Saw that coming. Just like Google did with the SEO heist a person bragged about a couple weeks ago, if you make big tech companies look foolish they are going to react quickly.
This is still baffling. The tweets make it sound like they're competing against google and stole traffic from google, but their landing page makes it look like they're some sort of business modeling SaaS? Why would they be competing against google?
They are competing against another business (not google), and through AI generation of content (based information gathered from the competitors site map) they were able to capture web traffic from Google that would previously have gone to their competitor.
The issue isn't just low effort affilate spam pages piss fighting with each other. It's that they were trying to sell the technique as a product to people who make actual content so that they could steer viewership of their other high-quality-content competitors towards AI generated garbage.
Basically a weapon to taint your competitors brands by redirecting their viewers away from their content to ad saturated AI garbage.
And the tweet fundamentally misunderstands how ahref works. If google killed the site in question, ahref would have no idea given they have their own crawl.
Apple isn't blocking competitive messaging apps from their platform. They are simply blocking unauthorized access to their services. EU won't look at Slack for blocking your irc client, and EU won't look at this.
If you can’t come up with at least a specious argument as to why your [insert thing] should be locked down, you should expect EU Antitrust at your door in the near future.
The EU set up the rules of the game, and it turns out iMessage falls outside the rules (to the EU’s dismay).
Even if it would fall within the rules, EU regulations work on a policy level, not a technical one. In other words, they can force Apple to change their policy and facilitate interoperability, but there’s no legal mechanism to force Apple to allow unauthorized use of their service.
The best you can do, if you're so inclined, is hope that the EU will change the rules of the game, but that would be such a transparent attempt at targeting a specific company (a big no-no in the legal reality within the EU) that the European courts will strike it down before they finish their breakfast.
Well, to be fair, wasn't this always going to be the end state? I wouldn't be surprised if the choice of subscription plan was mostly because it makes "total value-time received" a really easy calculation. It worked for 2 months, you're not getting your 4$ back.
Surprised it only lasted this long though, I'm sure they weren't betting on that. I still wouldn't expect a refund for the 1,50$ of 3 weeks this payment cycle that you didn't use.
Reproduction isn’t really a human making a human. Where making means using your cognitive power to apply focus to a creative task. It is more akin to natural
biological processes. Do humans make poo, or hair?
I suspect you are asking why Apple will not allow Beeper Mini to send and receive iMessages. The answer is probably Apple does not want non-customers to use iMessage or iMessage’s infrastructure. iMessage costs money to run and Apple is not interested in letting people who do not use its products use iMessage.
You mean the company who controls the protocol, and the clients, and the servers for a given service somehow found a way to stop a third-party from utilizing that service without permission?
I am shocked at this outcome, and shall write my senator.
And IIRC it used some old OSX binaries to do so? Just terminating the access might be a lucky outcome if that's the case, considring the money involved.
> Beeper Mini uses another workaround for the device UUID/serial/etc. requirement.
Have you got a source on that? As far as I know, there's no workaround possible because the authentication blob is based on the UDID/serial. Put differently: without UDID/serial, there's no way of authenticating with the message servers.
Beeper keeps referring to pypush when it comes to details in their write-up[0], and pypush, in turn, clearly states[1] the need for information like serial and UDID when dealing with the albert server and IDS registration request.
As a “workaround,” they simply stuff fake serials, etc., and cross their fingers that it gets through Apple’s scoring mechanism.
How is this a demonstration of "antitrust"? Apple does not unfairly prevent competition for messaging apps, as evidenced by a plethora of competition for messaging apps, plenty of which are far more popular on iPhone outside of the US.
Apple faces the heat of this competition - it frequently adds features to iMessage to make it equal or better than it's competition. Voice notes through iMessage was a direct reaction to popularity of that feature in other platforms.
Additionally, didn't they just announce that RCS would be a first class citizen in '24?
Feel free to use the open standard but don't be iMessage.
I'm a long time beeper user. It's been nice to sign up with my email, and at least be in a few of the iPhone only chats.
When I saw Eric's post the other day, my first thought was 'what an arrogant dumbass.' My guess was that they though they have an anti trust case, and my guess is that apple may have thought the same, and so they enabled 'iMessage' access to RCS.
This was so predictable, especially after the RCS announcement, that I messaged my group threads and said they'd be borked by the end of the week, please switch back to signal.
So, I think I'll ride that train until RCS is a thing and be done with beeper. I honestly think they just shot themselves in the foot.
I think it is odd that they chose to make a product out of a hack. Seems like a lot to invest on the bet a few Apple security people wouldn't patch this up.
Not discouraging the endeavour but now they are on the hook for all of these customers who bought on this promise. Feels like it should have started as a free product to see how Apple would handle it.
Any time one is tempted to post a sarcastic comment, it's good to re-read Poe's law[0] first. It does in fact always apply when posting on the internet.
That's very likely. They don't actually say anywhere what that status page is for. I do feel like they could be and should be collecting stats on whether or not messages are sending properly or not in app, especially since this ways always the most likely scenario eventually.
Beeper Mini talks directly to Apple servers from your device.
Beeper the company also has Beeper (Cloud) which bridges a whole lot of chat apps via Matrix to their other client app, including iMessage via a Mac relay.
Beeper (not mini) is already a company - it's an app that aggregates the various other networks friends and family insist on using. WhatsApp, FB Messenger, Telegram, Instagram, etc.
Been using it a while now, pretty good.
This was a proof of concept to expand that app, it's not the entire company
What's the pricing model? I would think that many people would not be potential customers because the vast majority of their networks are on a single platform (whatsapp or messages), or because they don't really care if messages live in 2 different places. I could imagine paying a one-time fee for something like this, but I assume the ongoing upkeep required would not work with such a model.
I would agree if they hadn't completely redone their website to remove every reference to Beeper Cloud. They really made it look like a deprecated product, not a good alternative that won't get blocked.
Oh wow aye, admittedly I've had no reason to go to their main site recently (and in hindsight should have before responding). They really went all in on marketing this eh
There's always a possibility of me being wrong! It does look like a bit of a pivot doesn't it.. Good point, well made.
I think I'll go double check I can still log in to my chat apps directly just in case haha
I mean, even if they go all in with Beeper Mini, they plan on adding all the services supported in Beeper Cloud in it.
Even without iMessages, a fully local application like this would be a great product. The fact that it relied on their servers put me off of using Beeper cloud
> Our long term vision is to build a universal chat app (https://blog.beeper.com/p/were-building-the-best-chat-app-on). Over the next few months, we will be adding support for SMS/RCS, WhatsApp, Signal and 12 other chat networks into Beeper Mini. At that point, we’ll drop the `Mini` postfix. We’re also rebuilding our Beeper Desktop and iOS apps to support our new ‘client-side bridge’ architecture that preserves full end-to-end encryption. We’re also renaming our first gen apps to ‘Beeper Cloud’ to more clearly differentiate them from Beeper Mini.
I used to think like this before I saw companies like Instagram and Tiktok thrive in the app store, which they absolutely cannot control. It is often worth a shot.
Relying on the App Store to distribute your app is more than a little different than building an extension to iMessages. Apple and Google want you to use their app stores in this way. Apple does not want you to bridge iMessages to other platforms.
It’s impossible to avoid relying on other people’s platforms. (Unless you want approximately zero customers, I guess) I wish these monopolistic corps didn’t have such an iron grip, but I’m not demanding creators single handedly remove every dependency on them. There is no ethical consumption (or production) in late stage capitalism.
> Reached for comment, Beeper CEO Eric Migicovsky did not deny that Apple has successfully blocked Beeper Mini. “If it’s Apple, then I think the biggest question is... if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS? With their announcement of RCS support, it’s clear that Apple knows they have a gaping hole here. Beeper Mini is here today and works great. Why force iPhone users back to sending unencrypted SMS when they chat with friends on Android?”
Does it come down to The Law of Leaky Abstractions?
Which means that if Apple wants to change something eventually, then they will possibly break downstream abstractions and then people will complain and the downstream abstraction will say "Well Apple changed their API, it is their fault". Letting someone do it from square one would be enabling that future scenario, as it isn't "if" it changes, it is "when".
If it was an open source API that would be different, but Apple's is closed source, that is Apple's philosophy at the core. It is a closed API yah? Not even an open spec right?
Good? RCS isn't universal. Am I gonna be sending and receiving Google, Verizon, TMobile, or Samsung messages? It's not universally encrypted either. No way am I turning it on.
The only texts I get are unwanted spam or some confirmation codes and no it is not worth it to use RCS with the amount of unsent messages it keeps having problems with, maybe for some "possible encryption". It is trash all the way around.
Vendors are going to have to actually work on improving the standard (and Apple has committed to working within GSMA on an appropriate multi-vendor E2EE mechanism)
In the absence of interoperable standards through GSMA, there will likely still be quite a bit of broken behavior, e.g. when it's not a Google RCS Server and all Google clients.
They don't have to, as they haven't for over a decade. It will suck and I doubt anyone will use it unless they're forced to (for 2fa). This is too little too late, if not iMessage, they'd use Snapchat, Facebook messenger, or IG before switching over to texting.
There is zero benefit for apple to make it good and no commercial reason for these vendors to make it good for multi vendors.
I agree. There are already third party E2E messaging apps that work across platforms. Anyone who decided to build a business on unauthorized use of another company's servers was just setting themselves up for disappointment. I have a hard time understanding how anyone thought Apple would not cut this off.
The EU should, like they did years ago with PC operating systems, mandate a default browser selection screen. And a default messenger selection screen. And a default app store selection screen.
Not that we'd get it in the US but it would help reduce Apple/Google market capture efforts.
Incorrect meme, almost no one is on whatsapp in Hungary for example. We use Messenger, Viber mainly and other social media apps that have a chat feature.
So basically you are making my own argument: we use tons of different apps. What would be the selection screen useful for?
Going further: if we download different messengers, it stands to reason we can download different browsers, therefore if safari is the most used it's because it's the one we choose.
Common case of people seeing that something is common in Western Europe and Latin America and then claiming “the U.S. is the only country that doesn’t do X”. Happens all the time.
That's probably why Apple will get away with keeping iMessage closed (unless the US government pushes them), probably not enough European use to count as a gatekeeper.
You say that like it's a bad thing ("get away"). iMessage has nowhere near a majority and Apple doesn't put in any restrictions against alternative messaging software (…not that they're perfect, and haven't in other areas…).
I don't believe in closed protocols or crappy interoperability. There are several approaches that could improve things, like adopting Google's encryption improvements to RCS so that mixed iPhone/Android conversations are secure ("but that's not in the standard!", well, then, get it or something similar in the standard); they don't have to let others into iMessage necessarily. Apple claims to care strongly about their users' privacy and correctly attacks Google for caring a whole lot less. Encrypted, full-featured messaging would benefit their own users.
'Nobody' in the EU uses iMessage, even on iPhones. Everyone here already uses Whatsapp. This demonstrates a lack of a monopoly and how competition can flourish.
Honestly - and EU-regulation that Apple faces over iMessage would just be collateral damage from EU targeting Whatsapp.
There's no monopoly. Messengers hardly have any lock-in and there's plenty of competition available. Entire continents will switch messengers essentially overnight once the current market leader becomes too enshittified and there's something better. Remember how AOL, ICQ, MSN, Skype, etc. died?
WhatsApp is the current leader because it's no-nonsense and works everywhere. The moment Facebook fucks that up even a little bit, people will have moved on to the next thing.
I can use multiple messengers in parallel without issue, as I did each time in those transitional periods.
The last messages on a dying messenger are always instructions on how to move on to the next thing. In skype, my status and most recent messages are just informing people of my discord handle. I accept that I may not be the norm, because generally I don't reach out to people and don't initiate contact, meaning that the onus is on them to use the appropriate channel to reach me.
Maybe it's worse for people who voluntarily stay in contact with many others using different messengers, but I don't see the problem with just having multiple messaging apps, especially since modern phones just consolidate all messaging services's contacts into your contacts app (at least on Android). You don't even need to remember who is reachable where.
>Maybe it's worse for people who voluntarily stay in contact with many others using different messengers
This is the problem I was expressing. If I want to contact Joe I have to use Signal, if I want to contact Sarah it is WhatsApp. Sam is SMS. Its hard to remember who is using which app.
> but I don't see the problem with just having multiple messaging apps, especially since modern phones just consolidate all messaging services's contacts into your contacts app (at least on Android). You don't even need to remember who is reachable where.
That is easy enough if you use the contacts app. I usually go straight to the app I want. Regardless, it doesn't solve the core problem because people use multiple apps. How am I supposed to remember which app they prefer? I could message them on their non-prefered app, but I don't like doing that if I can avoid it.
What do you think why suckerberg didn't done that until now? Facebook knows exactly that they need to be extremely cautiones to don't lose all their users to threema, signal or telegram.
Thats the reason why until now they only added non intrusive monetizing ideas than company accounts and so on. And when you ask me, they found a way to make whatsapp better. I can now order sushi via whatsapp. Here in Germany I know no other messenger that makes this possile.
These assertions need those quotes around 'nobody' because I work with a bunch of apple device owners across Europe and they certainly do use Apple messages.
At scale yes, signal, telegram and whatsapp are perhaps more significant than the apple ecology and the ratio of android to apple outside the USA and canada probably shows why.
“Installs” are muddied by the fact that everyone with a Facebook account has a Messenger capability, and every Apple user has an iMessage app downloaded.
“Messages received” is distorted by group chat dynamics and commercial messages.
“Messages sent” is distorted by the unequal value of relationships.
For example, I generally communicate with FB marketplace sellers & acquaintances from high school on Messenger, but use WhatsApp for talking with overseas family members.
More generally, there are social dynamics which make messenger apps radically different from one another. Even when the feature sets of the applications are very similar.
I'm aware almost no one uses iMessage in Europe. Most would choose WhatsApp in Europe. And if we had the choice most would choose iMessage in the US.
But it gives normal users a choice if they want it. Maybe it would get some to think oh maybe I should try Signal. That's how some people found out about Firefox - unimaginable I know.
But Whatsapp's popularity on iOS already shows that "normal" (whatever that means) users already have a choice. The market is not being constrained by Apple.
That's a pretty sweeping generalisation on it's own. You personally interacting via iMessage with people in the EU has absolutely no bearing on this. When people say that 'no-one' uses iMessage, they are really saying saying that it's a very small percentage. It's like saying 'no-one uses Yahoo! mail' - relative to GMail and Outlook.com, it's use is vanisingly small these days, but I guaruntee that there is a not-insignificant number of mail originating from Yahoo domains.
Let's think higher than that. Let's just get rid of megacorporations: let's mandate that any company with more than amount of X employees should be broken down into smaller divisions, with a separate board and CEO, and make it that no one can be on more than one board at the same time.
Make X low enough, 250, and all of this would go away: no more corporatism, no more monopolies, no more special groups interests paying for government lobbying, no more abuse of power from a handful of companies...
Sure, it might seem appealing to do this now, but had this existed 20 years ago the convenience and pros of the Apple ecosystem wouldn't exist. You don't get the hardware+software experience that Apple provides. You'd get stuff like handoff (such as the handoff to Homepod functionality where you tap your phone to the top of it) maybe 10 years later when enough people finally get together to make a standard for it. Apple Silicon and the Rosetta translation layer never happens.
I never understood what the point of comments like this is. You know what you’re describing is never going to happen. So is it just philosophical musing about what the ideal society would look like?
