Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: Beeper Mini – iMessage client for Android (beeper.com)
1521 points by erohead 10 months ago | hide | past | favorite | 874 comments
Hi HN! I’m proud to share that we have built a real 3rd party iMessage client for Android. We did it by reverse engineering the iMessage protocol and encryption system. It's available to download today (no waitlist): https://play.google.com/store/apps/details?id=com.beeper.ima and there's a technical writeup here: https://blog.beeper.com/p/how-beeper-mini-works.

Unlike every other attempt to build an iMessage app for Android (including our first gen app), Beeper Mini does not use a Mac server relay in the cloud. The app connects directly to Apple servers to send and receive end-to-end encrypted messages. Encryption keys never leave your device. No Apple ID is required. Beeper does not have access to your Apple account.

With Beeper Mini, your Android phone number is registered on iMessage. You show up as a ‘blue bubble’ when iPhone friends text you, and can join real iMessage group chats. All chat features like typing status, read receipts, full resolution images/video, emoji reactions, voice notes, editing/unsending, stickers etc are supported.

This is all unprecedented, so I imagine you may have a lot of questions. We’ve written a detailed technical blog post about how Beeper Mini works: https://blog.beeper.com/p/how-beeper-mini-works. A team member has published an open source Python iMessage protocol PoC on Github: https://github.com/JJTech0130/pypush. You can try it yourself on any Mac/Windows/Linux computer and see how iMessage works. My cofounder and I are also here to answer questions in the comments.

Our long term vision is to build a universal chat app (https://blog.beeper.com/p/were-building-the-best-chat-app-on). Over the next few months, we will be adding support for SMS/RCS, WhatsApp, Signal and 12 other chat networks into Beeper Mini. At that point, we’ll drop the `Mini` postfix. We’re also rebuilding our Beeper Desktop and iOS apps to support our new ‘client-side bridge’ architecture that preserves full end-to-end encryption. We’re also renaming our first gen apps to ‘Beeper Cloud’ to more clearly differentiate them from Beeper Mini.

Side note: many people always ask ‘what do you think Apple is going to do about this?’ To be honest, I am shocked that everyone is so shocked by the sheer existence of a 3rd party iMessage client. The internet has always had 3rd party clients! It’s almost like people have forgotten that iChat (the app that iMessage grew out of) was itself a multi-protocol chat app! It supported AIM, Jabber and Google talk. Here’s a blast from the past: https://i.imgur.com/k6rmOgq.png.




This seems like it won't last, but it's AWESOME and I really hope you survive Apple's inevitable attempts to kill this. A universal chat application would be amazing, and will maybe help bring attention to the value of standards and interoperability (hopefully by governments/regulators).


One of my companies lives from this kind of things so it would last if someone could fund it. More food for thought: "Reflecting on 16 Years of Work on Adversarial Interoperability" (now, more than 20...) [1]

[1] https://blog.nektra.com/2020/01/12/reflecting-on-16-years-of...


Have you ever received C&D for your work? There's a big problem of OSS projects being TOS-trolled by billion dollar companies and having to shut down out of fear.


You know, your question is very interesting: no, we didn't.

Anecdote: we reverse engineered several Microsoft products and before Microsoft Windows 7 launch we were contacted by Microsoft QA and they offered us support to check if our software was compatible with it! BTW, our software was installed in millions of computers around the globe. For example, Trend Micro used our software for supporting their antivirus in Outlook Express and Windows Mail.

Our Deviare Hooking Engine [1] was eclipsed when Microsoft Detours [2] turned to an MIT license and free. Even when our was superior in several ways. This is why I wrote that you should continuously fight for "adversarial interoperability".

[1] https://github.com/nektra/Deviare2

[2] https://www.microsoft.com/en-us/research/project/detours/


I agree. After receiving a C&D from Meta for my OSS project (along with some other maintainers from some other projects) I strongly believe adversarial interop is a basic digital right that is required to fulfil the broken or revoked promises of web 2.0

If you know anybody that can help please let me know because I want to get back to maintaining the project.


Did you contact specific organizations such as FSF, EFF, etc and/or specialized lawyers? There were well known people defending itself or being plaintiffs. For example, https://cr.yp.to/export.html


What is the project? On what grounds did they C&D you?


Here's a write up of the legal threats timeline to our projects and how it coincides with their in house development of an npm package:

https://gist.github.com/smashah/667d4d5cf31670ee87547450861a...

They sent us C&Ds based on ToS.

Meta has done this before to insta and android devs.

Some never came back to their projects. It causes insane amount of stress and depression amongst the devs I've spoken with who went through the same thing.


What would they demand they cease doing? Publishing software?

If the use of this software is against their rights in some way, the end users running it would be the ones in violation. Publishing original software is protected expression.


One prominent counterexample to this thesis is DRM circumvention software, which regularly gets taken down via DMCA notices. I wouldn't be surprised if Apple even invokes that particular law.


"Section 1201 provides for felony liability for anyone commercially engaged in bypassing a DRM system: 5 years in prison and a $500,000 fine for a first offense."

So it's even worse than the risk of being taken down. Way worse.

https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-w...


iMessage is not DRM. It is not protecting IP.


The component that tries to identify that you're accessing it from the right device isn't DRM? I don't think courts would agree with that.


It's not done for the purposes of content protection/DRM. There may be other laws it falls under, but I don't think the DMCA is one.


Interestingly, the reference implementation does seem to reference FairPlay, which is very much a copy prevention/anti-circumvention system (used for iTunes content, but also video encryption via HTML EME): https://github.com/JJTech0130/pypush/blob/main/albert.py

Assuming that DMCA does not cover API authentication (i.e. preventing unauthorized third-party clients from being able to access a server-side API – and I really don't know if it does or doesn't!), I wonder what the implications are if the same mechanism is used for both DMCA-covered DRM mechanisms, but also non-covered other purposes.

My intuition would be that it can't be good to "multi-purpose" a DRM tool from a DMCA enforcement point of view, but maybe that was never Apple's plan, and they just used the most secure attestation technology they had available on each platform, which for Intel Macs might just have been software-only FairPlay.


ROFL..

Yeah, and when exactly should everyone expect to stop seeing DMCA take down notices that didn't abuse the system, willingful harm creators, and an appeals process that is an unfunny joke?

Until then, it doesn't matter what the law says. They will abuse it, because PROFITS.



Emulation software isn’t wholly original as it needs firmware and software from the device so emulated. An iPhone emulator with no bootrom and no iOS isn’t very useful.

An open source client for an API need not include any non-original works.


Depends on whether you consider a private key an "original work": https://github.com/JJTech0130/pypush/blob/main/albert.py#L16

The situation seems very similar to the AACS key leak back in the day: https://en.wikipedia.org/wiki/AACS_encryption_key_controvers...


Note that a key cannot be copyrighted, but it can be considered a circumvention tool for access controls that protect other copyrighted works.


There is a very useful iPhone emulator with no bootrom and no iOS: https://touchhle.org/

It targets games, so manages to be useful without having to emulate or re-implement the majority of the OS.



After digging in more I believe that is only done in that proof of concept. If that's the case then it's too bad they didn't go back and update the POC to avoid the need for the binary.


For the app it is probably just done server side.


What are the potential legal and ethical ramifications for developers and users in using such emulation methods or accessing private APIs?


> Publishing original software is protected expression.

That means Jack Shit in a world where a lawsuit can ruin a person's life regardless of its legal merit, with zero consequences for the corporation that filed it even if it gets tossed out by a judge eventually.

LPT: Live as if human/constitutional rights didn't exist. Because if push ever comes to shove, you will quite possibly find that they indeed don't exist in practice.


But there are consequences. Even if the financial costs are not meaningful to a big company, the backlash created by such actions can have wide ranging implications, from lost sales to loss of the public mindshare, to attracting legislative attention.


We are in an age of shamelessness and self-interest.

There's no story in the world that will get people to stop using services like Whatsapp or Instagram.

The only thing stopping these big companies is potentially setting a legal precedent that interop projects are legal.

They can potentially win such a case as it stands because the targets for their threats are few and far between.

If we as digital humans want to solidify this digital right then we need to have a unified front against threats like this. That means we need to have an OSS union behind which companies and individuals can unify if a precedent setting case ever does come up


Yes they demanded us to delete and stop working on all projects.

At the time it seemed like a serious threat.


Tell that to Alexey Pertsev.


I saw an article on the topic where the reporter spoke with Beeper's CEO, Eric Migicovsky. He seems to believe that blocking Beeper might cause problems for legitimate Apple user's.

Obviously that outcome is something he wants, but I still think its interesting.

[0]: https://www.theverge.com/2023/12/5/23987817/beeper-mini-imes...


Apple maintains iMessage compatibility with devices that are long out of support, if Beeper Mini is sufficiently similar to the client in for example iOS 12 then it makes an Apple decision to break Beeper fairly expensive. Even if they do the work to publish iMessage updates for the old iOS versions it just buys a little time before the new version gets reverse engineered, and that at the cost of poor user experience for the people with those devices in a form they will directly blame on Apple. Given all that I suspect he's right.


> Even if they do the work to publish iMessage updates for the old iOS versions it just buys a little time before the new version gets reverse engineered

There's probably a cliff in complexity. Once Apple starts requesting signed attestations from the secure enclave on the devices that have one, it's game over.

They probably don't just yet, since still too many people use iMessage on first-party clients that don't have one, e.g. Intel laptops without a T1 or T2.


If Apple does start enforcing signed attestations, they will say that it's to reduce abuse. I have no doubt (being in the anti-abuse world) that spammers and phishing gangs will immediately begin using Beeper to spam iMessage users because this allows them to avoid buying an iOS device. With end-to-end encryption, Apple may also decide to roll out privacy-protecting client-side spam and phishing detection, which would IMHO be a really great thing.


The phone number registration https://blog.beeper.com/i/139416474/sending-and-receiving-me... will make it possible to enforce legal action against malicious and spammy messages.

Note that iPhones already receive SMS spam and fraud just like every other phone.

However, you are correct that the blue bubble is no longer a guarantee that the bad actor is using an iPhone.


> The phone number registration https://blog.beeper.com/i/139416474/sending-and-receiving-me... will make it possible to enforce legal action against malicious and spammy messages

Like the legal action that is currently protecting us from robocalls?

I don’t know if iMessage registration requires bidirectional SMS verification, though. If it does, that would be significantly harder to spoof than just caller IDs.


They do receive spam and fraud, but the numbers are orders of magnitude less than every one’s else BECAUSE it’s tied to hardware. I don’t know the details of how’s these guys got around it, but this is bad for the rest of us when phishing skyrockets.


I don't understand what you're talking about. I get far more SMS spam on iOS than I did on Android.

Whether the number uses iMessage or not is totally irrelevant.


How can you get more SMS spam on one platform than another? With SMS they're just blindly sending to your phone number, your SIM could be in any device. They don't know what platform you're receiving it on.


Android is much better at blocking it.

There were also differences in the platforms with how/when your phone number can leak to spammers and data aggregators, although I'm no longer deep enough into mobile OS or related CVEs to know current details.


Maybe Apple needs an even blue-r bubble to set apart the super attested users from the mere blue bubble peasants


they could call it "apple blue" and charge a few bucks a month for it. People love that stuff


They can desaturate the iPhone / MacBook Air users to disambiguate from the MacBook pro / iPhone pro / max users. Also device age in years will add hints of green hue. That way people know they're talking to someone who can afford to spend thousands of dollars on hardware every year.


wait is this where "green with envy" will come from?????


I’d pay for a blue Apple checkmark!


I imagine the next color being purple since that's a sign of royalty. Hail to the king baby!


> With end-to-end encryption, Apple may also decide to roll out privacy-protecting client-side spam and phishing detection, which would IMHO be a really great thing.

Spam protection should be on the recipient, rather than the sender.


As we’ve learned very clearly over the last 20 years of commercialization of spam, that never works. The only tractable way to fight fraud and abuse is to impose cost.


The massive prevalence of physical junk mail would refute your argument that even a significant per message cost would dissuade abuse.


Scope and scale is important here, the amount of junk mail from business interests outside of my immediate region is not very high. If physical mail were free and you could send it from anywhere in the world, junk mail would be so much worse than it is. You couldn't run a lot of internet scams at the costs of physical mail and be profitable.


Probably not because even if the postage is free the paper, printing, envelopes, etc. are not.


How many pieces of physical junk mail do you get per day? Now how many spam emails do you get per day? Include the stuff that lands in your spam folder, because we're talking about cost to send junk mail here.

I'm willing to bet the latter is much, much higher. It certainly is for me.


I disagree. Email has SPF and DKIM an what have you exactly because client side filtering doesn't work right. Mail gets dropped beforr the clients even get a chance to run filters.

That's not to say that requiring remote attestation or blocking third party clients entirely is proportional, but Apple should (and does) play a role in spam prevention.


SPF and DKIM are ways of signing a message, but it's still typically up to the recipient or the recipient's mail server to decide what to do with that signature. And they're only checkable on the recipient's mail server because email isn't properly end-to-end encrypted, and exposes metadata.


SPF and DKIM can be checked client side no problem, assuming your mail server doesn't mangle the received-from headers. We just generally only use them as server-side filtering.


That's a brief statement which makes me think I'm missing something obvious, but it doesn't seem obvious to me. Would you please expand on that?


I think it's a bad idea to lock out unattested clients, and as long as third-party clients are accepted, spam will always be sendable. If you're not doing end-to-end encryption, you can catch it at send time by having the server reject the client for sending spam. If you're doing end-to-end encryption, the only options are the sender or the recipient, and attempting to block it at the sender would require prohibiting interoperability.


While I love the principle of accepting third-party clients, Apple clearly doesn't which make this argument fairly non-compelling for them.


There’s also the registration process that could be locked down and/or hardened. There may or may not be additional metadata (including out of band) that could identify first-party clients.

I would think that’s the biggest issue right now. If spammers can register “real” iMessage accounts at scale without Apple hardware, Messages becomes less pleasant, very quickly.


Apple can break Beeper without relying on the secure enclave: If Apple devices just send their serial number (IMEI for their GSM products), their servers can refuse to talk to hardware they didn't manufacture.


Non-Apple devices could just lie


Not if they require a certificate containing the serial number/imei/... + a nonce provided by Apple, signed with a private key/certificate stored in the secured enclave, loaded into the device when it's manufactured.


The GP comment was:

> Apple can break Beeper without relying on the secure enclave: If Apple devices just send their serial number

You have come full circle with the comment 4 posts up.


Beeper will know only a small number of valid serial numbers

If it ever becomes popular, there will be a lot of duplicate serial numbers. That's easy to detect and ban.


How does this address iMessages sent from non-iPhone devices?


If in the data sent across (via Apple servers) the IMEI and serial no of the device are also transmitted, then Apple can in that millisecond query on their various lists/inventories that this device is legit (activated device + IMEI + serial) and if all lights are green, proceed to deliver, otherwise drop it.

(perhaps different sets of data can be used, but it must be something that Apple already has, and the user has already provided (i.e. the iMessage email or the iMessage phone number, from the iPhone's enabled Settings)


As someone who once bought fake airpods on ebay, I can tell you that Apple can't do this.

I spent a number of days with them where they were trying to work out if they were fake. The serial number was real but they were fairly sure the number had been taken from a real product and reused, but were unable to say for sure.

I ended up just returning them (because of the ebay return window) but found it interesting that Apple couldn't easily check this, and was very aware of the issue.


you already have to do this to get certain apple services (including imessage) working on hackintoshes. turns out there's a really easy work-around: guess-and-check serial numbers on apple's web site until one works. they rate limit it a bit but you can usually find a working one without a terrible amount of hassle.


Do you mean that I now have a nice party trick - DoSing friends iPhone from sending iMessage? :)


If you have a FlipperZero, DoSing iPhone users with Bluetooth is a bit of fun!


I believe you can bruteforce/generate IMEIs somewhat easily. https://github.com/bstein/py-imei-generator


Looks like Apple figured out a way to identify Beeper clients: https://techcrunch.com/2023/12/08/apple-cuts-off-beeper-mini...


That would make sense: because Apple have deeply coupled iMessage to the OS they can’t simply roll out a new version of the app with protocol changes that would block Beeper, they’d have to release entire OS updates.

No matter the method it would be a scorched earth approach. I suspect the number of people actually using Beeper will be far below a rounding error for Apple.


Non-Apple legitimate users aren't the only concern for Apple: Once third-party clients are readily available, this makes spam much harder to filter.

Right now they can probably just ban known-spam-originating devices, which is much more effective than banning iCloud accounts since there is a much higher cost to the spammers.


You say this like Apple doesn't release OS updates. Why are you putting that as some arbitrary limiter to what Apple could do to protect its walled garden?


They don't usually remove features as important as iMessage from older iOS versions. I don't believe they push updates to the iPhone 7 and older anymore, so they'd be unable to use iMessage.


