Hacker News new | past | comments | ask | show | jobs | submit login
Apple cuts off Beeper Mini's access (techcrunch.com)
1365 points by coloneltcb on Dec 8, 2023 | hide | past | favorite | 1222 comments



Recent and related:

Show HN: Beeper Mini – iMessage client for Android - https://news.ycombinator.com/item?id=38531759 - Dec 2023 (863 comments)

iMessage, explained - https://news.ycombinator.com/item?id=38532167 - Dec 2023 (143 comments)


As usual, Gruber was right on the money. Via Threads yesterday:

"My prediction is that Apple will make changes—fixing bugs and/or closing loopholes—that break Beeper Mini. It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.

It’s a very nice app, remarkably clever, and for now works like a charm, but if Apple wanted an iMessage client for Android they’d release an iMessage client for Android. Seems irresponsible for Beeper to charge a subscription for an unsupported service."

https://www.threads.net/@gruber/post/C0k1VgyMGZN?hl=en


>It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.

I don't follow this logic at all. Shouldn't supporting thirdparty clients be desirable if security is a primary feature in the interest of transparency? Especially if the reference client is proprietary and undocumented.


We've really done one over on ourselves by adopting the mental model that only a vertically integrated corp can deliver privacy and security to users. This rigid tendency towards homogeneity is bound to suffer a tragic systemic failure before too long.

It would be healthier to assume multi-polarity and lean into it.


> We've really done one over on ourselves by adopting the mental model that only a vertically integrated corp can deliver privacy and security to users. This rigid tendency towards homogeneity is bound to suffer a tragic systemic failure before too long.

Look no further than the other news that came out this week re: government spying via push notifications. (https://www.reuters.com/technology/cybersecurity/governments...) Consumers rationally trust the few big companies which are incentive-aligned to protect their data and government then goes after those few big companies. I thought this was particularly galling:

> In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."


I suspect there's more where that came from. The only reason we learned of this, is because the cat was let out of the bag, and Apple was able to talk about it (gag order).

People might want to think about how AirTags and Find My Phone work...


> People might want to think about how AirTags and Find My Phone work...

rotating BTLE identifiers controlled by a pseudorandom sequence derived from a key, and tunneled over end to end encryption?


With locations over time tied to personal identifiers stored in a database with no public audit controls


Isn’t that already what every standardly configured smartphone does?


> We've really done one over on ourselves by adopting the mental model that only a vertically integrated corp can deliver privacy and security to users.

Who is saying that? Certainly nobody anywhere in this HN thread. It is, however, fair to say that the only guarantor of privacy and security is a network of trust. There are plenty of examples where trust is partially decentralised, the most notable being the system of certificates used for establishing trust in HTTP over TLS.


> Who is saying that?

There is a quote in the top level comment of this thread that says that.

> It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.


That is not even remotely similar to the claim you made. Nowhere in that sentence is the claim that privacy and security cannot exist without a vertically integrated corporation.

All they're saying is that the existence of third party software compromises Apple's ability to make blanket statements about the security and privacy of this one specific platform. An unofficial third party client breaks an established network of trust — which is an objective fact. If you doubt this, then you really should use this Chromium fork I just developed. Use it to log into your internet banking. Don't be scared. There's nothing to worry about. See, there's a lock symbol in the address bar and everything.


Sure, but also recognize: web browsers constitute a mature, multi-polar ecosystem; we do not clutch pearls when a user chooses Firefox, or Safari, or Chrome (or myriad others) to transact on the web.

Can a bad actor slap a green lock on an insecure browser clone and harm users? Certainly. And yet, in a survey of the systemic threats to security and privacy on the open web, such attacks are relegated to the margins.

Apple encourages a popular narrative that centralization and control beget trust, and from there may enable privacy and security. Look no further than the comments on this HN post to see the narrative echoed!

It's fair to point out that it's not literally what Gruber wrote, but readers will fill in the negative space around his uncritically apologetic commentary. To state the implied message: trust in Apple's way, and remember that third parties (who are not accountable to Apple) will ultimately deprive you of privacy and security!


Having a system where trust is embodied in a single entity is one valid solution. It's also not the only solution and I haven't heard anyone claim that it is.


That is technically a remark I agree with, but you're skipping past the actual point of my comment: it may be a valid strategy on its face but it is fragile and makes users vulnerable to systemic exploitation.

The web browser ecosystem has its own (different) problems, but iMessage lacks requisite variety to back up its particular claims to privacy and security (see that Reuters article for a preview).


> you're skipping past the actual point

I skipped past that because that wasn't what I had expressed disagreement about. Though now you elucidate further I'll say I fundamentally disagree with your "actual point" as expressed. While I agree that systems of distributed trust are fundamentally healthier, they are an order of magnitude harder, and rely upon educating users. And some percentage of users will always be impervious to education — see the continued prevalence of phishing scams for example.

A system which relies upon trusting fewer entities is inherently less fragile and less vulnerable to exploitation. It's true that systems can be designed which rely on users trusting a large number of entities, and can sometimes result in a more educated user base, but they're much harder to implement and much, much, much, much rarer in the real world.


I think the difference here is whether we're considering the plausibility that there aren't any security violations versus the overall frequency and severity. Centralization significantly increases the chance that all the systems involved will be safe; that's what makes it so useful for individual organizations, where centralizing their operations wouldn't attract significantly more bad actors to try breaking their security than decentralizing.

But if we have centralization on the scale of a society, then anyone interested in any of the groups using that centralized source of secure data storage/transfer will be drawn to look for the flaws in that source. And there are always flaws, either technical, legal (as with the government spying mentioned elsewhere in the comments), or otherwise. And once any group manages to infiltrate that one source, they get access to everything dependent on it.

Sure, decentralized security is harder to get together, meaning we have an initially-high violation rate that decreases over time (though this can be supplemented by security-conscious users taking their own steps to protect their data). But centralized security at sufficiently large scales essentially guarantees a breach impacting everyone within its domain; and the kind of trust that would be required to sustain such centralization also anti-correlates with users independently adding additional layers of security to their systems.

This seems like a much greater risk than just accepting that users who are "impervious to education" will be vulnerable to certain social-side exploits, while everyone else will be reasonably safe.


Agree with all of that.


Plenty of people clutched pearls (rightly) about IE tho. And https by default. And much more.

That it’s not currently a problem is due to 25 years of strongly pushing for privacy & security.

We’re still not there (see Google & adblockers in chrome)


I don't remember anyone "clutching pearls" over https by default? Do you have any suggested references where I can find those? I do recall people really complaining that anything at all was allowed to be http, even sites that most people would consider "unimportant".


There were a lot of complaints that websites which never had to bother with certificates before now had to set one up (and pay for one). Though that's now largely solved by Lets Encrypt.


> All they're saying is that the existence of third party software compromises Apple's ability to make blanket statements about the security and privacy of this one specific platform.

We’ve also got examples of Apple making misleading statements about the security and privacy of their platform, as a result of government gag orders.

That recent disclosure makes me suspect that every vector that they do not disclose explicitly as being private, is very much not private. To that end, the platform is clearly neither private nor secure if you value privacy from the government.

…so I’m not particularly concerned about third party software being a cause for concern anymore.


> An unofficial third party client breaks an established network of trust

I think this is key. The problem is the security of iMessage as a protocol is dependent on trust between client (implementations). Which is actually not that great from a security perspective.

I don’t mean that there are necessarily vulnerabilities in the protocol (there very well may be), but that the protocol is not something that Apple is willing to depend upon to uphold their desired security guarantees.


What's untenable is that the third party software is unsanctioned. You can make the argument that it would be a good or better system with third party clients, or that Apple should open the system up, but it is ridiculous that anyone would trust a client/integration that depended on some kind of hack (regardless of the nature of that hack--such as whether it's decrypting and proxying or getting into the ecosystem in a "secure" way)


It's planning to make RCS blue bubble in 24.


They are planning RCS support. They've said nothing about how that will look in the app, it's not a given that will be in blue bubbles or fully feature complete with iMessage


They actually did say that it will be green: https://9to5mac.com/2023/11/16/apple-confirms-rcs-messages-w...


So, green=unencrypted (unsecured) and blue=encrypted (secured)? I don’t see a problem with that.


Even better, and not surprising at all. I was kind of surprised that everyone just assumed RCS would get the blue bubble treatment when Apple made their announcement.


This would be the case if it were a protocol designed to be opened up for use by 3rd party clients. As it stands, this was a clever hack which would undermine the integrity of the system if left in place. Within a few weeks we’d see 100 3rd party iMessage clients, and it would be luck of the draw if the one someone downloads is secure or not.


If the existence of a working unsanctioned client undermines the integrity of a system as prominent and security- and privacy-focused as iMessage proclaims to be, then that system has big problems.

Certainly this is not the first time some entity in the world has reverse-engineered iMessage; it's just the first time that it was publicized.


Every system has holes that get discovered in time. Leaving those holes open is a different thing.


This is also notable, because the technology that Beeper Mini is based on was public and available to potential attackers before Beeper Mini launched. Beeper didn't invent this, they contracted the developer and based the project off of their open Github repository.

Apple did leave the hole open; they left it open until it threatened their customer lock-in. Only at that point did they decide that it was a security risk.


How is using another client undermining the security of the whole system?


The system wasn't designed with those 3rd party clients, and security around them, in mind. Beeper Mini is spoofing/reusing device IDs, pretending to be some random person's Mac, for example. True support for 3rd party clients wouldn't not require this kind of thing.

From what I understand Beeper Mini is interfacing with iMessage on-device, what's to stop another clients from using a server and intercepting messages? While I don't have time to look it up again, I think there was also something on how Beeper Mini is handling the push notifications when the app isn't open. While that may not leak a lot of information, and there is also the news of Apple/Google sharing push info with some governments, that's something that can at least raise some eyebrows when it comes to how private it is.


> The system wasn't designed with those 3rd party clients, and security around them, in mind.

It sure as heck better have been designed with that in mind, because it sends SMS messages to uncontrolled 3rd party clients that could be stealing your information or spying on push notifications every single time you message an Android user.

I genuinely don't understand this argument. Do people think that SMS messages don't generate push notifications? Does Apple have a 1st-party SMS messenger available on Android that I'm not aware of? You're already communicating with 3rd-party clients that could be spying on you, and you're already receiving messages from those clients in the iMessage app. The biggest difference is that your messages with those clients today are fully unencrypted, so spying on them doesn't even require compromising an app.

It's weird for people to be so concerned about push notifications as if that's a decrease in security when the alternative system they're proposing is for iOS messages to be sent to Android devices fully unencrypted. Apple/Google can share all of that information with the government as well; if they're not being asked to it's only because the government can get it even more easily directly from the telcos.


There is no iMessage app. There is a Messages app that implements two systems: iMessage and SMS/MMS. iMessage is the system whose security model is being discussed here, and the security model of SMS/MMS is mostly irrelevant to it.


This is splitting straws; the overwhelming majority of Apple users don't make this distinction (if they even realize there is a distinction to make). For all practical purposes they use one app that lets them talk to their friends and some of the bubbles are green and some are blue. How many of those Apple users even realize that the green bubbles are unencrypted rather than just being a designation for Android contacts?

It also changes nothing about my comment, because you can call SMS a different system all you want, but your conversations with Android users are still being sent unencrypted and any malicious payloads you get from SMS phones are still being loaded into the same Messages app. If you're worried that a 3rd-party client on Android is going to let a company spy on conversations you're having with Android users, then I still have real bad news for you about how Apple sends messages to Android users.

Draw the lines however you want between Messages and iMessages, but the security implications of Apple's setup are exactly the same. When you write a message to an Android contact, Apple sends that message unencrypted to a 3rd-party client that could by spying on you, leaking your data, or sending malicious payloads to your iOS Messages app. It still makes no sense whatsoever to be this concerned about the security of the push notifications for your messages to Android users when the alternative being proposed is to throw security entirely out of the window for those conversations. It is still a clear security improvement for conversations between Apple and Android users to be E2EE rather than to be sent over SMS, because the risks being raised about 3rd-party messaging clients are already present within those conversations today.


Sure, but I don't think anyone can legitimately claim Gruber hasn't had some generally pro-Apple stance for decades.


Third party clients offer many more cases for average users to lose their security, because you can’t prevent malicious actors from releasing “SuperMessengerSecure” that just mirrors everything off to a server somewhere.


Yes 100% Security and privacy should be built into the protocol. Anything else is just protectionism and security theater.


Yeah but then that one Israeli company that spies on everybody will just pump these apps out.


How would third-party clients _increase_ security (other than indirectly, by people using SMS less)? On the contrary, third-party clients is a gigantic security hole, since Apple can't even know if a client app is spying on users.


> On the contrary, third-party clients is a gigantic security hole, since Apple can't even know if a client app is spying on users.

Security isn't about Apple knowing if an app is spying on users, but about THE USERS knowing that nobody is spying on them.

At best a third party iMessage client can only be as secure as iMessage itself because the back end is still closed and has no transparency, so it's the weakest link. If Apple (or a third party) is spying on the back end then no client can be safe.

> How would third-party clients _increase_ security (other than indirectly, by people using SMS less)?

They can increase security by breaking a single target into multiple targets, by increasing competition around security and privacy issues, by having more people use and work with the protocols and able to spot potential problems, by encouraging more transparency around issues when they arise, and by having alternatives readily available if one of the clients is found to be compromised or insecure.

And of course open source clients can be verified and validated by other developers and security professionals.


> They can increase security by breaking a single target into multiple targets, by increasing competition around security and privacy issues, by having more people use and work with the protocols and able to spot potential problems, by encouraging more transparency around issues when they arise, and by having alternatives readily available if one of the clients is found to be compromised or insecure.

I believe you are speaking to transparency, not third party clients.

Beeper Mini actually bundled binaries that they didn't understand to bootstrap registration. They could only attempt to be compatible with messages that they have received, and verify messages they send show up correctly - they cannot know they covered all available options.

I speak to this as someone who reverse engineered MSN Messenger back in the early 2000s for an XMPP gateway - you'd occasionally find an entirely new type of message (requiring an entirely new parsing code path for their undocumented/bespoke messaging protocol) because someone registered for a stock ticker or the like.

There was no fuzzing the official servers or clients to see if they were robust or secure - the goal was to have a salable product. In fact, we saw other messaging systems where we had significant concerns based on our understanding of the protocols through reverse engineering, and we saw one vendor exploit a security vulnerability in their own shipping product in order to verify authenticity and block third party clients (which worked for a period of time)

From what I saw of the iMessage system, third party support is not going to be feasible even with a documented protocol without partnership, because there is an assumption of attestation of real, unique hardware as part of registration to prevent mass abuse.


I don’t know a lot about how it works, so forgive me if this is a silly idea. I wonder if attestation could be done using real Apple devices, while leaving the private key on the user’s android. So similar to the old beeper to get the signed attestation, and send the result to the phone. Still could be secure since you can keep the private key used to encrypt messages local on the users device. I guess the issue might be a cat and mouse game if detecting beepers flock of Apple hardware to try and disable them all… (given many people would be using the same Apple devices)


I think iMessage is still using older attestations, but generally an attestation of this sort (App Attest, Play Protect API) represent a chain of the hardware, boot process, OS and application.

So iMessage is not going to be willing to hand out private keys or negotiate them for a third party application, and Beeper will not be trusted to register a private key itself.

Android iMessage support would be weird because there is no iMessage application - there is an application which lets you send SMS and to upgrade to MMS or iMessage when available. So, if there ever was an official Messages app for Android, I would somewhat expect it to also offer to take over being the default application for SMS/MMS.


> Security isn't about Apple knowing if an app is spying on users

Clearly, what matters to Apple is what _they_ believe is secure, and they of course trust themselves more than they trust Beeper.

> At best a third party iMessage client can only be as secure as iMessage itself

Exactly, they can never be safer, and given that Apple, or we as users, know very little about the company behind the client, third-party clients are much less secure.


> Security isn't about Apple knowing if an app is spying on users, but about THE USERS knowing that nobody is spying on them.