Now I have a company that cannot compete at the scale some chinese company can. OK so we close the border to imports from companies that are larger than our rules. When has that ever worked out?
I use Safari as my daily driver on Mac because it syncs nicely with my iPhone and iPad (I don't see any point using a browser besides Safari on iOS/ipadOS), and is better on battery life. I also regularly use Chrome on Mac for things like front-end development.
I’m the opposite. The only reason I ever use chrome on my iPad to s because I need to use my password manager (since I use chrome for everything on my desktops). Even my non techie wife uses chrome on her MBP (and I didn’t set it up for her).
I know a few people who use safari on Mac. Either because they just don’t care enough to install another browser, or because they prefer the more “native Mac” look and feel.
I don’t use Mac, nor care what browser people use on it. I use safari on iOS because I too don’t care enough to install another browser.
It’s absolutely baffling that you could read my post as saying safari sucks or that people who use it are idiots.
Let me try to be more clear… there are two reasons someone uses Safari on macOS, in my experience:
1. They like it better. Usually, the reason they like it better is because it feels more “native Mac”. This term is in quotes because it’s not a technical term and my understanding of what it actually means is vague, but I by no means dispute that it’s real.
> Either because they just don’t care enough to install another browser
The way this is written implies to me you think they should install something else, but obviously they just don’t care.
Whenever there are discussions about Safari on hacker news they tend to be a lot of people who seem to have the opinion it should die and that anyone with a brain uses chrome.
Between your word choice and that seemingly common sentiment here that’s what I thought you were saying. I’m sorry if I misunderstood.
Why do you care about other peoples' opinion on a fricking browser? Did you write it to feel insulted?
I'm trying to understand the reason for the white knight HN commenters NPC reactions coming with their "stop insulting my favorite trillion dollar corporation".
I really like safari and have used it ever since the day it was released. It’s my favorite browser.
There’s a very common sentiment on HN and other technical places that safari is a serious problem that needs to be removed from the web so that things can be “better”.
That’s why I’m insulted. Not because someone is insulting Apple, do that all you want if they deserve it. Because I’m tired of people implying that the browser I like is shit because it’s not chrome and its only used because people have no choice or can’t figure out how to switch.
So you're feeling insulted because someone insulted your favorite browser made by a multi trillion dollar corporation? You need to get a life mate and stop shilling for mega corporations.
People are entitles to their own opinion regarding products. If they think it's shit, it's their opinion same how you're entitled to your own different opinion, no need to be Apple's unpaid white knight and froth at the mouth at everyone calling their stuff shit.
I do use safari on macOS, and edge on windows. What am I missing? I only use chrome when debugging web stuff because I’m more used to their web console and tooling, but I don’t see a need to use it as my main browser.
The EU's DMA is supposed to basically do this: break up gatekeepers and closed platforms for user choice.
Not every app needs to be compatible with every other app, though. There is a user base cutoff (and even then there is some room for interpretation) of 45 million users (10% of the EU population)/10k business users.
Negotiations aren't done yet, but it seems iMessage isn't popular enough to meet this cutoff. Alternatives like WhatsApp definitely are, though; I'm pretty sure that's exactly why Facebook is working on cross-platform messaging for WhatsApp: https://www.theverge.com/2023/9/10/23866912/whatsapp-cross-p...
This law doesn't just effect chat app developers: it also applies to app stores and other methods of digital gatekeeping.
That being said, Apple argues the app store for its iPads aren't popular enough to cross the threshold (they split up the iOS app store and the iPadOS app store in their statistics), so the impact of these requirements will depend on what specific iDevice you use.
An open source client for iMessage is going to be used for fraud and spam. Before this, a device being blocked by Apple because it was used for fraud or spam would increase the cost of business for fraudsters and spammers. But now it's a matter of picking a new phone number.
Of course Apple would try hard to stop this.
> It just makes you appear as a "blue bubble" to people who are on iMessage.
Received messages on iPhones show up as neither blue nor green. They always have a gray background. The blue and green bubbles are the colors of the messages sent by the iPhone users on their own phones. Recipients, on other iPhones, will see messages with a gray background regardless of whether it was sent with iMessage or SMS/MMS.
I am not in the position to judge that.
But reducing spam on iMessage is beneficial for Apple customers, and as a customer, I want Apple to be able to do that.
I’m in Asia, my phone number has been with me for almost a decade. I haven’t received spam in a blue bubble, only on SMS (green). Just want to give you a perspective in the other part of the world.
This are not just spam but most are sms phishing with links. We have poor, inadequate cyber laws, so we are glad Apple is doing its part sealing this off.
This is exactly why Signal closed their source code: if you allow access to your network, you're only accepting spam. For their users' security, it's essential that they must guard access to their network as much as possible.
I feel the need to get a bit pedantic here. I'm not trying to pick a fight; I truly hope it helps clear up a few things.
Signal is open source. It's a fair argument that they make it difficult to use servers other than theirs, and we can't be sure exactly what they run server-side, but their code is possible to fork and all that. Their licensing is clear. Even the choice of AGPL is significant here: they must provide the source for exactly what they run on their server.
Network access is orthogonal to source availability/openness. Closing source as a means to limit access is security through obscurity. Not to say that it wouldn't work, but we certainly wouldn't expect the Signal Foundation to take this approach.
The most significant measure Signal uses to manage access to their network has to do with the phone number requirement. That's an intentional choice on their part (arguably controversial, but I don't have an opinion about it).
I've never received a spam message from another Signal user... is this common for you (or anyone)? I think in all the years I've used Signal I've only received less than 5 spammy "message requests" that are quite obvious/easy to decline because I don't already have their phone number in my contacts. I've always had to first ask someone "hey, can we use Signal?" so I'm already expecting legitimate message requests when they arrive.
I was hoping the /s wasn't necessary, but just to be clear: my comment was entirely sarcastic. Signal has had its issues in terms of open source-ness (like that time they stopped publishing their code for quite some time) but the client and server are open source, and while they're not huge fans of alternative clients, they have designed their protocol so that it's practically impossible for them to refuse alternative clients, purely out of privacy considerations.
Now that Signal has usernames you can share, rather than phone numbers, I think the phone number decision is a lot less problematic.
Strangely enough, I did receive spam this week. Or at least I think I did, an account I didn't recognise with a profile picture of a woman I didn't recognise sent me "hi". This coincided with my first SMS spam of the year and spam on an email address I used for one specific company, so I guess they've been hacked and had their database dumped. Maybe I'm just lucky, but spam just isn't a problem for me.
This is what Snazzy Labs said about Beeper Mini... hilarious:
> This doesn't appear to be some easy thing Apple can just turn off.
> It will require a complete redesign of their entire authentication and delivery strategy for not just iMessage but Apple ID account access as a whole.
This is why people shouldn’t listen to tech YouTubers who don’t actually work in tech as engineers.
They’re tech fans, not experts but act like they know the domain space enough to make strong authoritative claims since that’s what gives them an audience.
I don’t know about you, but I’ve worked with plenty of “engineers” who can’t even properly read a stack trace. Not meaning to offend, most software developers are unable to reason about a system even as straightforward as a messaging client with accuracy, especially a closed source one.
True, but there’s a difference in seeing a random anonymous account parroting things and someone with a following pushing it.
Honestly many people here, myself too probably at points, tend to just repeat what they’ve heard elsewhere as fact. You can see it if you try and notice phrasing patterns repeating.
My real lesson is less that the internet is a shit show (it is though), and more that people like to take a very strong opinion as fact, over a more nuanced opinion that requires understanding of a topic.
Usually the correct course of action is to just... say nothing then ? Or at least take some caution. But hey, it makes for a less sensationalist headline. The thing is that trustworthiness is typically something you look for in a reviewer, clearly not something that can be found there.
Do sms/mms received from iMessage users on Android look anything in particular? Because a possible move for Google would be to reject them by default in some future version (hm hm, "security reasons"). End of "yes you're still in but you look like a cripple" and begin of "this app doesn't allow me to talk to that person, if I want to reach him I need to switch to something that supports Android".
SMS messaging is a feature of the mobile network, and they're sent directly from the device to the carrier SMSC without going through Apple's servers. You might be confusing iMessage with Messages. The former is a messaging platform, the latter is an app that can send messages either via iMessage or SMS (assuming a mobile device, or pairing with an iPhone).
SMS is handled by carriers, so google couldn't really block messages from iPhone users specifically. And that's not considering what an incredibly bad move it would be for them if they could somehow reject only iPhone texts.
Do the SMSes come straight from the other users' phones, or are they relayed via some Apple server?
> what an incredibly bad move it would be for them
I don't see it very different from Apple's choice to degrade arbitrarily the experience of messaging with android users. There are infinitely better alternatives to sms for private messaging, Google could say it's encouraging its users to move on them.
Apple is blocking 3rd party access to their own services. Google blocking access to messages delivered via an 3rd party isn't at all the same thing. And the optics of it would be incredibly bad for Google.
Anyway, look. If I had this issue (I don't since I live in Europe where everyone uses Whatsapp) that's what I would do: I would download an app that blocks SMSes from selected (known) numbers and auto-responds to them with a message like "SMSes from this number are blocked by the receiver - Please contact me on Whatsapp/ Telegram/ Signal".
As usual, Gruber was right on the money. Via Threads yesterday:
"My prediction is that Apple will make changes—fixing bugs and/or closing loopholes—that break Beeper Mini. It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.
It’s a very nice app, remarkably clever, and for now works like a charm, but if Apple wanted an iMessage client for Android they’d release an iMessage client for Android. Seems irresponsible for Beeper to charge a subscription for an unsupported service."
It looks to me like there is an advantageous business relationship between Beeper and their customers. As a general rule, Apple is free to change their programs and how they work. However, I think there’s a plausible argument for tortious interference here if the sole purpose was to prevent interoperability.
> The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means.
- From the National Association of Criminal Defense Lawyers
Other way around. If anything, it sounds to me like Beeper Mini was acting illegally by accessing Apple’s servers in a way they didn’t give permission for.
The CFAA is ripe for abuse. I’m not saying applying it here would be just or not, only that Apple likely wasn’t the one acting illegally.
Beeper mini includes a hosted service to receive APNS notifications (meant for Apple software)
So I would summarize it as the corporate entity connecting to an Apple API and using it in undocumented ways that they reverse engineered, intercepting messages meant only for Apple software, doing so without prior permission, for purpose to selling access to services which would normally be covered by an Apple EULA.
It is not quite like a smaller word processor wanting to be able to import Word documents - without tying into Apple's service, Beeper Mini has zero value.
I think that’s certainly an argument that Apple would make. However, it seems that this app was simply sending requests and receiving responses that there was no code injection or compromise of Apple servers, or of credentials, or anything of that sort.
It's also entirely possible that no law has been violated by anyone at all. What Beeper Mini did is probably not illegal. What Apple did in response is probably not illegal.
Not particularly relevant due to lawsuits involving game cheating, where the circumstances are very similar.
Beeper is lucky they weren't sued under the DMCA anti-circumvention clause, as they clearly were bypassing the technological measures Apple uses to prevent genuine devices from connecting to iMessage & Apple services.
I wonder if any of the encryption stuff Apple uses would give them an argument, like convincing their system to generate keys.
I think you’re likely right though. If they had such a claim I think their lawyers would have been on it instantly.
That’s why I mentioned the CFAA. Accessing servers without someone’s permission is the exact kind of thing people have gotten very stiff punishments for under the CFAA in the past. It’s basically the main reason I know the law exists, stories about peoples ridiculous punishments for relatively benign things.
Sure it’s useful for real things. I bet you can prosecute ransom under it. Or hacking to break into a rival company.
But it’s also great for when someone embarrasses a politician with stuff that they published on their own website and “something has to be done”.
That’s fair, but compare it to SMS. What if Apple blocked SMS messages sent via cellular carriers, which are also using their services (software on phones, etc.) Then suppose it wasn’t malicious SMS or spam, but legitimate messages sent using a competitor’s product (e.g. from all Samsung phones).
Maybe (or maybe not) plausible, but I think it's irrelevant, because there's no way a small company like Beeper could beat Apple's lawyers at this game. It will end up bankrupting Beeper long before it would even matter.
This is unfortunate, but not untrue. Even just going through discovery on this issue would be quite expensive — and would be critical to proving Beeper's case.
There's a bunch of reasons why this is unlikely to be tortious interference, but one of the obvious ones is the contractual Terms & Conditions that apply between Apple and its users; I doubt Beeper is liable here, but if interference was a thing, my bet (not a lawyer!) is that the liability would point the other direction.
My read of GP's comment was that the claim of tortious interference would be by Beeper against Apple (for interfering with Beeper's relationship with Beeper's customers).
Apple is not preventing anyone from downloading beeper, or giving beeper money, or running beeper software. They are exercising control over their own servers.
I agree. The obsession with "blue bubbles" is something I only hear about from tech writers. No one I communicate with in the real world has ever mentioned it. Supposedly teenagers care about this, but that seems like a poor basis for anti-trust action.
At the same time, I miss the era of rich third party client ecosystems for things like AIM or MSN messenger. Blocking interoperability is a bummer for innovation.
Android vs iPhone is definitely a thing people in their 20s and 30s even use to judge others. I have polled quite a few family/friends, and it is near unanimous that it is a dealbreaker in dating, mostly because they assume there is a higher likelihood they will not mesh with the type of person the non iPhone user is.
>but that seems like a poor basis for anti-trust action.
Apple would claim that you pay for the iMessage service as part of the purchase price of hardware and software. From this perspective it's not blocking interoperability, it's blocking theft.
Whether that argument holds is for governments and courts to decide, ultimately.
My understanding of tortious interference is that it is broader than actually preventing others from using a service. Even just saying things to dissuade them from doing business with a company can qualify.
Yes. And I'm saying, were this a live issue (I don't think it is), the graver liability might be for Beeper interfering with Apple's contracts with its users.
In what way would Beeper's action cause Apple's customers to breach a contract with Apple? I would think most of the people who would purchase a service like this would be Android users, not iPhone users. Some of them might own Macs, but what would be the contract that the user would be breaching that would result in damage to Apple?
So your thinking is that these end-users have signed some sort of agreement with Apple, and that agreement says they won't use any unauthorized services to connect to Apple servers, or some such thing?
There’s certainly a contract there, but it’s not obvious how a customers compliance the terms and obligations create a profit for Apple. I think most outside observers would generally assume that Apple‘s profits come from the payments the customers make to Apple, when purchasing devices or making subscriptions. After all, the only people subject to, and breaching the terms of service are Apple customers who did pay for their phones, etc..
Not sure why this is getting downvoted – IAAL and this is definitely something worth considering. This particular type of law varies from state to state, and can be quite broad. I've talked with other lawyers about it in the past, and my understanding is that it's frequently asserted when companies make counterclaims in business litigation.
That doesn't mean it's a sure winner, just that it's a live question until more info is known. I imagine Apple would say they need to tighten up any parts of their system that could allow for spoofing or other security issues, and that was their 'legitimate' reason to make these changes.
I’m not a lawyer, but I do know how computers work. I’d bet the farm on the very safe assumption that any protocol change that blocks a third-party client at the very least can plausibly be claimed to be in service of security, and most likely be a legitimate claim in reality. It is probably being downvoted because it’s incredibly far-fetched.
