Show HN: Beeper Mini – iMessage client for Android (beeper.com)
Unlike every other attempt to build an iMessage app for Android (including our first gen app), Beeper Mini does not use a Mac server relay in the cloud. The app connects directly to Apple servers to send and receive end-to-end encrypted messages. Encryption keys never leave your device. No Apple ID is required. Beeper does not have access to your Apple account.
With Beeper Mini, your Android phone number is registered on iMessage. You show up as a ‘blue bubble’ when iPhone friends text you, and can join real iMessage group chats. All chat features like typing status, read receipts, full resolution images/video, emoji reactions, voice notes, editing/unsending, stickers etc are supported.
This is all unprecedented, so I imagine you may have a lot of questions. We’ve written a detailed technical blog post about how Beeper Mini works: https://blog.beeper.com/p/how-beeper-mini-works. A team member has published an open source Python iMessage protocol PoC on Github: https://github.com/JJTech0130/pypush. You can try it yourself on any Mac/Windows/Linux computer and see how iMessage works. My cofounder and I are also here to answer questions in the comments.
Our long term vision is to build a universal chat app (https://blog.beeper.com/p/were-building-the-best-chat-app-on). Over the next few months, we will be adding support for SMS/RCS, WhatsApp, Signal and 12 other chat networks into Beeper Mini. At that point, we’ll drop the `Mini` postfix. We’re also rebuilding our Beeper Desktop and iOS apps to support our new ‘client-side bridge’ architecture that preserves full end-to-end encryption. We’re also renaming our first gen apps to ‘Beeper Cloud’ to more clearly differentiate them from Beeper Mini.
Side note: many people always ask ‘what do you think Apple is going to do about this?’ To be honest, I am shocked that everyone is so shocked by the sheer existence of a 3rd party iMessage client. The internet has always had 3rd party clients! It’s almost like people have forgotten that iChat (the app that iMessage grew out of) was itself a multi-protocol chat app! It supported AIM, Jabber and Google talk. Here’s a blast from the past: https://i.imgur.com/k6rmOgq.png.
901 comments
[ 0.37 ms ] story [ 351 ms ] thread1. How stable is it; would it be trivial for Apple to patch this?
2. If it's as simple as reverse engineering the protocols, how has it taken this long?
[1] https://github.com/JJTech0130
With that in mind, I’d say that most messaging apps don’t go far enough to make that distinction clear. Any app handling SMS or any other unencrypted messages should have ever-present, readily visible warnings when conversations aren’t encrypted.
This shit matters now that people aren't able to receive proper reproductive care and education and other grey areas where Apple is setting its users and itself up for terrible and unjust outcomes that depend on everyone but Apple having flawed/imperfect information and Apple pretending 'Saul Goodman...
Are you referred to Advanced Data Protection being opt-in?
If I'm using ADP then these concerns are moot, right?
That's because iMessage is a first and foremost a marketing tool that Apple compels users to rely on.
Because I have bad news for you. If iMessage is simple that means literally the opposite of what you think it means.
I wouldn't put it past Apple and other reverse-engineering routes might have to be taken but I don't think this is as easy of a "Apple will instantly shut this down" scenario as many others seem to.
My suspicion though is that there will now be a rush of apps doing imessage on android or windows etc, and probably also spam on iMessage will go up which might stoke the fire a bit.
I guess we'll see what happens!
But yes, I was expecting it to be based on some kind of hardware root of trust certificate system that comes from deep within the hardware and secure enclaves!
I wonder how well this architecture (including privacy preservation) would work for LinkedIn messaging?
Specifically the BPN service since that seems to come from a data center IP and more likely for Apple / others to have a choke point.
[0] https://blog.beeper.com/p/721485af-aad0-4962-b418-eea9bc1e8f...
If it does manage to do a good job imitating what an actual iPhone would do though - is there any way Apple even could shut it down without breaking iMessage on old iPhones or forcing people to update?
> Migicovsky had a few different answers. The broadest one, regarding the tech behind the app, is that reverse-engineering for interoperability is legal—a fair use exemption to the Digital Millennium Copyright Act's restrictions against circumventing encryption or other protections. The app also goes out of its way to avoid trademarks like iMessage, referring instead to "blue bubbles" and the like, and the rest might be considered nominative fair use.
https://arstechnica.com/gadgets/2023/12/beeper-mini-on-andro...
What is maybe more relevant is the EU talking about forcing federation. If Apple lets this live it may give them more bargaining power in those discussions. If they shut it down thatay throw jet fuel on the fire.
The only avenue that is untested is based on Terms of Service.