I have a 6sPlus, and messages work just fine, and it may not be iOS 17, but I recently-ish ran an update for its OS that Apple deliberately updated (which you just know must have been an important update). You can stop making stuff up now


Uptake for OS updates is very high on iOS though right? I heard a while back that it is like 90+% in 6 months. (could be totally wrong on that can someone confirm?)


Uptake of updates is, uptake of devices isn’t. Here I have 1st gen retina iPad from 2012 which is on the latest iOS available for it - 9.3.5 (from 2016, current version is 17.1.2). As of today FaceTime and iMessage still work perfectly fine.

That and reading the books is actually about the only thing it can do right now.


There’s a ton of devices out there unable to upgrade to the latest iOS. Obviously you can release point upgrades for old versions but I do wonder what the uptake of those is like. I’d wager there are a ton of very old iOS devices out there. At the very least many more than there are potential users of Beeper.


anecdote of 1, but i have a 6S+ that is kept up with any updates it receives which is 15.8. there maybe some devs that have older devices that they intentionally keep at even older versions, but if someone is using an old iDevice as a daily driver, they're probably still more likely to run the updates. at least, that's my reaches up and grabs for an opinion


I'm not that familiar with ios apps, can they not push out updates to individual apps?


On iOS many of the individual apps e.g. Mail, Notes you can delete and then re-download from the App Store.

And as part of Security Updates they have patched vulnerabilities just in the relevant apps.

So there is nothing technical stopping them. It's just been customary to treat iOS as a product where all features ship together.


I don’t think this actually physically deletes the app, given that it’s back once you reset the phone. It’s most likely just hidden/deactivated until you “reinstall it from the app store”.

Actual updates require the app binary/bundle to be mutable.


Apple never patches security vulnerabilities in individual apps except for Safari, and they’ve stopped doing that too.


Not the OS-included ones, afaik. Some Apple apps are through the AppStore normally, which can be updated independently (i.e. TestFlight, despite its deep hooks).


Why did google break out Google Play Services as a separate app, was that when they started integrating more with third-party android phone suppliers, and they didn't want to have to wait for OS upgrade cycles from slower-moving companies?


Probably they originally did it because Android has high-assurance embedded use-cases (compare/contrast: Windows IoT Core) where you want to strip out everything possible from the attack surface.

But mainly it's because base Android (AOSP) can be arbitrarily modified by the OEM; and Google doesn't want to have to trust installations of Google Play Services that have been arbitrarily modified by OEMs.

(Especially because those versions would likely all act differently-enough from one-another that they would be forced to loosen their server-side, network-traffic-fingerprint-based "authentic Android device" detection that allows them to ignore/block bots pretending to be Android devices.)

By shipping Google Play Services through the store, they can ensure that, on devices that run it, it's exactly the same code for every device that runs it, with no OEM alterations. (And they can also include various checks to reject devices that would try to alter that code at load time. This is the real reason why e.g. Huawei devices are blocked from using Google Play Services — they try to patch unspecified parts of the Play Services code while loading it, "breaking the integrity of the platform" from Google's perspective.)


Man, that's contrived. Really its simple: Google seperates out Play Services so they can harvest user data from virtually all Andoid devices. It lets them market Android as OSS while still reaping the benefits of closed source data scraping.


Google can harvest data from "virtually all Android devices" just by offering Chrome, Google Search, and Gmail as apps. Almost every Android user has at least one of those apps installed. They don't need Play Services itself to spy on you on top of that.


derefr cited one reason but there's another that's relevant to this thread: updates. In the Android model handset manufacturers and carriers decide when (or if) to ship updates. Google distributing their apps through the store gives them a way to roll out new features to a reasonable portion of their user base.


will iMessage Contact Key Verification coming in iOS 17.2 break Beeper — or just make it super annoying like the “not a genuine Apple part” warning when replacing a screen or battery


> because Apple have deeply coupled iMessage to the OS

No they haven't. On my Mac it's just an app and a reusable framework.

There is nothing stopping them releasing it on the App Store similar to Mail.


> There is nothing stopping them releasing it on the App Store similar to Mail.

In the sense that the app is just a wrapper around a system framework, sure. But changing that framework would be an OS release.


Mail is also deeply coupled to the OS. The app itself does very little.


I’m talking about the iPhone.


Messages is the same on OSX and iOS.

It's not deeply integrated into the iOS by any normal definition. It's just shipped together.


Messages has a bunch of special privileges on iOS, which is why they had to add the whole Blastdoor protection framework and why it's such a juicy target for sandbox escape exploits.


Nope. It just happens to be on everyone’s device and usually enabled


Yes, and when it's enabled it has more privileges than most other apps, doesn't it? But yeah you can still remove the app.

Btw, maybe related, on iOS I have "app privacy report" enabled, to show me a list of apps and the recent entitlements they used. Every Apple app, even those that don't need access to them, is shown as having recently accessed my Contacts. I find this weird. Anyone know why they do that? e.g. I've never even used the Health app and yet it's accessing my Contacts for some reason.


It’s basically the same as any other app, there are some special permissions it has to integrate with the OS a bit better but nothing too interesting. Not sure what’s going on with Contacts but it might be a bug?


The Messages app in macOS is less capable than the Messages app in iOS. It cannot even edit sent messages.


It can, by right clicking the desired message to edit. This is in macOS Sonoma, and I believe was a part of Ventura as well.


Oh interesting, I have a 2015 MacBook Air. Wonder if the feature is not available on whatever macOS version I have.


It’s a Ventura and later feature and your MacBook Air probably topped out around Monterey or earlier. 2016 MacBooks Pro also didn’t make the cut for Ventura.


fwiw it hasn't been called "OSX" for awhile now


It's not too hard to think through -

They would need to accept and verify a flag from messages that the copycats can't reproduce. At the very least that would require a client update from anyone using official iMessage clients, which covers many millions of devices.

Unless they're able to hook into already existing flags/keys on the devices since they already verify application signatures and a whole other host of things.

Apple can probably do it, but much like jailbreaking how fast can they release breaking changes?


They could probably require a new check but whitelist already registered numbers.


What's brilliant is they get press either way this goes down.


i understand no such thing as bad news/publicity, but if the 800lb gorilla squashes the little guy, then that's some pretty bad news. with the recent Twitt...er,X and reddit debacle with 3rd party apps, that 800lbs is pretty powerful when it wants to be

edit, because i used the wrong turn of phrase


is it powerful? In both cases X and reddit, nothing meaningful happened.

Apple could block any device without attestation then offer a discount for those on old products to upgrade. Now bad news is good news.


On the contrary, the EU law that enforces interoperability should put some wind under this project's wings.


Exactly what I thought


But EU interoperability laws are cancelled out by DMCA (aka EUCD). That’s why reading a DVD with VLC has always been “technically” illegal.

If Apple is able to update the protocol in such a way that it requires some kind of signed attestation from the secure enclave (basically a DRM) they’ll get legal protection.

Also. Nobody uses iMessage in the EU. It’s all WhatsApp here. Blue bubbles are an American obsession.


The recently enacted DMA requires interoperability. Unless Apple wins its case against iMessage being classified as a gatekeeper service, it'll be required to support interoperability. I'd be surprised if tricks like hardware attestation were compliant, unless Apple allowed other companies' hardware.


Furthermore some implementations cannot provide hardware attestation, so it probably couldn't be limited to implementations which can, if the EU really means "interoperable"


However, iMessage (the software) is already interoperable with SMS and MMS.


What exactly is considered bypassing DRM in the case of Beeper Mini, and what copyrighted content is the DRM protecting?

This might be news, but the DMCA laws don't allow you to restrict software which is compatible with your own, especially if the competitor never used your code.


> Blue bubbles are an American obsession.

No it’s not, it’s an obsession by a small number of users, not widespread at all.


it might even be the reason for it's existence


The timing is potentially clever. Apple has committed to supporting RCS next year, and will face regulatory pressure in places like Europe.

Even if short lived they could onboard a lot of Android users and then use RCS once it’s supported.


I wonder if these events are connected. Imagine Apple hearing through the grapevine that someone had a proper iMessage implementation and that they planned to release it for Android. Perhaps one way to get in front of that would be to commit to RCS. One could imagine the Nothing Phone events having the same cause.


>A universal chat application would be amazing

It would be, however would not bet my chatting account history on a phone number. Phone number does get lost over time. Email is more reliable, but may be a private key for authentication instead. Also a modern day chat app, one would expect to have chatting over bluetooth as well Internet such as Briar, and chatting over Tor such as Quite would be much more needed.


I'm not so sure about email being more reliable than a phone number. I believe more people have a contract with their cellular provider than with their email. Free email accounts could be banned with no recourse.


We had universal chat applications & standards and interoperability in the 2000s. Pidgin (et al.) + libpurple allowed users to use a singular application for chat--even the proprietary protocols. We also had (& still have) XMPP from that era which many of the big boys like Google jumped on, killed, then jumped off (EEE?). Are we just repeating history (https://ploum.net/2023-06-23-how-to-kill-decentralised-netwo...)? There’s an XKCD about inventing yet a new standard despite us having good ones for decades…


Given how many large chat systems are based on XMPP, it should be possible to select a set of standard extensions to interoperate with each other. Sadly, I don't see it happening.


True. But developers should push in that direction anyhow since it still means interop for those in that camp already… and considering how well those large systems have scaled, it’s a good idea.


This was never enough for me. On paper Pidgin did the trick, but you still had to remember which of your friends preferred which platform, you had multiple "friend" entries for the same person, many used silly pseudonyms that they certainly didn't go by IRL, you had no way to tell if your friends actually were monitoring each of their accounts (I uninstalled aim months ago, have you been sending me messages on it?), you couldn't have group conversations across networks without mental gymnastics or compromise, the features offered on each platform were inconsistent, both on their native apps and the features pidgin actually implemented.

That to me is not universal chat, that's just welding 10 chat apps into one, somewhat poorly.

That being said XMPP was well on the way to becoming something universally supported, and though the protocol itself was way more complicated and crufty than I'd like, it's a shame that Google particularly abandoned it for really no reason.


Since those services all died off my memory is a bit foggy, but I recall stacking contacts in one with Adium & being able to prioritize in that meta contact which service they provided. But I really only ever used it for two-person conversations so I had no experience with the group situation. Even still, a multi-chat app was a vastly better user experience than running several independent applications (with the cost of missing ‘advanced’ features & occasional outages as protocols needed to be reverse engineered & the proprietary providers had no incentive for backwards compatibility).

> Google particularly abandoned it for really no reason

What most annoying is seeing Big Tech now trying to write a new standard to comply with the EU instead of using the existing standard they abandoned that already has all the mileage & scaling looked at. Instead all the same hurdles will have to be overcome yet again, just like the current growing pains of Matrix meanwhile XMPP is still quietly holding strong for massive chat/presence systems.


I agree that it's better than using multiple applications, but today I just use one (for personal conversations at least, Slack for business and Discord for communities is a bit different), which is texting.


My texting is scattered. I’d prefer it to be all XMPP, but I engage with Signal, & Mattermost, IRC, & Matrix on a regular basis… & largely this is a result of me just quitting the other chat platforms that most are using here (LINE, Facebook Messenger) which has made communications more difficult for others. I could run gateway to puppet all those accounts which is a lot closer than Pidgin was at unifying it all, but I’ve been a bit lazy to set it all up (& if the common gateway tool wasn’t Python I’d be more thrilled to touch it).


What is currently not interoperable between the majors mobile OS makers?


Well messaging for one thing...

Some others:

- Find my device features including Bluetooth ping networking (airtags, Tile, Android's upcoming network)

- Airdrop/Nearby Share

- Bluetooth LE proximity pairing (at least I doubt this works when pairing cross ecosystem)

- Carplay/Android Auto

- Airplay/Google Cast


> Find My / Airtags

Another Apple ecosystem that can be used by non-Apple devices. OpenHaystack [0] has been working well for quite a while.

[0] https://github.com/seemoo-lab/openhaystack


See my comment below for why this isn't the interoperability I'm interested in. I don't want to use Apple's service, I want Bluetooth tag pinging to be standard across Apple, Tile, and Android ecosystem devices so that they all work equally well regardless of the percentage of one brand of phone or another in the area the tag is pinging from.


Is there a way to SEE the location of my Apple manufactured Airtags from Android?


Does this still work? that repository appears to be abandoned.


Apple did actually open up the network, there are plenty of third party devices that are 'Find My' compatible. It's intended for integration into things like bikes or scooters.

You can buy tags from AliExpress for $5 that implement it. I've been using a few for a couple of months, and no issues so far.


It would be preferable if Find My capable smart devices could forward tag pings on to non-Apple owners and vice versa. Right now, Find My is strong in the US where iPhones are very common, but it works worse in places where most phones are Android, and vice versa for Androids in the US versus abroad.

You are referring to being able to track devices via the Find My portal on Apple.com or your Apple devices, but I am referring to being able to merge the networks so that Apple devices will forward pings onto Android's Find My network and vice versa.


> that repository appears to be abandoned

The last commit and release is from october.


- Carplay/Android Auto

Are there any headunits that only support one or the other? The cheap Chinese unit I got last year supports wireless for both. It would be nice to have an open protocol though, so third parties could develop alternative UIs.


Or so that there isn't a duopoly lock in for a new phone OS or an android fork that doesn't have Google Play Services on it. Just like Google Cast and Airplay, this should be an open standard, not a pair of incompatible proprietary locked down solutions.


Sadly, yeah- even in OEM units.


okay but this "interoperability" is legitimately hard without degrading the user experience because apple's unique level of control allows it to produce a superior product with more consistency. airdrop is best-in-class; open-source solutions like wi-fi direct are dumpsterfires with trash UX. LE proximity pairing is, i believe, a custom chip apple put in airpods (h1 chip) because bluetooth is stuck in 2005 and still doesn't have easy pairing, full quality two-way audio, etc. carplay/auto have different feature sets and airplay is an objectively easier experience than google cast.

the EU is fundamentally interested in these changes regardless of consumer welfare. this is sour grapes because they fail at tech by every conceivable metric and by degrading everything to a common feature set and commoditizing certain standards, they hope to give domestic companies a prayer. that it prevents innovation and improvements is merely a secondary concern for the hard-headed anti-Americans in brussels.


> apple's unique level of control allows it to produce a superior product with more consistency

Another way to read this: Apple has a superior product because they perform anti-competitive practices and don't allow other companies to out-product them. And when they do, they buy them/shut them down before anyone is the wiser.


editorialization. you know as well as anyone that restricting your feature development to your own platform rather than doing a retarded design by committee helps one innovate faster.


We don't need to speculate; internal emails from the Epic trial discuss the motivations.

https://www.theverge.com/2021/4/27/22406303/imessage-android...

In short, Eddy Cue proposed in 2013 that Apple owning the best-in-class messaging app would be a win, and even mentioned the cost being low. Phil Schiller shut him down, arguing it would remove a barrier preventing iPhone parents from buying their kids Android phones.

That reads like anti-competitive motivation to me. In particular, it looks like tying, where two unrelated products are connected artificially. The wikipedia article on anticompetitive behaviors has a section on tying, and mentions another case involving Apple that bears some resemblance involving iPods being artificially restricted to only playing tracks either from iTunes or direct CD rips.

So I think the anti-competitive angle has some real merit.

The innovation claim, though, I have a harder time with. I don't see how releasing Messages for Android implies design-by-committee. They could just release it, like Beeper Mini just did, but without the reverse engineering part.


They could definitely just release an app for Android instead of opening the protocol, but as an Android user I'd reject it for the same reason I reject my Apple friends suggesting we all use WhatsApp or Signal: I don't want different conversations living in different chat apps for no reason. That to me is the bad old days of Facebook Messenger+Twitter DMs+SMS where I had to remember which platform each of my contacts prefers to use and then deal with missing features and an inconsistent experience all the time.

As much as I think Beeper's work on iMessage is important, apps like that do not and have never solved this problem. Because then you have different contact identifiers to contend with, the inability to make groups amongst those users, differing features, and the list goes on.

If you look closely at what I'm saying here, it's easy to compare it to what iMessage users say about why Android users create problems for them, and that's true. That's why messaging interoperability is important.


Interestingly enough, in my life, WhatsApp has just won. Everyone I know uses it, people I meet when traveling use it. Pretty much every Airbnb host tries to contact me on WhatsApp. My physio right now in Malaysia organizes all my appointments on WhatsApp. But I only travel East of the UK, so Europe/Afria/Asia, I have no idea what South America is like, and can guess that it's not as ubiquitous in North America based on these threads.

I cannot remember the last time I've received a non-spam SMS. The whole iMessage thing feels so alien to me. My girlfriend is an Apple fan-girl and has never used iMessage in her life. I kinda wanted to see what was special about it and when I asked her about it, she had no idea what I was talking about.