I agree that this would be their argument. But as other commenters mention, this area could be a minefield for Apple due to their dominance in various markets. It's possible they wouldn't want to get sucked into a lawsuit about this, even if they thought they could win, since they might end up making statements that would have a larger detrimental effects in other cases/potential cases.
I think most or all states recognize that the defendant’s actions must not be justified or privileged. It’s hard to imagine how Beeper would meet that element on these facts.
How are you going to make a case for tortious interference when the would be interferee is profiting by using the interferer’s resources without payment?
From beepers website, there’s no use of apples servers when iMessages are sent from a beeper user to a beeper user. Rather, they only pass through Apple when sent to an iPhone user and in that case it’s the iPhone user that’s utilizing apples resources. And in that case there’s an Apple device owner, who is paid for the right to use iMessage servers.
I heard/saw quite a few people saying Apple either couldn't or wouldn't cut them off—and that even if they did, it would take a while. They were ridiculous takes, yes, but apparently made in earnest.
There were a lot! Usually taking the form of: 1. They’ll have to do a major update to iMessage, 2. But what about Hackintosh?, or 3. EU regulators will stop it
>It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.
I don't follow this logic at all. Shouldn't supporting thirdparty clients be desirable if security is a primary feature in the interest of transparency? Especially if the reference client is proprietary and undocumented.
This would be the case if it were a protocol designed to be opened up for use by 3rd party clients. As it stands, this was a clever hack which would undermine the integrity of the system if left in place. Within a few weeks we’d see 100 3rd party iMessage clients, and it would be luck of the draw if the one someone downloads is secure or not.
The system wasn't designed with those 3rd party clients, and security around them, in mind. Beeper Mini is spoofing/reusing device IDs, pretending to be some random person's Mac, for example. True support for 3rd party clients wouldn't not require this kind of thing.
From what I understand Beeper Mini is interfacing with iMessage on-device, what's to stop another clients from using a server and intercepting messages? While I don't have time to look it up again, I think there was also something on how Beeper Mini is handling the push notifications when the app isn't open. While that may not leak a lot of information, and there is also the news of Apple/Google sharing push info with some governments, that's something that can at least raise some eyebrows when it comes to how private it is.
> The system wasn't designed with those 3rd party clients, and security around them, in mind.
It sure as heck better have been designed with that in mind, because it sends SMS messages to uncontrolled 3rd party clients that could be stealing your information or spying on push notifications every single time you message an Android user.
I genuinely don't understand this argument. Do people think that SMS messages don't generate push notifications? Does Apple have a 1st-party SMS messenger available on Android that I'm not aware of? You're already communicating with 3rd-party clients that could be spying on you, and you're already receiving messages from those clients in the iMessage app. The biggest difference is that your messages with those clients today are fully unencrypted, so spying on them doesn't even require compromising an app.
It's weird for people to be so concerned about push notifications as if that's a decrease in security when the alternative system they're proposing is for iOS messages to be sent to Android devices fully unencrypted. Apple/Google can share all of that information with the government as well; if they're not being asked to it's only because the government can get it even more easily directly from the telcos.
There is no iMessage app. There is a Messages app that implements two systems: iMessage and SMS/MMS. iMessage is the system whose security model is being discussed here, and the security model of SMS/MMS is mostly irrelevant to it.
This is splitting straws; the overwhelming majority of Apple users don't make this distinction (if they even realize there is a distinction to make). For all practical purposes they use one app that lets them talk to their friends and some of the bubbles are green and some are blue. How many of those Apple users even realize that the green bubbles are unencrypted rather than just being a designation for Android contacts?
It also changes nothing about my comment, because you can call SMS a different system all you want, but your conversations with Android users are still being sent unencrypted and any malicious payloads you get from SMS phones are still being loaded into the same Messages app. If you're worried that a 3rd-party client on Android is going to let a company spy on conversations you're having with Android users, then I still have real bad news for you about how Apple sends messages to Android users.
Draw the lines however you want between Messages and iMessages, but the security implications of Apple's setup are exactly the same. When you write a message to an Android contact, Apple sends that message unencrypted to a 3rd-party client that could by spying on you, leaking your data, or sending malicious payloads to your iOS Messages app. It still makes no sense whatsoever to be this concerned about the security of the push notifications for your messages to Android users when the alternative being proposed is to throw security entirely out of the window for those conversations. It is still a clear security improvement for conversations between Apple and Android users to be E2EE rather than to be sent over SMS, because the risks being raised about 3rd-party messaging clients are already present within those conversations today.
If the existence of a working unsanctioned client undermines the integrity of a system as prominent and security- and privacy-focused as iMessage proclaims to be, then that system has big problems.
Certainly this is not the first time some entity in the world has reverse-engineered iMessage; it's just the first time that it was publicized.
This is also notable, because the technology that Beeper Mini is based on was public and available to potential attackers before Beeper Mini launched. Beeper didn't invent this, they contracted the developer and based the project off of their open Github repository.
Apple did leave the hole open; they left it open until it threatened their customer lock-in. Only at that point did they decide that it was a security risk.
Third party clients offer many more cases for average users to lose their security, because you can’t prevent malicious actors from releasing “SuperMessengerSecure” that just mirrors everything off to a server somewhere.
No. This is an entirely self-centred view. The only people that equate this sort of transparency with genuine security are computer nerds. These tend to be the sorts of people that don’t sit very highly on my internal list of “people who stand to benefit the most from increased privacy measures”. For…literally every other member of society, this sort of implementation detail doesn’t mean anything^. They hear some (from their perspective) very abstract words like ‘open’, and all that means is that they’re trusting some league of computer nerds to tell them that something is ‘secure’. This is somehow meant to be more convincing than Apple, who, to most people, is at the very least another mob of computer nerds, but in reality also happen to have a pretty good track record of making phones that seem to work alright for people.
Beyond optics, let’s just look at attack surface. The implication that the sort of security holes that “openness” would fix are anywhere near the top of the list is…where’s that xkcd about cryptography and crowbars? It’s very clearly in the realm of nerdy cosplay. You know what is* a much more realistic threat? Some stupid third-party client on the Play store that exfiltrates all messages sent and received. Apple has absolutely no control over that. No protocol security accounts for that.
> You know what is a much more realistic threat? Some stupid third-party client on the Play store that exfiltrates all messages sent and received.
One way to avoid that outcome would be to have a first-party client on the Play store.
Instead, Apple drops all message security entirely from cross-platform communications for iOS users, allowing anyone to read those messages whether or not they have a crowbar. This is security 101: users do dangerous crap when the secure options don't have affordances for their use-cases. Users are lazy. If an official 1st-party secure client exists that meets their needs, they won't install a 3rd-party client. Users resort to dangerous and unsupported options when the safe, obvious options either don't work or aren't available.
And thankfully, we now know that it would be entirely possible for Apple to fix that problem and to move its own users off of SMS for communication with Android contacts, and we know that because a 16 year-old high-schooler was able to build that support with zero documentation. Presumably Apple is capable of doing the work of a 16 year-old. We now know that it would in fact be entirely possible for Apple using a 1st-party controlled, proprietary client with a proprietary protocol, to encrypt virtually every message that Apple users send to every one of their contacts, rather than what Apple does today where it encrypts... some of them.
None of this requires Apple to Open Source anything or to document or make available any of their protocols. The only reason Apple is in this position right now of needing to deal with 3rd-party clients is because of a lack of support from their 1st-party client.
> Instead, Apple drops all message security entirely from cross-platform communications for iOS users, allowing anyone to read those messages whether or not they have a crowbar.
I think that's my biggest gripe with the situation. Or my second-biggest. My biggest gripe is that the only notification that your messages are now not end-to-end encrypted is the green bubble. They don't tell you anywhere that the green bubble (also) means that.
No need for transparency here. Just know that no one has broken the encryption is all you need. Also you likely will not know if beeper sends a copy of your messages to their servers to sell, but who would you trust more won’t sell your info, beeper or Apple?
The first half definitely made me think sarcasm, then the second half... I mean I know some people actually believe this... Then I noticed you said "encryption" instead of "protocol". Breaking an encryption standard is obviously very hard, breaking a protocol is obviously not nearly so hard.
On the other hand, taking this stance would be insane given the post we're talking about. A company that actively circumvented apples security measures. So you must be being sarcastic. You just have to be.
Remember, on the internet it's kinda hard to tell. Make sure to throw in a /s unless you really REALLY sell it.
I wasn’t being sarcastic, I mean you do know there exist closed source for a reason whatever that is. For Apple to open their protocol would mean your messages sent to 3rd party clients, which means they could sell your messages for ad targeting or worse.
When Apple sends messages via SMS, they are sending your messages to 3rd party clients who could sell your messages for ad targeting or worse. Apple already does this. They already send your messages to random clients who could be spying on you.
It's just that in addition to sending your messages to 3rd party clients that could be stealing the data, Apple goes the extra step to make it even more insecure and also sends your messages completely unencrypted, so that everybody along the path from your device to the 3rd-party client can join in and also read your messages and can also use them for ad targeting or worse.
I'll make the argument that this is strictly worse for security than tolerating an encrypted 3rd-party client (or better, releasing their own 1st-party client rather than relying on SMS).
But Apple doesn't have to use it. They could release a messaging app for Android that used their own encryption, and they could encourage Android users to switch. But they don't do that, because distinguishing between Android and iOS users is ultimately more important to Apple than securing the conversations that Apple users have.
If RCS is garbage (and it is) then it is extremely weird that Apple has committed to supporting RCS for cross-platform messages instead of encouraging adoption of what would be a superior form of encryption for those conversations.
What you have to ask is, if you are an Apple user, why isn't Apple trying to encrypt every message that you send? Why are they asking you to use a garbage protocol when you send messages to Android users?
> yeah can’t imagine why apple doesn’t use it
Really, this statement should be reversed, it's difficult to imagine why Apple is planning to use RCS. Why is Apple more willing to implement a garbage protocol than they are willing to release a messaging app for Android?
What's untenable is that the third party software is unsanctioned. You can make the argument that it would be a good or better system with third party clients, or that Apple should open the system up, but it is ridiculous that anyone would trust a client/integration that depended on some kind of hack (regardless of the nature of that hack--such as whether it's decrypting and proxying or getting into the ecosystem in a "secure" way)
They are planning RCS support. They've said nothing about how that will look in the app, it's not a given that will be in blue bubbles or fully feature complete with iMessage
Even better, and not surprising at all. I was kind of surprised that everyone just assumed RCS would get the blue bubble treatment when Apple made their announcement.
I didn't compromise the security of iMessage as a whole, it just exploited a way to get people into the system that was not planned.
Imagine there is a theme park that has normal ticket booths and some requirements there to get in. Then there comes a Beeper that finds a hole in the fence on the perimeter and sets up their ticket booths there. It's in theme park's best interest to close that hole and cut off the revenue stream of somebody pigging back on their theme park.
Except they charge a thousand dollars to enter and then let everyone else in for free but they have to wear a badge and the pictures they get from the roller coaster photo booth are 240p.
And no one is obligated to come to the Theme park. There's an entire world of people who never visit the theme park, mock the people who do, and couldn't care less about it. But some people want to be included as going to the park, when they don't. Some people are very judgy and don't want to talk to people who don't go to the park...
Easy to be right on the money here. This is the default MO. Regardless of if you are paying for it or are licensed or are doing it despite the tech giant whose toe you are tickling. Twitter API springs to mind.
His first sentence about privacy and security is nonsense, but his second sentence hits the nail on the head.
If the richest company in the world wanted their chat app to run on Android, it would by now.
It's strange Apple doesn't sell an iMessage Android app, but I'm sure they've had somebody do the math and found out that it's more money for Apple in the long run if they don't.
you’re talking to a forum that is probably 50% iPhone and has very good technical reasons to do so, this is insulting and it’s absurd that it’s so casually normalized to directly insult people in this fashion
How did you manage to take this as a personal insult? Some people buy an iPhone for the blue bubble, some have what they believe to be good technical reasons to buy one, some people like the aesthetics, some people buy one out of habit. Stating that each category exists is not an insult to those who fall outside it.
> How did you manage to take this as a personal insult?
years and years of "apple sheeple" variants tend to take their toll, you're just the latest in an endless parade of microaggressions even if you don't think your particular case was notable.
why is it so important for you to push on the idea apple users being thoughtless trend-followers? just don't do that, be better. you can do it. the next time you feel like posting that, simply take a deep breath and don't post it.
there is just no reason to go around posting that "[device that 50% of people own] users are all doing it for [trite/dismissive reason]" in the first place, let alone on a tech forum where everyone has very specific reasons for their tech purchases. and it's so completely normalized, android users do it so routinely and don't even think that what they are saying is offensive. it's literally the classic microaggression problem.
> on a tech forum where everyone has very specific reasons for their tech purchases
Thats a very funny statement. From my experience tech people in general are the ones falling for vanity, fashion, dogmas etc. most often while claiming some "practical" reasons
It's a socioeconomic indicator for high status, and it would be foolish to ignore that as part of Apple's strategy.
Android doesn't suffer from that kind of complaint because it's often perceived as the opposite: a socioeconomic indicator for low status. It's socially acceptable to mock people for choosing high socioeconomic indicators, but not low socioeconomic indicators.
"You only bought that because you're rich" has a very different ring than "you only bought that because you're poor".
That perception of low vs high indicators is somewhat wrong (high-end Android phones cost more than the latest iPhone, used iPhones are pretty affordable) but it is the perception.
the american consumer punches far above its weight. apple cares and goes to great lengths to wall imessage. See the article linked in this post for instance
Completely agreed about the nonsensical first claim. We have many third-party clients for other messaging platforms where privacy and security are a primary feature. It's completely tenable, especially for a player like Apple.
Or put another way: If the privacy and security of imessage is compromised by someone building another client, I'd argue that you never had either to begin with.
> Completely agreed about the nonsensical first claim. We have many third-party clients for other messaging platforms where privacy and security are a primary feature.
I can't think of an any with independent implementations.
For instance, have a few third party Signal clients, which work by using the official libSignal . These are not third party clients, but third party GUIs. Use of libSignal on the official Signal network is also not supported or recommended.
Likewise, all the third-party Telegram clients I know of are forks using Telegram source.
This makes sense, because neither of these are stable systems. A third party has to stay up-to-date with features and changes made to the official servers and clients.
Do you know of a security and privacy focused messaging platform which is both:
1. documented
2. has multiple independent implementations of the networking and security protocols?
I suppose it is determined by where you set the bar, even more so with privacy which still varies person-to-person and can sometimes take a qualitative feel.
Security wise, there is interesting work adopting MLS (and I believe key transparency) under Matrix, see https://arewemlsyet.com for example.
Look no further than blackberry... Their days were always numbered as the only reason to keep it is the messaging (and a bit the keyboard).
Another theme here is BBM (Bloomberg Messaging). People/Companies pay BB five figures per year just to get BBM. Why would they ever release a messaging app outside of the terminal. They will die before this happens.
> It's strange Apple doesn't sell an iMessage Android app
Apple doesn’t sell apps they sell hardware and services. There’s no incentive for them to provide a free iMessage app for android, and I doubt many people would pay for one.
> Seems irresponsible for Beeper to charge a subscription for an unsupported service.
Completely wrong. It's a job-seeking ad. “Look, I'm ruthless enough to fuck over users who buy this bogus subscription.” Which SV startup wouldn't pay millions for a crook of that caliber?
> It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.