True, but Apple caters specifically to a consumer base that can't know this and does not want to think about this. Whether this is health or sustainable in the future is another matter.


Gruber is a shill, bribed with special access for his blog.

Everything you said is correct.


No. This is an entirely self-centred view. The only people that equate this sort of transparency with genuine security are computer nerds. These tend to be the sorts of people that don’t sit very highly on my internal list of “people who stand to benefit the most from increased privacy measures”. For…literally every other member of society, this sort of implementation detail doesn’t mean anything^. They hear some (from their perspective) very abstract words like ‘open’, and all that means is that they’re trusting some league of computer nerds to tell them that something is ‘secure’. This is somehow meant to be more convincing than Apple, who, to most people, is at the very least another mob of computer nerds, but in reality also happen to have a pretty good track record of making phones that seem to work alright for people.

Beyond optics, let’s just look at attack surface. The implication that the sort of security holes that “openness” would fix are anywhere near the top of the list is…where’s that xkcd about cryptography and crowbars? It’s very clearly in the realm of nerdy cosplay. You know what is* a much more realistic threat? Some stupid third-party client on the Play store that exfiltrates all messages sent and received. Apple has absolutely no control over that. No protocol security accounts for that.


> You know what is a much more realistic threat? Some stupid third-party client on the Play store that exfiltrates all messages sent and received.

One way to avoid that outcome would be to have a first-party client on the Play store.

Instead, Apple drops all message security entirely from cross-platform communications for iOS users, allowing anyone to read those messages whether or not they have a crowbar. This is security 101: users do dangerous crap when the secure options don't have affordances for their use-cases. Users are lazy. If an official 1st-party secure client exists that meets their needs, they won't install a 3rd-party client. Users resort to dangerous and unsupported options when the safe, obvious options either don't work or aren't available.

And thankfully, we now know that it would be entirely possible for Apple to fix that problem and to move its own users off of SMS for communication with Android contacts, and we know that because a 16 year-old high-schooler was able to build that support with zero documentation. Presumably Apple is capable of doing the work of a 16 year-old. We now know that it would in fact be entirely possible for Apple using a 1st-party controlled, proprietary client with a proprietary protocol, to encrypt virtually every message that Apple users send to every one of their contacts, rather than what Apple does today where it encrypts... some of them.

None of this requires Apple to Open Source anything or to document or make available any of their protocols. The only reason Apple is in this position right now of needing to deal with 3rd-party clients is because of a lack of support from their 1st-party client.


> Instead, Apple drops all message security entirely from cross-platform communications for iOS users, allowing anyone to read those messages whether or not they have a crowbar.

I think that's my biggest gripe with the situation. Or my second-biggest. My biggest gripe is that the only notification that your messages are now not end-to-end encrypted is the green bubble. They don't tell you anywhere that the green bubble (also) means that.


No need for transparency here. Just know that no one has broken the encryption is all you need. Also you likely will not know if beeper sends a copy of your messages to their servers to sell, but who would you trust more won’t sell your info, beeper or Apple?


Beeper was acquired by Automattic about a month ago.


That was texts.com, not Beeper


Speaking of, how is Texts able to send iMessage messages (at least on their website, they have the Apple Messages app icon)?


They go through Apple. iMessage only works on MacOS, so they probably just hook into the regular stuff MacOS provides

https://texts.com/faq


I see. And that's fine for Apple? It's still not an official API right?


I'm trying to figure out if this post is sarcasm.

The first half definitely made me think sarcasm, then the second half... I mean I know some people actually believe this... Then I noticed you said "encryption" instead of "protocol". Breaking an encryption standard is obviously very hard, breaking a protocol is obviously not nearly so hard.

On the other hand, taking this stance would be insane given the post we're talking about. A company that actively circumvented apples security measures. So you must be being sarcastic. You just have to be.

Remember, on the internet it's kinda hard to tell. Make sure to throw in a /s unless you really REALLY sell it.


I wasn’t being sarcastic, I mean you do know there exist closed source for a reason whatever that is. For Apple to open their protocol would mean your messages sent to 3rd party clients, which means they could sell your messages for ad targeting or worse.


When Apple sends messages via SMS, they are sending your messages to 3rd party clients who could sell your messages for ad targeting or worse. Apple already does this. They already send your messages to random clients who could be spying on you.

It's just that in addition to sending your messages to 3rd party clients that could be stealing the data, Apple goes the extra step to make it even more insecure and also sends your messages completely unencrypted, so that everybody along the path from your device to the 3rd-party client can join in and also read your messages and can also use them for ad targeting or worse.

I'll make the argument that this is strictly worse for security than tolerating an encrypted 3rd-party client (or better, releasing their own 1st-party client rather than relying on SMS).


isn’t googles RCS encryption a proprietary non-standard that other companies have requested to interop against and been ignored?

yeah can’t imagine why apple doesn’t use it


Google's RCS standard is garbage.

But Apple doesn't have to use it. They could release a messaging app for Android that used their own encryption, and they could encourage Android users to switch. But they don't do that, because distinguishing between Android and iOS users is ultimately more important to Apple than securing the conversations that Apple users have.

If RCS is garbage (and it is) then it is extremely weird that Apple has committed to supporting RCS for cross-platform messages instead of encouraging adoption of what would be a superior form of encryption for those conversations.

What you have to ask is, if you are an Apple user, why isn't Apple trying to encrypt every message that you send? Why are they asking you to use a garbage protocol when you send messages to Android users?

> yeah can’t imagine why apple doesn’t use it

Really, this statement should be reversed, it's difficult to imagine why Apple is planning to use RCS. Why is Apple more willing to implement a garbage protocol than they are willing to release a messaging app for Android?


apple


His first sentence about privacy and security is nonsense, but his second sentence hits the nail on the head.

If the richest company in the world wanted their chat app to run on Android, it would by now.

It's strange Apple doesn't sell an iMessage Android app, but I'm sure they've had somebody do the math and found out that it's more money for Apple in the long run if they don't.


Completely agreed about the nonsensical first claim. We have many third-party clients for other messaging platforms where privacy and security are a primary feature. It's completely tenable, especially for a player like Apple.

Or put another way: If the privacy and security of imessage is compromised by someone building another client, I'd argue that you never had either to begin with.


> Completely agreed about the nonsensical first claim. We have many third-party clients for other messaging platforms where privacy and security are a primary feature.

I can't think of an any with independent implementations.

For instance, have a few third party Signal clients, which work by using the official libSignal . These are not third party clients, but third party GUIs. Use of libSignal on the official Signal network is also not supported or recommended.

Likewise, all the third-party Telegram clients I know of are forks using Telegram source.

This makes sense, because neither of these are stable systems. A third party has to stay up-to-date with features and changes made to the official servers and clients.

Do you know of a security and privacy focused messaging platform which is both:

1. documented

2. has multiple independent implementations of the networking and security protocols?


Does Matrix not qualify?


I suppose it is determined by where you set the bar, even more so with privacy which still varies person-to-person and can sometimes take a qualitative feel.

Security wise, there is interesting work adopting MLS (and I believe key transparency) under Matrix, see https://arewemlsyet.com for example.


> If the privacy and security of imessage is compromised by someone building another client, I'd argue that you never had either to begin with

That's like saying the internet protocol is neither private and secure because people willingly use random public Wi-Fi


Because there are people that buys iphone just to get a blue bubble, why would Apple want to stop that?


That’s a small subset of their customers in a single country. I don’t think they really care either way.


the american consumer punches far above its weight. apple cares and goes to great lengths to wall imessage. See the article linked in this post for instance


you’re talking to a forum that is probably 50% iPhone and has very good technical reasons to do so, this is insulting and it’s absurd that it’s so casually normalized to directly insult people in this fashion


How did you manage to take this as a personal insult? Some people buy an iPhone for the blue bubble, some have what they believe to be good technical reasons to buy one, some people like the aesthetics, some people buy one out of habit. Stating that each category exists is not an insult to those who fall outside it.


> How did you manage to take this as a personal insult?

years and years of "apple sheeple" variants tend to take their toll, you're just the latest in an endless parade of microaggressions even if you don't think your particular case was notable.

why is it so important for you to push on the idea apple users being thoughtless trend-followers? just don't do that, be better. you can do it. the next time you feel like posting that, simply take a deep breath and don't post it.

there is just no reason to go around posting that "[device that 50% of people own] users are all doing it for [trite/dismissive reason]" in the first place, let alone on a tech forum where everyone has very specific reasons for their tech purchases. and it's so completely normalized, android users do it so routinely and don't even think that what they are saying is offensive. it's literally the classic microaggression problem.


It's a socioeconomic indicator for high status, and it would be foolish to ignore that as part of Apple's strategy.

Android doesn't suffer from that kind of complaint because it's often perceived as the opposite: a socioeconomic indicator for low status. It's socially acceptable to mock people for choosing high socioeconomic indicators, but not low socioeconomic indicators.

"You only bought that because you're rich" has a very different ring than "you only bought that because you're poor".

That perception of low vs high indicators is somewhat wrong (high-end Android phones cost more than the latest iPhone, used iPhones are pretty affordable) but it is the perception.


You need to read the message again, they said nothing like that.


Do Apple devices not have a shift key?


> on a tech forum where everyone has very specific reasons for their tech purchases

Thats a very funny statement. From my experience tech people in general are the ones falling for vanity, fashion, dogmas etc. most often while claiming some "practical" reasons


he didn't say that though???


> It's strange Apple doesn't sell an iMessage Android app

Apple doesn’t sell apps they sell hardware and services. There’s no incentive for them to provide a free iMessage app for android, and I doubt many people would pay for one.


> I doubt many people would pay for one.

Enough people paid for one. Enough to make Apple scared and use engineer time to ban/block people anyway.


Do we know that and that it wasn’t e.g. a massive influx of messages coming from a single hardware ID triggering an anti-spam system.


Since we're not Apple, we don't know. But if we take their word [0] for it.

> We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.

> We will continue to make updates in the future to protect our users.

[0]: https://techcrunch.com/2023/12/08/apple-cuts-off-beeper-mini...


Look no further than blackberry... Their days were always numbered as the only reason to keep it is the messaging (and a bit the keyboard).

Another theme here is BBM (Bloomberg Messaging). People/Companies pay BB five figures per year just to get BBM. Why would they ever release a messaging app outside of the terminal. They will die before this happens.


If an "unsanctioned" client can compromise iMessage security, then there was no actual security other than obscurity.


I didn't compromise the security of iMessage as a whole, it just exploited a way to get people into the system that was not planned.

Imagine there is a theme park that has normal ticket booths and some requirements there to get in. Then there comes a Beeper that finds a hole in the fence on the perimeter and sets up their ticket booths there. It's in theme park's best interest to close that hole and cut off the revenue stream of somebody pigging back on their theme park.


Except they charge a thousand dollars to enter and then let everyone else in for free but they have to wear a badge and the pictures they get from the roller coaster photo booth are 240p.


And no one is obligated to come to the Theme park. There's an entire world of people who never visit the theme park, mock the people who do, and couldn't care less about it. But some people want to be included as going to the park, when they don't. Some people are very judgy and don't want to talk to people who don't go to the park...

Okay, I've stretched the metaphor out enough.


Almost 60% of America is in the theme park.


> Except they charge a thousand dollars

A Lamborghini Urus costs $230k so I guess it's morally acceptable to break into a dealership and steal it.


Kind of, yeah. Once something is expensive enough it's no longer common theft, it's a heist.


Blackmail is such an ugly word. I prefer extortion. The "x" makes it sound cool.


The primary feature of iMessage is lock-in. Everything else is secondary.


> It’s untenable that there’s unsanctioned client software for a messaging platform for which privacy and security are a primary feature.

What a stupid take on the situation. At most it's untenable to Apples short term financial interests. A well designed protocol and implementation would be even better at protecting user privacy and security especially from a privileged attacker like the service provider and anyone able to put covert pressure on them.

The only way in which vendor lock-in helps the the existing users is that spammers and scammers have to invest additional money to acquire Apple devices to create new accounts instead of just phone numbers and a labor to create accounts.


On the money, but unsurprising. Gruber is an Apple fan-boy through and through and it doesn't take much of a guess to posit the exact "prediction" he made. It was clear Apple was never going to put up with this, but it was likely accelerated by all of the media attention.

Apple is, however, nothing for "privacy and security" beyond what they need to do to be marginally better, and that's a stretch these days. If Gruber really believes what he wrote he's full-on living in Apple's orchard behind the walled garden that Tim Cook splendidly gatekeeps. But because Apple puts marketing dollars behind ads that say "privacy" and "security" it must be so!

This is why it's always funny to me when the trope of the hour is the mass privacy failures of Signal through use of phone numbers. And then the author turns around and types out an iMessage to a blue-bubble friend. I really hope we can move beyond the Apple reality distortion machine and move to truly user focused platforms that aren't designed to steal user data or make the board richer.

Apple has become rotten.


this sounds like proof of stake to me

yes, you can indeed build a secure system on the basis of increasing the economic cost of attack beyond reasonable levels and by forcing attackers to repeatedly slash their stake to perform an attack


Easy to be right on the money here. This is the default MO. Regardless of if you are paying for it or are licensed or are doing it despite the tech giant whose toe you are tickling. Twitter API springs to mind.


Not sure that's worth much congratulation. Is there anyone that didn't think the exact same thing as soon as they saw the story?


I heard/saw quite a few people saying Apple either couldn't or wouldn't cut them off—and that even if they did, it would take a while. They were ridiculous takes, yes, but apparently made in earnest.


While it would ruin the experience in practice (not being able to receive any notifications), I don't see why someone couldn't perfectly reverse engineer the protocol.

Beeper made several design decisions that made the app super easy to use (i.e. using a single certificate that wasn't supplied by a user's phone), but if you extract the necessary source material from an old jailbroken iDevice, you could create an iMessage clone that Apple can't ban without either legal action or breaking compatibility with all easily jailbroken iOS devices.

Back in the days of AIM and MSN, even large companies used reverse engineering to get chat interoperability, and it was so successful that AIM left open an RCE vulnerability to push shellcode so that Microsoft couldn't chat through their service.


Any source/articles about the AIM RCE and it being left open? Would love to read about that


Here's a long writeup by someone who worked at Microsoft at the time: https://www.nplusonemag.com/issue-19/essays/chat-wars/


The "well duh" crowd says "well duh" no matter what happens.


Mmm, absolutes.


There were a lot! Usually taking the form of: 1. They’ll have to do a major update to iMessage, 2. But what about Hackintosh?, or 3. EU regulators will stop it


A good chunk of the posters on the release thread seemed to think otherwise.


It looks to me like there is an advantageous business relationship between Beeper and their customers. As a general rule, Apple is free to change their programs and how they work. However, I think there’s a plausible argument for tortious interference here if the sole purpose was to prevent interoperability.


There's a bunch of reasons why this is unlikely to be tortious interference, but one of the obvious ones is the contractual Terms & Conditions that apply between Apple and its users; I doubt Beeper is liable here, but if interference was a thing, my bet (not a lawyer!) is that the liability would point the other direction.


My read of GP's comment was that the claim of tortious interference would be by Beeper against Apple (for interfering with Beeper's relationship with Beeper's customers).


Apple is not preventing anyone from downloading beeper, or giving beeper money, or running beeper software. They are exercising control over their own servers.


My understanding of tortious interference is that it is broader than actually preventing others from using a service. Even just saying things to dissuade them from doing business with a company can qualify.


Really weird that a disinterested third party like Apple would even make loud public statements about Beeper.


Blocking interpretability could be illegal, especially as they near market dominance


Apple would claim that you pay for the iMessage service as part of the purchase price of hardware and software. From this perspective it's not blocking interoperability, it's blocking theft.

Whether that argument holds is for governments and courts to decide, ultimately.


iMessage is nowhere near market dominance. As evidenced by the ease of use and popularity of alternatives such as SMS/Whatsapp/Signal/Wechat/etc


I agree. The obsession with "blue bubbles" is something I only hear about from tech writers. No one I communicate with in the real world has ever mentioned it. Supposedly teenagers care about this, but that seems like a poor basis for anti-trust action.