Lack of competition has actually been shown to reduce innovation, not increase it. No one is asking them to do feature dev or even support for other platforms. They are asking them not to _shut out_ other platforms if others want to do the work.


Innovation is a good thing, but for many items on this list there's no more innovation happening. Google Cast and Airplay have been mostly unchanged for the last ten years, and the same is true for Airdrop and Nearby Share.

You can definitely make the argument about innovation in the messaging space, but RCS is very extensible. RCS Encryption definitely needs to be standardized, but I recommend you check out how Google layered it on top of RCS [1] including handling fallbacks for corner cases like switching your RCS client away from Google Messages before the system realizes it.

This is to say that RCS is pretty flexible, the key is handling the fallback paths in the extension design and working with other vendors to standardize promptly, so we don't end up with the same kind of broken mess that the carriers made.

[1] https://www.gstatic.com/messages/papers/messages_e2ee.pdf


> apple's unique level of control allows it to produce a superior product with more consistency

Honestly, this reads more like marketing spin to cover anti-competitive behaviour than a forum post.


i am not, nor have i ever been, employed by apple. i use none of their products as my primary devices. stop breaking the forum rules.


Have you used Nearby Share on Android? It's IME just as good Airdrop, the only real issue is that it's not baked into Windows PCs like Airdrop is with Macs (confusingly MS has their own thing called Nearby Share for Windows devices). I've actually had less issues with Nearby Share, my iPhone stopped sharing to my mini after a few months but could talk to everything else. Android solved BT pairing in a superior way years before with NFC pairing. Touch two things and paired. I could get my airpods to pop up on my iPhone 1/10 times. Finnicky, overhyped crap IMO. Only reason NFC pairing didn't catch on is Apple holding the NFC chip hostage for the sole use of Apple Pay.


yes, i primarily use an android phone. nearby share is janky and terrible. additionally, the fact that it's not built in everywhere is a ding from the standpoint of an end user.


It is built in to the Share dialog, so it is accessible anywhere the Share dialog is shown. And when you copy something to clipboard, the popup at the bottom includes Nearby Share. Where else would you like to see it?

Certainly not every iOS app has a custom Airdrop integration either.

Every time I've nearby shared it's worked just fine. What phone do you have?


It's really not. Just make the "superior product" interoperable.


But it often not that simple, anyone who has done cross-platform development can tell you this by heart, it doesn't matter what you do, you must adhere to the lowest common denominator. Interoperability isn't free.


I'm not asking them to implement these things on every platform, but it's not difficult to make documentation they certainly already have about protocols available.


Protocols calcify when you don't control all the endpoints, consider the case in point, iMessage, it is seems like there is some security implications for spoofing iMessage for any random number, yet, apple's recourse is very limited if it can't update all the endpoints (devices).

The same is also true, say about AirDrop, if apple makes it "Open" and they have to make a breaking change for security or whatever reason, they can't feasibly even make an update available for non-apple devices let alone enforce it.

Now "Apple" has broken your non-apple device and along with it their reputation.

Open is good, but the cost is non-zero.


By that logic the Outlook for Windows team should be responsible for patching Gmail for Android.

This argument is silly. You could use this line of reasoning to justify why all computers should use the same OS from the same vendor. Of course then you'd have a monoculture where implementation bugs that cause vulnerabilities are universally exploitable, instead of only exploitable on machines running that vendor's software.


This isn’t uncommon at all when dealing with development that requires interoperability.

Far from it, actually.

If a part of your user base uses another service, you’ll inevitably have to add workarounds specifically to cater to users for that service. It’s just a fact of life when multiple groups have to implement a spec. If you aren’t willing to add workarounds, users will think your software is broken when they should be blaming someone else.

For example, Firefox maintains a few workarounds for websites that ship in the browser. They aren’t the web developers responsible for the sites but someone has to make it work.

Interoperability is not free.


Not free, but worth it for messaging to solve the real pain points that iMessage and Google Messages users deal with while trying to communicate across the aisle.


You're free to make value judgments, but for a business to follow through, the economics of it must be sensible. As a consumer, I prefer a secure messaging platform over an open one any day of the week.


>A universal chat application would be amazing Can't Whatsapp, Signal, Telegram, Viber and other chat apps be installed on both Android and iOS?


> A universal chat application would be amazing

You mean like WhatsApp, Signal, Telegram and dozens of different chat apps available for both Android and iOS?


Beeper is an app that unifies all the messaging protocols you mentioned (and others) into a single app. They are not introducing another protocol.

Universal in this context is referring to the ability to use a single app across protocols rather than the ability to use a single app across platforms.


I miss the days of jabber being able to senselessly talk to aim, msn, yahoo, icq, etc. All chat contacts in one account.


Jabber transports, they were great.


Ok, I get it.

It's what EU mandated and from March '24 all major chat apps have to be able to communicate with each other.


Relavent xkcd: https://xkcd.com/927/


This downloads from GitHub and ’executes’ specific code points in what looks like a proprietary Apple binary, ‘IMDAppleServices’. Where was that binary sourced? Could you provide more context for what is performed at the hard-coded call-in addresses in your code? Does this relate to how you’re presenting a unique device identifier to the network? Do all clients share one identifier, or is it generated per Apple ID? Have any Apple IDs been locked out of iMessage during your development and testing?


I am not the developer but I also looked at that binary to help the project at some point.

It's taken straight from OS X 10.8 (more precisely from an Update Combo on their download portal). It's calling NACInit, NACKeyEstablishment and NACSign functions from it (which have no entry points but with reverse engineering the offsets have been figured out). They are themselves relying on OS X system functions to get device information. The Python code is using Unicorn to emulate it and patch the calls to those functions to stubs returning pre computed values from a Mac machine (stored in a data.plist file). All clients are using the same machine identifier. IIRC, nobody did get its account locked but if the Apple ID has not been used at all it might fail (it depends on the donor device that generated data.plist, if it's a hackintosh for example it will likely not work).


That seems like a problem. Emulating the protocol is okayish-to-gray but having the binary there will just be a straight DMCA.

Wonder what the actual app is doing since this is just the PoC.


I don't think the finer legal points matter too much. If Apple wants to sue them, they'll sue them, regardless of legal merit. And I suspect Beeper is betting they can make their case from a more philosophical angle, such that it's irrelevant what grounds Apple cites when suing them. Beeper will fight it either way.

I'm an Apple user who has no need for this app. But I really appreciate that Beeper has the balls to reverse engineer the protocol and build a business around it while fully expecting a lawsuit. That's some old school hacker shit and I'm here for it.

Apple tried and failed to sue Corellium for emulating their hardware, and now Corellium has a viable business around it. I don't see why Beeper should fare any differently. They just need to be prepared for a fight, both legally (lawsuits) and technically (ongoing game of cat-and-mouse).


Reverse-engineering and documenting protocol is OK. Implementing protocol according to the documentation is OK.

Copying and modifying binary with proprietary license is not OK.


How do you run the binary if that's not OK? In order to install it, The binary gets copied from the installer (dmg/zip/app store/CD install media), and then to run it, it gets copied from your hard drive to RAM, so that's clearly okay in some circumstances. Furthermore, once it's on my hard drive, I can copy it over and over again in random places on my hard drive for funsies and the operating system will gladly cooperate. Once it's on my drive, I can go in with a hex editor and randomly change bytes for funsies. It's on my hard drive. Am I then not allowed to delete the program from my system? If I use shred to delete it, which will set the bytes in the file to zero, or format the hard drive, am I breaking the law?


In my very limited understanding, distribution is the key.

It’s legal for Apple to distribute Apple binaries. It is not legal for someone else to distribute Apple binaries.

Copying a binary from installer to app folder: not distribution

Putting the binary on a USB and giving it to your buddy: gray area, not worth prosecuting, but maybe technically distribution

Uploading the binary to a GitHub repo titled “Apple binaries here”: obviously distribution


Which is weird if you think about it. If I buy a car, give it a paint job, mount some LEDs, and a new sound system, I'm totally within my rights to sell it. I can't say that I'm Ford or Honda when selling this modified car, but I'm totally allowed to sell it.


Yes, and this analogy is even more valid than usual, because unlike most software where each binary is an exact copy of all the others, in this case each binary is actually unique to a device.

But it's more like a ticket, or an NFT. It's a unique blob that was sold to you. You should be able to transfer it.

Apple's best argument here might be that the blob is meant for one person, and distributing it this way is like sharing a ticket to the cinema between multiple people. I can't enter the cinema, then come outside and pass you the ticket so you can enter it too.


In that case the easy way out (and what plenty of Hackintosh/console hacking/emulation/etc. communities have done since the beginning of time) is to just download the file directly from Apple when the app starts up the first time or have an “import BOOT.bin here” button you use to activate the app. If someone can source the binary you need to get the app to work I think that’s DMCA legal.


Those are all fine but it's not the context of the copying in the discussed scenario.


I dont believe Apple would sue. I think they would just change the protocol to block this from happening.


I think you might be right, especially with the heat on them from the EU right now. It's faster to play the technical cat-and-mouse game for as long as possible.


There's also a very small chance that the EU would sit idly by and watch Apple wreck compatibility.


>Beeper will fight it either way.

That sounds nice and all, but what happens when the first bill comes due from their legal team?


I imagine they'd use some of the $16m+ they raised in VC money to pay the lawyers...


I have a hard time believing that the folks who were smart enough to do all this work somehow forgot that lawyers cost money


i don't disagree, but nobody can compete with the money Apple can spend. not every David can find a Rainmaker when competing against Goliath. Goliath still wins a lot. He was a champion after all


I’d donate to a legal fund on this personally. I think a lot of people and large corporations would like to see Apple have to make concessions here.

I think if it comes to it, Apple will wind up looking very bad in a trial. Their behavior here is deeply anticompetitive. iMessage is just too important to modern text communication to be as locked down as it is.

If Apple doesn’t want to make an Android app, they should at least make an API so other developers can.


> iMessage is just too important to modern text communication to be as locked down as it is.

What do you mean; if a private company creates something, and enough people buy/use it, at some point it becomes a common good? I like the idea of iMessage being open, but I don't like the idea of forcing Apple under government threat to open it


I don’t know what you mean by “common good” in this context, but if a company has a dominant market position and uses its power to cripple competition, then it falls within antitrust laws.

iMessage is so important today, especially to young Americans, that its exclusivity to iOS has become a significant barrier to Android or other operating systems from being competitive.

It’s up to regulators and the court system to decide whether that is a violation of antitrust law. But if it is, then yes, the government should force them to open it. That’s what it means to enforce antitrust law.


Apple does not require any consumer to use iMessage, nor do they make installing alternatives such as Whatsapp difficult. iMessage is simply a messaging option. This is in stark contrast to how MS treated IE back in the antitrust lawsuit days.

The fact that lots of people prefer to use iMessage -- despite myriad easily-accessible alternatives -- doesn't feel anticompetitive in the slightest; in fact making a product that people freely choose over similar alternatives is the definition of winning competition.


The Messages app is the only one everybody has no choice but to use though, since it’s the only one on iOS that does actual SMS, which is needed for interacting with businesses and in other scenarios. It’s also the most discoverable one and the only one that comes on the phone by default. It has a privileged place in the ecosystem, and that’s why it’s a potential target for antitrust regulation.


I feel so old. What is it that I'm missing out in iMessage that is so important?

Honest question, I've been texting since t9 and have never owned an Apple device.


It’s really nothing special. I personally use WhatsApp with most of my friends.

The problem is when you have one person in a group that is on Android when everybody else is on Apple. This causes the iMessage conversation to use SMS instead. To signify this in the app, texts appear as green bubbles instead of blue, so it’s obvious when it happens.

This is bad because SMS is totally obsolete. It causes images and videos to be shared in extremely low resolution, along with problems of messages not getting delivered reliably and other missing features.

So effectively to the iPhone user, Android users very visibly cause group chats to be super crappy in iMessage.

This is not the fault of the Android user really, because it’d work way better if Apple supported RCS like Android phones do, but many people have a very strongly negative impression of Android due to this.

In fact, some iPhone users put social pressure on people with Android devices due to this in the form of excluding them from group chats or complaining about how they cause problems.

Apple has been perpetuating this problem because it suits them. People know this, but it’s Android and Android users that suffer regardless due to Apple’s dominant market position.


It provides a much better group messaging experience than SMS (you can see who’s in a group and add and remove people), delivery/read receipts, better image quality, is encrypted (although that gets somewhat negated by automatic iCloud backups), and is free as long as a data connection is available.

Of course many other messengers offer most of these features too, but for some reason, no alternative has been able to establish itself in the US.


iMessage was heavily integrated into the ios flow when sms was the dominant mobile text messaging system. It's not special, and that's the point. It just worked the way people want texting to work as smart phones gained momentum, and iPhones have so much of the market share that it's way more irritating to use a separate messaging app when you can't change the default integration on ios. I miss the convenience of heavily integrated iMessage comms at least twice per day.


Interesting, I use both Messages and a few third-party messengers, and I wouldn't say that Messages is integrated more deeply with iOS, in the way that e.g. Safari and Mail were for a long time (before you could re-associate http and mailto URLs).

The share sheet just shows my most-frequently-used messengers, as well as direct contact names for my most important contacts, no matter what messenger they're actually on.

The only thing I can't yet do on my third-party messenger is initiate messages from my Apple Watch, but that's presumably due to a lack of a native watch app more than anything.


Yes, governments can require interoperability and can limit monopolies. That's how antitrust laws work, like it or not. But if you want to get all libertarian, why should companies be able to use government power (as in courts, DMCA and the like) to shut down smaller companies that reverse-engineer their protocols?


I'm a major libertarian, and you have a great point. Apple should maintain their competitive advantage via technical means or let more cooks in the kitchen.


Which is pretty much where "if you can't innovate, litigate" has its roots.


coughs in AT&T


The Streisand effect will certainly boost enrollment if Apple sues.


There’s no need for Apple to react to this project at all.

Eventually, someone will send spam using this app, at which point automated systems at Apple will “console ban” the hardware identifier shared by all of the app’s customers. The project presumably has a library of valid hardware identifiers collected and ready to go, and eventually that’ll be drained by spammers faster than revenue versus device purchasing allows for. Apple can just wait silently as the app exhausts their pool of hardware identifiers, each banned by pre-existing anti-spam automation, without ever acknowledging their existence.


Apple may not buy WhatsApp will. If there's ever a commercial or OSS third party WhatsApp voice client I would expect they will try to send their Perkins Coie dogs after the project. They've already done it to many oss projects, terrifying Devs from continuing their work


Followup: One day after widespread press, Beeper has apparently triggered Apple’s protections and is temporarily offline until they rotate identifiers and perhaps IPs. Apple has neither acknowledged that Beeper exists, nor stated whether Beeper was blocked by automated or a manual process. This happens every year with third-party iMessage clients, but we’ll see how it goes for them. Perhaps it’ll be different this time.


The app is not redistributing it, it just requests a server to get validation data (since anyway the actual library loading involves patching every system function, making the function independent from the host device, see [0] if you want to see how it's stubbed to run on Linux using a data.plist file), and thus there is no need to emulate it on device.

[0]: https://github.com/Dadoum/imd-apple-services


My (very limited) understanding is that this "validation data" is related to the certificate generation (see [0]). So if the app isn't emulating this on device, and instead calling out to a Beeper server that is hosting the Apple binary, is this a potential security risk? Is it possible to use the data that gets sent off device to derive the client encryption key? If so, that would be a huge security hole in this implementation, completely negating their claim of maintaining secure E2E encryption.

[0]: https://www.reddit.com/r/beeper/comments/18duom1/is_beeper_m...


I didn't implement all the IDS stuff, but I am pretty sure the certificate is not used at all to derive keys for anything related to iMessage. I think it is used to attest that the device running it is running Apple software, and it may generate keys to make that an identifier to Apple (probably also because the user may not have any Apple account, so they have to generate another identifier for that purpose).


Doesn’t this already have precedent? Nintendo used to check for the existence of their logo in cartridges before loading them so that anybody who wanted to create an unauthorised cartridge for a Nintendo system would have to reproduce their logo and infringe on their copyright. I’m pretty sure the court ruled that reproducing the logo for the purpose of interoperability was fair use.


There are reverse engineering/interoperability exemptions to the DMCA so it may not be that simple.

So would be curious if they have already sought legal advice which says they are in the clear.


they raised $16mm. I assure you they've talked with a lawyer or two.


If they actually just took a binary from OSX and stuck it into their app it probably wasn't the best lawyer


I believe it's server-side: not distributed.


Sam Bankman-Fried raised $1.8B, yet we know how that ended even with lawyers available, so... We'll see.


I hope we get to a place where people like this simply generate an OpenPGP key/OpenSSL certificate for a pseudonym and just throw this stuff up on .onion and .i2p domains. A place where DMCA and copyright literally cannot be enforced because it's impossible to.