I did a OSS WhatsApp reverse engineering project and got a C&D from 800 billion dollar Meta's lawyers all based on violation of their Terms of Service.
As far as I'm aware, there's no precedent for interop against ToS.
(That and desktop support is a must for me)
They are looking to get banned and completely damage the Matrix/Mautrix bridge ecosystem.
They are already a gatekeeper with core services that are required to be interoperable. Even if iMessage specifically hasn't yet been declared a core service, Apple is in the crosshairs and behavior like banning competitors will be harmful to their legal position at a very sensitive time for them.
Yes, it's possible that the EU will rule that iMessage needs to fall under these rules, too, but citing a major competitor (who's even more under the gun for the same stuff themselves) making the argument that Apple should be restricted is, shall we say, not super persuasive on its own.
Are they, though? Google allows alternative app stores on Android, they already implement an interoperable, open standard in their primary texting app (RCS), they allow alternative browsers on the Play store itself, and they don't block interoperability with other platforms the way Apple does.
That's not to say they're not under the gun, but what they're under the gun for is different, like bribing Epic and others to not move to their own app store or make a self-updating app downloadable from their website.
They're both monopolistic asshole companies, don't get me wrong, but they're using fairly different strategies.
Yes, but Apple has announced they will do the same thing. That is not the same thing as interop with the actual iMessage protocol. Similarly, Google Messages does not allow interop with its encryption and newly announced sticker/effects, which remain proprietary to the Google Messages app.
The argument stands. It would be a bad idea for Apple to ban competition from iMessage, even with an attempt at plausible deniability, while they are fighting European regulators about interoperability on multiple fronts.
They aren't running a client by Apple. A glance at other posts seems they are using Apple code, but that would just be a matter of reverse engineering if the code required the secure enclave.
I can't think of a way that a server would be able to prove a device is Apple or not if you were to replicate the protocol completely. Only if there was some established public/private key would this be possible. And then the private key on the device would be in a secure enclave that you could feed it data to sign to prove the device is an authorized device.
Importantly, this matters even for those older devices that were created without secure enclaves. iMessage still used this PKI architecture back before every new mac/iphone/ipad had a SE.
The EU doesn’t rule the world. They haven’t forced iMessage open yet, and Apple is clearly trying to avoid it with their announced RCS support.
I don’t think things are as far along as you do.
The CFAA says that "having knowingly accessed a computer without authorization or exceeding authorized access [is a federal crime]".
The courts held that 3Taps scraping the Craigslist website was accessing a computer and exceeding authorized access because it should have been obvious to 3taps that craigslist did not authorize them to scrape their website (namely from some IP blocks and a C&D letter), so it stands to reason that talking to the iMessage API from a non-apple device is a federal crime. Apple has only authorized apple-devices to talk to their API, it should be incredibly obvious to all of us that this is not being done with apple's authorization, hence crime.
In case it's not clear, I think the CFAA is a rather poorly thought out law since "authorized access" seems like it could be as vague as a ToS violation, which means it escalates things that seem more like civil matters into federal crimes.
Europe is not that homogenous, WhatsApp isn't even the most popular messaging app in much of Central/Eastern Europe and Scandinavia (in addition to that iOS has a similar/higher market share in Norway/Sweden/Denmark than it does in the US).
> of the history of carriers charging thru the nose for SMS back in the day.
Again, this wasn't the case in every European country (where I am text messages were already free or very cheap in the early 2010s so WhatsApp didn't really take off that much and FB Messenger is still quite a bit more popular to this day because it worked on PCs/browsers and most stuck to it when smartphones were becoming popular ).
same applies to Britain and Switzerland.
> in both places
> so maybe it even varies within.
Definitely Europe is not as homogenous as that. I do also live in Europe, people do use iMessage (or just text messages in general) where I am (to a much smaller extent than the FB messenger for instance which is much bigger than WhatsApp here).
And any meaningful number of people changing their phone number every few months is certainly not my experience whatsoever. Pretty much everyone I know have had the same number of years or over a decade or even longer.
I'm from Normandy to be hyper precise, and there, we don't have much iPhones or use iMessage. I certainly never heard of isolation due to lack of iMessage: we use sms or whatsapp.
In Hong Kong, it's common, maybe only among immigrants like me, to change number often, it just is, everyone I know does it, we just migrate with whatsapp. We do it to reduce the spam explosion over time as we give our numbers to more and more people, or to switch to cheaper 5G plans over time or stuff like that. I certainly hate now keeping a phone number too long, it just feels unsafe.
https://selfsolve.apple.com/deregister-imessage/
Edit: it's working now, took 15 mins to work itself out.