At the same time, I miss the era of rich third party client ecosystems for things like AIM or MSN messenger. Blocking interoperability is a bummer for innovation.


>Supposedly teenagers care about this,

Android vs iPhone is definitely a thing people in their 20s and 30s even use to judge others. I have polled quite a few family/friends, and it is near unanimous that it is a dealbreaker in dating, mostly because they assume there is a higher likelihood they will not mesh with the type of person the non iPhone user is.

>but that seems like a poor basis for anti-trust action.

Correct.


Yes. And I'm saying, were this a live issue (I don't think it is), the graver liability might be for Beeper interfering with Apple's contracts with its users.


In what way would Beeper's action cause Apple's customers to breach a contract with Apple? I would think most of the people who would purchase a service like this would be Android users, not iPhone users. Some of them might own Macs, but what would be the contract that the user would be breaching that would result in damage to Apple?


If they're "just Android users", they don't have iMessage accounts.


So your thinking is that these end-users have signed some sort of agreement with Apple, and that agreement says they won't use any unauthorized services to connect to Apple servers, or some such thing?


That's not "my thinking" so much as it is a fact.


If it’s a fact then it should be no trouble to share the relevant provision.

I was sharing that theory as a conjecture, since I have no reason to believe such a provision exists.


There’s certainly a contract there, but it’s not obvious how a customers compliance the terms and obligations create a profit for Apple. I think most outside observers would generally assume that Apple‘s profits come from the payments the customers make to Apple, when purchasing devices or making subscriptions. After all, the only people subject to, and breaching the terms of service are Apple customers who did pay for their phones, etc..


In a California interference case, Apple would need to prove:

1. An enforceable contract existed (check!)

2. Beeper knew about the contract (check!)

3. Beeper's actions intentionally caused a breach of that contract (check!)

4. An actual breach of Apple's Terms & Conditions occurred

5. Apple had damages

None of those elements have much to do with profit.


Are you a lawyer because Apple stopping third parties from using their service being in any way illegal sounds extremely hard to believe


> The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means.

- From the National Association of Criminal Defense Lawyers

Other way around. If anything, it sounds to me like Beeper Mini was acting illegally by accessing Apple’s servers in a way they didn’t give permission for.

The CFAA is ripe for abuse. I’m not saying applying it here would be just or not, only that Apple likely wasn’t the one acting illegally.


I think that’s certainly an argument that Apple would make. However, it seems that this app was simply sending requests and receiving responses that there was no code injection or compromise of Apple servers, or of credentials, or anything of that sort.


Yes, they didn't violate the law as you think it ought to be written.

They may very well have violated the law as it is actually written.


It's also entirely possible that no law has been violated by anyone at all. What Beeper Mini did is probably not illegal. What Apple did in response is probably not illegal.


Not particularly relevant due to lawsuits involving game cheating, where the circumstances are very similar.

Beeper is lucky they weren't sued under the DMCA anti-circumvention clause, as they clearly were bypassing the technological measures Apple uses to prevent genuine devices from connecting to iMessage & Apple services.


The DMCA protects copyright, not APIs. If iMessage was a DVD then this would be a point.


I wonder if any of the encryption stuff Apple uses would give them an argument, like convincing their system to generate keys.

I think you’re likely right though. If they had such a claim I think their lawyers would have been on it instantly.

That’s why I mentioned the CFAA. Accessing servers without someone’s permission is the exact kind of thing people have gotten very stiff punishments for under the CFAA in the past. It’s basically the main reason I know the law exists, stories about peoples ridiculous punishments for relatively benign things.

Sure it’s useful for real things. I bet you can prosecute ransom under it. Or hacking to break into a rival company.

But it’s also great for when someone embarrasses a politician with stuff that they published on their own website and “something has to be done”.


Wouldn’t it be the users, rather than Beeper Mini, that are doing the accessing?


Beeper mini includes a hosted service to receive APNS notifications (meant for Apple software)

So I would summarize it as the corporate entity connecting to an Apple API and using it in undocumented ways that they reverse engineered, intercepting messages meant only for Apple software, doing so without prior permission, for purpose to selling access to services which would normally be covered by an Apple EULA.

It is not quite like a smaller word processor wanting to be able to import Word documents - without tying into Apple's service, Beeper Mini has zero value.


That’s fair, but compare it to SMS. What if Apple blocked SMS messages sent via cellular carriers, which are also using their services (software on phones, etc.) Then suppose it wasn’t malicious SMS or spam, but legitimate messages sent using a competitor’s product (e.g. from all Samsung phones).


How are you going to make a case for tortious interference when the would be interferee is profiting by using the interferer’s resources without payment?


From beepers website, there’s no use of apples servers when iMessages are sent from a beeper user to a beeper user. Rather, they only pass through Apple when sent to an iPhone user and in that case it’s the iPhone user that’s utilizing apples resources. And in that case there’s an Apple device owner, who is paid for the right to use iMessage servers.


Well, obviously, if those messages aren't using Apple's servers, then Apple hasn't stopped them, so there's no interference.


Wow that’s a hell of a stretch, but A+ for effort I guess. By that logic, they’re only stealing 50% of Apple’s iMessage resources for iPhone users.


Not sure why this is getting downvoted – IAAL and this is definitely something worth considering. This particular type of law varies from state to state, and can be quite broad. I've talked with other lawyers about it in the past, and my understanding is that it's frequently asserted when companies make counterclaims in business litigation.

That doesn't mean it's a sure winner, just that it's a live question until more info is known. I imagine Apple would say they need to tighten up any parts of their system that could allow for spoofing or other security issues, and that was their 'legitimate' reason to make these changes.


I think most or all states recognize that the defendant’s actions must not be justified or privileged. It’s hard to imagine how Beeper would meet that element on these facts.


I’m not a lawyer, but I do know how computers work. I’d bet the farm on the very safe assumption that any protocol change that blocks a third-party client at the very least can plausibly be claimed to be in service of security, and most likely be a legitimate claim in reality. It is probably being downvoted because it’s incredibly far-fetched.


I agree that this would be their argument. But as other commenters mention, this area could be a minefield for Apple due to their dominance in various markets. It's possible they wouldn't want to get sucked into a lawsuit about this, even if they thought they could win, since they might end up making statements that would have a larger detrimental effects in other cases/potential cases.


Maybe (or maybe not) plausible, but I think it's irrelevant, because there's no way a small company like Beeper could beat Apple's lawyers at this game. It will end up bankrupting Beeper long before it would even matter.


This is unfortunate, but not untrue. Even just going through discovery on this issue would be quite expensive — and would be critical to proving Beeper's case.


That's like getting upset after getting bad dating advice from a vending machine.


To be fair, that was an easy prediction.


> Seems irresponsible for Beeper to charge a subscription for an unsupported service.

Completely wrong. It's a job-seeking ad. “Look, I'm ruthless enough to fuck over users who buy this bogus subscription.” Which SV startup wouldn't pay millions for a crook of that caliber?


> "if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?" - Eric Migicovsky

1. If Apple sees this as a gap, it is very obvious that they would address that themselves, rather than by allowing a hack to exploit loopholes in their architecture

2. Since Apple has no control over the Beeper mini client, they would not consider it safe, it could easily be spying on users without their knowledge.


Keep in mind that this is spin — Erik's statement is ridiculous, and he knows it. To think that Apple would somehow not treat Beeper like any other bad actor hacking iMessage protocols is delulu.


Sure, that's fair. But if he knows that, why spend the time to build this app in the first place? Is it a marketing play? It did buy them a whole lot of attention.


They didn't spend much time building this feature.

It was an acquihire involving a 16 year old who was doing it for fun.


Except they didn't hire him? He gave them some kind of info about the sms verifications, which they then had their devs implement.


The Github page for the iMessage hack said something about Beeper "acquiring" it. Not entirely sure what that means in practice since it was open source code on Github.


They contracted him


Continue to watch this space, remember - He created the pebble. The cost of this "Experiment", to put forward a point at a super simple level. reverse engineering architecture and providing a service on top of this would be a huge space, if it were allowed.


> It did buy them a whole lot of attention.

Ding ding ding! We have a winner!


But what kind of attention did it garner? Now, we all know that these folks are pretty delusional. They spent time developing an app that everyone except them knew was not long for the world. A rational company would realize that it wouldn't live long enough to recoup any money. Releasing such a still born product doesn't make me feel warm and fuzzy about it. Hell, Google releases products that live longer than this.


Besides the obvious attention play, he might be going for an acquisition play... "Why bother writing our own iMessage for Android when we can just buy this little company that's already done it?" There's obvious issues with that plan, but that doesn't keep delusional founders from being delusional.


Apple chose not to support Android on purpose. They know iMessage exclusivity drives hardware sales. The emails have come out proving as much.

It's the same reason they dragged their feet supporting RCS, until regulatory pressure started mounting.


I must be an idiot. Never even heard of iMessage before this debacle - I wouldnt even know I was using it.

On a more serious note regarding the Hardware sales- Apple inc does not make that much profit based on "what" they sell, its "who" they are selling to.


iMessage is the former name for Apple's Messages app on macOS and iOS. Some people still use the former name as it's a bit more distinct than the current name and/or it's what they're used to. See also iTunes/Music and iCalendar/Calendar, or people who still call macOS "Mac OSX/MacOS X/MACOS X" and so on.


iMessage is Apple's proprietary chat protocol. It's still named that -- for instance in iMessage apps and iMessage stickers. "Messages" is the current name of the user facing app that speaks both iMessage and SMS, which was formerly named "Text" when it just used SMS. I think you're thinking of the defunct iChat message client on macOS.


Ah, maybe I got my wires crossed. Was the app really never called iMessage or iMessages? My bad.


Actually not quite. iMessage is the protocol/service used by the Messages app to communicate between two iPhones. Conversely when you send a message between an iPhone and any other kind of device it uses SMS.

It’s possible that the GP is unfamiliar with iMessage because they don’t live in NA. I have neither sent nor received an iMessage for several years. I use the Messages app for receiving SMS OTP codes only and pretty much nothing else.


exclusivity is all Apple runs on after it's tech succeeds


As much is apparent to anyone who has used Xcode or has encountered the special appeals process behind the official appeals process behind the ostensibly fair and evenly-applied public AppStore review process.


> They know iMessage exclusivity drives hardware sales. The emails have come out proving as much.

I find this incredibly hard to believe. And just because the Apple marketing department believes something is true, doesn't make it so.

Maybe I run in a weird crowd, but I've never met anyone who cares whether "text messages" are delivered over SMS or iMessage. In general most messaging I do happens over Signal, WhatsApp, Discord, or (in a few unfortunate cases) Instagram messenger.


Hard for you perhaps. Disclosures from the Apple v Epic litigation indicate it's true.

https://www.thurrott.com/apple/248931/apple-didnt-bring-imes...


but the real problem some of use have with Apple's behavior is the real underlying reasons they're doing this

I am reasonably sure that their main driver is profit which really means exploitation of people;

I consider their public arguments lies made up to cover up the fact that what they account for as profit comes from what are in the end some really ugly historical and traditional imperialistic (colonial, neocolonial, and occulted) practices


> I am reasonably sure that their main driver is profit which really means exploitation of people

Just wondering if you've forgotten what site you're on.

This is YC which exists to build companies whose main driver will always be profit.


There are companies who have come out of YC who have main drivers other than profit.


Yeah. E.g. cashing out and leaving the business to bagholders.


that's not an example (exampli gratia)

that's the generalized pattern


Weird thing to comment on, especially as it definitely is an example of something that a company may be focused on, rather than making a profit.


> reasonably sure that their main driver is profit

As opposed to Beeper?


> I am reasonably sure that their main driver is profit which really means exploitation of people;

What phone do you use that does not have the same issue?


so buy/use something else?


I’m poorer for having read this unsubstantiated drivel.


Since apple has no control over your fire extinguisher, they sent a man to securely take it from your house and dispose of it. It could have been a bomb for all you know.


Do you really consider Apple's control over a proprietary protocol which they invented and maintain to be comparable to a scenario in which Apple "sends a man" to take "your fire extinguisher […] from your house"?

I've re-written this comment five or six times in an attempt to find the most charitable interpretation, but I just cannot comprehend how it made it through your filter and out onto the internet.


It's not a super serious comment, it's more about how ridiculous the tone of "We are doing this for YOUR protection" would be.

On a more serious note though, in the end Apple absolutely has the power of increasing everyone's capability and security by doing something like setting up a playbook of how iMessage could just use Signal protocol and how other actors could join in, or really anything else but doing this.


> It's not a super serious comment, it's more about how ridiculous the tone of "We are doing this for YOUR protection" would be.

Right now I can presume a basic level of device security across all iMessage threads I have. Beeper deranges that: E2EE is still there, but Beeper exposes my correspondence to device security weaknesses from other OEMs, malware, keyloggers, screen scrapers, etc. as a result of lax app marketplace security & privacy.

It seems to me to be entirely disingenuous to suggest that Beeper increases security: in fact, the opposite is true.

> in the end Apple absolutely has the power of increasing everyone's capability and security by doing something like setting up a playbook of how iMessage could just use Signal protocol and how other actors could join in, or really anything else but doing this.

I don't see why any company should be denigrated for not helping the users of another competing platform, particularly when doing so likely comes at the cost of increasing the risk to its own users.


> a basic level of device security across all iMessage threads I have

Is that really true though? Jailbroken phones, iMessage may still work. Any device security gets thrown out the window.

You also can't expect everyone to have an Apple device for security, which we've seen time and time again SS7 being weak - So is the requirement to remove SS7, for everyone to jump on the Apple train?

I see Beeper as doing Apple a service, not so much a competing platform, but a gateway to the iMessage ecosystem - 'Hey, this would be pretty cool to use without this app and have it native' vs the 'Only Apple devices can use this.'


> Is that really true though? Jailbroken phones, iMessage may still work. Any device security gets thrown out the window.

Apple closes exploits which allow jailbreaking, precludes it in the EULA. What more would you have them do?


> Apple closes exploits which allow jailbreaking, precludes it in the EULA. What more would you have them do?

Preventing jailbreaking is not a good thing, in part since that's what allows us to check on what Apple is doing on the device, in regards to privacy, security and e2e encryption. If nobody can check, do you suppose we just accept their statements about the device as fact?


The whole underlying point is that Apple will do anything to virtue signal when in reality they are making a decision on improving their profit regardless if it decreases security of its customers and other people. It is undeniable and silly to argue against.


> Apple will do anything to virtue signal

Subjective, speculative.

> when in reality

I think you mean "when in my opinion".

> they are making a decision on improving their profit

Speculative, and "improving their profit" is clumsy enough vocabulary that it's a red flag on continuing to discuss this with you.

> regardless if it decreases security of its customers and other people

The plurality of countervailing perspectives in this thread – which you have failed to address or refute, as far as I can tell – ought to indicate to you that it is arguable that Apple's decision in this case increases security of its customers.

> It is undeniable and silly to argue against.

I'll let others judge who seems silly here.


You know, one doesn't really even need to read the whole of your comment to know your way of "debating" is dead in the water. Take the argument as a whole. "Isolating" parts of it just makes you look like you're debating for flat earth or the like lol. "Red flag" rofl grammar police

My point stays exactly the same. You haven't said anything real against it.


Does Apple block imessage on rooted phones? If not, what level of device security do you really have?


In addition to explicitly prohibiting it as a violation of the iPhone EULA, Apple goes to extraordinary lengths to close the exploits which allow jailbreaking. Apple doesn't just block iMessage on rooted phones, it tries to prevent jailbreaking outright.


It being a violation of the EULA means absolutely nothing lol


If more users are sending encrypted messages over APNS instead of SMS (remember, SMS is effectively unencrypted plaintext), that sounds like the definition of "more security".

Hmmming and hawing over "OEMs... and ...lax app marketplace security" seems like quite a high bar to hold, a bar so high it ceases to be useful. Remember, iPhone users can disable passwords on their iPhone entirely; if that's not something you ever worry about, then worrying about a minority of OEM's seems like mere pretext to keep your comfy walled garden all to yourself.