This reminds me of the near-ish-future "Rainbow's End" by Vernor Vinge, wherein instead of giving out phone numbers or email addresses or screen names (identifiers), people give out opaque GUIDs [0] that act as communication handles with capabilities baked in. So, you could give out one to friends that allows people to open a synchronous voice channel to you, but give out one on your business card that just allows people to send text messages to you.

The book doesn't talk about it too much, but presumably these handles could be limited-use (time-based or only granting a capability to send a certain number of messages) and could be revoked.

I know it would probably be off-putting to give each person I meet a different GUID for contacting me (kind of like telling them your email address is <their_name>@<my_vanity_domain>), but it might reduce the spam I receive.

[0] if you're searching the ebook, they're called "golden enums" in the text


Not sure how likely is that considering that Beeper is an actual/company startup which seems to have received funding from YC?

However, considering that I'd except they'd know better than to just outright take a binary from MacOS and use it in their app (assuming that's actually the case..).


It's not impossible, just currently not worth the tradeoffs of enforcing. There's nothing stopping governments from passing laws holding IP address owners responsible for the traffic they originate. At that point VPNs and Tor exit nodes will stop allowing illegal activity. VPNs are already moving this direction, no longer supporting port forwarding ie hosting content on bittorent.


If that becomes a problem and they get enough funding, I'm sure they can spend a few days / weeks reverse engineering the functions they need. At this point it just needs some effort, not some crazy research capabilities.


Given that these are cryptography-related functions, I feel like symbolic execution could yield the actual algorithm they use.


It's probably not even that hard. If some block looks like a crypto section, you can likely match the relevant constants to the algorithm. It's not like Apple will use some super custom solution there. "Where is the AES and how is the IV generated" is more likely question.


It’s already in the works, someone has already made a lot of progress on this front on pypush’ Discord server.


I already had a significant respect for Beeper (Cloud) as a technical product. The backend being Matrix with open source bridges was a great choice.

This write up adds so much more to that respect. It would have been easy to botch this, it would have been easy to do a worse implementation that would have caused problems for users whether they cared or not, but Beeper seemingly took the time to get right.

Congrats to Eric and the team on the launch!


Did you get permission from Apple to connect to their servers? Google Play does not allow apps to connect to 3rd party APIs without consent.

The relevant policy can be found at: https://support.google.com/googleplay/android-developer/answ...

"We don’t allow apps that interfere with, disrupt, damage, or access in an unauthorized manner the user’s device, other devices or computers, servers, networks, application programming interfaces (APIs), or services, including but not limited to other apps on the device, any Google service, or an authorized carrier’s network."

From what I understand your app connects to APNS without permission from Apple.

I have personally had my Google Play Developer account banned for making an app that connected to a 3rd party service


I'm surprised Apple hasn't cut them off yet. They must not be able to for some legacy reason. I suspect the only way to cut them off would be to cut off all the older phones like iPhone 3GS as well.

>the iMessage protocol and encryption have been reverse engineered by jjtech, a security researcher. Leveraging this research, Beeper Mini implements the iMessage protocol locally within the app. All messages are sent and received by Beeper Mini Android app directly to Apple’s servers. The encryption keys needed to encrypt these messages never leave your phone. Neither Beeper, Apple, nor anyone except the intended recipients can read your messages or attachments. Beeper does not have access to your Apple credentials.

>We built Beeper Mini by analyzing the traffic sent between the native iMessage app and Apple’s servers, and rebuilding our own app that sends the same requests and understands the same responses.

https://blog.beeper.com/p/how-beeper-mini-works


Is this specifically unauthorized, though? The user is permitted to use Apple's services, and Apple has, as far as I know, not announced that third party apps may not use their services.


If Apple files a complaint with Google it will definitely get taken down under this clause, so I think the only way it will stay up is if Apple doesn’t care.

With the trouble Apple goes through to ensure you are accessing APNS from an Apple device including obfuscating the signing algorithm and requiring unique hardware identifiers I think it’s safe to assume they don’t want 3rd parties accessing their services.


Even Signal pitches a fit if you use a third-party app with their servers. It's a common (and unfortunate) practice.


what does this mean? plenty of 3rd party signal clients exist (flare being a well-known one); signal explicitly factored out a libsignal presumably to _encourage_ this.

i’ve run multiple 3rd-party signal clients, even alongside the official apps, and never seen any problems or warnings.

[flare]: https://gitlab.com/schmiddi-on-mobile/flare


>what does this mean?

Moxie (Signal's founder) has thrown fits in the past over the existence of third-party clients using their servers: https://github.com/libresignal/libresignal/issues/37#issueco...


By calling that a “fit” it sounds like you’ve an axe to grind.

That was pretty damn polite for a heated mailing list discussion.


I use my own personal fork of the official Signal app (I absolutely despise the idea of going back to having a separate SMS app), so I do. Sort of.


> It's a common (and unfortunate) practice.

It would be nice if third party clients were allowed to connect, but it's totally understandable if they don't want to allow it. Servers cost money, and misbehaving client apps that you have no control over sound like a pain in the ass.


> I have personally had my Google Play Developer account banned for making an app that connected to a 3rd party service.

Well what did it do with the service?


I had app that connected to the Snapchat API and let you upload photos with custom effects and photos from your photo album before that was a feature (not sure if it is today, I don't use Snapchat)


Great job! Just from taking a quick look at this, what you have here is much bigger than iMessage itself.

This could literally allow things like Universal Clipboard to work on Linux and Windows - by using the method presented here to access the iCloud Keychain and generating Continuity keys and placing them there - then the iPhone will broadcast its clipboard data encrypted with those keys via BLE. If I understand all of this correctly.


I had been wondering where Beeper's route to profitability was, but if they can get Continuity and AirDrop stuff working with Windows that will be an instant no-brainer subscription for a lot of people (including me), so I guess it works out.


It works over wifi, but you might be interested in KDE Connect [1]. It can do clipboard, remote input, file sending, command running, etc. on Windows and Linux.

[1] https://kdeconnect.kde.org/


Would like to try it out but the developer decided to force sign-in with google and I have removed that from my AOSP build.


Beeper is a really cool idea by some cool people (people behind the Pebble smartwatch) but I've resisted using it for fear of bans. I don't want my Slack/Discord/Instagram/AppleId/etc to get banned for using something not allowed under the terms of service. How are people who use Beeper dealing with this? Are you just using dummy/test accounts that you don't care about or are you just rolling the dice.

I would like to live in a world where I could use Beeper without worry but I don't feel like we currently live in that world. Am I wrong?


I’ve been using Beeper as my main chat client for multiple years and haven’t had any issues with account blocks or bans on any of their supported platforms. I have Discord, Signal, WhatsApp, iMessage, and LinkedIn connected. There are technical issues at times but they are well communicated and usually resolved pretty quickly.


I've used Beeper for about a year with Facebook, Signal, Instagram, Twitter, LinkedIn, and iMessage. Instagram signs me out once a month or so for security suspicions, but I just reconfirm my account with 2FA. Other than that, no issues.


> I would like to live in a world where I could use Beeper without worry but I don't feel like we currently live in that world. Am I wrong?

I've been using Beeper for close to six months, and it's been a dream.


Since they've been on waitlist-mode for several years, it's not currently easy to try out in any case.



Says invalid - maybe used already ?


They’ve opened invites from existing users


Beeper mini does not require an apple account so there's not much harm Apple can do


If you have an Apple account, why are you even using Beeper? I guess it might have some advantages for convenience (multiplexing chat apps), but is that the main selling point right now? I'd imagine the target market is Android users who want to talk to people on Apple Messages. So they can just create a new Apple account, right? (Isn't that kinda hard anyway, though? You need to tie it to billing, etc.) And if that gets banned, who cares? It's not like they were using it for anything else anyway.


I sit in front of my work laptop which is signed into my work apple account. My iPhone is signed into my personal Apple account. I cannot iMessage from the keyboard because they won't play together. I've been using Cloud Beeper since early summer, and it makes the two apple systems play nice together. I also have a Windows machine signed in to it, but that's a nice to have.


Wait, how does this work? Is it using Handoff and sending from your phone, or Beeper is just a GUI and you've extracted a token from your personal phone to use with Beeper on your work device?

Btw, this is mostly unrelated, but do you work for a large company? I'd assume most security teams would have a problem with a setup like this.


Neither. Their cloud server is a farm of Mac Minis or similar. Then Beeper Cloud is basically a proxy from the app to that data center.


Ah I see. I thought I remembered reading about that on Twitter (in the context of people criticizing it as false advertising). So basically this Beeper mini is the "proper" implementation of full e2e encryption, while the cloud service was the bridge to get them here?


That's my understanding, yeah. I don't love my apple ID being signed into a box I can't access, so would love to see THIS service go cross platform.


I'm more interested in the multiplexing aspect, yes I'm iOS/macOS so I don't care about the iMessage aspect alone though I'd love to pull all my chats into 1 extendable app.


An Apple account isn't particularly useful for messaging without an Apple device to message people with.


It seems that at least the push notification registration part uses a "leaked/extracted" FairPlay private key [1]. As far as I understand, FairPlay certificates/keys should be unique to each iDevice. Couldn't Apple trivially ban all subscriptions originating from this fake device? The comment says you know how to generate more; does Beeper Mini generate one for each install? Why would Apple believe those certificates are authentic?

P.S.: the source repo mentioned in the comment (https://github.com/MiUnlockCode/albertsimlockapple) is 404.

[1] https://github.com/JJTech0130/pypush/blob/main/albert.py#L16


Snazzy Labs did an overview video [1] about this implementation. According to them, reusing a specific hardware token is such s common practice that Apple would need to "redesign their entire authentication and delivery strategy" to mitigate this problem. I guess we'll see how this statement holds up in the coming weeks/months.

[1] https://youtu.be/S24TDRxEna4?t=5m38s


This didn’t really say much. Apple definitely knows about Hackintosh users, they mostly just don’t care. The question is whether they will actually do something if made to care.


They 'don't care' because they know that the M series processors were coming and now there is a built in death counter coming for Hackintoshes...the day they drop Intel support.

June 5, 2028: Intel hardware will reach "vintage" status after having been discontinued five years prior, ending most of Apple's service and parts support for Intel hardware.

June 5, 2030: Intel hardware will reach "obsolete" status after having been discontinued seven years prior, ending all of Apple's service and parts support for Intel hardware.


> They 'don't care' because they know that the M series processors were coming and now there is a built in death counter coming for Hackintoshes

No, they don't care because they don't think about it at all. Hackintosh's numbers never mattered, it's always been too onerous to maintain even when it was at its easiest.


This is too high profile. Apple is absolutely, 100% going to kill this and it’s gonna screw this over for those of us who leverage iMessage in Hackintosh environments.


You might be right, but if ever there was a regulatory environment under which Apple would think twice, this might be it.


Apple may be reluctant to kill this exactly because it is high profile, given the current anti-trust investigations.


It's been around for ages, and Apple has taken no action so far.


It has never been this easy and it has never been behind a subscription fee.


Yes it has... Beeper, before Beeper Mini.

Using the aforementioned Mac Mini server farm method.


We're talking about a company that changes CPU architectures for their ecosystem every few years, completely seamlessly. If redesigning their entire authentication and delivery strategy is what it will take to mitigate this problem, Apple will do it.


What problem? Increased compatibility?


From Apple's perspective, yes. Social pressure to buy Apple devices to use Apple's messaging app is part of Apple's marketing strategy.

Apple also claims that blocking devices by serial number or similar unique hardware identifiers is a key part of its anti-spam strategy. If true, an end-run around that will likely create problems for users as well.


The creator of this is screwing things up for everyone. If it was an obscure, open source project Apple would probably let it slide and we’d be able to enjoy this indefinitely. This has been the case for Hackintosh stuff and the like.

But no, the author had to make a dumb, flashy looking website that looks like they’re advertising a product built around reverse engineered Apple tech. I bet they get a Cease and Desist by the end of the week and the hole is patched shortly after.


Isn't apple implementing full RCS support next year?


There is no encryption in the RCS standard, so of course no encryption.


The current state of affairs re encryption is an accident of history that I would bet doesn’t last much longer once Apple gets formally involved.

“Apple says it won't be supporting any proprietary extensions that seek to add encryption on top of RCS and hopes, instead, to work with the GSM Association to add encryption to the standard.”

https://www.techradar.com/phones/iphone/breaking-apple-will-...


I think so, but something makes me think they're not going to do it in a way that gives RCS users full parity with iMessage users.


Not encryption, apparently. And the blue iMessage bubbles indicate encryption, so RCS bubbles will be green.


Apple has control issues. If they don't control it or at least sign off on it, they want it to be incompatible with their hardware.

Hell, they don't even allow alternative browsers on their iOS devices. All the non-Safari browsers are just Safari in a (Chrome, Firefox, etc) skin


One man's increased compatibility is another's security vulnerability.


Bridging the blue bubble moat.


Does this look like the same file from the deleted repo? https://github.com/rdxunlock/albertsimlockapple/blob/main/AL...

I'd love to see an open source version of Beeper with no analytics. I'd be happy to host my own notification server.


The python library they provide should be a good start at least: https://github.com/JJTech0130/pypush


Beeper already advertises the self-hosting route: https://github.com/beeper/self-host


I hope they open source their client app or at least makes it possible to connect to other matrix server. For me, their client app is the best matrix client in terms of UI.



OK, took a while to figure out what it is, as I barely know anyone using iphone. Though it's not for me, BUT if they deliver this:

> Over time, we will be adding all networks that Beeper supports into Beeper Mini, including SMS/RCS, WhatsApp, Messenger, Signal, Telegram, Instagram, Twitter, Slack, Discord, Google Chat and Linkedin. We'll also bring Beeper Mini to desktop and iOS.

I'm interested, even if it's paid. I'd love to have most of those apps gone and use a cleaner one.


Happy Beeper customer and original poster here to tell you: Beeper Cloud is already out there and works really well! It's also free, though you'll have to get through the waitlist somehow. It doesn't perfectly replace every app just yet but it covers the most important functionality extremely well. And it's available on mobile as well as desktop devices.


IIRC, though, Beeper Cloud does not come with end-to-end encryption on messaging services that usually have that feature through their regular app. Messages are encrypted between your device and Beeper's servers, and between Beeper's servers and the other end of the conversation, but the Beeper folks can still read your messages if they want.

(Please correct me if I'm wrong; the architecture of their product is pretty confusing.)


Do you mind giving me a referral for Beeper?


Here you go - refer.beeper.com/39gJJ0


Possible to generate another ? Says invalid code

Edit: I mean a code for Beeper Mini on Android - not desktop


> Says invalid code

Well yeah it was already used and you came 3 hours after the fact.


Is this some sort of new mobile Adium?


Trillian


EveryBuddy


Not sure what EveryBuddy is. Trillian was a multi-protocol chat client from 2000 [0] named after Trillian [1] from 1979.

[0] https://en.wikipedia.org/wiki/Trillian_(software)

[1] https://en.wikipedia.org/wiki/Trillian_(character)


ah didn't realize it had gone away. its successor appears to be [0]

now I'm reliving the chaos of the late-00s/early-10s instant messaging apocalypse when AOL sunsetted AIM. Clients like Trillian were absolutely necessary before AIM shut down. Everybuddy was a good linux-friendly client. When I still spent time on IRC, I really really liked Bitlbee [1] with ERC [2]. Gaim was one of the first open-source projects I ever contributed to.

(I'm not saying that there's a connection there, but rather that all the chat protocols started getting used less around the same time for the same reason, which was smartphones becoming commonplace in late-00s.)

[0] https://en.wikipedia.org/wiki/Ayttm

[1] https://www.bitlbee.org/

[2] https://www.gnu.org/software/emacs/erc.html


Pidgin


Gaim


Miranda-NG.


Ive tried the legacy version to consolidate Signal, Whatsapp, etc and you can't send/receive calls, only messages. It's very much still a work in progress


> as I barely know anyone using iphone.

where are you located?


I'm from the Netherlands and I know plenty of people who have iPhones but I also know (and am) plenty people with androids. People use either WhatsApp or Telegram. Isn't iMessage just texting within a walled garden?


The situation is very different in the US, primarily because in other countries SMS fees tended to be really high a decade and change ago, and thus drove users to WhatsApp, but in the US most carriers had adopted some form of unlimited texting shortly after the iPhone first came out.

Thus, for many socio-economic groups, iPhone is definitely king in the US, and for them iMessage is just the default way to message people because when it was introduced it was the default way to use SMS on iPhone. A restaurant in Texas famous for their funny signs put this out, https://twitter.com/ElArroyo_ATX/status/1693316647677825160 , and tons of people (myself included) could immediately relate.


> Isn't iMessage just texting within a walled garden?

Isn't that exactly what WhatsApp (and to a lesser extent) Telegram are?


They run on basically any confumer device, so no.


Poland. I know a few apple fanboys but those aren't people I communicate with outside of work. Just not my bubble.