Pebble: https://en.m.wikipedia.org/wiki/Pebble_(watch)
https://www.kickstarter.com/projects/getpebble/pebble-time-a...
https://www.kickstarter.com/projects/getpebble/pebble-e-pape...
(At least I think that's what the word salad of parent is referring to.)
https://en.wikipedia.org/wiki/Theory_of_constraints
I also enjoyed The Goal and found it helpful for my manufacturing business, although I'm having trouble understanding how it connects to this blog post.
The next thought it the utilization for abuse such as spam. E2E is wonderful but it also means that the normal cryptoscammer / phishing checks can't apply. There are mentions of rate limits and that surely comes into play, but given the simple proof of concept it would be easy to scale out.
Personally if it's a business / marketing advantage unless their hand is forced for business reasons they should never change it.
iMessage is Apple's value-add and has its own app ecosystem, apparently/allegedly true E2E.
Yep, that is Apple's intent, according to Apple emails leaked from various court cases.For iPhone users, they'll still be some non-blue bubble people who lack the E2E[1] and tight iMessage app integrations that are popular among iPhone users these days. At least until governments possibly intervene.
1. E2E insofar as not carrier-accessible (unlike RCS), which is a bit of a hot button issue in the US, post-Snowden/PRISM. If carriers have access to RCS payloads or even metadata, they will most definitely harvest it for marketing purposes, as well as ship it off to the US government.
WhatsApp/Signal have been available for a long time for anyone that has wanted group chats with modern capabilities.
The barrier to entry to installing WhatsApp or Signal is near zero, just a minute of one’s time. And given that most everyone is using Meta’s other apps anyway, the privacy costs are moot. In fact, all of the people I asked have WhatsApp already, but mostly to remain in legacy group chats with older family.
If Apple started a new color "purple," that indicates sent via iPhone 15 Max well then that would be a further marketing boost for the multiple millions of ppl who care about social class & flaunt it. Apple overall is a luxury brand another one of their marketing strategies.
A “channel” that shows all participants the entire history seems more like a private forum thread than a “chat”, and should probably be distinguished separately.
If you're the type of person having conversations about people that you wouldn't want them to hear, maybe you shouldn't be having them?
> Over time, we will be adding all networks that Beeper supports into Beeper Mini, including SMS/RCS, WhatsApp, Messenger, Signal, Telegram, Instagram, Twitter, Slack, Discord, Google Chat and Linkedin. We'll also bring Beeper Mini to desktop and iOS.
I'm interested, even if it's paid. I'd love to have most of those apps gone and use a cleaner one.
[0] https://en.wikipedia.org/wiki/Trillian_(software)
[1] https://en.wikipedia.org/wiki/Trillian_(character)
now I'm reliving the chaos of the late-00s/early-10s instant messaging apocalypse when AOL sunsetted AIM. Clients like Trillian were absolutely necessary before AIM shut down. Everybuddy was a good linux-friendly client. When I still spent time on IRC, I really really liked Bitlbee [1] with ERC [2]. Gaim was one of the first open-source projects I ever contributed to.
(I'm not saying that there's a connection there, but rather that all the chat protocols started getting used less around the same time for the same reason, which was smartphones becoming commonplace in late-00s.)
[0] https://en.wikipedia.org/wiki/Ayttm
[1] https://www.bitlbee.org/
[2] https://www.gnu.org/software/emacs/erc.html
(Please correct me if I'm wrong; the architecture of their product is pretty confusing.)
Edit: I mean a code for Beeper Mini on Android - not desktop
Well yeah it was already used and you came 3 hours after the fact.
where are you located?
It's actually weird and silly when they send me text messages and somehow I end up in the same conversation multiple times - like once 1:1, once in a group chat with myself included twice or more (as a number, as an email, as a second number). It's a bizarre experience and usually iPhone user can't see anything wrong :D
Thus, for many socio-economic groups, iPhone is definitely king in the US, and for them iMessage is just the default way to message people because when it was introduced it was the default way to use SMS on iPhone. A restaurant in Texas famous for their funny signs put this out, https://twitter.com/ElArroyo_ATX/status/1693316647677825160 , and tons of people (myself included) could immediately relate.
Isn't that exactly what WhatsApp (and to a lesser extent) Telegram are?
Unfortunately, signing in with Google is the only option.
https://help.beeper.com/en_US/beeper-mini/beeper-mini-how-to...
