages, edit and unsend messages, join group chats without a problem, and send high-resolution media to other iPhones. Some specific features, like location sharing, FaceTime integration, and iMessage effects and games, aren’t available, but I imagine most people using this app won’t care. They’ll just be happy not to “ruin the group chat.”
Are there security concerns?
I have to hand it to Pepper: This is promising. No Beeper or Apple can access your messages, all encryption is done on-device, and you don’t need to log into a strange Mac on a remote server farm. This is a huge upgrade.
However, there are some quirks of the service that are worth paying attention to. Since Android doesn’t support Apple Push Notification (APN), the Beeper Mini can’t technically notify you of new messages without you actively using it. To get around this problem, Beeper created something it calls Beeper Push Notification (BPN), which talks to Apple’s servers on your behalf to see if you have new messages. While this starts to ring some alarm bells, according to Beeper, BPN is a secure service: Apple allows Beeper to scan for new messages without having to obtain the encryption keys needed to read them.
Credit: Whistle
This means that all BPNs can do is see if you have new messages to decrypt. And he can’t read it. If it detects new messages, it disconnects from the APN and alerts the Beeper Mini app. Now that the app is active, it can pull up new messages as if you had opened it yourself, and Android will quickly send you a push notification of new iMessages. Beeper knows that this feature might raise some eyebrows among security-sensitive people, so they offer the option to disable it, as long as you agree to manually open Beeper Mini every time you want to check for new messages.
There is another advantage if you want to send and receive messages on an Apple device like iPad or Mac. Your phone number is only required if you’re committed to phones, but in order to be able to enjoy other Apple devices, you’ll need to sign in to your Apple ID. This is a bit of a hassle, because I like how the Beeper Mini doesn’t require an Apple ID sign in to work to begin with. However, this is the only way to connect your Beeper Mini to your iPad and/or Mac, so if you want to link all the devices together, you’ll need to connect your Apple ID. I’m not sure I’d recommend it, though.
Overall, I’m still a bit wary of connecting a service like iMessage through a third party. Not that Apple is perfect by any means, but they run a tight ship. When you mess with the boundaries of this situation, you risk running into security problems. However, from the beginning, the new Beeper was an app a lot Safer than before. Beeper has made its technology open source, so security researchers can tear it apart for vulnerabilities.
As for me, I may wait for the initial results before I move to this service myself. But I’m impressed. This is, for lack of a better word, really cool.
Plus, there’s an argument that the Beeper Mini makes it more Secure to text between iPhone and Android. SMS is a highly insecure messaging protocol, and Beeper Mini offers you end-to-end encryption. They have a lot going for them right now.
Will Pepper Minnie be able to make it happen?
The Beeper Mini also faces some potential challenges: Apple will no You like it because it’s based on reverse-engineered iMessage code. (Props to you, JTech.) It remains to be seen if they will do anything about it. Apple has plans to make texting between iPhone and Android devices more seamless, too: RCS support is coming late next year, which puts the Beeper Mini in an odd place. Sure, it’s great to have an iMessage solution on Android in 2023, but what happens when the “green bubbles” aren’t so bad in 2024? If people could enjoy an iMessage-quality texting experience between phones, no matter which phone you had, would people still be willing to pay to turn their bubbles blue?
The stigma associated with the green bubble is bad enough in the United States today that the answer may be yes. But as being an Android user in a group chat on an iPhone becomes much less of a barrier, that stigma may be fading, and with it the need for something like the Beeper Mini.
But at the moment, Apple does not support RCS yet. So, for now, this might be your best bet for secure and convenient messaging between your Android device and your iPhone friends.
Beeper Mini costs $1.99 per month, after a 7-day free trial. You can download it from the Play Store today.
Apple’s decision to discontinue the iMessage on Android Beeper Mini app has sent shockwaves through the tech community. The move comes as a surprise to many, especially given the growing popularity of the iMessage platform on Android devices. With this announcement, users are left wondering what the future holds for their messaging experience and how this decision will impact the wider landscape of messaging apps.