It's actually weird and silly when they send me text messages and somehow I end up in the same conversation multiple times - like once 1:1, once in a group chat with myself included twice or more (as a number, as an email, as a second number). It's a bizarre experience and usually iPhone user can't see anything wrong :D


I think this might be launching at an opportune time. The EU is already trying to force them to open up the App Store and iMessage has a target on its back. A cease and desist about this won’t look great in the inevitable antitrust hearings…


Does iMessage have a target on its back? It doesn't have a dominant position here in messaging, if it has a position at all.


over 50% of US market (and a few other countries), for starters. Not EU's jurisdiction, but it is a major messaging service.


Yes, I know but I was specifically talking about the EU, since that's the only government legislation for open access.


bit of irony that this can fly because of legislation in a mostly irrelevant market


Which is irrelevant, eu or us?


First they require email and personal info. Then they tell you it's a monthly subscription. Felt like a terrible onboarding experience and a bit of a dark pattern.


If you scratch around enough they do say it's a paid product. Pretty cool yes,"show hacker news"? Dunno.


This is an amazing technical achievement and there is no world where it doesn't get banned.


Dang, I support your efforts but I just don't have any incentive to pay for a texting app. Normal texting and WhatsApp and discord and Instagram and tiktok messages etc etc are all free. So I just don't really have a reason to subscribe to this.


> Normal texting and WhatsApp and discord and Instagram and tiktok messages etc etc are all free.

This product is not for you. I don't know where you're commenting from, but I'm guessing it's not from the US. Using WhatsApp or Discord or Instagram or TikTok messages only have value because the people you want to talk to use them. In the US, iMessage is by far the dominant messaging service for iPhone users, and iPhones dominate certain socioeconomic groups. This situation sucks, but there are lots of Android users who get extremely frustrated when a large group of their friends are on iPhones, to the point it can be socially isolating when you're "the odd man out" in a group chat (and it's not the whole green/blue bubbles the media likes to talk about, it's that interoperability between iMessage and other clients sucks and breaks many features).

This is a great option for US Android users who want to be able to better communicate with their friends that have iPhones.


I am in the US and have been here my whole life. My entire extended social circle uses whatsapp. I realize that is the minority but it does exist.


In Hong Kong everyone has an iphone but everyone uses Whatsapp. I'm so surprised iMessage is even used at all, we all consider it a gimmick here, like, Whatsapp and Telegram are so great at their respective subset of features and WeChat does the rest.


I recently paid >$1000 for the privilege of access to iMessage when switching from Android to iPhone. I'd have been _much_ happier staying on my preferred operating system and paying $24/yr.

(iMessage has, for me, actually been worth it - but still, I frequently find myself wishing that something like Beeper Mini existed so I could go back to android).


You switched from Android _just_ for iMessage? Why on earth for? Could you elaborate?


I did as well. Because there are group chats I need to be in that I can only access if I have iMessage

I can't convince dozens of people in the groups to go sign up for signal just to accommodate me


In many circles in the US, it is the way to communicate. You just end up left out of “fun” group chats where people want to use iMessage features and then end up left out of actual events because people forgot to invite in the greenie group.


For both social and work life it's an important way of communicating for many people.

Some people are just a little less quick to message you back if you're a green bubble or ask to use WhatsApp, especially in certain circles.


it's very hard to socialize with non-techies in the US without it. you miss so much.


What do you prefer about Android?


Long list, I've been meaning to write a blog post.


Would be very interested in seeing the list of things that you feel _aren't_ possible on iOS and aren't things I'd consider extremely "niche" or purely "cosmetic". (Sadly, I'll probably never know if you ever write such a blog post...)


How about not being in a walled garden and actually having access to your device?


Yeah, I hear Android manufacturers and app developers are very encouraging of unlocked bootloaders and user root access.

It's not 2008 anymore, we're all in walled gardens now.


Many people still buy Androids exactly because you can still flash different roms.


Agreed, and I'm one of them. However flagship devices have been neutered, and core (for many peoples lives) apps require significant compromise.

Whilst there are edge cases, the majority of Android users are effectively within a walled garden, which the opposite used to be one of its strongest appeals.


I'd still say it's not a walled garden, as long as you can install f-droid or the amazon app store. I can still access port, torrents, install a rel alt browser etc. It's a significantly less walled garden.


Affordability.


Yeah, the cost is a bummer but if I look at it as spending $2 a month to avoid buying an iPhone, it's worth it.


There really is no free lunch.

// insert some clever "you are the product" here.


Their older app, Beeper Cloud, is free anyhow.


Really happy to see that original customers are getting this included as well. I was worried that this was a ploy to say "we know we said you all would be grandfathered in, but that was for _Beeper Cloud_, our old legacy one. This new one is a monthly charge". Thanks for being great, @erohead


Yes, they didn't have to do that, and I certainly appreciate it. I think this business model is going to work for them, and the timing couldn't be better with the recent kerfuffle about Nothing's terrible attempt at this. They knocked it out of the park here especially with the no-compromise completely functioning end-to-end encryption.


That's one view. As a non Android user who enjoys unified messaging, I suspect this is the beginning of the end for the matrix driven client and whilst the grandfathering is nice, it does nothing for me and my Beepy.


> many people always ask ‘what do you think Apple is going to do about this?’ To be honest, I am shocked that everyone is so shocked by the sheer existence of a 3rd party iMessage client.

These are two completely different concepts?

I’m aware third-party clients have existed for eons.

I also believe Apple would shut this down.


Third-party standalone clients? Which ones?


Very interesting. I was under the impression that Apple used hardware keys to validate iMessage accounts. But it seems that this is able to talk directly to Apple without and Apple hardware? In the post it just says that you need to send and receive a SMS to register.


Old Macs didn't have a secure enclave so I assume this is using an old version of the protocol that was used in those days.


I would have also made that assumption, but I have to admit I'm not surprised it doesn't. IIRC, iMessage was introduced with iOS 5, which supported iPhone 3GS. The secure enclave didn't show up until iPhone 5S which shipped with iOS 7.


ah interesting, so Beeper's days may be numbered by when Apple drops support for older devices. But if they can grow quick enough then they'll have enough users that Apple can't quietly nail them and stuff their body into a dumpster.


Perhaps. They didn't start including the SE with Macs until the first TouchBar Mac in 2016. So there are many millions of non-SE devices in use right now. Of course, Apple could still decide to unilaterally drop support for iMessage on older devices, but doing that risks pissing off and probably losing for life tens of millions of users to prevent, let's be realistic, several hundred thousand users (this is a paid app, this isn't free) from using iMessage on Android using this method.

I wouldn't put it past Apple and other reverse-engineering routes might have to be taken but I don't think this is as easy of a "Apple will instantly shut this down" scenario as many others seem to.


If it realistically stayed with just several hundred thousand users, I would agree.

My suspicion though is that there will now be a rush of apps doing imessage on android or windows etc, and probably also spam on iMessage will go up which might stoke the fire a bit.

I guess we'll see what happens!


Blocking it might be a cat-and-mouse thing that works with heuristics, which would of course be unreliable in both directions.


In the related pypush repo it mentions something about hardware serial numbers used in rate-limiting, etc. So I guess they do something?

But yes, I was expecting it to be based on some kind of hardware root of trust certificate system that comes from deep within the hardware and secure enclaves!


I'm on the fence about using this. I don't want to switch all my conversations over to iMessage and then have Apple figure out how to ban this. That kind of feels like a recipe for lost messages.


For those trying it out or if it does get banned, here's the iMessage unregistration link:

https://selfsolve.apple.com/deregister-imessage/


I tested it out, unregistered in the app and now I can't receive SMS from iPhones. This link says my phone isn't registered either. Yikes!

Edit: it's working now, took 15 mins to work itself out.


Thank you, this was probably my biggest concern


That's my main concern as well. I don't want to strengthen such a closed ecosystem by building their network.

(That and desktop support is a must for me)


Beeper desktop supports iMessage too, I'm using it right now.


Do you have an invite - I'm on beeper mini but on the waitlist for the desktop!


Tis better to have loved and lost than never to have loved at all.


Same concern here. I think it's a more valuable use of time to get all your friends/family to switch to Signal. AND pay for (donate) to Signal.


It doesn't help that they want to pursue the exact same approach for the other apps they want to provide service for.

They are looking to get banned and completely damage the Matrix/Mautrix bridge ecosystem.


What's the point of matrix integration if not to use it? Gaim/pidgin ended because of changes not because it was too powerful.


If Apple bans this they will have to answer to EU courts. I very much doubt they will in this political climate.


They wouldn't have to ban it, they could just alter the protocol to make it impossible. iMessage is designed to only work on devices manufactured by a single company. All of those devices have secure cryptographic elements built into them. It's not a stretch to think Apple could lock down iMessage under the guise of security.


The only way I could see this happening is if they have all of the public keys of the secure cryptographic elements in a database of all Apple devices ever created. Because otherwise, it would just be trivial to emulate a "secure cryptographic element" if it's just a public/private key.

They aren't running a client by Apple. A glance at other posts seems they are using Apple code, but that would just be a matter of reverse engineering if the code required the secure enclave.

I can't think of a way that a server would be able to prove a device is Apple or not if you were to replicate the protocol completely. Only if there was some established public/private key would this be possible. And then the private key on the device would be in a secure enclave that you could feed it data to sign to prove the device is an authorized device.


I wouldn't be surprised if they in fact do have a list of serial numbers for all the mac, ios, tvos devices they have ever sold, linked with some corresponding device-unique public key data?


After reading some other comments, this very well might be the case.


I don't know how the secure enclave works in detail but if there is a private key inside it that it uses for attestation / signing, presumably it could also have a certificate signed by an internal Apple provisioning CA infrastructure which Apple can verify on their end.

Importantly, this matters even for those older devices that were created without secure enclaves. iMessage still used this PKI architecture back before every new mac/iphone/ipad had a SE.


Of course they have all of the public keys of the secure cryptographic elements of all Apple devices (that run iMessage) ever created. Why wouldn't they?


Again, they would have to answer to EU courts. They are legally required to be interoperable now. Banning non-iPhones would definitely be litigated.


Good luck testifying that they specifically adjusted a private internal protocol to block an App vs improve/iterate on the existing protocol.


That would be easy and wouldn't even require lying. "We identified and fixed a security vulnerability and fixed it"


That would break old devices.


This is not true. iMessage hasn't been declared a core service by the EU. This takes seconds to Google.


Yet. There's a decision happening next year. This also "takes seconds to Google". https://arstechnica.com/gadgets/2023/11/google-argues-imessa...

They are already a gatekeeper with core services that are required to be interoperable. Even if iMessage specifically hasn't yet been declared a core service, Apple is in the crosshairs and behavior like banning competitors will be harmful to their legal position at a very sensitive time for them.


Your link—hell, even the URL slug and headline—make it clear that this is something Google is claiming to the EU, not something the EU itself is claiming.

Yes, it's possible that the EU will rule that iMessage needs to fall under these rules, too, but citing a major competitor (who's even more under the gun for the same stuff themselves) making the argument that Apple should be restricted is, shall we say, not super persuasive on its own.


>who's even more under the gun for the same stuff themselves

Are they, though? Google allows alternative app stores on Android, they already implement an interoperable, open standard in their primary texting app (RCS), they allow alternative browsers on the Play store itself, and they don't block interoperability with other platforms the way Apple does.

That's not to say they're not under the gun, but what they're under the gun for is different, like bribing Epic and others to not move to their own app store or make a self-updating app downloadable from their website.

They're both monopolistic asshole companies, don't get me wrong, but they're using fairly different strategies.


> they already implement an interoperable, open standard in their primary texting app (RCS)

Yes, but Apple has announced they will do the same thing. That is not the same thing as interop with the actual iMessage protocol. Similarly, Google Messages does not allow interop with its encryption and newly announced sticker/effects, which remain proprietary to the Google Messages app.


You said "They are legally required to be interoperable now." which is factually incorrect. It's okay to just admit that you were wrong.


You're right, my statement was factually incorrect. The correct statement is "Apple is currently fighting an effort to require iMessage to be interoperable".

The argument stands. It would be a bad idea for Apple to ban competition from iMessage, even with an attempt at plausible deniability, while they are fighting European regulators about interoperability on multiple fronts.


Could they just require the client to send over the Apple logo, which is trademarked, like Nintendo did with the GameBoy?


That was defeated 30 years ago https://en.wikipedia.org/wiki/Sega_v._Accolade


And if Beeper keeps it up they’re likely running afoul of the CFAA in the US.

The EU doesn’t rule the world. They haven’t forced iMessage open yet, and Apple is clearly trying to avoid it with their announced RCS support.

I don’t think things are as far along as you do.


Can you explain more about the suspected CFAA violation?


See https://en.wikipedia.org/wiki/Craigslist_Inc._v._3Taps_Inc.

The CFAA says that "having knowingly accessed a computer without authorization or exceeding authorized access [is a federal crime]".

The courts held that 3Taps scraping the Craigslist website was accessing a computer and exceeding authorized access because it should have been obvious to 3taps that craigslist did not authorize them to scrape their website (namely from some IP blocks and a C&D letter), so it stands to reason that talking to the iMessage API from a non-apple device is a federal crime. Apple has only authorized apple-devices to talk to their API, it should be incredibly obvious to all of us that this is not being done with apple's authorization, hence crime.

In case it's not clear, I think the CFAA is a rather poorly thought out law since "authorized access" seems like it could be as vague as a ToS violation, which means it escalates things that seem more like civil matters into federal crimes.


The Supreme Court has significantly weakened the CFAA since then in Van Buren. The weakened version might not apply.


Not to mention, nearly everyone in power in the US has an iPhone, and Apple is a darling of the establishment in the left and the right, and virtually nobody else has any power.


Probably because no one uses iMessage in the EU.


I'm pretty sure almost everyone sending messages from an iPhone to another is using it.


Even iPhone users in Europe tend to just use WhatsApp. It's the default there, largely because of the history of carriers charging thru the nose for SMS back in the day...when WhatsApp offered "free" messaging (uses tiny amounts of your data plan), it took off.


> Even iPhone users in Europe tend to just use WhatsApp

Europe is not that homogenous, WhatsApp isn't even the most popular messaging app in much of Central/Eastern Europe and Scandinavia (in addition to that iOS has a similar/higher market share in Norway/Sweden/Denmark than it does in the US).

> of the history of carriers charging thru the nose for SMS back in the day.

Again, this wasn't the case in every European country (where I am text messages were already free or very cheap in the early 2010s so WhatsApp didn't really take off that much and FB Messenger is still quite a bit more popular to this day because it worked on PCs/browsers and most stuck to it when smartphones were becoming popular ).

same applies to Britain and Switzerland.


Doesn't iMessage predate WhatsApp for sending data based messages? I recall that being an early selling point.


I'm from Europe and live in Hong Kong, in both places, iMessage to us is like Edge for Windows users: a gimmick we see auto-installed but we dont use. So many people don't have an iPhone, and we change phone number every few months anyway. The US experience might be diff, and Europe / Asia aren't a single country, so maybe it even varies within.


> I'm from Europe

> in both places

> so maybe it even varies within.

Definitely Europe is not as homogenous as that. I do also live in Europe, people do use iMessage (or just text messages in general) where I am (to a much smaller extent than the FB messenger for instance which is much bigger than WhatsApp here).

And any meaningful number of people changing their phone number every few months is certainly not my experience whatsoever. Pretty much everyone I know have had the same number of years or over a decade or even longer.


Yeah I used it because the original comment did: ofc Europe is not a real homogeneous place.

I'm from Normandy to be hyper precise, and there, we don't have much iPhones or use iMessage. I certainly never heard of isolation due to lack of iMessage: we use sms or whatsapp.

In Hong Kong, it's common, maybe only among immigrants like me, to change number often, it just is, everyone I know does it, we just migrate with whatsapp. We do it to reduce the spam explosion over time as we give our numbers to more and more people, or to switch to cheaper 5G plans over time or stuff like that. I certainly hate now keeping a phone number too long, it just feels unsafe.


addandsubtract is referring to low usage rates of iMessage in Europe compared to other messaging systems, especially Whatsapp.


I was excited until it asked me to login with my Google account. If it doesn't need an iCloud account why does it require my Google one?


For the $1.99/mo subscription fee via Play Store in-app payment.


Yipes no thanks. I would consider a one time payment but this is too pricey.


It's got one of those "We'll charge you if you forget to cancel" subscriptions. Might be google's fault, but I'm not signing up.

I remember Meebo (https://en.wikipedia.org/wiki/Meebo) tried to do a similar multi-chat client as well, but for the web.


I mean… yes, that is generally how subscriptions work. Google and Apple make it relatively easy to cancel in-app subscriptions.


Yeah. It's pretty shitty. You should get cut off after a week with a positive opt-in to continue.