> comes at the cost of increasing the risk to its own users.

iMessage using SMS to communicate with Android devices increases the risk to iOS users. Apple customers are still Apple customers when they communicate with Android users.

Every risk you describe is still present in the current implementation of iMessage when communicating with Android users, except the risks are much greater because SMS is much easier to exploit and intercept than an E2EE protocol would be.

A message platform that forces Apple users to use an insecure protocol when communicating with Android users decreases the security and privacy of Apple users.

So even an imperfect implementation of real E2EE between Apple and Android users, even with all the risks you describe above, is still an improvement in security over what we have right now: a situation where Apple forces iMessage users to use to what is quite possibly the least secure communication method possible when communicating with their friends and family in different ecosystems.

It's not necessarily about helping the users of another competing platform, Apple users who are using normal iPhones are sending unencrypted and unsecured messages to their friends and family members because Apple is more interested in vendor lock-in than it is interested in making sure that its customers are able to communicate securely with their contacts.

The idea that Apple users would suddenly stop caring about security or that they wouldn't want their conversations encrypted just because they're talking to someone else who's on an Android device is very strange to me -- it suggests that Apple is willing to sacrifice security for paying iOS users just to keep Android users from seeing any of the benefits of those security improvements.

Yes, there may exist reasons to distinguish between locked down vendor-controlled devices where users do not have the autonomy to change device settings that could damage encryption, and devices where users do have that autonomy. I understand that concern, even if I think it's usually disengenous. But there is really no reason and no excuse (especially now that we know how easy it would be for Apple to take its encryption multiple-platform) for going beyond distinguishing between those devices, and going so far as to actively drop all security measures and all encryption from those conversations. It's like saying that because a window can be broken we might as well take the door off of its hinges and put up a "burglars welcome" sign -- and, incredibly, it's claiming that anyone who tries to replace the door without permission is somehow decreasing security. Apple doesn't just distinguish between controlled and uncontrolled environments, it removes the door entirely by dropping its users into a messaging format with no end-to-end encryption at all. It's a bad policy that hurts Apple users and decreases their safety.


There's an open standard they're refusing to adopt that would be more secure than forcing users back to SMS.


If you mean RCS, end-to-end encryption is not part of the standard, it is a non-standard extension supported only by the google messages app https://support.google.com/messages/answer/10262381?hl=en


Does RCS need E2E to be better than SMS when it comes to privacy/security?


IMHO profiled RCS is notably worse than SMS for privacy, because the vast majority of RCS servers are hosted by Google.

SMS can be read but it is still at least somewhat decentralized. It isn't being funneled to a single party whose business model is profiling users.


Yes, it does. RCS without E2E is following the SMS model and putting your telco in charge. It uses transport encryption but that is basically meaningless when every relay sees the entire contents of the message.


Does that mean Stingrays and just regular old SDRs can still pick up RCS messages?


RCS uses transport encryption and I honestly have no idea if it uses cert pinning or server certs or the like. The bigger concern to me is that it puts your telco in charge, just like the old days of SMS. Without E2E they get to see all of the contents of messages and to share it with whoever they deem they want to share it with, which history has shown is too many people. Telcos were very willing partners in the development of RCS for a reason. And there's a reason the base spec doesn't include E2E. Telcos want a return to the good old days.

SMS is insecure and no one should use it. RCS isn't that much better and history is a lesson that it returns to a partner that isn't trustworthy.


Yeah anything that's not E2E encrypted is pretty useless for privacy/security these days. Might as well just use DMs on reddit, twitter, etc if you don't care about E2E


Apple is adopting RCS, but as far as I can tell your reply has nothing whatsoever to do with my comment.


Are you referring to the one that they're adopting?


i am just flabbergasted that we are living in a timeline where the phrase "proprietary protocol" is a real thing


Aren't most protocols proprietary? Every app builds their own on top of standard protocols like HTTP, TLS, and IP. Not all services are hostile to third party clients though


well, there's proprietary in the sense of "not a standard" and proprietary in the sense of "no one else can make software that uses this protocol". the latter is very weird if you think about it.


Eh not really that weird. Consider how Microsoft repeatedly reverse engineered AOL for compatibility reasons and AOL actively blocked their efforts with every update: https://youtu.be/w-7PjunSxLU

Stuff like this happens all the time and the internet has always been like this. I'm sure older users will remember even older examples


It's time that we as an industry push back against Apple and Google.

The smartphone is the single most important device for modern life and society. It's news, photos, communications with loved ones, work, entertainment, food, paying for practically everything...

And it's just two companies. Two companies with an iron grip over such a wide and diverse set of functionalities that, taken together, should be as inalienable as free speech.

- They control what you can put on the devices (or in the cases where they're open, they scare you or make it exceedingly difficult).

- They tax all innovation happening on the platform. Because web is second class. If you build an app, you have to pay for ads against your own brand. You can't have a customer relationship (yet Google and Apple get that). You have to keep up with their release cycles on their timeline. They can deny you or ban you at any point. They take 30% of your margin. You're forced to use their billing. In many cases, they actively develop software that competes with you.

- They're extremely user hostile. The devices aren't easily repairable, the batteries force upgrade cycles, and they do stupid things that make your kids want to buy the most expensive model for clout. Green and blue bubbles, etc.

- On top of this, they're gradually eating away at every related industry. The music industry. The credit cards and payments and finance industry. The film industry. It's all getting absorbed into the blob that is the locked down smartphone.

- They turn their devices into "CSAM detection dragnets" (read: five eyes, US, China, and every other entity that wants to surveil).

This is fucking absurd and it needs to stop.

We need more than two device and platform manufactures.

Apps should be at least one of: (1) portable, (2) freely installable from the web without scare tactics, (3) web should be first class / native

The device provider shouldn't be able to use their platform play to maintain dominance. The cost of switching should be zero until there are enough new peer-level competitors.

I could keep going... the status quo is a tax on the public, a tax on innovation, and a really overall unfortunate situation.


> They take 30% of your margin.

that would be nicer than the current situation where they take away 30% of your revenue


Agreed with all of this. I'm happy to see others who care about these issues- all too often on HN that's not the case :-\


The alternative phones outside the duopoly exist.

Sent from my Librem 5.


Have Purism solved the problem where it will randomly burn through an entire battery charge in an hour?

That basically makes it a non-option for the overwhelming majority of people, and it was still an issue 6 months ago.

I really want to like the Librem but it's hard to justify the price tag when you're going to have to carry another phone around with you anyway.


I use a Librem 5 as my daily driver without carrying a second phone around.

The battery thing is not an issue for me in practice. I carry a spare battery (they're swappable), but I never actually need it because there's USB-C chargers everywhere I go, and I made it a habit to plug it in whenever I can.


Look, no offense but it sounds like the battery thing is an issue for you in practice, as evidenced by the fact that you carry a spare battery and plug it into a charger multiple times per day.

A phone should adapt to your lifestyle. You should not have to adapt your lifestyle to your phone.


Linux phones can't benefit from 10 years of software optimizations for the battery life, so yes. However it's good enough for non-heavy usage already.


I don't have such issue. The battery is sufficient for one day unless I use the phone heavily.

Edit: Actually it did happen when I opened a Firefox tab with a heavy js and left it open with deactivated suspend, which you shouldn't do on any phone (and even then it's more than a couple of hours).


It's really not just two companies trying to pull this bullshit. Microsoft and Samsung also try to do the "ecosystem" bullshit. If you try to use a streaming music service other than Spotify, you'll eventually notice almost all social media has an exclusive connection with Spotify to do things like share "now playing" songs or your playlists or whatever. Retail companies tried to force everyone into their payment platform lol. Banks try to force you to only use iOS or locked-down android distros. (Some are even deprecating their desktop websites and forcing you to download the app now, apparently).

There's also the mountain of 'mobile first' (aka mobile-only) garbage out there, and stuff that is nerfed on mobile unless you download the app (so they can squeeze telemetry out of you).

Don't get me wrong, I'm not defending Apple or Google - far from it - but I'm saying there's a lot of real crap going on in tech right now.

To be fair, I am a curious person and use both android and iOS. I use onedrive and (sigh) icloud for storing photos. On my android phone, I can actually have it sync pictures to onedrive and nowhere else (and it'll free up the storage, even! I think...). On iOS it either fills your phone up and then nags you constantly to manually delete pictures, or you use iCloud. There's no other choice.


What? Does a fire extinguisher connect to Apple servers? Does a fire extinguisher secretly being a bomb affect the security of others? I don’t know if you could have come up with a worse metaphor.


If you think about it, blocking an app and stealing your fire extinguishers are both actions that a person or corporation could theoretically do. Since they are both actions, they are equivalent. Therefore blocking an app, burning down your house, baking a pie, writing a sonnet, doing a backflip are all the same thing.


Ahhh and to think all this time I thought I knew what a metaphor was. It’s literally any comparison! Silly me!


It’s spooky. If you think about it if Apple can block an app what is to stop them from breaking into your garage and modifying your car to talk like KITT from Knight Rider but instead of being helpful it makes mean remarks about your clothes that make you cry?? What if Apple filled your refrigerator with concrete? They could build a brick wall in front of your house and paint a replica of the outside on it so you run into it like a looney toon!


Shit. E2EE encrypting my refrigerator brb


Really, your comment is equivalent to a black hole or pomegranate, since they’re all things.


I didn’t even realize my mind could expand to this level.


It was always that level! Those are both things too!


Ok giving up software to become a monk now.


It does work as a metaphor because if Apple could force you to use their iExtinguisher and ban others they absolutely would, with the argument that they are improving fire safety.


It's a new more advanced fire extinguisher that is 'smart' and has a touchscreen and it smells really nice* and what's even better,

it's going to become illegal not to have one in california! so you better invest NOW!!!

go to double U double U double U blah blah blah dot yadda yadda yadda

*full disclaimer, this technology is patent pending**

**doubly full disclaimer, "patent pending" in the sense that the invention is still to be invented, the panel of experts said 20 (more) years!


Except that the iMessage system belongs to Apple, not to you

> The app doesn’t connect to any servers at Beeper itself, only to Apple servers, the way a “real” iMessage text would.

https://techcrunch.com/2023/12/05/beeper-reversed-engineered...


> 2. Since Apple has no control over the Beeper mini client, they would not consider it safe, it could easily be spying on users without their knowledge.

Since I have no control over iMessage, I would not consider it safe. It could easily be spying on me without my knowledge.


"they would not consider it safe" is from Apple's perspective, which is the only thing that matters when Apple is the steward of legally and technically enforcing who can use their APIs.


Sure. They have every right to do what they're doing. I'm just mocking Apple because I think their implication that they're the only trustworthy entity is ridiculous. We have no reason to trust them any more than we do Beeper or any other company.

If Apple actually cared about security they'd implement an open protocol that is provably secure. Imagine if they supported something like Matrix. But that's clearly not their primary concern here. It's just a convenient excuse to maintain their walled garden.


If you don’t trust Apple, then obviously you don’t use it. If you do, then it shouldn't be possible for a 3rd party client to break that trust. Users only see iMessage vs no-iMessage and have no other way to identify the client to decide for themselves whether to trust it.


> If you do, then it shouldn't be possible for a 3rd party client to break that trust.

A correctly implemented end-to-end encrypted protocol would be safe for all participating clients.

The only way to break that security is by copying messages outside the protocol in the app itself.

Neither of us knows whether iMessage or Beeper Mini does this. To bring up the possibility is to criticize both apps equally.


> A correctly implemented end-to-end encrypted protocol would be safe for all participating clients.

As long as the clients are closed source, this is a circular argument. The client itself is a vector. Not just for a good E2E implementation but for the 3rd party company to not outright steal everyone’s messages, create a backdoor, etc. You have to be willing to trust every client used in the thread.


That was my second point.

If we must be willing to distrust one closed source client, then we ought to distrust both.


This is tantamount to saying we should only trust open source software. If that’s your point, then you lost me. If not, then it’s obvious that some companies are more trustworthy than others. (P.S. the many active exploits found in core low level open source software after months or years because despite the source being open almost no one audits it because they’re cheap and/or assume someone else is doing it)


Well why in the world would I trust iMessage and distrust Beeper Mini?


Are you seriously asking why someone would trust Apple over a small generally unknown Android-only app company?


I don't actually think it's that unreasonable. Apple has broken people's trust many times and come out just fine in the end because they are a huge company with many products participating in many markets. A small company like Beeper is dependent on a small user base and a significant breach of trust could easily spell the end for them.

That said, I don't personally trust either of them. When it comes to matters of security, I prefer open protocols which can be proven to be secure over pinky swears from companies.


Trust is generally something you build and lose, rather than something you are given by default. That reputation can be a massive asset or liability.

The level of trust I currently give in Beeper is that identity verification happened such that someone could potentially be prosecuted for abuses after-the-fact.

They have not built up a reputation, and in the face of potential scams or privacy abuses their reputation may not be as valuable as the user information they can gain access to.

Small incidents can cause significant reputation harm to Apple, and those equate to billions of dollars lost in corporate value.

Even the recent notification monitoring announcement harms their reputation, where the government itself mandated non-transparency. (For this reason, I somewhat expect they are trying to design an oblivious notification system, where role separation prevents a single intermediary from knowing both where a notification is from and where it is going to.)


Apple has done plenty to lose my trust, and very little to build it. But that's not really the subject at hand, though I do see where word choice is misleading here.

You just brought up a better word: "liability". I'll go one step further: "attack surface".

When it comes to security in software, we don't need to work with many unknowns. The unknowns we do work with are the attack surface. By presenting a greater domain of unknown behavior, closed source software effectively presents me (the user) a larger attack surface. Sure, I could trust that the extra attack surface is actually covered; but I can't know. With open source, I don't have to trust, because I can know instead.

If I am to choose between open and closed source software, then I am choosing between knowledge and trust. That is a completely different position than choosing between closed and closed: trust vs. trust. So long as any securely-designed open-source messaging app exists, iMessage is at a disadvantage in end-user security. Even if Apple can know for certain that iMessage's attack surface is not larger than an open-source alternative, we the users can't. Closed source software will always present a higher demand for trust.


Not what he said. He said he doesn’t trust them (safe). The question you should be asking is why do you?


Because they’ve proven to be the most trustworthy and if you can’t trust the manufacturer of the device and OS you also can’t trust any app running on said hardware.


> Since I have no control over iMessage, I would not consider it safe.

Generally fair assumption. There's been some research (both positive and negative) around their E2EE claims, though AFAIK much of what's known about iMessage's E2EE guts has been learned through unofficial means. I think that for the vast majority of users, iMessage is probably safe enough.

As a user, you have the agency to choose a messenger app that better suits your privacy/convenience balance, though in fairness, I think even among users who care about privacy, many don't know how to judge privacy features and implementation details well.

Like others in this thread, I personally recommend Signal. It's widely available, easily usable, has been audited and researched a fair bit, and though it doesn't have a self-hosted option, it does have white papers out about its protocol which IMO are worth a read.


As pointed out below, "they" is Apple, but I would also assume that at least 99.9% (really) of users would trust Apple more than Beeper, i they had to choose.


Let’s add a few more 9s to that, just to make it even more realistic.


Which is why most people (should) opt to use a cross platform messenger, such as Signal.


If signal would officially allow third party clients, non-phone-number-bound users and maybe federation that'd be great.

It does not.


As very recently made evident, Signal spends a significant amount of money maintaining their phone-number-bound infrastructure, with an entirely plausible, reasonable, user-focused reason for doing so. As a Signal user, and donator, I’m 100% okay with the trade-off they’ve made, and would hate to see it reversed just to appeal to some nerdy pipe-dream for how services should work.


> As very recently made evident, Signal spends a significant amount of money maintaining their phone-number-bound infrastructure, with an entirely plausible, reasonable, user-focused reason for doing so.

If there is some recent revelation that makes phone numbers all of a sudden a secure, portable and censorship-resistant identifier please link me that.