What a stupid take on the situation. At most it's untenable to Apples short term financial interests. A well designed protocol and implementation would be even better at protecting user privacy and security especially from a privileged attacker like the service provider and anyone able to put covert pressure on them.
The only way in which vendor lock-in helps the the existing users is that spammers and scammers have to invest additional money to acquire Apple devices to create new accounts instead of just phone numbers and a labor to create accounts.
yes, you can indeed build a secure system on the basis of increasing the economic cost of attack beyond reasonable levels and by forcing attackers to repeatedly slash their stake to perform an attack
On the money, but unsurprising. Gruber is an Apple fan-boy through and through and it doesn't take much of a guess to posit the exact "prediction" he made. It was clear Apple was never going to put up with this, but it was likely accelerated by all of the media attention.
Apple is, however, nothing for "privacy and security" beyond what they need to do to be marginally better, and that's a stretch these days. If Gruber really believes what he wrote he's full-on living in Apple's orchard behind the walled garden that Tim Cook splendidly gatekeeps. But because Apple puts marketing dollars behind ads that say "privacy" and "security" it must be so!
This is why it's always funny to me when the trope of the hour is the mass privacy failures of Signal through use of phone numbers. And then the author turns around and types out an iMessage to a blue-bubble friend. I really hope we can move beyond the Apple reality distortion machine and move to truly user focused platforms that aren't designed to steal user data or make the board richer.
This is amazing. Truly a labor of love.
Kudos to you for accomplishing this, and then polishing it to perfection. Good on you to withhold it, as proved again today. I’m so glad that I finally left the Apple ecosystem.
Your article was the first I thought of when Beeper Mini was released. I knew it had already been done by you and never saw the light of day for a reason!
> "if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?" - Eric Migicovsky
1. If Apple sees this as a gap, it is very obvious that they would address that themselves, rather than by allowing a hack to exploit loopholes in their architecture
2. Since Apple has no control over the Beeper mini client, they would not consider it safe, it could easily be spying on users without their knowledge.
> 2. Since Apple has no control over the Beeper mini client, they would not consider it safe, it could easily be spying on users without their knowledge.
Since I have no control over iMessage, I would not consider it safe. It could easily be spying on me without my knowledge.
The basic assumption here is trusting Apple, provided that numerous security researchers have access to the platform. If you don't trust Apple, don't buy their products.
"they would not consider it safe" is from Apple's perspective, which is the only thing that matters when Apple is the steward of legally and technically enforcing who can use their APIs.
Sure. They have every right to do what they're doing. I'm just mocking Apple because I think their implication that they're the only trustworthy entity is ridiculous. We have no reason to trust them any more than we do Beeper or any other company.
If Apple actually cared about security they'd implement an open protocol that is provably secure. Imagine if they supported something like Matrix. But that's clearly not their primary concern here. It's just a convenient excuse to maintain their walled garden.
As very recently made evident, Signal spends a significant amount of money maintaining their phone-number-bound infrastructure, with an entirely plausible, reasonable, user-focused reason for doing so. As a Signal user, and donator, I’m 100% okay with the trade-off they’ve made, and would hate to see it reversed just to appeal to some nerdy pipe-dream for how services should work.
> As very recently made evident, Signal spends a significant amount of money maintaining their phone-number-bound infrastructure, with an entirely plausible, reasonable, user-focused reason for doing so.
If there is some recent revelation that makes phone numbers all of a sudden a secure, portable and censorship-resistant identifier please link me that.
Until then I'd prefer to not have my private communication determined by telephone companies that often have not cared for either security, censorship or privacy. Regardless of signals e2e encryption having my access to the network determined by a telephone company is not the right way to go.
I'll continue to restate the thing that made me immediately quit Signal forever - I made an account, and 10 minutes later, it had alerted someone I hadn't talked to in years that I had an account, simply because they had my phone number at some point in the past, and they messaged me.
For a nominally privacy focused app, for them to literally alert people to my new Signal account I'd gotten to securely message someone violated all trust I had in them. What's to stop someone from just adding a Contact for every single valid phone number on their phone and then getting an alert for any time anyone makes a Signal account? I may as well just use Facebook then.
As pointed out below, "they" is Apple, but I would also assume that at least 99.9% (really) of users would trust Apple more than Beeper, i they had to choose.
If you don’t trust Apple, then obviously you don’t use it. If you do, then it shouldn't be possible for a 3rd party client to break that trust. Users only see iMessage vs no-iMessage and have no other way to identify the client to decide for themselves whether to trust it.
Because they’ve proven to be the most trustworthy and if you can’t trust the manufacturer of the device and OS you also can’t trust any app running on said hardware.
> A correctly implemented end-to-end encrypted protocol would be safe for all participating clients.
As long as the clients are closed source, this is a circular argument. The client itself is a vector. Not just for a good E2E implementation but for the 3rd party company to not outright steal everyone’s messages, create a backdoor, etc. You have to be willing to trust every client used in the thread.
This is tantamount to saying we should only trust open source software. If that’s your point, then you lost me. If not, then it’s obvious that some companies are more trustworthy than others. (P.S. the many active exploits found in core low level open source software after months or years because despite the source being open almost no one audits it because they’re cheap and/or assume someone else is doing it)
I don't actually think it's that unreasonable. Apple has broken people's trust many times and come out just fine in the end because they are a huge company with many products participating in many markets. A small company like Beeper is dependent on a small user base and a significant breach of trust could easily spell the end for them.
That said, I don't personally trust either of them. When it comes to matters of security, I prefer open protocols which can be proven to be secure over pinky swears from companies.
Trust is generally something you build and lose, rather than something you are given by default. That reputation can be a massive asset or liability.
The level of trust I currently give in Beeper is that identity verification happened such that someone could potentially be prosecuted for abuses after-the-fact.
They have not built up a reputation, and in the face of potential scams or privacy abuses their reputation may not be as valuable as the user information they can gain access to.
Small incidents can cause significant reputation harm to Apple, and those equate to billions of dollars lost in corporate value.
Even the recent notification monitoring announcement harms their reputation, where the government itself mandated non-transparency. (For this reason, I somewhat expect they are trying to design an oblivious notification system, where role separation prevents a single intermediary from knowing both where a notification is from and where it is going to.)
Apple has done plenty to lose my trust, and very little to build it. But that's not really the subject at hand, though I do see where word choice is misleading here.
You just brought up a better word: "liability". I'll go one step further: "attack surface".
When it comes to security in software, we don't need to work with many unknowns. The unknowns we do work with are the attack surface. By presenting a greater domain of unknown behavior, closed source software effectively presents me (the user) a larger attack surface. Sure, I could trust that the extra attack surface is actually covered; but I can't know. With open source, I don't have to trust, because I can know instead.
If I am to choose between open and closed source software, then I am choosing between knowledge and trust. That is a completely different position than choosing between closed and closed: trust vs. trust. So long as any securely-designed open-source messaging app exists, iMessage is at a disadvantage in end-user security. Even if Apple can know for certain that iMessage's attack surface is not larger than an open-source alternative, we the users can't. Closed source software will always present a higher demand for trust.
> Since I have no control over iMessage, I would not consider it safe.
Generally fair assumption. There's been some research (both positive and negative) around their E2EE claims, though AFAIK much of what's known about iMessage's E2EE guts has been learned through unofficial means. I think that for the vast majority of users, iMessage is probably safe enough.
As a user, you have the agency to choose a messenger app that better suits your privacy/convenience balance, though in fairness, I think even among users who care about privacy, many don't know how to judge privacy features and implementation details well.
Like others in this thread, I personally recommend Signal. It's widely available, easily usable, has been audited and researched a fair bit, and though it doesn't have a self-hosted option, it does have white papers out about its protocol which IMO are worth a read.
If I'm expected to believe a messaging app is secure, the first thing I want is an open protocol. An open source client would be nice too, but honestly I'm fine with just the protocol.
I do not need to have had a hand in developing any of this. It's not my expertise and, like you, I'd feel more comfortable having it developed by the experts.
(1) is exactly what that quote is pointing out. If Apple actually cared about its users' security, they would see this as a gap, and would have addressed it already. The fact that they haven't means that, despite all their posturing about being a security-first platform, they care more about lock-in and marketing than they do about user security.
It's a pretty indirect gap, since it has nothing to do with Apple's infrastructure, it's about users choosing to interact with users of non-Apple platforms using insecure means. There are dozens of secure cross-platform messenger apps that they could be using, and SMS is a legacy technology.
Putting aside that I count at least two glaring examples from this list[^1] in your reply, I suspect Apple would argue that it is in fact _solely_ preoccupied with its users' security: that's why iMessage is end to end encrypted and Apple does not offer 2FA / OTPs via SMS. Apple does not generally try to mitigate security issues which are beyond its control (e.g. non-Apple devices, protocols).
Last time I checked, Apple still used security questions any hacker can get answers to on Facebook. I'm not all that confident about Apple's approach to account security.
Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.
Apple chooses not to, and it's their choice, of course. It doesn't care about the privacy of it's non-users, and it doesn't care about the privacy of its users when they communicate with non-users. From what I can tell, it only cares if you stay within the Apple bubble.
Those security questions are now very much optional. I made sure to lock down my Apple account. If I lose either my password or access to all my devices, the only thing that can unlock my account is a long printed code or permission from a trusted family member. My account no longer has security questions.
Apple is doing it optionally because they're trying to balance two opposing forces here: helping its users access a locked account, and giving users tightly locked accounts.
My points are narrowly related to the parent's assertion that Apple preventing Beeper Mini interoperability / allowing SMS is evidence of their convictions relating to privacy being hokum, but since you're not one of those 3 month old accounts I see making specious arguments…
> Last time I checked, Apple still used security questions any hacker can get answers to on Facebook.
Apple's default for a number of years has been to use trusted devices IIRC. Their kb article on resetting a forgotten Apple ID password even suggests that it's better to wait until you're back with a trusted device than to immediately try to reset without one, suggesting that the process is somewhat intensive and perhaps subject to human review? I just kicked it off online and the first question _is_ to confirm an obfuscated cell phone number, but I can't imagine that after that it's mother's maiden name dreck?
> Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.
Which would thus expose them to security weaknesses of a device and OS they do not control, and potentially expose iPhone and iOS customers to increased risk should an Android iMessage user's phone have malware, or screen scraping, or keylogging, etc.
> Apple chooses not to, and it's their choice, of course. It doesn't care about the privacy of it's non-users, and it doesn't care about the privacy of its users when they communicate with non-users. From what I can tell, it only cares if you stay within the Apple bubble.
Nail on the head, but I do think that folks overstate the simplicity with which Apple could provide a comparably secure iMessage experience on Android.
Last time I checked, Apple still used security questions any hacker can get answers to on Facebook.
Check again.
I recently reset a forgotten iTunes password. This required:
- An email verification
- An SMS verification
- A verification code sent to another device on the account
- A ten-day wait
- Another second device verification
That's 5FA authentication just to reset a password.
The days of answering personal trivia questions to reset passwords are long gone.
> Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.
I'm surprised I haven't seen this mentioned more. They could even make a green (or whatever colour they wish) iMessage bubble to denote that it is not from an Apple device. Seems like it solves all the problems people present with E2EE/iMessage with Android interop.
On the issue of spam, which I feel is just grasping at straws, You could allow blocking unknown non-Apple iMessages by default. Unless I am mistaken, this really only leaves the walled-garden as the thing that stops Apple from implementing something like this.
In fact, you could even only allow Android iMessage conversations that include at least one genuine Apple device. This combats the argument that they shouldn't have to give resources away to Android users for free. This would be added-value to their own customers by providing more streamlined messaging with their Android contacts. Such as situations where group chats are forced to swap to MMS for a single Android user, sending pictures/video to a friend, etc.
They do offer 2FA via SMS. This is AFAIK the ONLY option for Android/non-Mac users. Why are those users less deserving of decent security? Apple still sells and offers services outside their platforms, so they're still customers potentially with hundreds or thousands of dollars worth of purchases and CCs attached. FFS Nintendo has better 2FA options than Apple for non-Apple platforms.
This is like making a car where the airbags only deploy if you hit another car of the same brand.
Sure, if this car is super safe it may be better if both you and the other driver both had it. But it is clearly better to have airbags, even if the other car is less safe than it could be if it was from the first-party brand.
It is one thing to not try to mitigate security issues outside their control and another thing to remove possible security because you don't control it entirely.
A third party client in iMessage allows for spam attacks, and (worse) malicious payload attacks. It’s very much in the interests of security that Apple fence them out.
Of course, this is a hard problem. I'm not saying Apple is bad at security, many good messaging platforms run into these kinds of problems. But the way you fix these problems (and the way Apple in fact did fix the bugs above) was through patching their own software, not by trying to control what attackers can send.
If security researches can send a malicious payload attack that compromises iMessage, the solution is not to make sure they can't send that payload (which would be impossible to guarantee anyway), the solution is to patch iMessage to no longer be vulnerable to that payload attack.
One hopes that the only thing preventing your iMessage client from being compromised is not whether or not the attacker has a spare $1,000 lying around.
Regardless, when a buffer overflow happens, it's not reasonable to say, "well, we'll just make sure nobody sends us badly formatted or maliciously formatted data. As long as only iPhone users can send us data then we can trust it."
The actual solution is to make the client/server not be vulnerable to malicious payloads that would cause a buffer overflow. Whether you do that by patching bugs individually or switching to a memory safe language, or whatever strategy is used -- "don't send our messaging platform bad data" isn't a security fix.
On macOS iMessage is scriptable in various ways (both officially supported and unsupported), so the security argument doesn't hold water to me. It's a business decision.
Since apple has no control over your fire extinguisher, they sent a man to securely take it from your house and dispose of it. It could have been a bomb for all you know.
Do you really consider Apple's control over a proprietary protocol which they invented and maintain to be comparable to a scenario in which Apple "sends a man" to take "your fire extinguisher […] from your house"?
I've re-written this comment five or six times in an attempt to find the most charitable interpretation, but I just cannot comprehend how it made it through your filter and out onto the internet.
Yeah anything that's not E2E encrypted is pretty useless for privacy/security these days. Might as well just use DMs on reddit, twitter, etc if you don't care about E2E
Aren't most protocols proprietary? Every app builds their own on top of standard protocols like HTTP, TLS, and IP. Not all services are hostile to third party clients though
well, there's proprietary in the sense of "not a standard" and proprietary in the sense of "no one else can make software that uses this protocol". the latter is very weird if you think about it.
Eh not really that weird. Consider how Microsoft repeatedly reverse engineered AOL for compatibility reasons and AOL actively blocked their efforts with every update: https://youtu.be/w-7PjunSxLU
Stuff like this happens all the time and the internet has always been like this. I'm sure older users will remember even older examples
It's not a super serious comment, it's more about how ridiculous the tone of "We are doing this for YOUR protection" would be.
On a more serious note though, in the end Apple absolutely has the power of increasing everyone's capability and security by doing something like setting up a playbook of how iMessage could just use Signal protocol and how other actors could join in, or really anything else but doing this.
> It's not a super serious comment, it's more about how ridiculous the tone of "We are doing this for YOUR protection" would be.
Right now I can presume a basic level of device security across all iMessage threads I have. Beeper deranges that: E2EE is still there, but Beeper exposes my correspondence to device security weaknesses from other OEMs, malware, keyloggers, screen scrapers, etc. as a result of lax app marketplace security & privacy.