If you want that, just cancel the subscription immediately. You still get the free trial period and you can subscribe at the end if you want to. Works for any Google Play subscription free trial AFAIK.


Beeper was made by the pebble dev. Eric should have read the goal by Eli goldratt, it's a case study of TOC. I still love my slides of time.

Pebble: https://en.m.wikipedia.org/wiki/Pebble_(watch)

https://www.kickstarter.com/projects/getpebble/pebble-time-a...


For anyone confused, "TOC" refers to "theory of constraints":

https://en.wikipedia.org/wiki/Theory_of_constraints

I also enjoyed The Goal and found it helpful for my manufacturing business, although I'm having trouble understanding how it connects to this blog post.


It doesn't do with this post. It has to do with pebble. They overproduced and were too carried away with efficient over production and (probably) had warehouses full of pebbles. For years after you could get a new in box one for $40 or $99 at retail when it was supposed to be $200 or so.


What's Pebble? It's mentioned on the Beeper home page too with no context as though everyone should know what it is, sadly I don't.


One of the original smartwatches, if not the original:

https://www.kickstarter.com/projects/getpebble/pebble-e-pape...

(At least I think that's what the word salad of parent is referring to.)


I would name Seiko Data-2000 the original, some 28 years earlier. Even if you'd like something more modern-looking the list still has IBM Linux Watch and Samsung SPH-WP10 and others before.


Thanks. I had one of those and quite liked it.


The unfortunately fatalist question to ask is... how long until Apple shuts it down?


Seems like the local implementation may be durable, but the system for backend polling (BPN) they built appears to ping Apple servers server side. I imagine that creates a block of homogeneous traffic for Apple to spot.


I give it a week, tops. The next iOS update at the latest.


They’re gonna break iMessage for the ~50% of population not on the latest version of iOS next week?


...They obviously would do it in a way that doesn't do that? Do you think this company can outsmart them in the long-run?


This is a replay of the Messenger Wars. Yahoo IM, AIM, ICQ, etc played a game of cat and mouse with clients that wanted to get all of the messengers in one spot.


Right. What is stopping Apple from requiring a valid unique device key with every request now?


Old hardware that doesn't have it. Are they gonna ban my iMac from 2009 that was before iMessage was a thing?


Yes, they are. You already don't get OS updates.


No they aren't. My iMessage still works, and so will other devices that had iMessage.


just because it works now doesn't mean it will tomorrow. You're on officially unsupported hardware / os version.


Ask someone with 32-bit Mac apps about Apple’s willingness to leave parts of their userbase behind.


They still work. Apple doesn't stop services from working or programs from functioning.


That's what I'm curious about too.

If it does manage to do a good job imitating what an actual iPhone would do though - is there any way Apple even could shut it down without breaking iMessage on old iPhones or forcing people to update?


Besides being allegedly hard to shut down without breaking iPhones, there's also this statement given to Ars Technica:

> Migicovsky had a few different answers. The broadest one, regarding the tech behind the app, is that reverse-engineering for interoperability is legal—a fair use exemption to the Digital Millennium Copyright Act's restrictions against circumventing encryption or other protections. The app also goes out of its way to avoid trademarks like iMessage, referring instead to "blue bubbles" and the like, and the rest might be considered nominative fair use.

https://arstechnica.com/gadgets/2023/12/beeper-mini-on-andro...


It's legal. But it doesn't mean that Apple has to quietly allow it.

What is maybe more relevant is the EU talking about forcing federation. If Apple lets this live it may give them more bargaining power in those discussions. If they shut it down thatay throw jet fuel on the fire.


Or it may lose them bargaining power. This is a very real technical proof of concept, and deprives Apple of one fewer claim that opening up is a technical challenge.


Apple can easily argue that this implementation violates their security controls and doesn't count as a PoC. As soon as the last iphone without a secure enclave loses support, they can flip the switch and kill Beeper('s iMessage service) instantly


I’m curious to know if this tech requires spoofing an iPhone or otherwise falsely representing to Apple’s servers that the Android device is an iPhone. If so, I would be looking at the CFAA more than the DMCA.


Van Buren protects it from CFAA.

The only avenue that is untested is based on Terms of Service.

I did a OSS WhatsApp reverse engineering project and got a C&D from 800 billion dollar Meta's lawyers all based on violation of their Terms of Service.

As far as I'm aware, there's no precedent for interop against ToS.


Way outside my area of experience, but Van Buren itself doesn’t appear to address this issue. I was thinking more in terms of Apple framing a claim based on access through an act of fraud.


I've been told by a C-level exec at a similar company (but relating to banking) that citing Van Buren against CFAA claims gets the claimant's lawyers to back all the way off.


From their blogpost: https://blog.beeper.com/p/beeper-cloud-and-product-roadmap

> Everything changed in August when a security researcher reverse engineered the iMessage protocol.

> At a high level, here’s our product plan for the near future (in very rough order, and very subject to change): > Add support for SMS, WhatsApp and Signal into Beeper Mini, using the same end-to-end encrypted client-side connection architecture. No cloud servers in the middle.

so they are changing their whole business model to rely on illegal proceedings, breaking the ToS of every service they want to provide an alternative for.

I'm pretty sure Apple isn't fond of random people using their servers and their proprietary protocol on a client they haven't created. Signal is the same, they C&D every fork that becomes popular, the only official clients are the CLI and the ones they release (Signal is open source though). WhatsApp is also similar.

It's interesting and disappointing to see that they are hoping to create a business model on top of that, and it will probably backfire and hurt Matrix users as well, because these chat companies will become stricter and completely forbid third-party clients.


Beeper (Cloud) has been around for 3 years. It supports iMessage, Whatsapp, Signal and 12 other chat networks. We have 100,000 users on Beeper Cloud.

We haven't had a single problem like the one you're describing. Not to say it will never happen.


If Beeper Cloud uses a Mac in the middle then I would have assumed that is actually permitted, as its presumably a legitimate iMessage client and some software to forward your messages after that.

It seems similar to the parallel of iOS builds where its been possible to do so with virtualized MacOS on non-Mac hardware for a long time but its a violation of the TOS of MacOS to do so. Apple does spend effort ensuring that companies running cloud builds do so on Mac hardware; they don't care that the true end user is running Windows and achieving an iOS build as long as there was Mac hardware doing the actual building.

So this reply is along the lines of "we did something for 3 years that allow and they never stopped us" which isn't very strong evidence they won't stop you now that you're doing something they don't allow.

They may not do anything here thanks to the current EU climate though, I only mean that the fact they did nothing about Beeper Cloud is not evidence one way or the other.


Apple or Meta (WhatsApp) trying to take down something like this would almost certainly be viewed unfavorably by the ever-lurking EU regulators.


Please read this:

https://gist.github.com/smashah/667d4d5cf31670ee87547450861a...

The game being played here is poker. If they call beeper's bluff then they risk setting a whole industry wide precedent that interop supercedes ToS (that's the only angle).

As it stands, ToS based C&D for interop is untested afaik.

We as a community need to discuss ToS-trolling and fight against it.


This doesn't hold up.

https://github.com/signalapp/Signal-Android/issues/9966

https://github.com/libresignal/libresignal/issues/37

unless the EU rushes out their legislation that interop is not grounds for terminating someone's account, I'm sorry, but they can do whatever they want to with their app.

Would you feel happy if someone used your home network to seed torrents? Using your bandwidth to seed them?


Terminating accounts is fair game. Billion dollar companies making legal threats to OSS devs is another.

I can kick said person off my network. It shouldn't be grounds for me to go and start legal proceedings against the developers of uTorrent.


That's the only reason I'm not confident that Apple will kill this. They wouldn't want the regulatory attention and (at least for now) this is a niche area that few people know about.


Easier to kill something when it is a small niche area that few people know about rather than wait until it gets bigger and more people use it.


Except that Matrix never profited from it. Beeper is the first company to provide a paid service for it and had their own servers. But now they are providing a paid (with a free tier) service that runs on Apple/Meta/Signal infrastructure.

This is asking to draw unwanted attention towards yourself.


Do you remember back when Pidgin, Trillian, and others created clients that worked across AOL, MSN, and other messengers. They worked for a while, they'd stop working, they'd update and start working, and that went over and over again. I'm not really looking forward to having that experience again.


As others pointed out, you used official Apple hardware.

Now you're replacing that with Apple's own infrastructure.

They won't like this and I really hope an eventual C&D from Apple, Meta and Signal won't affect the development of the Mautrix bridges.


Yeah Apple won't like this or ever officially approve of it, but you make it sound like you'd call the police if you saw someone using an unofficial AIM client. I think the dramatics can be chilled. The ToS is dumb and not worth the virtual paper its written on. If Beeper can keep up with the cat-and-mouse game, this is no different than Trillian or GAIM/Pidgin/Bitlbee/libpurple or aMSN or Miranda IM or Gtkcord4 and on and on and on... Apple doesn't need an internet defense force for their stupid ToS.


I feel like there are two questions Beeper needs to ask itself...

1) Are they going all-in on being an antagonist to Apple?

2) Will the users be willing to stick around during any outages/downtime/failures due to the cat-and-mouse game? (That I agree will follow and continue.)


I can't answer for Beeper, but why would they be unnecessarily antagonistic to Apple? It's not related to their product or mission. Beeper offers interoperability. Antagonism is an undesired byproduct of any of this work, and it's immature to be antagonistic for no reason.

Will it be a cat-and-mouse game? Maybe. Will users stay? Probably. In many cases, Beeper users already WERE iMessage users. Beeper users ARE Discord users. They are users of the upstream service and explicitly want a unified and interoperable chat system, for one reason or another. Maybe it's more practicality than ideals, but it's all the same in the end.

That said, it's not like Beeper is new, and it doesn't seem like antagonism is a primary driver of operational issues yet, so it's not clear it's about to start any time soon, either. Perhaps one of the most annoying tech company strategies is to try to establish a horrid status quo before regulators and law enforcement have time to catch up with you, making it much harder to actually do anything about. I see Beeper as one of a small number of companies that are basically on the opposite end; if they gain a large enough mass of users, it's going to be harder and harder to antagonize Beeper without antagonizing their own userbase, especially when you consider that the value of IM networks is largely in the connections between users. So, the clock is ticking.


When there's money involved, the results are way more dramatic.

If Beeper was free, sure, they wouldn't bother that much.

But Beeper relies on this business model. Apple and co wont let this slip.


When TOSes forbid interoperability, breaking them is just.


I agree with this statement but in the end, the effects of Beeper will negatively impact everyone else who hosts a bridge for these services.

Just because a legal binding document seems stupid it doesn't mean you can break them.

I find most laws stupidly worded, it doesn't mean I should disrespect them.


but now explain this in "Legaleeze" to Apple, to Nintendo, etc....


Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.

17 U.S. Code § 1201 - Circumvention of copyright protection systems


Has this ever succeeded in court? Has it ever even gotten to court or do people just give up at the first lawyer's letter?


Yes, it has been tested many times, famously for unlicensed video games on consoles.


You do know DMCA is not the only law they can refer to to sue freeloaders, right?


> Signal is the same, [...], the only official clients are the CLI and the ones they release

Is there an officially supported CLI for Signal? Please tell me it's true, that would mean so much for small scale automation!


Not official but this works darn well: https://github.com/AsamK/signal-cli


It's not official but they don't want to kill it for some reason, maybe their own devs use it for testing


> Signal is the same, they C&D every fork that becomes popular, the only official clients are the CLI and the ones they release

This always rubbed me the wrong way and made it seem like it's an NSA operation


The source to Signal is open to analysis if you doubt its security. I suspect they C&D forks because they don't follow coding/security practices as upstream does, and it would be too hard to ensure they would if they just let anyone fork it.


Not really. Moxie just said "we pay for the infrastructure so it's unfair that you get to use the servers we pay for".


No guarantee the build on the app store is the same as on github.


> No guarantee the build on the app store is the same as on github.

I don't know why this comment always pops up on HN every time Signal is mentioned.

Signal builds on Android have been reproducible on Signal for nearly eight years - basically the entire time Signal has existed as an app under that name.

On iOS? No, because Apple doesn't allow reproducible builds on the App Store, period. But you can't blame Signal for that.



Nah. Not NSA. CIA


I just downloaded it, and can't get past the landing/sign-in page: "Google sign in error.null"

Unfortunately, signing in with Google is the only option.


For some reason this security setting was turned off on my account even though I don't remember turning it off and use sign in with Google in other places.

https://help.beeper.com/en_US/beeper-mini/beeper-mini-how-to...


Note that if you have added more than one Google account to your phone, this setting must be enabled for ALL accounts (not just the one you intend to use to activate Beeper Mini) or the "null" error will appear.


Unfortunately, I'm still getting the error even after switching this on.


Thanks! I was having this issue as well.


Me too but I have no Google account logged in on my phone. Google shouldn't be the only login option though. Why always the push to give up privacy??


Same as above. Pixel 5, running Android 14. (Edit: the help link provided did not help, as the toggle was already on)


Was able to fix. I have 6+ Google accounts, and one of the accounts didn't have it checked, so it needs to be all, instead of just the account you're looking to connect.


Same. Wanted to sign up immediately but couldn't on a de-googled Pixel.


Same. Activated Google Account sign-in prompts and the error still appears.


I've been using Beeper for 3-4 months. I find it very useful, easy to use, and easy to setup. I use both the mobile app and the desktop app.


Same here. I really like it. Don't mind occasional connection issues, but what really irks me is that every message has separate notification. When someone sends me 5 consecutive messages I get 5 beeps. In whatsapp app I only get notification for the first one. So when there is some conversation going in group chat and I don't have time to read it right now I'm getting bombarded with notifications.


Very cool, but some basic stuff is broken having used the app. For example, I'm unable to create a new conversation since I'm unable to click on a contact after having searched for their name in the "New Chat" flow. Looking forward to using it once this is fixed!

Edit: Seems like I have to double tap instead? Not super easy to use but it works so I'll take it!


Side note, i'd love if Beeper could impl some "standard" open APIs to brute force us in a new unified direction. I feel like the chat ecosystem is in the days of pre-LSP editors. Anytime i wanted to try a new fancy term based editor, i'd lose out of very basic features like code completion, jumping, etc. Since LSP came around, i can basically jump to any editor because everyone has this baked in now, and it works with "all" languages - it's great!

I want this for chat. I loved how great everything looked and felt with Telegram, but then i left for Signal and it was super bare bones. Eventually Signal got some stuff, but it's still missing a lot of stupid features that make it fun for me (integrated gif lookups, etc).

I'd love if we could unify around some of these behaviors and as we add new chat apps, users don't lose "basic" functionality.

Anyway, wishes aside - Beeper is really cool. I just signed up to Cloud, and my wife has been a happy user for quite a while.


Beeper (Cloud?) is based on Matrix, so I guess that's the open standard you're looking for?



The biggest question I have is what does the exit story look like? I know it's a common problem for people switching to Android from an iPhone (keeping their phone number) and not receiving any messages from iPhones as their contacts are still trying to send via iMessage.

What happens at the end of the trial when I choose it's not for me. Will I suddenly loose my ability to text with every Apple user? What about in the event of a service failure of your infrastructure (it says it talks directly to Apple's servers but does it also rely on you?)... What if Apple does go after you or makes a breaking change to the protocol?

In all those scenarios, what happens to my messages? Can I export and keep them?

I'm very interested to try but the potential to loose access even for a day or two is a really hard ask.


Someone on r/android reported that they could not receive messages from iPhones once they uninstalled the app. They had to remove their contact from the iPhone and re add it to fall back to SMS.

Someone else commented that you can de-register your number on Apple's site, but the person then said that it didn't work either.

So yeah, I am holding back on it to until there is more clarity about this. The overwhelming majority of people I text are on imessage and it would be a royal pain if I had to have all those people delete and re-add me.


> Someone else commented that you can de-register your number on Apple's site, but the person then said that it didn't work either.

I don't know how Beeper could possibly prevent Apple's iMessage deregister form[1] from not working. Apple handles whether or not you have an iMessage account, not Beeper. It might take a bit for it to fully be purged, but this was only announced/launched less than a day ago so I can't believe that person really waited before confirming it somehow doesn't work.

[1] https://selfsolve.apple.com/deregister-imessage/


They complained that when they entered their number to de-register, they were presented with a "number not found" error. Which seems like a plausible error for a backdoor imessage implementation.


Apple has a form to de-register a number from iMessage here:

https://selfsolve.apple.com/deregister-imessage/


I've been using beeper for a long time for Linux, and it has been a delight to use. The updates are regular and they seem to constantly be working on improving performance and staying ahead of various breaking changes forced upon them by the messaging services.


https://blog.beeper.com/p/how-beeper-mini-works

> SMS access is used to send an SMS text message from your number to Apple’s “Gateway” service. The gateway sends a response via SMS, and the contents from that SMS response are sent to Apple to register your phone number as a blue bubble. Your SMS chat history is also used to determine if any of your recent SMS chats were with people who have iPhones. If so, these chats are shown in the inbox.