This write up adds so much more to that respect. It would have been easy to botch this, it would have been easy to do a worse implementation that would have caused problems for users whether they cared or not, but Beeper seemingly took the time to get right.
Congrats to Eric and the team on the launch!
> Everything changed in August when a security researcher reverse engineered the iMessage protocol.
> At a high level, here’s our product plan for the near future (in very rough order, and very subject to change): > Add support for SMS, WhatsApp and Signal into Beeper Mini, using the same end-to-end encrypted client-side connection architecture. No cloud servers in the middle.
so they are changing their whole business model to rely on illegal proceedings, breaking the ToS of every service they want to provide an alternative for.
I'm pretty sure Apple isn't fond of random people using their servers and their proprietary protocol on a client they haven't created. Signal is the same, they C&D every fork that becomes popular, the only official clients are the CLI and the ones they release (Signal is open source though). WhatsApp is also similar.
It's interesting and disappointing to see that they are hoping to create a business model on top of that, and it will probably backfire and hurt Matrix users as well, because these chat companies will become stricter and completely forbid third-party clients.
We haven't had a single problem like the one you're describing. Not to say it will never happen.
It seems similar to the parallel of iOS builds where its been possible to do so with virtualized MacOS on non-Mac hardware for a long time but its a violation of the TOS of MacOS to do so. Apple does spend effort ensuring that companies running cloud builds do so on Mac hardware; they don't care that the true end user is running Windows and achieving an iOS build as long as there was Mac hardware doing the actual building.
So this reply is along the lines of "we did something for 3 years that allow and they never stopped us" which isn't very strong evidence they won't stop you now that you're doing something they don't allow.
They may not do anything here thanks to the current EU climate though, I only mean that the fact they did nothing about Beeper Cloud is not evidence one way or the other.
This is asking to draw unwanted attention towards yourself.
https://gist.github.com/smashah/667d4d5cf31670ee87547450861a...
The game being played here is poker. If they call beeper's bluff then they risk setting a whole industry wide precedent that interop supercedes ToS (that's the only angle).
As it stands, ToS based C&D for interop is untested afaik.
We as a community need to discuss ToS-trolling and fight against it.
https://github.com/signalapp/Signal-Android/issues/9966
https://github.com/libresignal/libresignal/issues/37
unless the EU rushes out their legislation that interop is not grounds for terminating someone's account, I'm sorry, but they can do whatever they want to with their app.
Would you feel happy if someone used your home network to seed torrents? Using your bandwidth to seed them?
I can kick said person off my network. It shouldn't be grounds for me to go and start legal proceedings against the developers of uTorrent.
Now you're replacing that with Apple's own infrastructure.
They won't like this and I really hope an eventual C&D from Apple, Meta and Signal won't affect the development of the Mautrix bridges.
Is there an officially supported CLI for Signal? Please tell me it's true, that would mean so much for small scale automation!
17 U.S. Code § 1201 - Circumvention of copyright protection systems
Just because a legal binding document seems stupid it doesn't mean you can break them.
I find most laws stupidly worded, it doesn't mean I should disrespect them.
1) Are they going all-in on being an antagonist to Apple?
2) Will the users be willing to stick around during any outages/downtime/failures due to the cat-and-mouse game? (That I agree will follow and continue.)
Will it be a cat-and-mouse game? Maybe. Will users stay? Probably. In many cases, Beeper users already WERE iMessage users. Beeper users ARE Discord users. They are users of the upstream service and explicitly want a unified and interoperable chat system, for one reason or another. Maybe it's more practicality than ideals, but it's all the same in the end.
That said, it's not like Beeper is new, and it doesn't seem like antagonism is a primary driver of operational issues yet, so it's not clear it's about to start any time soon, either. Perhaps one of the most annoying tech company strategies is to try to establish a horrid status quo before regulators and law enforcement have time to catch up with you, making it much harder to actually do anything about. I see Beeper as one of a small number of companies that are basically on the opposite end; if they gain a large enough mass of users, it's going to be harder and harder to antagonize Beeper without antagonizing their own userbase, especially when you consider that the value of IM networks is largely in the connections between users. So, the clock is ticking.
If Beeper was free, sure, they wouldn't bother that much.
But Beeper relies on this business model. Apple and co wont let this slip.
This always rubbed me the wrong way and made it seem like it's an NSA operation
I don't know why this comment always pops up on HN every time Signal is mentioned.
Signal builds on Android have been reproducible on Signal for nearly eight years - basically the entire time Signal has existed as an app under that name.
On iOS? No, because Apple doesn't allow reproducible builds on the App Store, period. But you can't blame Signal for that.