Until then I'd prefer to not have my private communication determined by telephone companies that often have not cared for either security, censorship or privacy. Regardless of signals e2e encryption having my access to the network determined by a telephone company is not the right way to go.


I'll continue to restate the thing that made me immediately quit Signal forever - I made an account, and 10 minutes later, it had alerted someone I hadn't talked to in years that I had an account, simply because they had my phone number at some point in the past, and they messaged me.

For a nominally privacy focused app, for them to literally alert people to my new Signal account I'd gotten to securely message someone violated all trust I had in them. What's to stop someone from just adding a Contact for every single valid phone number on their phone and then getting an alert for any time anyone makes a Signal account? I may as well just use Facebook then.


Does iMessage allow third party clients? No? Then why the double standard?


I'm saying that if we hold something to a higher standard lets actually hold them to a higher standard.

Is signal better than iMessage? Probably. Should we ask for them to be better than they are? Yes.


It looks like we are comparing standards here, and that neither passes the bar.


Signal does allow third party clients, Beeper is one. I agree about other things, and would expand on the list.


They do not officially and discourage it. Moxie and the rest of the company has been extremely clear that all third party clients are not considered supported or allowed, regardless if they can and do interact with signal services.


Useful (though somewhat dispiriting) to know. I would feel a lot more forgiving toward Signal's UI shortcomings if I had a choice of alternative front-ends.


> Since I have no control over iMessage, I would not consider it safe.

I would trust iMessage about 95% less if I had written, or even implemented, the protocols myself, and I consider myself a pretty good developer.


If I'm expected to believe a messaging app is secure, the first thing I want is an open protocol. An open source client would be nice too, but honestly I'm fine with just the protocol.

I do not need to have had a hand in developing any of this. It's not my expertise and, like you, I'd feel more comfortable having it developed by the experts.


The basic assumption here is trusting Apple, provided that numerous security researchers have access to the platform. If you don't trust Apple, don't buy their products.


It’s a two party marketplace. Even if I don’t like Apple, the alternative is not great either.


Spam. Spam is the reason and the Beeper guys know it.


(1) is exactly what that quote is pointing out. If Apple actually cared about its users' security, they would see this as a gap, and would have addressed it already. The fact that they haven't means that, despite all their posturing about being a security-first platform, they care more about lock-in and marketing than they do about user security.


Putting aside that I count at least two glaring examples from this list[^1] in your reply, I suspect Apple would argue that it is in fact _solely_ preoccupied with its users' security: that's why iMessage is end to end encrypted and Apple does not offer 2FA / OTPs via SMS. Apple does not generally try to mitigate security issues which are beyond its control (e.g. non-Apple devices, protocols).

[^1]: https://en.wikipedia.org/wiki/List_of_fallacies


They do offer 2FA via SMS. This is AFAIK the ONLY option for Android/non-Mac users. Why are those users less deserving of decent security? Apple still sells and offers services outside their platforms, so they're still customers potentially with hundreds or thousands of dollars worth of purchases and CCs attached. FFS Nintendo has better 2FA options than Apple for non-Apple platforms.


> Why are those users less deserving of decent security?

Because they don't own an Apple device or have iMessage, which is the entire point of this discussion?


So Apple only cares about security for Apple platform users and not all users of Apple services? Such commitment to security...


This is like making a car where the airbags only deploy if you hit another car of the same brand.

Sure, if this car is super safe it may be better if both you and the other driver both had it. But it is clearly better to have airbags, even if the other car is less safe than it could be if it was from the first-party brand.

It is one thing to not try to mitigate security issues outside their control and another thing to remove possible security because you don't control it entirely.


> and Apple does not offer 2FA / OTPs via SMS

Last time I checked, Apple still used security questions any hacker can get answers to on Facebook. I'm not all that confident about Apple's approach to account security.

Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.

Apple chooses not to, and it's their choice, of course. It doesn't care about the privacy of it's non-users, and it doesn't care about the privacy of its users when they communicate with non-users. From what I can tell, it only cares if you stay within the Apple bubble.


> Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.

I'm surprised I haven't seen this mentioned more. They could even make a green (or whatever colour they wish) iMessage bubble to denote that it is not from an Apple device. Seems like it solves all the problems people present with E2EE/iMessage with Android interop. On the issue of spam, which I feel is just grasping at straws, You could allow blocking unknown non-Apple iMessages by default. Unless I am mistaken, this really only leaves the walled-garden as the thing that stops Apple from implementing something like this.

In fact, you could even only allow Android iMessage conversations that include at least one genuine Apple device. This combats the argument that they shouldn't have to give resources away to Android users for free. This would be added-value to their own customers by providing more streamlined messaging with their Android contacts. Such as situations where group chats are forced to swap to MMS for a single Android user, sending pictures/video to a friend, etc.


Those security questions are now very much optional. I made sure to lock down my Apple account. If I lose either my password or access to all my devices, the only thing that can unlock my account is a long printed code or permission from a trusted family member. My account no longer has security questions.

Apple is doing it optionally because they're trying to balance two opposing forces here: helping its users access a locked account, and giving users tightly locked accounts.


Last time I checked, Apple still used security questions any hacker can get answers to on Facebook.

Check again.

I recently reset a forgotten iTunes password. This required:

  - An email verification

  - An SMS verification 

  - A verification code sent to another device on the account

  - A ten-day wait

  - Another second device verification
That's 5FA authentication just to reset a password.

The days of answering personal trivia questions to reset passwords are long gone.


My points are narrowly related to the parent's assertion that Apple preventing Beeper Mini interoperability / allowing SMS is evidence of their convictions relating to privacy being hokum, but since you're not one of those 3 month old accounts I see making specious arguments…

> Last time I checked, Apple still used security questions any hacker can get answers to on Facebook.

Apple's default for a number of years has been to use trusted devices IIRC. Their kb article on resetting a forgotten Apple ID password even suggests that it's better to wait until you're back with a trusted device than to immediately try to reset without one, suggesting that the process is somewhat intensive and perhaps subject to human review? I just kicked it off online and the first question _is_ to confirm an obfuscated cell phone number, but I can't imagine that after that it's mother's maiden name dreck?

> Apple has the ability to control security issues on Android: they can release an Android app, like every other E2EE messenger out there.

Which would thus expose them to security weaknesses of a device and OS they do not control, and potentially expose iPhone and iOS customers to increased risk should an Android iMessage user's phone have malware, or screen scraping, or keylogging, etc.

> Apple chooses not to, and it's their choice, of course. It doesn't care about the privacy of it's non-users, and it doesn't care about the privacy of its users when they communicate with non-users. From what I can tell, it only cares if you stay within the Apple bubble.

Nail on the head, but I do think that folks overstate the simplicity with which Apple could provide a comparably secure iMessage experience on Android.


It's a pretty indirect gap, since it has nothing to do with Apple's infrastructure, it's about users choosing to interact with users of non-Apple platforms using insecure means. There are dozens of secure cross-platform messenger apps that they could be using, and SMS is a legacy technology.


A third party client in iMessage allows for spam attacks, and (worse) malicious payload attacks. It’s very much in the interests of security that Apple fence them out.


I don't think it's at all clear that the approach you describe is working: https://www.wired.com/story/imessage-interactionless-hacks-g... (2019), https://www.forbes.com/sites/daveywinder/2023/06/02/warning-... (2023)

Of course, this is a hard problem. I'm not saying Apple is bad at security, many good messaging platforms run into these kinds of problems. But the way you fix these problems (and the way Apple in fact did fix the bugs above) was through patching their own software, not by trying to control what attackers can send.

If security researches can send a malicious payload attack that compromises iMessage, the solution is not to make sure they can't send that payload (which would be impossible to guarantee anyway), the solution is to patch iMessage to no longer be vulnerable to that payload attack.

One hopes that the only thing preventing your iMessage client from being compromised is not whether or not the attacker has a spare $1,000 lying around.


The longer term solution is to stop using memory unsafe languages.


Regardless, when a buffer overflow happens, it's not reasonable to say, "well, we'll just make sure nobody sends us badly formatted or maliciously formatted data. As long as only iPhone users can send us data then we can trust it."

The actual solution is to make the client/server not be vulnerable to malicious payloads that would cause a buffer overflow. Whether you do that by patching bugs individually or switching to a memory safe language, or whatever strategy is used -- "don't send our messaging platform bad data" isn't a security fix.


On macOS iMessage is scriptable in various ways (both officially supported and unsupported), so the security argument doesn't hold water to me. It's a business decision.


An intentional gap? Or a bug that they've now fixed?


Fixing this bug leaves the gap intact.


My guess is Beeper calculated this was likely to happen eventually (maybe not this fast), but that they would get good press on the initial launch and on the shutdown announcement and that press would be worth the technical investment they made. They do have a different service they still offer and some percentage of people are looking at that now.


Agree. It shows off their technical chops and gets a lot of press attention and goodwill for their target market of Android users who mostly don’t like Apple.


I find this a bit confusing though. It seems like this was an inevitable outcome, but what do they gain from this technical investment aside from exposure. Their website doesn't steer users to anything other than the now cut-off Beeper mini?


Exposure is something. The fact the developer had the chops to do this is now on the public record. That could be very valuable for getting a job or a college scholarship (since they’re in HS).


I did something similar, built an entire app around an undocumented developer api, got a lot of users and then ended up in a good enough position to find out there was a "hidden" official api for sale and it opened a lot of doors as well even to the same site had gotten it from. For someone as young as that with nothing but time, I'm sure they knew the outcome and it blowing up was probably more than they could ask for.


Anyone who has paid any attention to Apple knew this was gonna happen relatively fast.

Doesn’t mean it wouldn’t be an awesome project to do. I don’t blame them one bit. It’s an awesome achievement.


Are you referring to the developer of the GitHub project they bought or the Beeper Mini devs?


Were they not the same person? You’re right that doesn’t make sense.

The GitHub developer I guess. Still his project got noticed because of all of this so it still sort of fits.


What do the Beeper investors get out of the kid having better job prospects? I don't think anyone is questioning that the whole situation has been great for the kid, the question is what the Beeper execs were thinking.


Who cares about the investors? Why is this an important question? Corporations and investors aren't the only people in the world with an ability to reap their rewards.


Beeper should care about their investors, since they are using their money. I think they raised something like 15m.


> from this technical investment

What technical investment? They bought an open-source project from a high-school student.

Beeper Mini is an app they would have built anyway. They simply implemented the bare minimum of iMessage functionality there. Which is a couple of days worth of work, maximum. Maybe a week. And some for testing.

I’m somewhat certain it cost them less than 5 figures. And if it did, what a great marketing campaign. I had no idea what Beeper even was before this whole fiasco.


More like a few weeks to months since there‘s also emoji support and endless scrolling etc, but yeah. I agree it’s doable by one developer and that’s quite affordable to do, considering the scale Beeper is at now.


I still have no idea what Beeper is, because beeper.com only talks about Beeper Mini. I'm getting from some people here on HN that there's another product... somewhere... but if the purpose of the whole exercise were to draw attention to that product shouldn't they be doing that somehow?

As is all I know about is the chat app whose primary sales pitch is the now-broken iMessage interop.


Bottom of the page, click Beeper Cloud. They signalled that they want to move all of Beeper Cloud's features to Mini eventually and just call it Beeper.

https://www.beeper.com/cloud


They have another product, Beeper Cloud, does the same thing + includes a bunch of other messaging services but (as the name implies) runs in the "Cloud"


Wait, how do they run cloud with iMessage?


They send your Apple credentials to a machine (possibly virtual) that runs macOS, which sends and receives messages. Those messages get relayed through Beeper.


Why? Because they could!


That seems like a possibility. But if I was a user (and I am admittedly not), I would be _less_ likely to continue with their services after something like this. This experience would not instill confidence in me that any of their services would be stable.


Yah, this is a great runway to launch a chat app with real encryption.


They already sell a wide ecosystem based on Matrix. The whole point of this app was to connect without relying on Matrix bridges.


This was the obvious outcome. People were being willfully blind about how this "hack" works.

Using an exfiltrated binary they used its blackbox functions to perform a sort of device attestation using ripped Apple device identifiers. Clearly Apple simply needs to blacklist any device attestation that this service uses, which is obviously trivial. These aren't just RNGs they're fabricating, they're sets of legitimate Apple device data that isn't plainly evident to any random user-mode app.

Why would they block it? Every service has some sort of gate on who can message or it will be overrun by bad actors and spammers. Signal, Telegram and others make you validate your cell phone number -- there's a finite number of those, and they can blacklist them as necessary. Online services make you validate an email, do bot checks, etc. Beeper, and more importantly the technique they used, offers none of those gates. It was a plainly problematic free for all that was guaranteed to be closed.


This should have been obvious to anyone who saw the code where it simply contained the raw literal string `FAIRPLAY_PRIVATE_KEY = b64decode(“…”)`. I suppose now we’ll see how accurate the commenter’s claim “if this becomes a problem, I know how to generate new keys” is.

https://github.com/JJTech0130/pypush/blob/main/albert.py#L16


What's the link between this repo and Beeper?


> What's the link between this repo and Beeper?

https://news.ycombinator.com/item?id=38531759


I might be missing it but still don’t see how that answers the question about how that repo is related to beeper mini. Did they use this directly or the same methodology?


In https://news.ycombinator.com/item?id=38531759 its OP states "A team member has published an open source Python iMessage protocol PoC on Github: https://github.com/JJTech0130/pypush."


Maybe there’s an easy way to just read all their replies but I see now that in the linked blog post it links https://blog.beeper.com/p/how-beeper-mini-works which goes over the technical details and mentions the python repo. Thanks


Oh, it wasn't lost among all their replies, it was in the 4th paragraph of the header text section of that Show HN post.


Beeper Mini's implementation was built on top of this repo. I'm sure it was cleaned up and modified for the production release, but the gist is largely still the same.


Thanks I see that mentioned here https://blog.beeper.com/p/how-beeper-mini-works


[flagged]


In this case it makes sense, the key is a "private key" in the cryptographic sense, but it's not "private" in regards to the pypush app, it's needed for the app to work, so it needs to be public information or else the app would be useless for anyone who didn't have that key.


Because "private" here is regarding the cryptography and not regarding the disclosure? How are users supposed to obtain this key to use the service without it being published?


“How can people get into my locked door if I don’t tape a key to it for them to use?”

If the private key is public, it does nothing by definition and it may as well not exist!

Just use plain text, HTTP, or whatever and stop fooling yourself.

It’s like calling an open field a “secure facility”.

The name is not the thing, the map is not the territory.

Private keys are only private if they’re not public.


You're not sharing the key to your house, you're sharing the key to one of the biggest skyscrapers in the world.


And now everyone is up in arms that they changed the locks.

Get it? Get it?


Can you please not post in the flamewar style? It's not what we're going for here, and you can make your substantive points without that.

https://news.ycombinator.com/newsguidelines.html

Edit: it looks like we've had to warn you about this multiple times before:

https://news.ycombinator.com/item?id=32039759 (July 2022)

https://news.ycombinator.com/item?id=27225044 (May 2021)

https://news.ycombinator.com/item?id=22938445 (April 2020)

https://news.ycombinator.com/item?id=21808005 (Dec 2019)

We have to eventually ban accounts that keep breaking the rules like this. I don't want to ban you, so if you'd please review them and stick to them from now on, we'd appreciate it.


This is a private key to access Apple's service for a proof of concept. How is someone without access to an Apple device going to obtain such a key without it being distributed somehow?

Nobody is surprised that Apple is able to revoke this key, by the way.


Please make your substantive points without swipes (like "What are you talking about" and "your schtick"), no matter how bad another comment is or you feel it is.

https://news.ycombinator.com/newsguidelines.html


Edited.


This isn't about taping a key to _your_ front door—you're taping a key to Apple's.


Yea, and like anyone who found out that someone taped the key to their door to their door, they changed the locks, and now everyone's mad at them.


In fairness the dev is a 16 year old. It’s still bad practice but this is a minor mistake all things considered compared to most programming projects by people of that age


Perfectly understandable, at that age I only had the vaguest notion of how cryptography works.