Does this mean that Apple is sent the phone number of every person you have ever sent or received an SMS with?

Very cool program, by the way. It’s refreshing to see a company take privacy seriously.


Beeper Mini checks only the last 50 contacts and determines if any are on iMessage.


Thanks for answering. Any plans to make the check optional? Some people may not want to send that info to Apple.


seems likely? or atleast a hash of it.


A hash of a phone number would be trivial to brute force.


Hmm, could it be salted somehow?


Not sure why downvoted, this is a reasonable question.

No, even a gigantic salt wouldn't help because the input data is too low entropy - only 10 digits that are 0-9. Salts are only helpful to prevent rainbow table attacks by making the size of the pre-computed output space too large to fit on a drive.

The salt has to be stored in plain text in order for the verifying algorithm to compute the hash of the input and compare it, so if you have the hash you also have the salt and can brute-force old school and crack all of them in short order.


That makes sense. Thanks.


My first thought is "was Apple behind this?" I understand that they claim to have reverse engineered it...but if it's such a trivial conversation exchange, it is a bit surprising this hasn't been utilized before. Seems convenient given the loud exchanges happening about RCS and the like. And unlike RCS, iMessages actually has E2E baked in.

The next thought it the utilization for abuse such as spam. E2E is wonderful but it also means that the normal cryptoscammer / phishing checks can't apply. There are mentions of rate limits and that surely comes into play, but given the simple proof of concept it would be easy to scale out.


I don’t think so. The security researcher is a kid in high school that seems really fucking sharp.


I have confirmed with him that he hadn't been born yet when Steve Jobs announced the iPhone.


This is really cool, at least in theory. I keep hearing from only iPhone users on podcasts that they find it annoying to message amyone not on iOS. As an Android user, I couldn't imagine this being a concern to me; have any of you Android users even had the passing thought that you're missing out on hypothetical conversations between people who only use iMessage?

I use Messenger for the gen x people in my life, Signal for others, and sms and google chat for some others, but I don't even know what devices any of my friends use on a regular basis, seems arbitrary to me.


Every single person I message regularly uses iMessage. As far as I know none of them are “iPhone users” in the sense that they particularly care, they just use ‘the normal thing’ (which is iPhone).

So for the opposite question, I’ve never had the passing thought of missing out on what Android users do either.

I wonder if people just sort of mostly self select into mostly non-overlapping groups?


Android users don't have platform specific messaging apps as far as I know, so the fact that some people use iMessage as their normal is mostly inconsequential to Android users, but not the other way around since things appear differently based entirely on the platform. But I suppose I answered my own question, and something like this would enable iMessage to be more platform-independent, and thus an iOS user could hypothetically switch to Android without concern that they'll be ostracized from their messaging group or whatever.


At this point, why not just wait for Apple to release their RCS implementation?

The nicest thing about iMessage (for me, at least) has always been that it was a significant improvement to SMS that just worked, with graceful fallback to SMS for anyone who didn't use it. No installing third party apps, wondering if someone new I wanted to contact would be on that messaging app, etc. A nice bonus, but not something that would ever get in my way. Wanting to install a third-party app on an Android phone just to get blue bubbles is weird.


It's not weird. It might be weird in your eyes, but given how much exclusionary behaviour I've seen based on bubble colour, it's not weird in the slightest. I'd like to believe that apple supporting RCS will magically fix the whole 'green bubble/blue bubble' thing but I'm bearish as it seems to be more a cult thing than anything to do with functionality (I say this as an iMessage user).

And please, spare me the trite 'get new friends' comment.


> And please, spare me the trite 'get new friends' comment.

Wow, okay then.

Anyway, I'd argue that the bubble color serves a useful purpose. At this point I definitely want to know whether someone I'm talking to is SMS or iMessage, because there's a meaningful difference in capability that will affect choices I make (like how to get pictures or video to them). Whether it's colored bubbles or something else, it's going to exist in some form.

I'd be bearish too if that were an important thing to fix, because it's human nature that's the problem, not the technology. The solution is a universal messaging technology that is as good as iMessage and has the broad reach of SMS. Perhaps if Google can get their proprietary extension of RCS standardized and implemented by the carriers directly.


I mean, the way everyone else solves this problem is by having an SMS app and a "proprietary messaging platform". Cramming them together in order to increase adoption of the proprietary thing is definitely a... choice.


> with graceful fallback

Have you ever tried to stop having an Apple device? Hopefully better now, but a few years ago there was no way to unlink iMessage. So say good bye to all your Apple friends, as them texting you goes to the Apple cloud and not your new phone.


> a few years ago there was no way to unlink iMessage

Deregistration[1] has been supported since November 2014.

[1]: https://support.apple.com/en-us/HT203042


Maybe that would be obvious to the average Apple user, but as a non-Apple user, it would never occur to me that I'd have to explicitly de-register my phone number with Apple after activating a new phone.


That seems okay? It's only applicable to the Apple user to begin with.


heh, fair point. I was mainly thinking about somebody dipping a toe in or trying out an iphone for a little bit before switching back


There was a time after you still needed to have the iPhone to do it, though. And I'm not sure how many are actually aware you have to do this, just getting messages for them sent into the void.


Yep, I used to switch back and forth between iPhone and Android every couple years. I'd deregister the phone number when switching over to Android. I don't remember a time they didn't offer that ability.


WhatsApp, Telegram and many other platforms do everything that iMessage does and more, without the deliberate segregation of users on different platforms.

In effect, you are using a third party app (as opposed to stock SMS), but Apple has integrated it into their OS and refused to release versions for other platforms.


Your literally talking about WhatsApp and Telegram as if they aren't their own segregated microcosms you can't message from whatsapp to telegram for instance so obviously they are their own segregated users by platform, its just a software platform not a hardware platform.


They are hardware agnostic, iMessage is restricted to users of very specific hardware.


Its only now just arrived in beta on the iPad.


...what is the "it" that just arrived to the iPad?



So you're saying that if I install WhatsApp on my phone, I can text anyone I want, if I have their phone number? Doesn't matter if they have WhatsApp installed? I just say "send this to 5551212" and it gets there?


They need to install the app, which is free. What they don't need to do is buy an iPhone, which is not free.


Android phones are free? I have to buy the phone no matter what, so I don't see that as a differentiator.

I don't want multiple ecosystems that don't interoperate at all. I don't want to give my private conversations over to an ad company like Facebook. I like iMessage because it adds features without taking. I don't worry about what app I need to use depending on who I want to talk to, I just send them a message and move on with my life.


You can run Android apps on almost any non-Apple brand of phones, Windows PCs, Linux, Mac OS and Chromebooks.

You can run iMessage on Apple devices, nowhere else.

Surely you see the difference.


> Surely you see the difference.

I know what argument you're trying to make, but I think it is disingenuous to pretend that WhatsApp is free while iMessage is not. As a practical matter neither is free, and both are free.


iMessage is not free insofar as one much purchase an iPhone to use it.


So they absolutely segregate users onto their proprietary platform, it just happens not to cost money to use.


> SMS that just worked, with graceful fallback to SMS

I’ve never seen it fall back gracefully. My experience is that there are missing messages, unsent messages and confusing group threads.

I’m not in the US and am in New Zealand which may or may not be relevant.


The full app, Beeper Cloud, has a bunch of clients built in, that they'll be adding to this (as said in the link). This isn't just iMessage support, it's (eventually) multi-client.

> Over time, we will be adding all networks that Beeper supports into Beeper Mini, including SMS/RCS, WhatsApp, Messenger, Signal, Telegram, Instagram, Twitter, Slack, Discord, Google Chat and Linkedin.


If what you care about is the color of your bubbles, then that won't make a difference.

Green bubbles don't mean "second-class citizen" or "doesn't support proper group chats"; they mean "SMS" (or possibly "not iMessage"; that's not yet clear).

It's extremely unlikely Apple will make RCS bubbles blue—even if they don't make them green (and keep that reserved specifically for SMS), they'll make them some other color.

It's not a way to make sure you can identify the outgroup and shun them; it's a meaningful signal of what technology other people you're chatting with are using, which tells you useful information about their capabilities.


> It's not a way to make sure you can identify the outgroup and shun them; it's a meaningful signal of what technology other people you're chatting with are using, which tells you useful information about their capabilities.

That seems like a false dichotomy to me as those are not mutually exclusive, and indeed can (and are) both easily accomplished with the current system.


Sorry; I was, perhaps, unclear.

Apple does not in any way intend it to be used to identify the outgroup and shun them.

SMS on the iPhone used green bubbles for years before iMessage existed. When iMessage was introduced, it had blue bubbles simply to distinguish it and make clear "these are users of the new service you can video chat with, send files to, etc". Like I said: a useful informational signal.

It wasn't until years after that that this wailing and gnashing of teeth about blue vs green bubbles started. To the extent that such a social dichotomy exists, it is a purely emergent socially-created one, not one that Apple has pushed in any way.

Furthermore, it would be a regression for Apple to remove that useful informational signal just because people are upset that they get accurately identified as "the one in the group who is using a different device, and thus cannot safely be added to group chats for reasons entirely outside of Apple's control".

The bubble color isn't the problem. The problem is, as you somewhat allude to, inseparable from the fact that there is a way to tell the difference between People Using iMessage on Apple Messages and People Using SMS.


The fee and requiring account signup are a dealbreaker. Hopefully someone will create a FLOSS alternative.


Why are people so godawful cheap that they demand so much labor from others for free? I'd gladly pay for this, it's hella cheaper than me having to switch from Android to iPhone.


there are FLOSS alternatives: jabber/XMPP (or arguably Matrix, etc)

okay, i sound snarky: but how is this aligned at all with FLOSS projects/communities/ideals? how/why would a FOSS project tie itself to a network run by a company that’s going to constantly be trying to kill their implementation? both the users and the devs would be constantly fed up with the breakages: you solve that either with open protocols or by paying somebody to do the dirty work of defending against Apple.


AirMessage is open source (and quite old, unsure if its maintained). It requires a Mac computer to run some kind of forwarding software however.


BlueBubbles is the new hotness I believe.



Related ongoing thread:

iMessage, explained - https://news.ycombinator.com/item?id=38532167 - Dec 2023 (73 comments)

Normally we'd downweight it as a follow-up but I think it's worthy of an exception.


Great work, this looks very cool and seems to work well. I hope one day to see a local backup option, as it's important to me that my chats are not lost.



How does the generation of validation data for registration work? As far as I understand, this requires details from an actual Apple device (serial number, model, etc.)



They mention the generation needs a plist from an actual Apple device, and provide one of their own in the repository. I wonder what Beeper does. Maybe they have just one serial number? Maybe they have multiple and rotate?


I think it's calling a server generating validation data (probably with a pre-set hardware informations to be able to run it on a Linux machine which is cheaper, with emulation as pypush does it or by directly loading the macOS executable in the memory and run the right code snippets there).


I'm curious what are the implications of having pre-set hardware info. Maybe rate-limiting? or easier for Apple to flag those particular serial numbers to block the service if they wish?


This reminds me of using Trillian to connect to AIM, MSN, ICQ, etc. back in the day.


The people in control of Apple know their market power, ironically, derives from a closed-garden messaging product. Exactly like Blackberry.

The longer the anti-customer behavior continues the greater the resentment becomes. Customers do not like being treated as captives to Wall Street thinking. Mega-tech will face consequences for the unapologetic greed they exhibit right now.


I'm really surprised people will go to so much effort for a blue bubble.


For me, it's not a blue bubble as much as the higher quality images/videos, compared to SMS/MMS. Trying to figure out which proper app a certain person has/uses, and remembering which to open for a certain person, is a huge pain. The full Beeper app is like old school Trillian: a bunch of clients in one. I just see messages from people. It's great!


I'm really surprised people still pretend they don't know it's not only about the bubble color


It's the images, videos and most of all, this the group chats. Being the only person on Android sucks if everyone else is on a group chat.


Whatsapp is known for banning accounts that use any kind of third party clients.

For Android users on iMessage (insane achievement!) obviously this isn't such a big issue, as they didn't have an account before, so the sanction of being banned is not so important.

I would never dare, however, to switch over my WhatsApp to a 3rd party client. Do you have something planned in this regard?


The best you can do now is run whatsapp apk on an emulator or spare device, then auth that with the matrix bridge, then you can avoid needing to use whatsapp clients on daily drivers. Works decently well: https://github.com/mautrix/whatsapp


Emulator based WhatsApp accounts are highest risk of bans just f.y.i

If you're worried about using beeper due to bans then just get a second hand burner phone (needs to have had WhatsApp before so it is safe from being identified as "poisoned") then make an account on there to use with beeper.

Beeper is very helpful NGL.


Beeper Cloud has supported Whatsapp a long time and I haven't heard of anyone getting banned for using it.


> 'many people always ask ‘what do you think Apple is going to do about this?' I am shocked that everyone is so shocked by the sheer existence of a 3rd party iMessage client.

I'm not shocked that someone figured out how to create a 3rd-party iMessage client, however I am somewhat skeptical of the notion that Apple will not find a way to break it.


If this really works, it is what Nothing's partnership with Sunbird claimed to do (and lied about) a couple weeks ago - before being called out and shut down

https://texts.blog/2023/11/18/sunbird-security/


It's really not. Beeper (and Sunbird, and others) up until today used a Mac server to sync messages. OP is describing an Android app that's natively talking directly to iMessage infrastructure, for the first time.


Sunbird was claiming they reverse engineered iMessage (either to maintain e2e encryption, or to just do stuff on device).

It looks like Beeper has actually managed to do the latter, which is really exciting!!


I’m one of the authors of the blog post you linked — Beeper Mini is entirely different.

There is a great blog post by JJTech (author of the pypush library, tech Beeper Mini is based on) also on the front page right now: https://news.ycombinator.com/item?id=38532167


I'm using Beeper on my Mac and iPad, specifically to chat with friends who are on arcane chat platforms such as Instagram.

I'm quite happy with how the service works, and wrote a review a while back: https://news.ycombinator.com/item?id=37745270


How come there’s a waitlist for the main product but not this one? I feel like it should be the other way around?


There's no stress on their servers with Beeper Mini, as it communicates with Apple servers directly.


Oh that makes sense. I was thinking that there’s added risk of spammers and botters on mini and they’d want to gate that


Fortunately, I think this is going to be a forcing function for the RCS conversation.

Unfortunately, I'll be waiting for the data loss post coming in the near future. As some one who had to deal with a stuck iMessage validation with Apple support on a genuine iPhone a few years back this can get sticky.


RCS is not an iMessage replacement though? it's not encrypted, it doesn't support a single identity for multiple devices, it requires cell service and a phone number


RCS supports end to end encryption (it's on by default for Google Messages), Apple just isn't implementing it in their planned implementation of RCS. Google Messages does support a desktop app and you can link it to your phone with a QR code, so it can use a single identity for multiple devices.


No, google has an extension they use that is not part of the RCS standard.


I don't mean to insinuate they are like for like. I just mean Apple is starting to pick up scrutiny on interoperability which started with USB-C and I think the focus on this project is going to increase the scrutiny especially if Apple cuts it off.


This is amazing -- I've been a happy Beeper user for everything except iMessage and Signal until now, and this mostly kept me from using iMessage much at all. Congratulations to the team, and wow -- that high school kid hopefully has a long and impressive career ahead of him.


This is incredibly awesome. You really don't think Apple is going to attempt to crack down on this?


Looking at the pypush, it looks like it uses Mac framework code with a .plist from a real Mac to generate encryption keys. Is beeper sending the metadeta of a genuine mac to the client so the client can generate the encryption keys that Apple will trust?


Will this be available from F-Droid or as an APK? I'm using a deGoogled device. Too cool!


Nope even if you install it using aurora store it requires a Google account linked in play services (you can't even log into it manually!). So even on a device with play services but no Google account logged in I get an error logging in. On a Google free device it definitely won't work.


Beeper's clients never were open source. They were based on Apache 2 licensed Element. The new client won't be open source either, given how they don't even open source their server part (contrary to their matrix bridges).


Thanks


So yeah, it seems ok for one-on-one chats, but for group chats it's super buggy. Can't tell who said what in the history of any of my group chats because Beeper Mini is confused and thinks all of the messages, left and right, are from me.


> We currently offer a 7 day free trial, afterwards there is a $1.99 per month subscription. Beeper Mini is available to download today with no waitlist.

> Our business model is simple - we build a great app and earn money from those who find value in it. We feel that this business model aligns our success with your goals. No ads. Complete data security and privacy. Plus, we’re incentivized to continue improving the app with new features and improvements.

So... Until a fully blown beeper with multiple services. This app basically is still a subscription based reversed engineered iMessage (unofficially) compatible client.