It seems to me to be entirely disingenuous to suggest that Beeper increases security: in fact, the opposite is true.
> in the end Apple absolutely has the power of increasing everyone's capability and security by doing something like setting up a playbook of how iMessage could just use Signal protocol and how other actors could join in, or really anything else but doing this.
I don't see why any company should be denigrated for not helping the users of another competing platform, particularly when doing so likely comes at the cost of increasing the risk to its own users.
In addition to explicitly prohibiting it as a violation of the iPhone EULA, Apple goes to extraordinary lengths to close the exploits which allow jailbreaking. Apple doesn't just block iMessage on rooted phones, it tries to prevent jailbreaking outright.
If more users are sending encrypted messages over APNS instead of SMS (remember, SMS is effectively unencrypted plaintext), that sounds like the definition of "more security".
Hmmming and hawing over "OEMs... and ...lax app marketplace security" seems like quite a high bar to hold, a bar so high it ceases to be useful. Remember, iPhone users can disable passwords on their iPhone entirely; if that's not something you ever worry about, then worrying about a minority of OEM's seems like mere pretext to keep your comfy walled garden all to yourself.
The whole underlying point is that Apple will do anything to virtue signal when in reality they are making a decision on improving their profit regardless if it decreases security of its customers and other people. It is undeniable and silly to argue against.
> they are making a decision on improving their profit
Speculative, and "improving their profit" is clumsy enough vocabulary that it's a red flag on continuing to discuss this with you.
> regardless if it decreases security of its customers and other people
The plurality of countervailing perspectives in this thread – which you have failed to address or refute, as far as I can tell – ought to indicate to you that it is arguable that Apple's decision in this case increases security of its customers.
You know, one doesn't really even need to read the whole of your comment to know your way of "debating" is dead in the water. Take the argument as a whole. "Isolating" parts of it just makes you look like you're debating for flat earth or the like lol. "Red flag" rofl grammar police
My point stays exactly the same. You haven't said anything real against it.
> a basic level of device security across all iMessage threads I have
Is that really true though? Jailbroken phones, iMessage may still work. Any device security gets thrown out the window.
You also can't expect everyone to have an Apple device for security, which we've seen time and time again SS7 being weak - So is the requirement to remove SS7, for everyone to jump on the Apple train?
I see Beeper as doing Apple a service, not so much a competing platform, but a gateway to the iMessage ecosystem - 'Hey, this would be pretty cool to use without this app and have it native' vs the 'Only Apple devices can use this.'
> Apple closes exploits which allow jailbreaking, precludes it in the EULA. What more would you have them do?
Preventing jailbreaking is not a good thing, in part since that's what allows us to check on what Apple is doing on the device, in regards to privacy, security and e2e encryption. If nobody can check, do you suppose we just accept their statements about the device as fact?
> comes at the cost of increasing the risk to its own users.
iMessage using SMS to communicate with Android devices increases the risk to iOS users. Apple customers are still Apple customers when they communicate with Android users.
Every risk you describe is still present in the current implementation of iMessage when communicating with Android users, except the risks are much greater because SMS is much easier to exploit and intercept than an E2EE protocol would be.
A message platform that forces Apple users to use an insecure protocol when communicating with Android users decreases the security and privacy of Apple users.
So even an imperfect implementation of real E2EE between Apple and Android users, even with all the risks you describe above, is still an improvement in security over what we have right now: a situation where Apple forces iMessage users to use to what is quite possibly the least secure communication method possible when communicating with their friends and family in different ecosystems.
It's not necessarily about helping the users of another competing platform, Apple users who are using normal iPhones are sending unencrypted and unsecured messages to their friends and family members because Apple is more interested in vendor lock-in than it is interested in making sure that its customers are able to communicate securely with their contacts.
The idea that Apple users would suddenly stop caring about security or that they wouldn't want their conversations encrypted just because they're talking to someone else who's on an Android device is very strange to me -- it suggests that Apple is willing to sacrifice security for paying iOS users just to keep Android users from seeing any of the benefits of those security improvements.
Yes, there may exist reasons to distinguish between locked down vendor-controlled devices where users do not have the autonomy to change device settings that could damage encryption, and devices where users do have that autonomy. I understand that concern, even if I think it's usually disengenous. But there is really no reason and no excuse (especially now that we know how easy it would be for Apple to take its encryption multiple-platform) for going beyond distinguishing between those devices, and going so far as to actively drop all security measures and all encryption from those conversations. It's like saying that because a window can be broken we might as well take the door off of its hinges and put up a "burglars welcome" sign -- and, incredibly, it's claiming that anyone who tries to replace the door without permission is somehow decreasing security. Apple doesn't just distinguish between controlled and uncontrolled environments, it removes the door entirely by dropping its users into a messaging format with no end-to-end encryption at all. It's a bad policy that hurts Apple users and decreases their safety.
What? Does a fire extinguisher connect to Apple servers? Does a fire extinguisher secretly being a bomb affect the security of others? I don’t know if you could have come up with a worse metaphor.
If you think about it, blocking an app and stealing your fire extinguishers are both actions that a person or corporation could theoretically do. Since they are both actions, they are equivalent. Therefore blocking an app, burning down your house, baking a pie, writing a sonnet, doing a backflip are all the same thing.
It’s spooky. If you think about it if Apple can block an app what is to stop them from breaking into your garage and modifying your car to talk like KITT from Knight Rider but instead of being helpful it makes mean remarks about your clothes that make you cry?? What if Apple filled your refrigerator with concrete? They could build a brick wall in front of your house and paint a replica of the outside on it so you run into it like a looney toon!
It does work as a metaphor because if Apple could force you to use their iExtinguisher and ban others they absolutely would, with the argument that they are improving fire safety.
It's time that we as an industry push back against Apple and Google.
The smartphone is the single most important device for modern life and society. It's news, photos, communications with loved ones, work, entertainment, food, paying for practically everything...
And it's just two companies. Two companies with an iron grip over such a wide and diverse set of functionalities that, taken together, should be as inalienable as free speech.
- They control what you can put on the devices (or in the cases where they're open, they scare you or make it exceedingly difficult).
- They tax all innovation happening on the platform. Because web is second class. If you build an app, you have to pay for ads against your own brand. You can't have a customer relationship (yet Google and Apple get that). You have to keep up with their release cycles on their timeline. They can deny you or ban you at any point. They take 30% of your margin. You're forced to use their billing. In many cases, they actively develop software that competes with you.
- They're extremely user hostile. The devices aren't easily repairable, the batteries force upgrade cycles, and they do stupid things that make your kids want to buy the most expensive model for clout. Green and blue bubbles, etc.
- On top of this, they're gradually eating away at every related industry. The music industry. The credit cards and payments and finance industry. The film industry. It's all getting absorbed into the blob that is the locked down smartphone.
- They turn their devices into "CSAM detection dragnets" (read: five eyes, US, China, and every other entity that wants to surveil).
This is fucking absurd and it needs to stop.
We need more than two device and platform manufactures.
Apps should be at least one of: (1) portable, (2) freely installable from the web without scare tactics, (3) web should be first class / native
The device provider shouldn't be able to use their platform play to maintain dominance. The cost of switching should be zero until there are enough new peer-level competitors.
I could keep going... the status quo is a tax on the public, a tax on innovation, and a really overall unfortunate situation.
I use a Librem 5 as my daily driver without carrying a second phone around.
The battery thing is not an issue for me in practice. I carry a spare battery (they're swappable), but I never actually need it because there's USB-C chargers everywhere I go, and I made it a habit to plug it in whenever I can.
Look, no offense but it sounds like the battery thing is an issue for you in practice, as evidenced by the fact that you carry a spare battery and plug it into a charger multiple times per day.
A phone should adapt to your lifestyle. You should not have to adapt your lifestyle to your phone.
I don't have such issue. The battery is sufficient for one day unless I use the phone heavily.
Edit: Actually it did happen when I opened a Firefox tab with a heavy js and left it open with deactivated suspend, which you shouldn't do on any phone (and even then it's more than a couple of hours).
It's really not just two companies trying to pull this bullshit. Microsoft and Samsung also try to do the "ecosystem" bullshit. If you try to use a streaming music service other than Spotify, you'll eventually notice almost all social media has an exclusive connection with Spotify to do things like share "now playing" songs or your playlists or whatever. Retail companies tried to force everyone into their payment platform lol. Banks try to force you to only use iOS or locked-down android distros. (Some are even deprecating their desktop websites and forcing you to download the app now, apparently).
There's also the mountain of 'mobile first' (aka mobile-only) garbage out there, and stuff that is nerfed on mobile unless you download the app (so they can squeeze telemetry out of you).
Don't get me wrong, I'm not defending Apple or Google - far from it - but I'm saying there's a lot of real crap going on in tech right now.
To be fair, I am a curious person and use both android and iOS. I use onedrive and (sigh) icloud for storing photos. On my android phone, I can actually have it sync pictures to onedrive and nowhere else (and it'll free up the storage, even! I think...). On iOS it either fills your phone up and then nags you constantly to manually delete pictures, or you use iCloud. There's no other choice.
Keep in mind that this is spin — Erik's statement is ridiculous, and he knows it. To think that Apple would somehow not treat Beeper like any other bad actor hacking iMessage protocols is delulu.
Sure, that's fair. But if he knows that, why spend the time to build this app in the first place? Is it a marketing play? It did buy them a whole lot of attention.
Besides the obvious attention play, he might be going for an acquisition play... "Why bother writing our own iMessage for Android when we can just buy this little company that's already done it?" There's obvious issues with that plan, but that doesn't keep delusional founders from being delusional.
As much is apparent to anyone who has used Xcode or has encountered the special appeals process behind the official appeals process behind the ostensibly fair and evenly-applied public AppStore review process.
> They know iMessage exclusivity drives hardware sales. The emails have come out proving as much.
I find this incredibly hard to believe. And just because the Apple marketing department believes something is true, doesn't make it so.
Maybe I run in a weird crowd, but I've never met anyone who cares whether "text messages" are delivered over SMS or iMessage. In general most messaging I do happens over Signal, WhatsApp, Discord, or (in a few unfortunate cases) Instagram messenger.
I must be an idiot. Never even heard of iMessage before this debacle - I wouldnt even know I was using it.
On a more serious note regarding the Hardware sales- Apple inc does not make that much profit based on "what" they sell, its "who" they are selling to.
iMessage is the former name for Apple's Messages app on macOS and iOS. Some people still use the former name as it's a bit more distinct than the current name and/or it's what they're used to. See also iTunes/Music and iCalendar/Calendar, or people who still call macOS "Mac OSX/MacOS X/MACOS X" and so on.
iMessage is Apple's proprietary chat protocol. It's still named that -- for instance in iMessage apps and iMessage stickers. "Messages" is the current name of the user facing app that speaks both iMessage and SMS, which was formerly named "Text" when it just used SMS. I think you're thinking of the defunct iChat message client on macOS.
Actually not quite. iMessage is the protocol/service used by the Messages app to communicate between two iPhones. Conversely when you send a message between an iPhone and any other kind of device it uses SMS.
It’s possible that the GP is unfamiliar with iMessage because they don’t live in NA. I have neither sent nor received an iMessage for several years. I use the Messages app for receiving SMS OTP codes only and pretty much nothing else.
The Github page for the iMessage hack said something about Beeper "acquiring" it. Not entirely sure what that means in practice since it was open source code on Github.
But what kind of attention did it garner? Now, we all know that these folks are pretty delusional. They spent time developing an app that everyone except them knew was not long for the world. A rational company would realize that it wouldn't live long enough to recoup any money. Releasing such a still born product doesn't make me feel warm and fuzzy about it. Hell, Google releases products that live longer than this.
Continue to watch this space, remember - He created the pebble. The cost of this "Experiment", to put forward a point at a super simple level. reverse engineering architecture and providing a service on top of this would be a huge space, if it were allowed.
but the real problem some of use have with Apple's behavior is the real underlying reasons they're doing this
I am reasonably sure that their main driver is profit which really means exploitation of people;
I consider their public arguments lies made up to cover up the fact that what they account for as profit comes from what are in the end some really ugly historical and traditional imperialistic (colonial, neocolonial, and occulted) practices
My guess is Beeper calculated this was likely to happen eventually (maybe not this fast), but that they would get good press on the initial launch and on the shutdown announcement and that press would be worth the technical investment they made. They do have a different service they still offer and some percentage of people are looking at that now.
I find this a bit confusing though. It seems like this was an inevitable outcome, but what do they gain from this technical investment aside from exposure. Their website doesn't steer users to anything other than the now cut-off Beeper mini?
Exposure is something. The fact the developer had the chops to do this is now on the public record. That could be very valuable for getting a job or a college scholarship (since they’re in HS).
I did something similar, built an entire app around an undocumented developer api, got a lot of users and then ended up in a good enough position to find out there was a "hidden" official api for sale and it opened a lot of doors as well even to the same site had gotten it from. For someone as young as that with nothing but time, I'm sure they knew the outcome and it blowing up was probably more than they could ask for.
What do the Beeper investors get out of the kid having better job prospects? I don't think anyone is questioning that the whole situation has been great for the kid, the question is what the Beeper execs were thinking.
Who cares about the investors? Why is this an important question? Corporations and investors aren't the only people in the world with an ability to reap their rewards.
They have another product, Beeper Cloud, does the same thing + includes a bunch of other messaging services but (as the name implies) runs in the "Cloud"
They send your Apple credentials to a machine (possibly virtual) that runs macOS, which sends and receives messages. Those messages get relayed through Beeper.
What technical investment? They bought an open-source project from a high-school student.
Beeper Mini is an app they would have built anyway. They simply implemented the bare minimum of iMessage functionality there. Which is a couple of days worth of work, maximum. Maybe a week. And some for testing.
I’m somewhat certain it cost them less than 5 figures. And if it did, what a great marketing campaign. I had no idea what Beeper even was before this whole fiasco.
More like a few weeks to months since there‘s also emoji support and endless scrolling etc, but yeah. I agree it’s doable by one developer and that’s quite affordable to do, considering the scale Beeper is at now.
I still have no idea what Beeper is, because beeper.com only talks about Beeper Mini. I'm getting from some people here on HN that there's another product... somewhere... but if the purpose of the whole exercise were to draw attention to that product shouldn't they be doing that somehow?
As is all I know about is the chat app whose primary sales pitch is the now-broken iMessage interop.
Bottom of the page, click Beeper Cloud. They signalled that they want to move all of Beeper Cloud's features to Mini eventually and just call it Beeper.
Agree. It shows off their technical chops and gets a lot of press attention and goodwill for their target market of Android users who mostly don’t like Apple.
That seems like a possibility. But if I was a user (and I am admittedly not), I would be _less_ likely to continue with their services after something like this. This experience would not instill confidence in me that any of their services would be stable.
1,272 comments
[ 2.5 ms ] story [ 366 ms ] threadBasically a weapon to taint your competitors brands by redirecting their viewers away from their content to ad saturated AI garbage.
And the tweet fundamentally misunderstands how ahref works. If google killed the site in question, ahref would have no idea given they have their own crawl.
If anything, it makes iMessage look desirable, like a long line in front of a nightclub.
Literally everyone “saw that coming”. It’s also obvious that the client will be updated to make it work again, and the cycle will repeat.
https://arstechnica.com/apple/2023/12/imessage-will-reported...
It comes down to if, by having people send you messages, you are the one providing the data to the data controller, or not.