Unfortunately, nobody else seems to either, which is why my comment is getting downvoted.

"Why is this a problem?" say people when the publishing of a private key is inherently the wrong thing to do, and will always lead to a bad consequence.

It doesn't matter who's key it is, how it was generated, how it was obtained, etc...

The purpose of private keys is to be kept secret. A published private key by definition is worthless. That will have a consequence. Either it'll be make-believe fairytale security, or someone else getting into your product, or what happened here: the third party who's keys were stolen changed the locks.

Meanwhile I'm at -4 and clocking down because people struggle to understand how keys and locks work, never mind cryptography.


I believe users are downvoting your comments because they are breaking the site guidelines. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and posting more in the intended spirit, we'd appreciate it, and your comments should get fewer downvotes too. See also https://news.ycombinator.com/item?id=38579013.


The repo is a proof of concept. The key provided is used for illustration purposes and worked for the proof of concept. Nobody believes Apple would not revoke that key. But you don't need to talk down to the author for their age like this when they've made clear this is a proof of concept.


Your understanding in of cryptography appears to be "private means private"

> A published private key by definition is worthless.

If I publish the AACS _private_ key, is it now worthless?


Yes! It becomes worthless for copy protection.

Public-private key pairs only work if the private key is secret. If it’s not secret it doesn’t work.

This is a simple fact of how cryptography works. Or passwords, keys, or any secret like an API key, etc…

If you publish such things on GitHub, they instantly become “not what you’ve labelled it as”.


> It becomes worthless for...

So you admit it's not completely worthless at that point only for specific use cases.


Sure, it has uses: it can be printed on a T-shirt to teach big media a lesson about the futility of copy protection, etc…


Plus it lets people decrypt media encrypted by that key that they might otherwise have been unable to.

So we've established that a "private key" that is no longer private may still have uses to some people, it is not wholly "worthless."

Do you want to revise your earlier statement about the private key in the repo in question? Is it "worthless"? Is it a security problem? Do you know what that key is being used for?


The private key is that of the operating system, unknown to the user. It is not the private key of the project.


> how publishing a private key makes the slightest bit of sense.

From what I gather, the private key was private until it was leaked to / stolen by the team who published it for this use case.

I don't have enough context to say, because I have to admit that once published, the keypair corresponding to the private key is likely to be revoked/discarded.


> the keypair corresponding to the private key is likely to be revoked/discarded.

That's precisely it! Publishing a private key -- anyone's -- invalidates the security of the private-public key pair, making it worthless as security.

There's going to be some consequence to this, such as the third party "changing the locks" and locking out you, or your users.

Similarly, it might allow hackers to intercept the comms, break into your code, or whatever.

The essential, fundamental point I'm trying to get across here is that it never ever makes sense to publish a private key, and then rely on it for any purpose.


I think I'm on board with your POV here.

I guess it would have been more difficult for Apple to find the key/device ID used in this scheme had these not been available on the first few pages linked by a lot of articles claiming iMessage is broken.

Had this not been publicly posted, someone would've been forced to at least open a log file.


Yes, totally understandable that this would be blocked within our legal system... but its a proof of concept that it would not be burdensome for apple to enable interoperability. We should be demanding support for open standards for messaging from mono/duopolists like Apple/Google.


Also WhatsApp, Facebook Messenger, WeChat, Telegram, LINE, and a handful of others with more than a half-billion users. Are those heptopolists or septopolists?

The word "monopolist" in 2023 seems to mean "a company whose corporate values are different than my personal ones and/or whose pricing and packaging don't match my consumption function and/or who has a lot of money and of whom I am jealous".


I think you might be mistaking what monopoly/duopoly is being mentioned here. Those companies aren't phone manufacturers and they don't make phone texting apps. The distinction might not matter to you, but it's clearly the meaning of the GP.

You can say iMessage isn't a texting app because iMessage functionally (as in, the technical details) works like a non-texting app, but it is the only texting app on those phones and is the way normal texting is done. Perhaps it would be different if iMessage was just installable from the app store.


You are aware that iPhones have many alternative messaging apps right? The second part of your comment is simply not true.


Yet you cannot set a new default messaging app...


Do you mean a default "carrier SMS service" app?

In everyday iPhone usage, you would either run an app directly, use sharing intents, or use a messaging service specific identifier (eg custom URI scheme) to converse with someone. The social graph is either in the messaging app itself or in individual contact entries. There's no expectation of a Trillian/Adium style app that consolidates all information and messaging options.


The confusion is that there is only one texting app on iPhone. Chat apps are done "over the top" and can be whatever you want. You or I can make one. There is only one texting app on iOS and most users in the US only use their phone's texting app. This is why Apple's iMessage is genius, insidious, and diabolical- because they took SMS which had universal adoption in the US and had it invisibly and transparently extended into a component of their walled garden. They didn't need to convince everyone to move from SMS to their own messaging app, because if you used SMS on an iPhone, iMessage just happened.


The point is, if someone has an iPhone and I have an iPhone, I simply cannot send them a text. For anyone who has moved from iPhone can attest to, it is quite effing annoying, especially if your workplace gives you a Mac that you are logged into.

There’s no choice not to use iMessage or their iMessage app to send a text, except if the other person is registered to iMessage, it will use that instead.

It’s really annoying. They either need to disable iMessage or open it up as a separate app you get from the App Store.


"Default messaging app" is a creation of Android, necessitated because every cell phone manufacturer wanted its own messaging app. It somehow later became a feature people needed because those pre-installed apps were often dreadful adware junk. This was never a problem on iPhones. No one wants to set a "default messaging app". It mixes up where messages go. I want my Signal messages in the Signal app. I want my LINE messages in the LINE app. Putting them in random different places doesn't make sense and confuses where they're coming from. I don't want my contacts showing up half a dozen times repeatedly for every messaging app they're using.

I don't see anyone on Android wanting to put their SMS messages in the Discord app.


Weird take. Default apps for certain file types and links (email, video, etc) are a precedent across multiple operatings systems.

> No one wants

Quite the assumption. I had Google Hangouts set as my default SMS app for a time.. this seems quite similar to your Discord example?

It hurts nobody to have the _choice_. If you don't want to change the default that's totally OK.


On Android there is no such thing as a default messaging app. There is such a thing as a default SMS app, but my point is that messaging and texting represent two different things (texting is a subset of messaging) which has an extremely material impact on the dynamics of what is happening in the US, and why iMessage, RCS, and interoperability is a very big deal to users who use a texting app.


Texting is a feature of a phone. You cannot, without elaborate workarounds, text from a consumer computer, tablet or other device as if it was a phone. Texting requires a phone number and a phone plan.

I understand that the distinction might seem slight, but in the eyes of most US consumers, texting is distinct from a chat app that you download from an app store even if it uses your phone number.

The absolute one way that everyone with a phone has to send a textual message to another person is to text them with their phone number.

In the US, where adoption of Signal, Whatsapp, Discord, or insert hundreds of other apps is very small, the percentage of your real world contacts using a particular app is also extremely small. Convincing all of them to use Signal would certainly be great, but in reality you will be using all of those apps if you are trying to escape the interoperability nightmare that is currently texting.

Given that everyone has a phone and they are all texting already, it would be awfully nice if we could just use texting without these interoperability problems without having to manage all of the apps, and without having to remember who prefers which one.

Group texting is also hugely popular in the US. If no single third party messaging app covers the set of friends you want to group text, what do you do? You text them. Because everyone has it. Let's say when you started your group everyone was on Whatsapp. Phenomenal! Start the group on Whatsapp. Then you meet Joe, and Joe is very cool and you definitely want him in the group chat. Joe doesn't trust Meta products and doesn't want to use Whatsapp. Should Joe capitulate, install another chat app used only for a single group chat, and grant access to their device to a Meta app? Should a negotiation occur amongst the rest of the group where they select a new common app to run the group on and split the conversation history, while also adding an app that they only use for that group chat?

Let's say they choose to switch to Signal, but Josh keeps forgetting (dammit Josh) and keeps messaging the group on Whatsapp. And instead of yell at Josh that the group is on Signal now, folks reply! Because Josh's joke was super funny. Conversation also continues on Signal. Someone on Signal now does a reference to Josh's joke on Whatsapp. Joe is confused, but everyone else gets the joke. Someone realizes what happens and sends a screenshot of the joke and ensuing replies from within Whatsapp so Joe can catch up, but the messages around the joke are longer than one phone screen so there's a lot more context that he misses. Joe is annoyed but he gets over it.

A few months pass and Sandra seems to have a bug where Signal is chewing through her battery life. Since only one of her group conversations is on Signal (she uses Whatsapp mostly) and she is fine not getting the work related banter that is often the topic of the group chat. But then she finds an article that's super interesting and she wants to share it with the group. She remembers that the group moved to Signal, but who cares, that Whatsapp group still exists and there's only, like, one person that isn't in it. She sends the link in the WhatsApp group instead. This leads organically to the group wanting to get together for a holiday. They plan out that July 12th would be a perfect weekend, and since they want to do a potluck, they all choose what part of the meal they'll bring.

A few days before the potluck, someone mentions on the Signal chat that they are excited to see everyone at the potluck. Joe is very confused and asks what they mean. They realize that this was in the WhatsApp group chat and explain what everyone is bringing. Unfortunately Joe is working that weekend, and can't come.

Should the group chat reschedule?


> You cannot, without elaborate workarounds, text from a consumer computer, tablet or other device as if it was a phone. Texting requires a phone number and a phone plan.

Nitpick, but I can text from my Mac laptop using the messages app. I haven't looked into exactly how exactly it works but I think it's somehow proxying/mirroring the messages through my iPhone. It's very smooth and "just works" though.

> interoperability nightmare that is currently texting.

How about calling it an open competitive market? Centralizing everything on a single format would be a bad thing for the industry and for consumers. Having separate independent networks with drastically different feature sets is a good thing. Trying to find the intersection feature set of Discord, LINE and Signal would result in three applications drastically hampered in their features. LINE for example has an extensive independent industry of artists selling "stamps" that you can buy.


> Nitpick, but I can text from my Mac laptop using the messages app. I haven't looked into exactly how exactly it works but I think it's somehow proxying/mirroring the messages through my iPhone. It's very smooth and "just works" though.

Yes, SMS from iMessage on your non-iPhone (Mac, iPad) proxy through your iPhone. iMessages do not require your phone to be on, since Apple can deliver it directly without using SMS.

However, without a phone you cannot send an SMS message, and most people use phone numbers as contacts in iMessage, which requires an SMS based registration done transparently by your phone.

But all of this is just the technicals of how it works, to the end users it is just texting. The only reason non-technical users are even aware of, or care about, the distinction is because of how iMessage breaks group texting as soon as there's a non-iMessage user involved.


> > You cannot, without elaborate workarounds, text from a consumer computer, tablet or other device as if it was a phone. Texting requires a phone number and a phone plan.

> Nitpick, but I can text from my Mac laptop using the messages app. I haven't looked into exactly how exactly it works but I think it's somehow proxying/mirroring the messages through my iPhone. It's very smooth and "just works" though.

Correct. I think the GP’s remark meant to say “…as if it was a phone, without a phone as well”.

If you’re sending or receiving an SMS from your Mac through the messages app, it absolutely depends on your phone being powered up and online, to route the message through.


Just to explain - some people may think different because they have different experience.

Personally, I don't use default texting, like, at all. Except for those notification/2FA SMSes and couple of contacts, I don't ever open it. For me, mentally, chatting with people (with 2 exceptions) is done through different apps, not the built-in one. And this forms a view that default app is just "one rarely used messenger, of many".

But then, even though I'm in the US, most of my chats are international.


So adding another protocol into the mix solves, what? Answer: nothing, it solves nothing.

Bob has a hardon for mastadon so then another subgroup is created. Joan finds out that her Google Fi service is incompatible with RCS so she decides to create an email list. Joe finds a bug with Beeper and then decides that really everyone needs to move to ICQ. Marley decides maybe everyone should just try MMS again except that nobody can fall back on that because everyone except Joan has opted into RCS.

Apple's not going to solve your social problems (nor will any other company).


> So adding another protocol into the mix solves, what? Answer: nothing, it solves nothing.

Another protocol like RCS? RCS simply solves the problems of SMS/MMS. It doesn't add another protocol, it ultimately replaces two of them.

> Bob has a hardon for mastadon so then another subgroup is created.

Good for Bob. I don't think Mastodon supports group chatting and its DM support is super nascent, its weird choice but I wish him the best.

> Joan finds out that her Google Fi service is incompatible with RCS

Even though Google Fi is definitely compatible with RCS, we can assume it isn't supported for the scenario.

> so she decides to create an email list.

Joan doesn't know what RCS is and doesn't care. Joan makes a group of people on Messages. It works fine, as it falls back to MMS automatically.

> Joe finds a bug with Beeper and then decides that really everyone needs to move to ICQ.

Wait why is anyone using Beeper here. So the user used a unifying client and ran into a bug and blamed something about the underlying messaging system?

> Marley decides maybe everyone should just try MMS again except that nobody can fall back on that because everyone except Joan has opted into RCS.

Everyone on RCS can fall back to MMS just fine, just like iMessage can. The only difference is one of these is a standard that Apple can implement and the other is a proprietary protocol that Google cannot.


If this is true:

  It doesn't add another protocol, it ultimately replaces two of them.
How does this work (assuming your carrier supports MMS, and not all do):

  Everyone on RCS can fall back to MMS just fine
As for this:

  Even though Google Fi is definitely compatible with RCS
https://old.reddit.com/r/GoogleFi/comments/l1czwh/google_fi_...

More recently it looks like Google added some half assed support for RCS and broke other stuff in the process:

https://old.reddit.com/r/GoogleFi/comments/12b8k2p/reminder_...


> Everyone on RCS can fall back to MMS just fine

My cell carrier provides SMS for free, both sending and receiving. My cell carrier charges for MMS, both sending and receiving, so I have MMS disabled. My cell carrier doesn’t support RCS, and would probably charge if it did.

Thankfully, nobody I know tries to send me pictures using SMS/MMS/RCS, and uses WhatsApp / Signal / iMessage instead.

> Another protocol like RCS? RCS simply solves the problems of SMS/MMS. It doesn't add another protocol, it ultimately replaces two of them.

Experience tells me this is false, and that nothing ever dies, nothing ever gets replaced, and augmentation always happens, in IT.


> in the eyes of most US consumers, texting is distinct from a chat app that you download from an app store even if it uses your phone number. (...) In the US, where adoption of Signal, Whatsapp, Discord, or insert hundreds of other apps is very small

But do we know why that is? In Europe everyone's on WhatsApp, and while I'm not especially fan of it, the one feature that I like is that it can be used from any browser on any device, including desktops, including a work laptop where one doesn't have admin rights to install anything, etc.

I can leave my phone away in my pocket all day and still message anyone I please. I would hate it any other way. Why don't people in the US want that?


> In Europe everyone's on WhatsApp

Or FB messenger, or actually mainly use SMS/iMessage. Europe is not as homogeneous as some people here might be implying. WhatsApp is not even the most popular messaging app in quite a few countries (Messenger is).

Also in Scandinavia, Britain and Switzerland iOS is about as popular as in the US while in some other countries it’s closer to 10%.


I'm in France with friends in the UK and Germany, and have never been asked to join a group on anything else other than WhatsApp. Not once.

(Well, at some point a year or two ago there was some controversy around WhatsApp, and some groups tried to migrate to Signal, but that all died out within a month -- never quite started, actually).

Believe it or not, I had almost never heard about iMessage and its specific quirks before the Beeper story (and still don't understand why the colors of the messages in green or blue matter).


Well.. I’m further north east and my experience is somewhat different. My only point was that Europe is not as homogenous as some people keep implying (most people still primarily communicate in their native language which creates a lot of more or less isolated bubbles)

> and still don't understand why the colors of the messages in green or blue matter

Because it indicates a fallback to standard SMS/text messaging which means all the more advanced features (which everyone expect messaging apps to have these days) stop working if you get a text from an Android device.