I got into a debate with someone over this. It didn’t last. Apple killed it. Copyright Infringement is serious. They reversed engineered iMessage. In Apple TOU it specifically says that they are not allowed to do this. I would be expecting a response from Apple in the form of a lawsuit. Unjust enrichment by this company. They know better.


Is there any way to do this on iPhone? I use a Google Voice number since Google Voice came out, and I would love to iMessage from it, but Apple won't let me add it as a number for the device.


It only runs on Android for now, although I think a desktop version is on their roadmap. But also, Apple will refuse to register Google Voice numbers. You need a number tied to a real carrier account. You'd have to port your number into a carrier, do the registration, then port it back.


I believe all you need is an apple id with a valid email to use imessage. my devices sometimes ask me if I want to message from/to a number or an associated email. I could be wrong though.


guess the eu will have to regulate this as well


I remember Nothing tech did something similar-ish not too long ago, but I can't find their announcement of it. But then I stumbled upon a video talking about privacy concerns[0]. What's the difference between what they did and what Beeper is doing? Sounds cool though, impressive work! (also, "hacker"-news needs to be more embracing of their name lol)

[0] https://www.youtube.com/watch?v=fMdj8RyMb64


Nothing's thing was a branded version of Sunbird https://www.sunbirdapp.com/ which is technically similar to the iMessage part of Beeper Cloud. It is essentially a way for you to login with your Apple ID on a Mac Mini in a server farm, and then interact with its desktop iMessage client from an Android app.

This was done because Apple obfuscates how its notification system works, so the cheapest short-term solution is to just use real Apple hardware.

When Nothing released it, it was found to have many flaws, which is where that video comes in. Nothing unreleased it and hasn't followed up since.

Beeper Mini uses the long-term solution of reverse engineering Apple's notification system so that it can run independently of an Apple device.


Nothing/Sunbird lied about how their bridge worked, while Beeper has an open source matrix <-> imessage bridge implementation with docs.

Technically they are similar with both using macs in a server farm for their hosted offers.

[0] https://github.com/mautrix/imessage


this one doesn't have reports of using insecure http during account linking and I think you have the option to self-host


It's really impressive that a high school student [1] has managed to reverse engineer iMessage. What I'm wondering is:

1. How stable is it; would it be trivial for Apple to patch this?

2. If it's as simple as reverse engineering the protocols, how has it taken this long?

[1] https://github.com/JJTech0130


Its more a commentary on how amateur it is in my respectful view. iMessage is a fundamentally unserious "product" in search of enough collateral flaws to harm those foolish enough to depend on it for anything.


Do you somehow think complexity is the opposite of amateur - that is, complex = professional?

Because I have bad news for you. If iMessage is simple that means literally the opposite of what you think it means.


How so? Other than the security issues that get exploited by NSO group from time to time (that appear to be mitigated fairly well by lockdown mode if that's something that's important to you) or the obvious flaw that you can't talk to anyone that doesn't have an iPhone it seems to be a perfectly good platform. The alternatives either have worse encryption (Telegram, RCS), worse privacy (WhatsApp), or the same platform lock-in as iMessage (Google's RCS).


> the obvious flaw that you can't talk to anyone that doesn't have an iPhone

That's because iMessage is a first and foremost a marketing tool that Apple compels users to rely on.


iMessage is the LastPass of messaging apps. This has been endlessly discussed and I want people to use their curiosity to help direct them to why I would comment in this way. In practice (not whitepaper or the ideal implementation), it is no more secure than sms (actually worse)


This is absolutely not true. iMessage is a full E2E implementation; it’s nothing like SMS.


I'm curious how Apple implements Keychain in the sense that they claim it is also e2ee but they also use e2ee for ADP and its absolutely not (or at least not zero knowledge), rather it is convergent encryption which is not zero-knowledge and also allows for knowledge of filenames and hashes cuz "de-dupe" is so important for people with TB of cloud storage at the expense of their privacy.


Pretty sure they use a different implementation, iCloud Keychain long predates Advanced Data Protection.


"E2E" is a joke when Apple holds the encryption keys to the vast majority of all messages, and uses them to respond to law enforcement requests. (It's how iCloud backup works by default and we know people don't change defaults. This is documented by Apple, not a conspiracy theory.)


> It's how iCloud backup works by default and we know people don't change defaults

Are you referred to Advanced Data Protection being opt-in?

If I'm using ADP then these concerns are moot, right?


No, when you sign into iCloud/your account in Settings, it sets a bunch of insane defaults like iMessage and Facetime and every app you add is opt-out for iCloud storage. Defaults are end-runs around true explicit and informed consent and open people to implications they didn't knowingly understand


Not unless everyone you talk to also has ADP enabled.


Thats a Bingo!


It’s still a substantial upgrade over SMS or unencrypted (non-Google) RCS, where anybody can snoop on conversations with little effort.


Last time I checked, everyone knows SMS is cleartext and can't take over your phone in the profound way built-in 1st party apps/services you emphatically cannot remove (only toggle) can seize the means of production so to speak.


“Everyone” may be overly broad… just about everybody with any technical inclination knows yes, but for many years now the overwhelming majority of smartphone users have not been particularly technically inclined, and as such I would not expect most of them to be aware of the security and privacy implications that come with use of the various messaging services.

With that in mind, I’d say that most messaging apps don’t go far enough to make that distinction clear. Any app handling SMS or any other unencrypted messages should have ever-present, readily visible warnings when conversations aren’t encrypted.


Didn't mean to sound so bratty, I just get frustrated by this topic. My apologies if I was a bit testy. I just mean that iMessage is extremely misleading and overly-technical in what it takes to truly have a chance at making it secure and private to the extent it extolls itself.

This shit matters now that people aren't able to receive proper reproductive care and education and other grey areas where Apple is setting its users and itself up for terrible and unjust outcomes that depend on everyone but Apple having flawed/imperfect information and Apple pretending 'Saul Goodman...


Ok, but you can change yours, yes? Just like Signal isn’t installed by default on your phone and if you want what it offers you can use it.


But unless everyone you talk to also changes it then Apple still holds the keys to your conversations. If you care, it is best to avoid software with bad security defaults altogether.


Bingo


The joke will be when they increase iMessage security to prevent these solutions from working well ;)


That's the thing tho: it will never be secure because its the skeleton key. It was never truly intended to be secure. Same reason why only WebKit's allowed on all billion+ iPhones. Access is only guranteed if its monocultural.


It is normal these days to have login with buttons BEFORE the subscription info? I mean I wouldn't even try to download if I knew there was a monthly subscription fee. Thanks


Right? I felt like it was some kind of trick to at least get your email before showing you the app actually is a subscription only app.


100% this. I don't really care about the whole bubble thing. I just though oh cool, let me try this and find some iphone user to see if it works. Downloaded, auth'd my google account which was the only option which is not right either... and then bam, paywall. Yes it does say it costs $1.99/mo almost at the bottom of the linked page, but I 100% would not have downloaded this if I knew that up front. And absolutely would not have auth'd my google account.

There 100% should be a message BEFORE logging in that has the pricing. And allow for actual email signups too, not google or any other 3rd party logins.


So you can use this to spam iMessage?


You could spam iMessage before this.


Before, there was an Apple ID or device that could be banned for spamming. Here, there is no account required at all, just a phone number.


No, because you needed an actual account which could be trivially banned.


What's hilarious about all this is the main reason people want iMessage on Android is not missing features, or speed, or anything practical. It's because Apple chose an intentionally terrible shade of green to use for SMS messages, to make messaging Android users unpleasant. If they had used a green with similar contrast and saturation as their iMessage blue, this wouldn't be such a big deal. Literally a single color swatch, that's what this is about.


I wonder how much money Apple would make by releasing an Android app that for $1 a month, would allow Android users the ability to have a "blue bubble" or whatever.


Thinking maybe this isn't working. I downloaded, installed. It said it detected all my chats with iPhone users and that I was 'upgraded' to iMessage chats with them. I then tried using Beeper Mini to message someone I know has an iPhone (continuing our existing chat that it 'upgraded' from SMS) and I asked him if I was coming up as a blue bubble and he said it's 'grey', not green and definitely not blue.


Can't comment on whether it works or not, but it sounds like there's a mix-up here. On iOS, it would be their bubble that is either blue or green when messaging you, not yours. To an iOS user, everyone else is a grey bubble.


Also, even then, sometimes existing conversations won't automatically switch from SMS to iMessage. I'm not sure what the trigger is - he might just need to wait a while, or delete the thread and start it again.


Hah! Whoops!


That's because received messages are grey, but the messages sent from an iPhone to an iMessage recipient are blue. So I'd ask if when he texts you back if his texts are blue.


Could you guys please explain why Telegram sent me this: " Data export request. (censored), we received a request from your account to export your Telegram data.

Device: Beeper, 0.15.0, Beeper bridge server, Web, 1.33.0a1 Location: Germany (IP = 178.63.65.55)

For security reasons, please confirm this request by pressing the Allow button at the bottom of this message using one of your mobile devices."


The referenced technical write up is fascinating[0]

I wonder how well this architecture (including privacy preservation) would work for LinkedIn messaging?

Specifically the BPN service since that seems to come from a data center IP and more likely for Apple / others to have a choke point.

[0] https://blog.beeper.com/p/721485af-aad0-4962-b418-eea9bc1e8f...


Trying to use this an I am stuck at the AppleID login screen (I don't have an AppleID).

However from your message it seems that it should not be required:

>No Apple ID is required


Sounds like phone-only registration didn't work. This may happen if you don't have a SIM card that can text outbound. If you are outside of US, Apple's SMS registration number is in the UK (+42)


Yes, I am outside of US and it could not send the verification message to the short number.


+42 is Czechoslovakia

+44 is UK


Czechoslovakia isn't a thing anymore.


Has anyone played with pypush enough ( https://github.com/JJTech0130/pypush ) that I think this is based on to get it easily usable in the same way that signal-cli is? Would be neat to use this for actually cli sending to my one or two friends stuck in Apple land. Thanks!


If this is a standalone app (not requiring ongoing server/relay maintenances), why charge a monthly fee and not a one-time fee?


They still run a server on your behalf to translate from Apple push notifications to Android ones. Somehow they were able to do it without compromising the end-to-end encryption too, which is awesome.


Why charge $10, when you can charge $10 per month?

But seriously, Beeper does have server side components. They're just optional ones. If you don't pay, you don't get those features.


Sounds like Texts the app Automattic acquired https://www.theverge.com/2023/10/24/23928685/automattic-text...

These all-in-one messaging apps should be interesting


Can I make this work with my Google Voice number?


Same question. No RCS, no iMessage... Us few Google Voice users have been forgotten by Google. I live in constant fear that the service will be "spring cleaned".


Yeah I'm too far commmitted. I hope they'll let us buy the number off them

But my theory is that too many google execs use it so it'll hurt them too if it gets canned. They did update the app semi recently


My main glimmer of hope is that Google has started selling Voice as a hosted VoIP enterprise solution[1] recently, showing that they are doing _something_ with the technology... even if the consumer offering is languishing.

1. https://workspace.google.com/products/voice/


You know, if Apple wanted to be really snarky, they could run some of those "Make Apple support RCS" ads, except with Google Voice.


They started working on a bridge. I have endlessly begged them to make one.

https://github.com/beeper/googlevoice

If I knew Go I would roll up my shelves and work on this myself.


This is the coolest thing I have seen all day! I’ve been using Jared [1] running on a Mac VM to send and receive iMessages from my locally hosted AI. If I could just use a python library that would make my life significantly easier

[1] https://github.com/ZekeSnider/Jared


Really annoying that I need a Google account though. I don't have one of those (yes I'm on Android but not Google)


This is a really impressive reverse engineering feat of the iMessage protocol, all the way down to the iMessage auth flows and identity credentials. The deep dive the authors posted is interesting

https://blog.beeper.com/p/how-beeper-mini-works


I am pretty sure this exploit is probably the source of iMessage spam so I hope they figure out how to close this hole.


I love the concept of Beeper or now "Beeper Cloud" and I am trying really hard to use the app but the app is just too sluggish to be usable. I am not sure why, perhaps because it's built on top of the Matrix oss app, not sure.

Eventually, opening WhatsApp/Telegram is super quick and Beeper is too slow


How can the most popular article on HN this week be just a bog standard messaging app? This should have been a solved problem long ago. But instead of a bunch of greedy bastards can't give up even a tiny bit of control they have over other people.


I'm more interested in the future of now beeper cloud. As I understand it you will deprecate it at some point in the future. Does that mean that you will stop supporting the matrix bridges and go all in on the client side beeper?

Will beeper mini be open sourced?


From their description it seems like they will move these into beeper mini and drop the "mini."


Awesome!!

I'm an iOS user, and juggle SIMs a lot. For your upcoming iOS app -- what sorts of SIM liveness requirements do you require? I'd love to be able to auth periodically and predictably and then disable my iMessage-aware SIM for some period of time.


I would love for this to work with my Google Voice number, instead of the number from my SIM.


My wife has been using Beeper for a while (6+ months? not sure), think i should give it a try.


https://blog.beeper.com/p/how-beeper-mini-works

Very cool. A question: will you be revenue sharing with JJTech0130? Their work made this possible, correct?


This project is licensed under the terms of the SSPL. Portions of this project are based on macholibre by Aaron Stephens under the Apache 2.0 license.

This project has been purchased by Beeper, please contact them with any questions about licensing.

They seemed to comply with the SSPL as well.


Nice! Glad they took care of it.


Also see BlueBubbles[1]. It could easily be integrated with pypush/rustpush.

[1] https://github.com/BlueBubblesApp/bluebubbles-app


Good luck with this one - dunno how Apple is going to react - a Steve Jobs nuking upon from high via API changes or Tim Cook ignoring it and just disgruntled acceptance that it exists but not care why folks in the US choose Apple.


There is probably a tense debate happening internally right now about how they want to respond. PR says no, Product says nuke it, Legal is stretching their fingers, and Engineering just finished reproducing the issue.


My understanding is that they are re-using a device serial number but they imply that changing this means a major change to how iMessage works so they banking on Apple inertia.

Charging $2 before the horse has bolted seems a bit ... would have preferred that Apple was involved.


This brings back the days of trillian (the best multi-chat client for the desktop in the age of ICQ, AIM, MSN) that got killed by the raise of mobile phones and mobile chat apps.


I tried Beeper Mini today on my android phone/phone number and it works!!

I probably won't use it with my main AppleId due to fear of being locked out of it. They really do have me in an iron grip with their lock in.


Isnt Apple adopting RCS and won't that solve the green / blue bubble issue?

Personally if it's a business / marketing advantage unless their hand is forced for business reasons they should never change it.


Apple is adopting RCS, and no, that won't solve the green/blue bubble issue. They'll still distinguish RCS and SMS from iMessage.

iMessage is Apple's value-add and has its own app ecosystem, apparently/allegedly true E2E.

  *> Personally if it's a business / marketing advantage unless their hand is forced for business reasons they should never change it.*
Yep, that is Apple's intent, according to Apple emails leaked from various court cases.


To the vast majority of people though it will solve the problem. Android to iPhone communication will be close enough to the iMessage experience.


Yeah, maybe it will make some improvement for Android people, who are the majority of the mobile market.

For iPhone users, they'll still be some non-blue bubble people who lack the E2E[1] and tight iMessage app integrations that are popular among iPhone users these days. At least until governments possibly intervene.

1. E2E insofar as not carrier-accessible (unlike RCS), which is a bit of a hot button issue in the US, post-Snowden/PRISM. If carriers have access to RCS payloads or even metadata, they will most definitely harvest it for marketing purposes, as well as ship it off to the US government.


Green/blue bubble is about the prior probabilities people use to make assumptions about others. E.g., if you use Android/iPhone, there is a prior probability of x% of being y type of person.

WhatsApp/Signal have been available for a long time for anyone that has wanted group chats with modern capabilities.


WhatsApp/Signal involve other people you want to communicate with having those apps, which is fairly unlikely in the US (at least outside of tech/international social groups). Only chat apps out here you can count on are facebook messenger, sms/rcs, groupme, or imessage. iMessage is probably the best of these.


I have directly asked many relatives/friends in their 20s/30s, and they have told me they would assume an Android user has a higher likelihood of being “weird”.

The barrier to entry to installing WhatsApp or Signal is near zero, just a minute of one’s time. And given that most everyone is using Meta’s other apps anyway, the privacy costs are moot. In fact, all of the people I asked have WhatsApp already, but mostly to remain in legacy group chats with older family.


Also in many countries Android is a sign of your social/economic class as many such headsets are super inexpensive compared to an iPhone.

If Apple started a new color "purple," that indicates sent via iPhone 15 Max well then that would be a further marketing boost for the multiple millions of ppl who care about social class & flaunt it. Apple overall is a luxury brand another one of their marketing strategies.


Whatsapp and signal don't load messages that were sent before joining a channel, a modern feature that slack has had since launch.