Currently I think it's ambiguous.
I don't have to let you into my house. I don't owe you a reason. It's my house.
The EU set up the rules of the game, and it turns out iMessage falls outside the rules (to the EU’s dismay).
Even if it would fall within the rules, EU regulations work on a policy level, not a technical one. In other words, they can force Apple to change their policy and facilitate interoperability, but there’s no legal mechanism to force Apple to allow unauthorized use of their service.
The best you can do, if you're so inclined, is hope that the EU will change the rules of the game, but that would be such a transparent attempt at targeting a specific company (a big no-no in the legal reality within the EU) that the European courts will strike it down before they finish their breakfast.
Surprised it only lasted this long though, I'm sure they weren't betting on that. I still wouldn't expect a refund for the 1,50$ of 3 weeks this payment cycle that you didn't use.
I would. They sold a service that they clearly cannot reliably provide.
Also humans.
I am shocked at this outcome, and shall write my senator.
Have you got a source on that? As far as I know, there's no workaround possible because the authentication blob is based on the UDID/serial. Put differently: without UDID/serial, there's no way of authenticating with the message servers.
Beeper keeps referring to pypush when it comes to details in their write-up[0], and pypush, in turn, clearly states[1] the need for information like serial and UDID when dealing with the albert server and IDS registration request.
As a “workaround,” they simply stuff fake serials, etc., and cross their fingers that it gets through Apple’s scoring mechanism.
0: https://blog.beeper.com/p/how-beeper-mini-works
1: https://jjtech.dev/reverse-engineering/imessage-explained/
Maybe it shouldn't be private or whatever, but it still seemed weird to me that they thought this would "just work".
Apple faces the heat of this competition - it frequently adds features to iMessage to make it equal or better than it's competition. Voice notes through iMessage was a direct reaction to popularity of that feature in other platforms.
Feel free to use the open standard but don't be iMessage.
I'm a long time beeper user. It's been nice to sign up with my email, and at least be in a few of the iPhone only chats.
When I saw Eric's post the other day, my first thought was 'what an arrogant dumbass.' My guess was that they though they have an anti trust case, and my guess is that apple may have thought the same, and so they enabled 'iMessage' access to RCS.
This was so predictable, especially after the RCS announcement, that I messaged my group threads and said they'd be borked by the end of the week, please switch back to signal.
So, I think I'll ride that train until RCS is a thing and be done with beeper. I honestly think they just shot themselves in the foot.
https://www.theverge.com/2023/11/16/23964171/apple-iphone-rc...
Not discouraging the endeavour but now they are on the hook for all of these customers who bought on this promise. Feels like it should have started as a free product to see how Apple would handle it.
[0]https://en.m.wikipedia.org/wiki/Poe%27s_law
Show HN: Beeper Mini – iMessage client for Android - https://news.ycombinator.com/item?id=38531759 - Dec 2023 (863 comments)
iMessage, explained - https://news.ycombinator.com/item?id=38532167 - Dec 2023 (143 comments)
Beeper the company also has Beeper (Cloud) which bridges a whole lot of chat apps via Matrix to their other client app, including iMessage via a Mac relay.
Been using it a while now, pretty good.
This was a proof of concept to expand that app, it's not the entire company
There's always a possibility of me being wrong! It does look like a bit of a pivot doesn't it.. Good point, well made.
I think I'll go double check I can still log in to my chat apps directly just in case haha
Even without iMessages, a fully local application like this would be a great product. The fact that it relied on their servers put me off of using Beeper cloud
> Our long term vision is to build a universal chat app (https://blog.beeper.com/p/were-building-the-best-chat-app-on). Over the next few months, we will be adding support for SMS/RCS, WhatsApp, Signal and 12 other chat networks into Beeper Mini. At that point, we’ll drop the `Mini` postfix. We’re also rebuilding our Beeper Desktop and iOS apps to support our new ‘client-side bridge’ architecture that preserves full end-to-end encryption. We’re also renaming our first gen apps to ‘Beeper Cloud’ to more clearly differentiate them from Beeper Mini.
“Apple and Google want you to use their app stores in this way.”
…they want you to use their app stores, their way, because they retain 100% control of what you can and cannot do.
It’s impossible to avoid relying on other people’s platforms. (Unless you want approximately zero customers, I guess) I wish these monopolistic corps didn’t have such an iron grip, but I’m not demanding creators single handedly remove every dependency on them. There is no ethical consumption (or production) in late stage capitalism.
Does it come down to The Law of Leaky Abstractions?
>> https://www.joelonsoftware.com/2002/11/11/the-law-of-leaky-a...
Which means that if Apple wants to change something eventually, then they will possibly break downstream abstractions and then people will complain and the downstream abstraction will say "Well Apple changed their API, it is their fault". Letting someone do it from square one would be enabling that future scenario, as it isn't "if" it changes, it is "when".
If it was an open source API that would be different, but Apple's is closed source, that is Apple's philosophy at the core. It is a closed API yah? Not even an open spec right?
https://9to5mac.com/2023/11/16/apple-rcs-coming-to-iphone/
Vendors are going to have to actually work on improving the standard (and Apple has committed to working within GSMA on an appropriate multi-vendor E2EE mechanism)
In the absence of interoperable standards through GSMA, there will likely still be quite a bit of broken behavior, e.g. when it's not a Google RCS Server and all Google clients.
There is zero benefit for apple to make it good and no commercial reason for these vendors to make it good for multi vendors.
Not that we'd get it in the US but it would help reduce Apple/Google market capture efforts.
What for? Everybody in the EU already uses whatsapp. That shows how unnecessary these selection screens are.
Going further: if we download different messengers, it stands to reason we can download different browsers, therefore if safari is the most used it's because it's the one we choose.
Honestly - and EU-regulation that Apple faces over iMessage would just be collateral damage from EU targeting Whatsapp.
Meanwhile, wait until Mr. Zuckerberg looks for new ideas to monetize their messaging ecosystem.
WhatsApp is the current leader because it's no-nonsense and works everywhere. The moment Facebook fucks that up even a little bit, people will have moved on to the next thing.
The last messages on a dying messenger are always instructions on how to move on to the next thing. In skype, my status and most recent messages are just informing people of my discord handle. I accept that I may not be the norm, because generally I don't reach out to people and don't initiate contact, meaning that the onus is on them to use the appropriate channel to reach me.
Maybe it's worse for people who voluntarily stay in contact with many others using different messengers, but I don't see the problem with just having multiple messaging apps, especially since modern phones just consolidate all messaging services's contacts into your contacts app (at least on Android). You don't even need to remember who is reachable where.
This is the problem I was expressing. If I want to contact Joe I have to use Signal, if I want to contact Sarah it is WhatsApp. Sam is SMS. Its hard to remember who is using which app.
> but I don't see the problem with just having multiple messaging apps, especially since modern phones just consolidate all messaging services's contacts into your contacts app (at least on Android). You don't even need to remember who is reachable where.
That is easy enough if you use the contacts app. I usually go straight to the app I want. Regardless, it doesn't solve the core problem because people use multiple apps. How am I supposed to remember which app they prefer? I could message them on their non-prefered app, but I don't like doing that if I can avoid it.
Thats the reason why until now they only added non intrusive monetizing ideas than company accounts and so on. And when you ask me, they found a way to make whatsapp better. I can now order sushi via whatsapp. Here in Germany I know no other messenger that makes this possile.
Facebook's business model is predicated on being able to sell access to me to third parties.
I can control the first one directly.
But messages falls back to sms and that I can notice.
Thats was the way to my blacklist. Droped Signal caused by unreliability.
Additionally, same as now iMessage, close out of other clients. Other asshole, same shit.
Wasn't that in 2014, so literally 9 years ago? Things are pretty different now.
There’s no other good group chat encrypted option for both iPhone and Android.
At scale yes, signal, telegram and whatsapp are perhaps more significant than the apple ecology and the ratio of android to apple outside the USA and canada probably shows why.
“Installs” are muddied by the fact that everyone with a Facebook account has a Messenger capability, and every Apple user has an iMessage app downloaded.
“Messages received” is distorted by group chat dynamics and commercial messages.
“Messages sent” is distorted by the unequal value of relationships.
For example, I generally communicate with FB marketplace sellers & acquaintances from high school on Messenger, but use WhatsApp for talking with overseas family members.
More generally, there are social dynamics which make messenger apps radically different from one another. Even when the feature sets of the applications are very similar.
But it gives normal users a choice if they want it. Maybe it would get some to think oh maybe I should try Signal. That's how some people found out about Firefox - unimaginable I know.
Most of my family, friends and colleagues are on iMessage. I often need to explain why facetime will not work.
Whatsapp is also common, but different as it does not as easily replace SMS.
Make X low enough, 250, and all of this would go away: no more corporatism, no more monopolies, no more special groups interests paying for government lobbying, no more abuse of power from a handful of companies...
Also there are a lot of things people could say “You know what you’re describing is never going to happen.” That did happen.
I’m not suggesting this one is. I don’t think so either, but it isn’t a very productive attitude.
Now I have a company that cannot compete at the scale some chinese company can. OK so we close the border to imports from companies that are larger than our rules. When has that ever worked out?
In fact, I didn't realize it's actually viable until now.
https://gs.statcounter.com/browser-market-share/desktop/worl...
Why does so many people have this attitude that Safari sucks and the only people who use it are idiots who don’t know better?
It’s so incredibly insulting.
Not that putting native Mac in quotes implies anything nice either.
It’s absolutely baffling that you could read my post as saying safari sucks or that people who use it are idiots.
Let me try to be more clear… there are two reasons someone uses Safari on macOS, in my experience:
1. They like it better. Usually, the reason they like it better is because it feels more “native Mac”. This term is in quotes because it’s not a technical term and my understanding of what it actually means is vague, but I by no means dispute that it’s real.
OR…
2. They don’t care, so they use the default.
The way this is written implies to me you think they should install something else, but obviously they just don’t care.
Whenever there are discussions about Safari on hacker news they tend to be a lot of people who seem to have the opinion it should die and that anyone with a brain uses chrome.
Between your word choice and that seemingly common sentiment here that’s what I thought you were saying. I’m sorry if I misunderstood.
I'm trying to understand the reason for the white knight HN commenters NPC reactions coming with their "stop insulting my favorite trillion dollar corporation".
There’s a very common sentiment on HN and other technical places that safari is a serious problem that needs to be removed from the web so that things can be “better”.
That’s why I’m insulted. Not because someone is insulting Apple, do that all you want if they deserve it. Because I’m tired of people implying that the browser I like is shit because it’s not chrome and its only used because people have no choice or can’t figure out how to switch.
People are entitles to their own opinion regarding products. If they think it's shit, it's their opinion same how you're entitled to your own different opinion, no need to be Apple's unpaid white knight and froth at the mouth at everyone calling their stuff shit.
Not every app needs to be compatible with every other app, though. There is a user base cutoff (and even then there is some room for interpretation) of 45 million users (10% of the EU population)/10k business users.
Negotiations aren't done yet, but it seems iMessage isn't popular enough to meet this cutoff. Alternatives like WhatsApp definitely are, though; I'm pretty sure that's exactly why Facebook is working on cross-platform messaging for WhatsApp: https://www.theverge.com/2023/9/10/23866912/whatsapp-cross-p...
This law doesn't just effect chat app developers: it also applies to app stores and other methods of digital gatekeeping.
That being said, Apple argues the app store for its iPads aren't popular enough to cross the threshold (they split up the iOS app store and the iPadOS app store in their statistics), so the impact of these requirements will depend on what specific iDevice you use.
When the EU forced that implementation, it was already behind the ball.
It all but ensured Chrome’s dominance by killing Firefox’s momentum and proved unsuccessful, which is why the browser selection screen got killed.
Received messages on iPhones show up as neither blue nor green. They always have a gray background. The blue and green bubbles are the colors of the messages sent by the iPhone users on their own phones. Recipients, on other iPhones, will see messages with a gray background regardless of whether it was sent with iMessage or SMS/MMS.
I’ve never thought about it but that would be a huge black mark and could end up pushing a lot of people to WhatsApp/FaceBook Messenger/whatever.
This are not just spam but most are sms phishing with links. We have poor, inadequate cyber laws, so we are glad Apple is doing its part sealing this off.
Well no; spam yes, only spam no.
Signal is open source. It's a fair argument that they make it difficult to use servers other than theirs, and we can't be sure exactly what they run server-side, but their code is possible to fork and all that. Their licensing is clear. Even the choice of AGPL is significant here: they must provide the source for exactly what they run on their server.
Network access is orthogonal to source availability/openness. Closing source as a means to limit access is security through obscurity. Not to say that it wouldn't work, but we certainly wouldn't expect the Signal Foundation to take this approach.
The most significant measure Signal uses to manage access to their network has to do with the phone number requirement. That's an intentional choice on their part (arguably controversial, but I don't have an opinion about it).
I've never received a spam message from another Signal user... is this common for you (or anyone)? I think in all the years I've used Signal I've only received less than 5 spammy "message requests" that are quite obvious/easy to decline because I don't already have their phone number in my contacts. I've always had to first ask someone "hey, can we use Signal?" so I'm already expecting legitimate message requests when they arrive.
Now that Signal has usernames you can share, rather than phone numbers, I think the phone number decision is a lot less problematic.
Strangely enough, I did receive spam this week. Or at least I think I did, an account I didn't recognise with a profile picture of a woman I didn't recognise sent me "hi". This coincided with my first SMS spam of the year and spam on an email address I used for one specific company, so I guess they've been hacked and had their database dumped. Maybe I'm just lucky, but spam just isn't a problem for me.
> This doesn't appear to be some easy thing Apple can just turn off.
> It will require a complete redesign of their entire authentication and delivery strategy for not just iMessage but Apple ID account access as a whole.
It’ll be interesting if beeper mini ends up bypassing it.
They’re tech fans, not experts but act like they know the domain space enough to make strong authoritative claims since that’s what gives them an audience.
Honestly many people here, myself too probably at points, tend to just repeat what they’ve heard elsewhere as fact. You can see it if you try and notice phrasing patterns repeating.
My real lesson is less that the internet is a shit show (it is though), and more that people like to take a very strong opinion as fact, over a more nuanced opinion that requires understanding of a topic.
/s obviously!
literally yes, that is the correct course of action.
the issue is that you cannot publish videos and make money if you refrain from talking about stuff you don't really understand.
which is one of the problems with modern society, in general.
SMS messaging is a feature of the mobile network, and they're sent directly from the device to the carrier SMSC without going through Apple's servers. You might be confusing iMessage with Messages. The former is a messaging platform, the latter is an app that can send messages either via iMessage or SMS (assuming a mobile device, or pairing with an iPhone).
> what an incredibly bad move it would be for them
I don't see it very different from Apple's choice to degrade arbitrarily the experience of messaging with android users. There are infinitely better alternatives to sms for private messaging, Google could say it's encouraging its users to move on them.
Edit: to respond to your edit
Apple is blocking 3rd party access to their own services. Google blocking access to messages delivered via an 3rd party isn't at all the same thing. And the optics of it would be incredibly bad for Google.
"My prediction is that Apple will make changes—fixing bugs and/or closing loopholes—that break Beeper Mini. It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.