Thanks for this- perhaps it's all too easy for both sides of the pond to look across and generalize that the other's problems aren't happening in their backyard. Because what you describe sounds quite complicated. Wouldn't everyone just prefer a secure, modern texting app that could message literally anyone with a phone number? Without having them download a specific app? Then we could all text together without the headaches.


> Wouldn't everyone just prefer..

Sure, but I don’t think personal preferences matter that much in this case, most people just end up using what everyone else is whether they like it or not, which makes perfect sense.

But yeah, I think in most of Europe (not all, they were free/almost free since the late 2000s where I am) this started because SMS messages very relatively very expensive back when smartphones were becoming widespread.

Now WhatsApp, Messenger, Telegram, Viber and whatever else there is are quite entrenched so even if Apple and Google get serious about properly supporting RCS it might get tricky to get users to switch back to the default client

Popular non open-source 3rd party messaging apps don’t really have much interest in supporting interoperability due to obvious reasons.

> ..modern texting app that could message literally anyone with a phone number? Without having them download a specific app?

Well on this thread it seems that WhatsApp might be exactly that from the perspective of some people (to the extent that they don’t even believe that anyone in Europe could be using anything else)


All this is fair and your accounting of the reasons for the situation around Europe match my research so far.

I do want to say I've seen some others in this HN story contradict that Europe is as homogenous as your representing here though.

Still though, I looked at Germany's Whatsapp numbers and it's like 68% of the population, ignoring the fact that 1 account is not necessarily 1 person.

That's super dominant compared to the US which is somewhere around 22% with the same account assumption.


> That's super dominant

True. But it’s hard to say to what extent. Many/most people probably have multiple apps installed and use them somewhat regularly in addition to texting/iMessages.


> Wouldn't everyone just prefer a secure, modern texting app that could message literally anyone with a phone number? Without having them download a specific app? Then we could all text together without the headaches.

https://m.xkcd.com/927/

I’m not sure what messaging standard you propose gets adopted, because the flavour du jour of most non-iMessage users is RCS, which as an open standard, is unencrypted and insecure.


I like the separation that different messaging platforms offer.


> I can leave my phone away in my pocket all day and still message anyone I please. I would hate it any other way. Why don't people in the US want that?

I have that already via Google Messages, and iMessage already has that as well.

In the case of Google Messages, it's just a web app, you don't need to install it. You visit messages.google.com and scan a QR code from your phone and the devices are linked.


In my experience, incoming SMS are mostly spam, and other low trust notifications, while incoming iMessages, even if unknown to me, are likely to be real people. Buying an Apple device is an expensive signal, and Apple will quickly shut down abusers, maintaining that relatively high bar.

Letting (actual) Android users use iMessage probably wouldn’t affect that, but the open source hack/reversing of it opened the door to iMessage spam that Apple, for the sake of reputation, and customer satisfaction, is obliged to close.

Anyway, I guess my point is that there are some “burdens” that are less obvious than others.


Apple's statement: "At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users."


Who is talking about SMS? Not I.


I mention SMS as a natural contrast to iMessage and to illustrate the annoyances which may burden iMessage if opened up blindly to any bot — a different variety of burdensome.


Huh, I used to receive spam on iMessage with blue bubbles. In fact the only blue bubbles I receive are spam.


[flagged]


This isn't a useful comment, you're just assuming your experience is valid and others who disagree aren't, and using it to sling accusations of dishonesty.

If spam is really the problem Apple is worried about, then isn't it conceivable that it happens and that Apple has to work to keep spam low so you have a good experience? Such work is ongoing and sometimes spam gets through anyway. I don't think we should assume Apple's protections on occasional spam are perfect.


[flagged]


I’m not lying. Also not sure why I’m downvoted. I occasionally receive spam messages from iMessage users, not conventional SMS. I do not know how these spammers manage to send them, but the senders are always identified with an email in the app, that’s how I could tell it apart from conventional SMS.


I guess (based on the skeptical reactions) your experience is atypical now-a-days, but based on your comment, I did find a 2014 wired article saying that while previously unheard of, iMessage now [then] accounted for 30% of spam, from email addresses like you described. I had no idea. Somehow I avoided that. I didn’t find anything more recent, though, so maybe it’s less of a problem now?

https://www.wired.com/2014/08/apples-imessage-is-being-taken...

I do know first hand that Apple will turn off (starting at several days) an Apple user’s ability to use iMessage if they get even several reports, though.


The GP is using a euphemism popular in the US. Indeed, the sent messages are colored not the received ones, but the euphemism labels the cause of the color, not the person receiving the text. If you are not from the US I'm sure this is weird.


Wait, what? Android user here so I might just be confused, but my impression always was that it's the received messages that are different, hence the whole blue/green bubble debacle, and Android users being bullied for having green bubble texts.


Received messages are always grey. It's sent messgaes that change colors. So a message from an Android, iPhone, windows phone, feature phone, etc. will always appear with a grey bubble. A sent imessage message to an iPhone user will be blue. A sent SMS text message to a iphone, android phone, feature phone, etc. will be in a green bubble.


See my sibling comment for an explanation.


Yearly reminder that a long time ago, chat services used XMPP and we were on the verge of having GChat interoperability with FB messages and I think Yahoo or something similar at the time. None of them really wanted to do it for business reasons, so they could “add value” (and charge for it)….same reason RSS has fallen out of favor (no good way to inject ads and tracking). IRC and Matrix still exist.


On the Google side the XMPP federation got killed when Google Hangouts and Google+ became the core strategy. The company wanted to focus on "social" (but their own social network) and didn't care about other chat. Back then I worked on the App Engine team which had a XMPP Chat API. When GChat killed XMPP Federation that API lost the majority of target users as a result. I tried to make the case for maintaining XMPP support - taking it up with some VP of Engineering. Alas, nobody cared about the opinion of this random guy in developer support (~2012, early days of Google Cloud)


You forget that Google was worried about other XMPP services stealing user data. If I remember right, some services (maybe it was FB) was not sending out all data to Google in the federation system (I forget if it was names or friends lists or something). So it would allow other services to ingest data Google was sharing, but the sharing wasn't reciprocal.


Can we make XMPP popular again? We really could need an universal internet standard for IM.


There is hope. The European Union's Digital Markets Act allows new messaging platforms to demand interoperability with the existing walled gardens. All it takes is for other jurisdictions to follow suit.


You can't use regulations to change physics, and (demands or no) it is unclear what sort of interoperability is really possible.

What will really happen is that there will be some subpar common denominator. An existing "walled garden" (WeChat?) would add support for this as well.

But this would wind up being rather insecure, because messaging services tend to use email addresses they don't control or phone numbers they don't control as identifiers. We'd have to wait for carriers and email providers to be regulated with the burden of solving this mess (for markets they aren't in).


Yeah and how did that work out for google? Hangouts was their most popular product and most of my friends were using it. Incredibly stupid management decisions right there.


The EU will soon require interoperability between messaging apps! Real Freedom!

(for the users, not for the companies)


iMessage seemingly was found exempt because too few Europeans use iMessage for business.

Although to be fair, I have a hard time imagining a world where this ever happens. So large companies have to proactively share information on all their users with all the other large companies, and vice versa? Or do I become skygazer@iMessage and everyone on instagram has to know that? This just seems like an absurd thing to mandate.


And Apple didn't even need to block any device identifiers, just the IPs Beeper Mini was using to connect to the APN service.

This could have been blocked in minutes. The delay was likely to get approval from Legal.


Only BPNs used Beeper hosted services, and this is an optional component of the app (which enables push notifications when Mini is not running).

Otherwise the IP Apple sees is those of the individual handsets on whatever network they are on.

It's pretty likely that they blocked Mini based on the IDS (Identity Service) which requires the device to pass it's hardware model, serial number, and disk UUID as described elsewhere.


I think you've got Beeper Mini mixed up with other iMessage bridges. The whole thing with Beeper Mini (vs other iMessage bridges) was that it was entirely client side on the phone, no server to block. So the "IPs Beeper Mini was using to connect to the APN service", those IPs were just the IP addresses of every individual phone with Beeper Mini installed on it, no centralized place to block.


No, the BPN server is a server side service that persistently recieves APNs to forward to the phone (that don't contain the message data) since unlike iPhones, Android phones can't persistently check for APNs (at least that's what I understood from the announcement article). AIUI that's what you're paying for. But that wouldn't explain why sending is broken.


The How It Works article is clear that BPNs is only used to serve push to your phone when the app isn't running. Disabling it would not cause send/receive failures.


If you check the How it Works post, they do show the Beeper Push Notification Service running in the cloud [1] to intercept 'new message available' APNs and then notify the Android device a new message is available.

[1] https://blog.beeper.com/p/how-beeper-mini-works


Only required when Mini isn't running.


If it were purely client based, why did I leave to log in with Google to something then?


> just the IPs Beeper Mini was using to connect to the APN service.

Hmm, wouldn't blocking IPs be overly broad and risked affecting regular users? Considering that IPs are scarce and constantly recycled by ISPs etc. Blocking device identifiers sounds more targeted and, for that reason, realistic.


If you take a look at their How it Works post [1] this is not an entirety client side implementation, so there would presumably be a small number of IPs that would need to be blocked.

[1] https://blog.beeper.com/p/how-beeper-mini-works


Are you referring to the step where Beeper's servers make a persistent connection with Apple's APN service to listen to new messages ?

So your point is Apple can presumably distinguish between an actual iOS connection and Beeper's connection by looking at "how many connections per IP"? Still seems prone to false positives to me, unless there is something else I missed.

(Upon re-reading the post, I realized that the phone number registration is actually done by Apple. Wonder if this might provide another basis to block Beeper, i.e. all this SMS infrastructure is not cheap to maintain and Beeper's integration is arguably using it in an "unauthorized" way.)


Yes. An Apple sysadmin could just install Beeper, watch what IP their APN requests are coming from and block it. Then repeat the process occasionally.

They don't need to break it completely. If Beeper is unreliable, nobody is going to pay for it.


In that very article they mention you can turn BPNs off, it is just used to listen to APNs when the app is not running. If that's what they blocked, Beeper Mini would still work while the app is running, or at least when that setting is turned off.


I can’t speak for Cupertino et al., but I would take that risk, even if it weren’t IP-based but instead UDID/serial-based.

The amount of legitimate users it would affect would be trivial and can be taken care of by customer support.

The benefit of that is that I can then, at that point, verify if we’re dealing with a legitimate device or not. Geniuses at Apple Stores can obviously do this physically, and remote support has the option to run remote diagnostics and even share screens.


Not disagreeing, but I do not think Beeper Mini used the binary method for registering accounts. I think that was the way to do it for non-mobile devices that couldn't receive SMS, but there is also a way to register an account using SMS which I believe Beeper Mini uses.


I believe that you are correct: https://blog.beeper.com/p/how-beeper-mini-works


Interestingly enough, there are companies out there making a business of doing this with WhatsApp! I have no idea why Meta isn’t cracking down in it, it seems absolutely insane

https://www.telemessage.com/mobile-archiver/whatsapp-archive...

It’s literally a hacked WhatsApp binary (that logs all your messages) that they sell to corporate clients…


https://twitter.com/LiamCottle/status/1406616490783117322

Snapchat as a service is no more. But there may be other options:

https://github.com/rhunk/SnapEnhance


And there was major hubris from the makers. They were arguing that because it was all totally above board Apple wouldn’t be able to block the service without impairing iMessage entirely.

Wrong


> because it was all totally above board

What do you mean by above board? What they claimed is that there is no way of telling Beeper Mini clients from an old iPhone, therefore Apple wouldn't be able to block one without blocking the other.

Clearly Apple managed to find a way, and who knows if there will be some more cat and mouse happening here. In theory though, I don't see why it wouldn't be possible to have a service that's indistinguishable from an old iPhone.

Newer devices can use device attestation, but old iPhones don't have secure enclave.


Why was everyone here acting like Apple suddenly found a way to kill of Beeper? They released a temporary patch that only temporarily stopped Beeper. It's not going to be this easy, especially when people are being paid to reverse engineer iMessage.

It's only a matter of time until that "black box" gets manually deobfuscated. Apple should waste less time on this and instead focus on algorithms that detect and stop spammers.


They had a cloud of Apple devices that they already used for their relay service, and could easily generate keys using several devices. From my understanding, the best vector for Apple was to actually block their "BPN", the push server.


This is actually a great point I didn’t originally consider. People could easily infiltrate the iMessage fort with spam and other stuff which at the moment requires a genuine Apple device.


Still need a valid phone number with a SIM that can do the special SMS needed for this, so it's hardly going to produce a big spam farm too fast.


Better to kill it early. I get spam calls on WhatsApp (an app which I absolutely loathe)


It’s completely trivial to get a real number for sms these days thanks to scum like twilio. You can use your legitimate Apple device identifiers to run something like a hackintosh and then use iMessage that way, or use the script linked last week.


Wouldn't your iPhone still receive spam SMS text messages with Apple Messages? And isn't Apple Messages commonly exploited by NSO Group (Zero-clicks)? Maybe I'm wrong, but this does not appear to be very fort-like.


Yes. I believe people are just saying that they assume unknown-contact SMS is spam and that sort of sounds like Apple's SMS spam filtering isn't very good.


For iPhone there are two tiers - the carrier provided SMS spam filtering, and apps written to provide such filtering[1].

1: https://developer.apple.com/documentation/sms_and_call_repor...


Oh, so there's no builtin message filtering at all??

This explains some things. Why wouldn't they just add a spam filter. Is there still iCloud email addresses? Do they have spam filtering?


I'm pretty sure some of the spam I am getting was using this vector. Hopefully it kills it now.


that's one of the reasons they're doing this

but I don't think it's their main reason, if anything I see that argument as convenient posturing which aids in covering the uglier underlying reasons


Can you say more about how Beeper is doing device attestation using ripped Apple device identifiers, or where you discovered that? Device attestation can be extremely user hostile, and if this is a true workaround it will be useful in other applications.


> Signal, Telegram and others make you validate your cell phone number

For what it's worth Beeper Mini did support using Apple's iMessage registration system to use your phone number.


This was why I never shared my iMessage for Windows: https://neosmart.net/blog/imessage-for-windows/

They’d block an account out of spite without a second thought.


This is amazing. Truly a labor of love. Kudos to you for accomplishing this, and then polishing it to perfection. Good on you to withhold it, as proved again today. I’m so glad that I finally left the Apple ecosystem.


Your article was the first I thought of when Beeper Mini was released. I knew it had already been done by you and never saw the light of day for a reason!


Does it still work?


Still using it daily.


Love this. Congrats and thank you for the writeup!


Loved your post, thanks for sharing!


> Reached for comment, Beeper CEO Eric Migicovsky did not deny that Apple has successfully blocked Beeper Mini. “If it’s Apple, then I think the biggest question is... if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS? With their announcement of RCS support, it’s clear that Apple knows they have a gaping hole here. Beeper Mini is here today and works great. Why force iPhone users back to sending unencrypted SMS when they chat with friends on Android?”

Does it come down to The Law of Leaky Abstractions?

>> https://www.joelonsoftware.com/2002/11/11/the-law-of-leaky-a...

Which means that if Apple wants to change something eventually, then they will possibly break downstream abstractions and then people will complain and the downstream abstraction will say "Well Apple changed their API, it is their fault". Letting someone do it from square one would be enabling that future scenario, as it isn't "if" it changes, it is "when".

If it was an open source API that would be different, but Apple's is closed source, that is Apple's philosophy at the core. It is a closed API yah? Not even an open spec right?


I agree. There are already third party E2E messaging apps that work across platforms. Anyone who decided to build a business on unauthorized use of another company's servers was just setting themselves up for disappointment. I have a hard time understanding how anyone thought Apple would not cut this off.


Is like saying if they care about privacy why do Apple allow users to buy android? Why not give your iPhone away for free so they don’t get to use it.