It’s a very nice app, remarkably clever, and for now works like a charm, but if Apple wanted an iMessage client for Android they’d release an iMessage client for Android. Seems irresponsible for Beeper to charge a subscription for an unsupported service."
https://www.threads.net/@gruber/post/C0k1VgyMGZN?hl=en
- From the National Association of Criminal Defense Lawyers
Other way around. If anything, it sounds to me like Beeper Mini was acting illegally by accessing Apple’s servers in a way they didn’t give permission for.
The CFAA is ripe for abuse. I’m not saying applying it here would be just or not, only that Apple likely wasn’t the one acting illegally.
So I would summarize it as the corporate entity connecting to an Apple API and using it in undocumented ways that they reverse engineered, intercepting messages meant only for Apple software, doing so without prior permission, for purpose to selling access to services which would normally be covered by an Apple EULA.
It is not quite like a smaller word processor wanting to be able to import Word documents - without tying into Apple's service, Beeper Mini has zero value.
They may very well have violated the law as it is actually written.
Beeper is lucky they weren't sued under the DMCA anti-circumvention clause, as they clearly were bypassing the technological measures Apple uses to prevent genuine devices from connecting to iMessage & Apple services.
I think you’re likely right though. If they had such a claim I think their lawyers would have been on it instantly.
That’s why I mentioned the CFAA. Accessing servers without someone’s permission is the exact kind of thing people have gotten very stiff punishments for under the CFAA in the past. It’s basically the main reason I know the law exists, stories about peoples ridiculous punishments for relatively benign things.
Sure it’s useful for real things. I bet you can prosecute ransom under it. Or hacking to break into a rival company.
But it’s also great for when someone embarrasses a politician with stuff that they published on their own website and “something has to be done”.
At the same time, I miss the era of rich third party client ecosystems for things like AIM or MSN messenger. Blocking interoperability is a bummer for innovation.
Android vs iPhone is definitely a thing people in their 20s and 30s even use to judge others. I have polled quite a few family/friends, and it is near unanimous that it is a dealbreaker in dating, mostly because they assume there is a higher likelihood they will not mesh with the type of person the non iPhone user is.
>but that seems like a poor basis for anti-trust action.
Correct.
Whether that argument holds is for governments and courts to decide, ultimately.
I was sharing that theory as a conjecture, since I have no reason to believe such a provision exists.
1. An enforceable contract existed (check!)
2. Beeper knew about the contract (check!)
3. Beeper's actions intentionally caused a breach of that contract (check!)
4. An actual breach of Apple's Terms & Conditions occurred
5. Apple had damages
None of those elements have much to do with profit.
That doesn't mean it's a sure winner, just that it's a live question until more info is known. I imagine Apple would say they need to tighten up any parts of their system that could allow for spoofing or other security issues, and that was their 'legitimate' reason to make these changes.
I don't follow this logic at all. Shouldn't supporting thirdparty clients be desirable if security is a primary feature in the interest of transparency? Especially if the reference client is proprietary and undocumented.
From what I understand Beeper Mini is interfacing with iMessage on-device, what's to stop another clients from using a server and intercepting messages? While I don't have time to look it up again, I think there was also something on how Beeper Mini is handling the push notifications when the app isn't open. While that may not leak a lot of information, and there is also the news of Apple/Google sharing push info with some governments, that's something that can at least raise some eyebrows when it comes to how private it is.
It sure as heck better have been designed with that in mind, because it sends SMS messages to uncontrolled 3rd party clients that could be stealing your information or spying on push notifications every single time you message an Android user.
I genuinely don't understand this argument. Do people think that SMS messages don't generate push notifications? Does Apple have a 1st-party SMS messenger available on Android that I'm not aware of? You're already communicating with 3rd-party clients that could be spying on you, and you're already receiving messages from those clients in the iMessage app. The biggest difference is that your messages with those clients today are fully unencrypted, so spying on them doesn't even require compromising an app.
It's weird for people to be so concerned about push notifications as if that's a decrease in security when the alternative system they're proposing is for iOS messages to be sent to Android devices fully unencrypted. Apple/Google can share all of that information with the government as well; if they're not being asked to it's only because the government can get it even more easily directly from the telcos.
It also changes nothing about my comment, because you can call SMS a different system all you want, but your conversations with Android users are still being sent unencrypted and any malicious payloads you get from SMS phones are still being loaded into the same Messages app. If you're worried that a 3rd-party client on Android is going to let a company spy on conversations you're having with Android users, then I still have real bad news for you about how Apple sends messages to Android users.
Draw the lines however you want between Messages and iMessages, but the security implications of Apple's setup are exactly the same. When you write a message to an Android contact, Apple sends that message unencrypted to a 3rd-party client that could by spying on you, leaking your data, or sending malicious payloads to your iOS Messages app. It still makes no sense whatsoever to be this concerned about the security of the push notifications for your messages to Android users when the alternative being proposed is to throw security entirely out of the window for those conversations. It is still a clear security improvement for conversations between Apple and Android users to be E2EE rather than to be sent over SMS, because the risks being raised about 3rd-party messaging clients are already present within those conversations today.
Certainly this is not the first time some entity in the world has reverse-engineered iMessage; it's just the first time that it was publicized.
Apple did leave the hole open; they left it open until it threatened their customer lock-in. Only at that point did they decide that it was a security risk.
Beyond optics, let’s just look at attack surface. The implication that the sort of security holes that “openness” would fix are anywhere near the top of the list is…where’s that xkcd about cryptography and crowbars? It’s very clearly in the realm of nerdy cosplay. You know what is* a much more realistic threat? Some stupid third-party client on the Play store that exfiltrates all messages sent and received. Apple has absolutely no control over that. No protocol security accounts for that.
One way to avoid that outcome would be to have a first-party client on the Play store.
Instead, Apple drops all message security entirely from cross-platform communications for iOS users, allowing anyone to read those messages whether or not they have a crowbar. This is security 101: users do dangerous crap when the secure options don't have affordances for their use-cases. Users are lazy. If an official 1st-party secure client exists that meets their needs, they won't install a 3rd-party client. Users resort to dangerous and unsupported options when the safe, obvious options either don't work or aren't available.
And thankfully, we now know that it would be entirely possible for Apple to fix that problem and to move its own users off of SMS for communication with Android contacts, and we know that because a 16 year-old high-schooler was able to build that support with zero documentation. Presumably Apple is capable of doing the work of a 16 year-old. We now know that it would in fact be entirely possible for Apple using a 1st-party controlled, proprietary client with a proprietary protocol, to encrypt virtually every message that Apple users send to every one of their contacts, rather than what Apple does today where it encrypts... some of them.
None of this requires Apple to Open Source anything or to document or make available any of their protocols. The only reason Apple is in this position right now of needing to deal with 3rd-party clients is because of a lack of support from their 1st-party client.
I think that's my biggest gripe with the situation. Or my second-biggest. My biggest gripe is that the only notification that your messages are now not end-to-end encrypted is the green bubble. They don't tell you anywhere that the green bubble (also) means that.
The first half definitely made me think sarcasm, then the second half... I mean I know some people actually believe this... Then I noticed you said "encryption" instead of "protocol". Breaking an encryption standard is obviously very hard, breaking a protocol is obviously not nearly so hard.
On the other hand, taking this stance would be insane given the post we're talking about. A company that actively circumvented apples security measures. So you must be being sarcastic. You just have to be.
Remember, on the internet it's kinda hard to tell. Make sure to throw in a /s unless you really REALLY sell it.
It's just that in addition to sending your messages to 3rd party clients that could be stealing the data, Apple goes the extra step to make it even more insecure and also sends your messages completely unencrypted, so that everybody along the path from your device to the 3rd-party client can join in and also read your messages and can also use them for ad targeting or worse.
I'll make the argument that this is strictly worse for security than tolerating an encrypted 3rd-party client (or better, releasing their own 1st-party client rather than relying on SMS).
yeah can’t imagine why apple doesn’t use it
But Apple doesn't have to use it. They could release a messaging app for Android that used their own encryption, and they could encourage Android users to switch. But they don't do that, because distinguishing between Android and iOS users is ultimately more important to Apple than securing the conversations that Apple users have.
If RCS is garbage (and it is) then it is extremely weird that Apple has committed to supporting RCS for cross-platform messages instead of encouraging adoption of what would be a superior form of encryption for those conversations.
What you have to ask is, if you are an Apple user, why isn't Apple trying to encrypt every message that you send? Why are they asking you to use a garbage protocol when you send messages to Android users?
> yeah can’t imagine why apple doesn’t use it
Really, this statement should be reversed, it's difficult to imagine why Apple is planning to use RCS. Why is Apple more willing to implement a garbage protocol than they are willing to release a messaging app for Android?
https://texts.com/faq
Everything you said is correct.
Imagine there is a theme park that has normal ticket booths and some requirements there to get in. Then there comes a Beeper that finds a hole in the fence on the perimeter and sets up their ticket booths there. It's in theme park's best interest to close that hole and cut off the revenue stream of somebody pigging back on their theme park.
Okay, I've stretched the metaphor out enough.
A Lamborghini Urus costs $230k so I guess it's morally acceptable to break into a dealership and steal it.
If the richest company in the world wanted their chat app to run on Android, it would by now.
It's strange Apple doesn't sell an iMessage Android app, but I'm sure they've had somebody do the math and found out that it's more money for Apple in the long run if they don't.
years and years of "apple sheeple" variants tend to take their toll, you're just the latest in an endless parade of microaggressions even if you don't think your particular case was notable.
why is it so important for you to push on the idea apple users being thoughtless trend-followers? just don't do that, be better. you can do it. the next time you feel like posting that, simply take a deep breath and don't post it.
there is just no reason to go around posting that "[device that 50% of people own] users are all doing it for [trite/dismissive reason]" in the first place, let alone on a tech forum where everyone has very specific reasons for their tech purchases. and it's so completely normalized, android users do it so routinely and don't even think that what they are saying is offensive. it's literally the classic microaggression problem.
Thats a very funny statement. From my experience tech people in general are the ones falling for vanity, fashion, dogmas etc. most often while claiming some "practical" reasons
Android doesn't suffer from that kind of complaint because it's often perceived as the opposite: a socioeconomic indicator for low status. It's socially acceptable to mock people for choosing high socioeconomic indicators, but not low socioeconomic indicators.
"You only bought that because you're rich" has a very different ring than "you only bought that because you're poor".
That perception of low vs high indicators is somewhat wrong (high-end Android phones cost more than the latest iPhone, used iPhones are pretty affordable) but it is the perception.
Or put another way: If the privacy and security of imessage is compromised by someone building another client, I'd argue that you never had either to begin with.
I can't think of an any with independent implementations.
For instance, have a few third party Signal clients, which work by using the official libSignal . These are not third party clients, but third party GUIs. Use of libSignal on the official Signal network is also not supported or recommended.
Likewise, all the third-party Telegram clients I know of are forks using Telegram source.
This makes sense, because neither of these are stable systems. A third party has to stay up-to-date with features and changes made to the official servers and clients.
Do you know of a security and privacy focused messaging platform which is both:
1. documented
2. has multiple independent implementations of the networking and security protocols?
Security wise, there is interesting work adopting MLS (and I believe key transparency) under Matrix, see https://arewemlsyet.com for example.
That's like saying the internet protocol is neither private and secure because people willingly use random public Wi-Fi
Another theme here is BBM (Bloomberg Messaging). People/Companies pay BB five figures per year just to get BBM. Why would they ever release a messaging app outside of the terminal. They will die before this happens.
Apple doesn’t sell apps they sell hardware and services. There’s no incentive for them to provide a free iMessage app for android, and I doubt many people would pay for one.
Enough people paid for one. Enough to make Apple scared and use engineer time to ban/block people anyway.
> We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.
> We will continue to make updates in the future to protect our users.
[0]: https://techcrunch.com/2023/12/08/apple-cuts-off-beeper-mini...
Completely wrong. It's a job-seeking ad. “Look, I'm ruthless enough to fuck over users who buy this bogus subscription.” Which SV startup wouldn't pay millions for a crook of that caliber?
What a stupid take on the situation. At most it's untenable to Apples short term financial interests. A well designed protocol and implementation would be even better at protecting user privacy and security especially from a privileged attacker like the service provider and anyone able to put covert pressure on them.
The only way in which vendor lock-in helps the the existing users is that spammers and scammers have to invest additional money to acquire Apple devices to create new accounts instead of just phone numbers and a labor to create accounts.
yes, you can indeed build a secure system on the basis of increasing the economic cost of attack beyond reasonable levels and by forcing attackers to repeatedly slash their stake to perform an attack
Apple is, however, nothing for "privacy and security" beyond what they need to do to be marginally better, and that's a stretch these days. If Gruber really believes what he wrote he's full-on living in Apple's orchard behind the walled garden that Tim Cook splendidly gatekeeps. But because Apple puts marketing dollars behind ads that say "privacy" and "security" it must be so!
This is why it's always funny to me when the trope of the hour is the mass privacy failures of Signal through use of phone numbers. And then the author turns around and types out an iMessage to a blue-bubble friend. I really hope we can move beyond the Apple reality distortion machine and move to truly user focused platforms that aren't designed to steal user data or make the board richer.
Apple has become rotten.
They’d block an account out of spite without a second thought.
1. If Apple sees this as a gap, it is very obvious that they would address that themselves, rather than by allowing a hack to exploit loopholes in their architecture
2. Since Apple has no control over the Beeper mini client, they would not consider it safe, it could easily be spying on users without their knowledge.
Since I have no control over iMessage, I would not consider it safe. It could easily be spying on me without my knowledge.
If Apple actually cared about security they'd implement an open protocol that is provably secure. Imagine if they supported something like Matrix. But that's clearly not their primary concern here. It's just a convenient excuse to maintain their walled garden.
It does not.
If there is some recent revelation that makes phone numbers all of a sudden a secure, portable and censorship-resistant identifier please link me that.
Until then I'd prefer to not have my private communication determined by telephone companies that often have not cared for either security, censorship or privacy. Regardless of signals e2e encryption having my access to the network determined by a telephone company is not the right way to go.
For a nominally privacy focused app, for them to literally alert people to my new Signal account I'd gotten to securely message someone violated all trust I had in them. What's to stop someone from just adding a Contact for every single valid phone number on their phone and then getting an alert for any time anyone makes a Signal account? I may as well just use Facebook then.
A correctly implemented end-to-end encrypted protocol would be safe for all participating clients.
The only way to break that security is by copying messages outside the protocol in the app itself.
Neither of us knows whether iMessage or Beeper Mini does this. To bring up the possibility is to criticize both apps equally.
As long as the clients are closed source, this is a circular argument. The client itself is a vector. Not just for a good E2E implementation but for the 3rd party company to not outright steal everyone’s messages, create a backdoor, etc. You have to be willing to trust every client used in the thread.
If we must be willing to distrust one closed source client, then we ought to distrust both.
That said, I don't personally trust either of them. When it comes to matters of security, I prefer open protocols which can be proven to be secure over pinky swears from companies.
The level of trust I currently give in Beeper is that identity verification happened such that someone could potentially be prosecuted for abuses after-the-fact.
They have not built up a reputation, and in the face of potential scams or privacy abuses their reputation may not be as valuable as the user information they can gain access to.
Small incidents can cause significant reputation harm to Apple, and those equate to billions of dollars lost in corporate value.
Even the recent notification monitoring announcement harms their reputation, where the government itself mandated non-transparency. (For this reason, I somewhat expect they are trying to design an oblivious notification system, where role separation prevents a single intermediary from knowing both where a notification is from and where it is going to.)
You just brought up a better word: "liability". I'll go one step further: "attack surface".
When it comes to security in software, we don't need to work with many unknowns. The unknowns we do work with are the attack surface. By presenting a greater domain of unknown behavior, closed source software effectively presents me (the user) a larger attack surface. Sure, I could trust that the extra attack surface is actually covered; but I can't know. With open source, I don't have to trust, because I can know instead.
If I am to choose between open and closed source software, then I am choosing between knowledge and trust. That is a completely different position than choosing between closed and closed: trust vs. trust. So long as any securely-designed open-source messaging app exists, iMessage is at a disadvantage in end-user security. Even if Apple can know for certain that iMessage's attack surface is not larger than an open-source alternative, we the users can't. Closed source software will always present a higher demand for trust.
Generally fair assumption. There's been some research (both positive and negative) around their E2EE claims, though AFAIK much of what's known about iMessage's E2EE guts has been learned through unofficial means. I think that for the vast majority of users, iMessage is probably safe enough.
As a user, you have the agency to choose a messenger app that better suits your privacy/convenience balance, though in fairness, I think even among users who care about privacy, many don't know how to judge privacy features and implementation details well.
Like others in this thread, I personally recommend Signal. It's widely available, easily usable, has been audited and researched a fair bit, and though it doesn't have a self-hosted option, it does have white papers out about its protocol which IMO are worth a read.
I would trust iMessage about 95% less if I had written, or even implemented, the protocols myself, and I consider myself a pretty good developer.
I do not need to have had a hand in developing any of this. It's not my expertise and, like you, I'd feel more comfortable having it developed by the experts.
[^1]: https://en.wikipedia.org/wiki/List_of_fallacies
Last time I checked, Apple still used security questions any hacker can get answers to on Facebook. I'm not all that confident about Apple's approach to account security.
Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.
Apple chooses not to, and it's their choice, of course. It doesn't care about the privacy of it's non-users, and it doesn't care about the privacy of its users when they communicate with non-users. From what I can tell, it only cares if you stay within the Apple bubble.
Apple is doing it optionally because they're trying to balance two opposing forces here: helping its users access a locked account, and giving users tightly locked accounts.
> Last time I checked, Apple still used security questions any hacker can get answers to on Facebook.
Apple's default for a number of years has been to use trusted devices IIRC. Their kb article on resetting a forgotten Apple ID password even suggests that it's better to wait until you're back with a trusted device than to immediately try to reset without one, suggesting that the process is somewhat intensive and perhaps subject to human review? I just kicked it off online and the first question _is_ to confirm an obfuscated cell phone number, but I can't imagine that after that it's mother's maiden name dreck?
> Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.
Which would thus expose them to security weaknesses of a device and OS they do not control, and potentially expose iPhone and iOS customers to increased risk should an Android iMessage user's phone have malware, or screen scraping, or keylogging, etc.
> Apple chooses not to, and it's their choice, of course. It doesn't care about the privacy of it's non-users, and it doesn't care about the privacy of its users when they communicate with non-users. From what I can tell, it only cares if you stay within the Apple bubble.
Nail on the head, but I do think that folks overstate the simplicity with which Apple could provide a comparably secure iMessage experience on Android.
Check again.
I recently reset a forgotten iTunes password. This required:
That's 5FA authentication just to reset a password.The days of answering personal trivia questions to reset passwords are long gone.
I'm surprised I haven't seen this mentioned more. They could even make a green (or whatever colour they wish) iMessage bubble to denote that it is not from an Apple device. Seems like it solves all the problems people present with E2EE/iMessage with Android interop. On the issue of spam, which I feel is just grasping at straws, You could allow blocking unknown non-Apple iMessages by default. Unless I am mistaken, this really only leaves the walled-garden as the thing that stops Apple from implementing something like this.
In fact, you could even only allow Android iMessage conversations that include at least one genuine Apple device. This combats the argument that they shouldn't have to give resources away to Android users for free. This would be added-value to their own customers by providing more streamlined messaging with their Android contacts. Such as situations where group chats are forced to swap to MMS for a single Android user, sending pictures/video to a friend, etc.
Because they don't own an Apple device or have iMessage, which is the entire point of this discussion?
Sure, if this car is super safe it may be better if both you and the other driver both had it. But it is clearly better to have airbags, even if the other car is less safe than it could be if it was from the first-party brand.
It is one thing to not try to mitigate security issues outside their control and another thing to remove possible security because you don't control it entirely.
Of course, this is a hard problem. I'm not saying Apple is bad at security, many good messaging platforms run into these kinds of problems. But the way you fix these problems (and the way Apple in fact did fix the bugs above) was through patching their own software, not by trying to control what attackers can send.
If security researches can send a malicious payload attack that compromises iMessage, the solution is not to make sure they can't send that payload (which would be impossible to guarantee anyway), the solution is to patch iMessage to no longer be vulnerable to that payload attack.
One hopes that the only thing preventing your iMessage client from being compromised is not whether or not the attacker has a spare $1,000 lying around.
The actual solution is to make the client/server not be vulnerable to malicious payloads that would cause a buffer overflow. Whether you do that by patching bugs individually or switching to a memory safe language, or whatever strategy is used -- "don't send our messaging platform bad data" isn't a security fix.
> The app doesn’t connect to any servers at Beeper itself, only to Apple servers, the way a “real” iMessage text would.
https://techcrunch.com/2023/12/05/beeper-reversed-engineered...
I've re-written this comment five or six times in an attempt to find the most charitable interpretation, but I just cannot comprehend how it made it through your filter and out onto the internet.
SMS can be read but it is still at least somewhat decentralized. It isn't being funneled to a single party whose business model is profiling users.
Stuff like this happens all the time and the internet has always been like this. I'm sure older users will remember even older examples
On a more serious note though, in the end Apple absolutely has the power of increasing everyone's capability and security by doing something like setting up a playbook of how iMessage could just use Signal protocol and how other actors could join in, or really anything else but doing this.
Right now I can presume a basic level of device security across all iMessage threads I have. Beeper deranges that: E2EE is still there, but Beeper exposes my correspondence to device security weaknesses from other OEMs, malware, keyloggers, screen scrapers, etc. as a result of lax app marketplace security & privacy.
It seems to me to be entirely disingenuous to suggest that Beeper increases security: in fact, the opposite is true.
> in the end Apple absolutely has the power of increasing everyone's capability and security by doing something like setting up a playbook of how iMessage could just use Signal protocol and how other actors could join in, or really anything else but doing this.
I don't see why any company should be denigrated for not helping the users of another competing platform, particularly when doing so likely comes at the cost of increasing the risk to its own users.
Hmmming and hawing over "OEMs... and ...lax app marketplace security" seems like quite a high bar to hold, a bar so high it ceases to be useful. Remember, iPhone users can disable passwords on their iPhone entirely; if that's not something you ever worry about, then worrying about a minority of OEM's seems like mere pretext to keep your comfy walled garden all to yourself.
Subjective, speculative.
> when in reality
I think you mean "when in my opinion".
> they are making a decision on improving their profit
Speculative, and "improving their profit" is clumsy enough vocabulary that it's a red flag on continuing to discuss this with you.
> regardless if it decreases security of its customers and other people
The plurality of countervailing perspectives in this thread – which you have failed to address or refute, as far as I can tell – ought to indicate to you that it is arguable that Apple's decision in this case increases security of its customers.
> It is undeniable and silly to argue against.
I'll let others judge who seems silly here.
My point stays exactly the same. You haven't said anything real against it.
Is that really true though? Jailbroken phones, iMessage may still work. Any device security gets thrown out the window.
You also can't expect everyone to have an Apple device for security, which we've seen time and time again SS7 being weak - So is the requirement to remove SS7, for everyone to jump on the Apple train?
I see Beeper as doing Apple a service, not so much a competing platform, but a gateway to the iMessage ecosystem - 'Hey, this would be pretty cool to use without this app and have it native' vs the 'Only Apple devices can use this.'
Apple closes exploits which allow jailbreaking, precludes it in the EULA. What more would you have them do?
Preventing jailbreaking is not a good thing, in part since that's what allows us to check on what Apple is doing on the device, in regards to privacy, security and e2e encryption. If nobody can check, do you suppose we just accept their statements about the device as fact?
iMessage using SMS to communicate with Android devices increases the risk to iOS users. Apple customers are still Apple customers when they communicate with Android users.
Every risk you describe is still present in the current implementation of iMessage when communicating with Android users, except the risks are much greater because SMS is much easier to exploit and intercept than an E2EE protocol would be.
A message platform that forces Apple users to use an insecure protocol when communicating with Android users decreases the security and privacy of Apple users.
So even an imperfect implementation of real E2EE between Apple and Android users, even with all the risks you describe above, is still an improvement in security over what we have right now: a situation where Apple forces iMessage users to use to what is quite possibly the least secure communication method possible when communicating with their friends and family in different ecosystems.
It's not necessarily about helping the users of another competing platform, Apple users who are using normal iPhones are sending unencrypted and unsecured messages to their friends and family members because Apple is more interested in vendor lock-in than it is interested in making sure that its customers are able to communicate securely with their contacts.
The idea that Apple users would suddenly stop caring about security or that they wouldn't want their conversations encrypted just because they're talking to someone else who's on an Android device is very strange to me -- it suggests that Apple is willing to sacrifice security for paying iOS users just to keep Android users from seeing any of the benefits of those security improvements.
Yes, there may exist reasons to distinguish between locked down vendor-controlled devices where users do not have the autonomy to change device settings that could damage encryption, and devices where users do have that autonomy. I understand that concern, even if I think it's usually disengenous. But there is really no reason and no excuse (especially now that we know how easy it would be for Apple to take its encryption multiple-platform) for going beyond distinguishing between those devices, and going so far as to actively drop all security measures and all encryption from those conversations. It's like saying that because a window can be broken we might as well take the door off of its hinges and put up a "burglars welcome" sign -- and, incredibly, it's claiming that anyone who tries to replace the door without permission is somehow decreasing security. Apple doesn't just distinguish between controlled and uncontrolled environments, it removes the door entirely by dropping its users into a messaging format with no end-to-end encryption at all. It's a bad policy that hurts Apple users and decreases their safety.
it's going to become illegal not to have one in california! so you better invest NOW!!!
go to double U double U double U blah blah blah dot yadda yadda yadda
*full disclaimer, this technology is patent pending**
**doubly full disclaimer, "patent pending" in the sense that the invention is still to be invented, the panel of experts said 20 (more) years!
The smartphone is the single most important device for modern life and society. It's news, photos, communications with loved ones, work, entertainment, food, paying for practically everything...
And it's just two companies. Two companies with an iron grip over such a wide and diverse set of functionalities that, taken together, should be as inalienable as free speech.
- They control what you can put on the devices (or in the cases where they're open, they scare you or make it exceedingly difficult).
- They tax all innovation happening on the platform. Because web is second class. If you build an app, you have to pay for ads against your own brand. You can't have a customer relationship (yet Google and Apple get that). You have to keep up with their release cycles on their timeline. They can deny you or ban you at any point. They take 30% of your margin. You're forced to use their billing. In many cases, they actively develop software that competes with you.
- They're extremely user hostile. The devices aren't easily repairable, the batteries force upgrade cycles, and they do stupid things that make your kids want to buy the most expensive model for clout. Green and blue bubbles, etc.
- On top of this, they're gradually eating away at every related industry. The music industry. The credit cards and payments and finance industry. The film industry. It's all getting absorbed into the blob that is the locked down smartphone.
- They turn their devices into "CSAM detection dragnets" (read: five eyes, US, China, and every other entity that wants to surveil).
This is fucking absurd and it needs to stop.
We need more than two device and platform manufactures.
Apps should be at least one of: (1) portable, (2) freely installable from the web without scare tactics, (3) web should be first class / native
The device provider shouldn't be able to use their platform play to maintain dominance. The cost of switching should be zero until there are enough new peer-level competitors.
I could keep going... the status quo is a tax on the public, a tax on innovation, and a really overall unfortunate situation.
Sent from my Librem 5.
That basically makes it a non-option for the overwhelming majority of people, and it was still an issue 6 months ago.
I really want to like the Librem but it's hard to justify the price tag when you're going to have to carry another phone around with you anyway.
The battery thing is not an issue for me in practice. I carry a spare battery (they're swappable), but I never actually need it because there's USB-C chargers everywhere I go, and I made it a habit to plug it in whenever I can.
A phone should adapt to your lifestyle. You should not have to adapt your lifestyle to your phone.
Edit: Actually it did happen when I opened a Firefox tab with a heavy js and left it open with deactivated suspend, which you shouldn't do on any phone (and even then it's more than a couple of hours).
that would be nicer than the current situation where they take away 30% of your revenue
There's also the mountain of 'mobile first' (aka mobile-only) garbage out there, and stuff that is nerfed on mobile unless you download the app (so they can squeeze telemetry out of you).
Don't get me wrong, I'm not defending Apple or Google - far from it - but I'm saying there's a lot of real crap going on in tech right now.
To be fair, I am a curious person and use both android and iOS. I use onedrive and (sigh) icloud for storing photos. On my android phone, I can actually have it sync pictures to onedrive and nowhere else (and it'll free up the storage, even! I think...). On iOS it either fills your phone up and then nags you constantly to manually delete pictures, or you use iCloud. There's no other choice.
Ding ding ding! We have a winner!
It's the same reason they dragged their feet supporting RCS, until regulatory pressure started mounting.
I find this incredibly hard to believe. And just because the Apple marketing department believes something is true, doesn't make it so.
Maybe I run in a weird crowd, but I've never met anyone who cares whether "text messages" are delivered over SMS or iMessage. In general most messaging I do happens over Signal, WhatsApp, Discord, or (in a few unfortunate cases) Instagram messenger.
https://www.thurrott.com/apple/248931/apple-didnt-bring-imes...
On a more serious note regarding the Hardware sales- Apple inc does not make that much profit based on "what" they sell, its "who" they are selling to.
It’s possible that the GP is unfamiliar with iMessage because they don’t live in NA. I have neither sent nor received an iMessage for several years. I use the Messages app for receiving SMS OTP codes only and pretty much nothing else.
It was an acquihire involving a 16 year old who was doing it for fun.
I am reasonably sure that their main driver is profit which really means exploitation of people;
I consider their public arguments lies made up to cover up the fact that what they account for as profit comes from what are in the end some really ugly historical and traditional imperialistic (colonial, neocolonial, and occulted) practices
Just wondering if you've forgotten what site you're on.
This is YC which exists to build companies whose main driver will always be profit.
that's the generalized pattern
What phone do you use that does not have the same issue?
As opposed to Beeper?
The GitHub developer I guess. Still his project got noticed because of all of this so it still sort of fits.
Doesn’t mean it wouldn’t be an awesome project to do. I don’t blame them one bit. It’s an awesome achievement.
What technical investment? They bought an open-source project from a high-school student.
Beeper Mini is an app they would have built anyway. They simply implemented the bare minimum of iMessage functionality there. Which is a couple of days worth of work, maximum. Maybe a week. And some for testing.
I’m somewhat certain it cost them less than 5 figures. And if it did, what a great marketing campaign. I had no idea what Beeper even was before this whole fiasco.
As is all I know about is the chat app whose primary sales pitch is the now-broken iMessage interop.
https://www.beeper.com/cloud