The good thing though is that Apple finally announced RCS support >

https://9to5mac.com/2023/11/16/apple-rcs-coming-to-iphone/


Good? RCS isn't universal. Am I gonna be sending and receiving Google, Verizon, TMobile, or Samsung messages? It's not universally encrypted either. No way am I turning it on.


RCS Universal Profile.

Vendors are going to have to actually work on improving the standard (and Apple has committed to working within GSMA on an appropriate multi-vendor E2EE mechanism)

In the absence of interoperable standards through GSMA, there will likely still be quite a bit of broken behavior, e.g. when it's not a Google RCS Server and all Google clients.


They don't have to, as they haven't for over a decade. It will suck and I doubt anyone will use it unless they're forced to (for 2fa). This is too little too late, if not iMessage, they'd use Snapchat, Facebook messenger, or IG before switching over to texting.

There is zero benefit for apple to make it good and no commercial reason for these vendors to make it good for multi vendors.


So instead of being possibly unencrypted RCS when sending outside iMessage, you'd rather guarantee it be unencrypted?


The only texts I get are unwanted spam or some confirmation codes and no it is not worth it to use RCS with the amount of unsent messages it keeps having problems with, maybe for some "possible encryption". It is trash all the way around.


It will end up like home IoT crap. Zigbee, Zwave, Matter, ten other shits… GL with this


Apples cares about the privacy and security of iPhones as a differentiator.


Apple employees also care deeply about the privacy and security of iPhones.


lol that is such a reach from Eric


One thing which is really confusing is why are Android users obsessed with iMessage? Android users can send text messages to iPhones, the can call iPhone users, and they can use third party messaging apps to communicate with iPhone users.

It really isn’t clear to me why so many people are so angry they cannot use iMessage on Android.


An android user in an otherwise iMessage only group chat tends to mess things up. Those Apple users tend to get frustrated by it and group chat exclusion is a real thing.

It’s less about a specific feature set and more about inclusion and acceptance from/by peers.

This is especially prevalent among the younger crowd. Think high school group dynamics playing out with phones.

And then on top of that, photos/videos are terrible quality.


Are these iMessage group chat really a thing?

In my part of the world Whatsapp is the defacto standard for group chat and even for things like scheduling anpointment to a doctor/dentist/hairdresser.

And that is because it is available on android, apple devices and even those cheap kaios halfsmartphones.


At least in the US, it's very common. The iPhone has ~60% market share here, skewed even higher if you limit to higher income individuals. Text messaging is still the lingua franca of communication here, likely due to the lack of a single dominant messaging app. For those iPhone users, the UX of texting someone on an iPhone with iMessage is vastly superior to texting via MMS with Android users.


In my family they are. I am in Australia and almost everyone I text has their phone number come up in blue, signifying iMessage/iPhone

For example, when RSVPing to a kid's birthday party, other parents' numbers are inevitably blue. When selling and buying items, the contacts for those sales have always been blue numbers, it's rare to encounter a number that doesn't "turn blue" when I enter it into the "to" field

I would say maybe 5% of the people I know and text use Android. For one of those people I use Signal, one other has asked me to use Facebook Messenger, one has asked me to use WhatsApp, and the remaining few use SMS. It's a pain to use three separate apps to message just these three people!

One of my cousins switched to an Android phone. This broke our long-standing group message in iMessage, so she was no longer able to be included in it. After two years of this her siblings simply ordered her a new iPhone and she is back in the group chat

Getting everyone to move their default messaging behaviour for one person is a huge ask. It was easier for one person to just relay the group chat info instead, but when this became annoying, it was even easier to buy her a new phone


It's highly dependent on the demographic I think. I'd guess that I'm younger than you based on your comment about having kids, and everyone in my social circles use Facebook messenger or instagram.


Interesting, my kids all have 20+ large iMessage groups for their friends at school. They play Minecraft and Among Us while on FaceTime calls. They are in the 8 - 11 year range. So it is certainly down to demographics, but perhaps not age


My daughter's parents group is all iMessage. The group is too large to even downgrade to SMS. I am excluded entirely unless I figure out methods to get into that group.

It is very annoying and quite real.


> Are these iMessage group chat really a thing?

For some, but everyone knows and has the capacity to download WhatsApp.

The root issue is there is a lot of judgment about Android users, hence wanting to restrict chats to iMessage. It’s a signal that you are part of the in group vs out group.

Although, it is objectively convenient to have a group of all iMessage users at events, because any pics/video get shared at high quality with no extra work.


Walled garden development practices sold under the guise of privacy and security. It's a very tired and old playbook that has real societal damage. So. Tired. Of. It.


There’s a reason why robocalls and spam emails and spam paper mail are a nearly universal thing and iMessage spam is not.


Ironically in the initial beep announcement some people mentionned in the comments that imessage spam was already a thing.


The US is odd that way that unified chat apps haven't made as much of a headway. iMessage way more dominant in the US and is the leader.


I realised this the other day, a friend send me a video via mms (I'm on android) and the quality was super poor (like 90s gif like quality). I though she must have some issue with her camera or so, no next time I saw her we looked at her phone (which is an iPhone), perfectly fine video. It's just apple degrading the performance for who is not on an iPhone.

I mean just imagine they'd degrade sound to nearly noise if you'd call a non-iPhone.


> It's just apple degrading the performance for who is not on an iPhone.

The reason the video looks like ass is because MMS messages aren't meant to be very large. While (iirc) there isn't a hard limit, the recommended maximum message size is ~600KB. The only way to fit a video into that range is to compress the hell out of it.


That's the technical reason.

Apple knows of such limitations and does nothing to improve the situation. In fact they ban those who try. FTA.


> Apple knows of such limitations and does nothing to improve the situation.

Why would they? It's not their problem, nor does it seem to be a big deal for their customers because they're not clamoring for a fix.

> In fact they ban those who try. FTA.

They don't, thiugh. The App Store has tons of photo and video sharing services, email, and other messaging services; I'm sure any number of them would let your iPhone-using friends and family easily send you a non-mangled videos. This is a solved, dozens of times over.

iMessage, on the other hand, is a service Apple provides for Apple customers. They get to set the terms under which it's used, and Beeper did not abide by those terms.


Apple announced RCS support in 2024, so they’re doing more than nothing. Don’t think we know yet how fully they’ll support it though.


I think they don't like being spit on and excluded by iphone users. Iphone users don't like when there are android users in group chats.

The reason the iphone users don't like it is because Apple specifically and artificially makes the experience annoying and shitty in several different ways, for the iphone users not just for the Android users.


Good grief! No one is spitting on people with Android phones. If you really feel this way you need to put your screen down and spend time talking to people in real life. No one is persecuting you.


Yes in fact they are. I have the amazing ability to recognize a problem even if I don't have it myself*. If you really can't do that, perhaps you should try.

* Android user in the US where this dynamic primarily exists, but I just don't care because I'm not 20 any more. I only very occasionally need to send a video or picture to anyone, and in those cases, I know enough to use email or a google photos link or something, which probably annoys the recipient a little and makes me weird to them, but I'm just ok with that since I know where the blame really lies. Similarly in the occasional times I txt with family members or friends, we're not in high school and so they don't care about my green bubble, and I just accept the annoying stupid extra txts I get that say "x smiled" or whatever. That ux don't bother me in the sense that I don't spend any time thinking and caring about it, but that doesn't make it not utterly stupid and ridiculous, and especially so when you know it's a deliberate act and not an honest technical limitation. Astonishingly it's possible to both recognize that something is not worth investing much care over, and recognize that it's wrong and that it's a deliberate wrong commited by someone and not just the weather. Amazing!


[flagged]


I can anecdotally confirm this is real. And not only that, I'm actually surprised you've never seen this or heard of this. Maybe you aren't in the US? Surely you're not arguing in bad faith.


They’re just asking for actual evidence that iOS users think down on Android users. There are multiple articles that talk about this in the social circle of teens, and likely exist in various adult circles as well. What I can say is that it is extremely frustrating that texts don’t just work between users of different platforms. Some Android users don’t want to use WhatsApp, Signal, etc. and that’s totally fine. This feels like a closed wall two party system debate, it shouldn’t just be one or the other they should just work together.

As an iOS user I do not look down on Android users, I have separate reasons for not using Android. That said I think it’s dumb that we need to use a different app to communicate effectively in a group setting, and I’m willing to use other apps, but not everyone is. So we end up with the current state where sometimes new groups are created when someone responds from a different device, or a different experience occurs when someone reacts to a message in a group thread.


> They’re just asking for actual evidence that iOS users think down on Android users.

From their reply after you commented, no. That user is asking for actual evidence that iOS users throw saliva from their mouth at Android users. Not a figure of speech, real liquid saliva.


Which is absurd. "To spit upon" is a common figure of speech, and the person using it was clearly being metaphorical. Even iMessage doesn't support saliva transfer among iPhones ... as of 2023-12.


I have literally never, ever, ever in my entire life heard people say "I was spit upon" as a figure of speech. Ever. Please don't accuse me of being absurd just because I have not had the same life experience as you.


The context should be clear in their comments. If not a web search usually helps me clear up any such misunderstandings before any doubling down.


People literally spit on you for having an Android phone? Like they literally hacked up a glob of saliva and spat on you as if you were doing a lunch counter sit in during the civil rights movement?


> > Surely you're not arguing in bad faith.

> People literally spit on you for having an Android phone? Like they literally hacked up a glob of saliva and spat on you?

Soooo, you're arguing in bad faith. Could have saved people some time and said so.


No. "Spit on" is a serious accusation with real life historical analogs. I have literally never, ever, ever in my entire life heard people say "I was spit upon" as a figure of speech. Ever. It's not a figure of speech I would personally ever use because of the implications.

Please don't accuse people of arguing in bad faith just because they haven't had the same life experiences you have had. You are spitting in me when you do so.


Took 5 seconds to search and copy first link:

https://www.wsj.com/articles/why-apples-imessage-is-winning-...


No one in that article mentions spitting. By your and the OP's definition, everyone downvoting me is literally[0] spitting on me and the WSJ locking the article behind a paywall is also literally[0] spitting on me.

This is of, of course, silly. The OP could have just said they didn't like being excluded and doesn't like what Apple is doing. That's fine. But spitting? That isn't something that is happening. The language of "spitting" is far to strong a description for what is effectively console war, consumer electronic purchase fandom BS. Some of use face actual prejudice you know!

[0]metaphorically


Go on /r/tinder and the like and you see posts like this all the time: https://www.reddit.com/r/Tinder/comments/v7a7s3/your_phone_s...


“You’re in for a treat buddy” is a weird response and probably confirmed her biases.


Are you really this obtuse?


No one is literally spitting, but Apple intentionally creates enough friction that Android users really do regularly get excluded from group chats in the US where iMessage is the convention for group chats.


Chat app friction is not being spat on which is what the OP literally said. Perceived inconvenience is not persecution.


You may not have ever experienced this yourself, but it's a known cultural phenonemon. Here's a New York Times article: https://www.nytimes.com/2023/11/29/technology/personaltech/a...

> Over time, the annoyance and frustration that built up between blue and green bubbles evolved into more than a tech problem. It created a deeper sociological divide between people who judged one another by their phones. The color of a bubble became a symbol that some believe reflects status and wealth, given a perception that only wealthy people buy iPhones.

...

> On dating apps, green-bubble users are often rejected by the blues. Adults with iPhones have been known to privately snicker to one another when a green bubble taints a group chat. In schools, a green bubble is an invitation for mockery and exclusion by children with iPhones, according to Common Sense Media, a nonprofit that focuses on technology’s impact on families.

> “This green-versus-blue issue is a form of cyberbullying,” said Jim Steyer, the chief executive of Common Sense, which works with thousands of schools that have shared stories about tensions among children using messaging apps.


That's very unfortunate and all, but, again, it's not spitting. I don't think it's correct or good to say you were spat on by iphone users for having an android phone as if you were being persecuted for your religious beliefs or race, especially if it literally never happened. You can just factually describe events. The OP doesn't need to lie or grossly exaggerate.


[flagged]


Holy shit you really are this obtuse. The last time you were in a meeting and someone said "well my hands are tied..." did you boggle and demand of the room to explain the invisible rope?

No. I would calmly listen to what they were telling me. What I did not do was swear and declare they were being really obtuse. And I would certainly not claim they were literally spitting on me just because I got an answer I didn't like or that was inconvenient to me.


But their hands aren't literally tied! I mean, they literally said their hands were tied! And there was no rope! They were a fucking liar!

Look, either you have a basic understanding of how human communication includes metaphore, analogy, imagery, equation, in which case you deserve to be derided mercilessly for wasting everyone's time with a bad faith argument, or you don't, in which case I apologize for picking on someone handicapped. I don't like kicking puppies.

You can pick! I'm super generous that way!

And, since this needs explaining, I know that you are not literally a puppy. I would not literally kick you, or a puppy. You see, the word "puppy" in this context is just a stand-in to express the concept of something helpless and innocent and powerless and good-natured on top of all that.


Fo someone who doesn't like being metaphorically spit upon, you sure do like swearing at me and calling me names.


What a great way to prove how you didn't deserve this terribly unjust ridicule.

Please quote where I said I felt spit on and didn't like it.


I think the main thing with all the cringeworthy talk about green bubbles is about android being perceived as less glamorous - on average android users have less money, and/or are ideologically motivated - like some linux users.

In a word, android would be considered just as uncool even if they had access to imessage.


I recently switched from Android to iOS just for iMessage. SMS is quite unreliable even in 2023. SMS messages don't have the same delivery guarantees as IP-based messaging services. And often I have internet access, but spotty cellular service. The thing that pushed me over the edge was that my carrier happened to block all my SMS for a day. I only found out about it later in the day, after I had missed many (unrecoverable) messages. To avoid this, I could either blindly trust some other carrier, or use IP-based messaging. In my area, all my friends use iMessage. Ideally, people would use Telegram, WhatsApp, or even Matrix, but they don't. It's not uncommon to leave someone out of a group chat just because they don't have iMessage--the alternative is a subpar MMS experience. At some point, I'll probably buy a cheap Mac Mini and run BlueBubbles, but for now it's nice to not have to worry about messaging reliability, and I get the added bonus of being able to Facetime my family members, who all use iOS.


I don't get why Americans cling so dearly to SMS.


This thread basically sums it up:

* Apple is really popular in the US

* Apple users tend to rely heavily on Apple's default applications

* Apple's messaging app is the default, and works fine with other Apple devices, but sends shitty SMS or MMS to non-Apple devices

SMS would disappear tomorrow if Apple adopts RCS.

And if they allowed iMessage clients on other platforms, they could corner the entire messaging market.


As a European living in the US, it's been baffling to me. Everywhere else in the world people use WhatsApp, Telegram, Signal, etc. This iMessage green/blue bubble nonsense just isn't a thing outside the US.


My understanding is that unlimited SMS text messages have basically been included free with cellphone plans in the US for a very long time while that's generally still not the case in Europe. So there hasn't been a need to find a cheaper way to send messages.


Apple has 56% of the US market compared to just 36% in the EU, afaik the number gets even higher as you go younger so the clique-iness is a lot stronger.


I mean, isn't this just trading one bad monopoly for another? It's weird to me that everyone's like "oh, the backwards US where they gave in to the Apple monopoly. We enlightened rest of the world use Facebook's Whatsapp like real free people".


Yes, but at least you get the same experience on every device with the other monopolies.


WhatsApp doesn't pressure people to buy another phone. Also, encryption is important.


FaceTime is the real lock-in service for me. I use it for all my video and most of my audio calls, it’s second to none in terms of reliability and quality. I wish that was accessible from my work laptop!


I don't understand, why don't you force them to use Whatsapp (or Signal, or whatever) to contact you? Get an app that rejects by default SMSes coming from certain numbers. They want to text you at all? They need to use Whatsapp, otherwise they can go fuck themselves. (It worked for me when a friend wanted to force me to contact him on Telegram rather than Whatsapp- I resisted for weeks but at the end I gave in).

Once you automatically reject SMSes from those contacts, such that you don’t even know they're trying to contact you, the ball is entirely in their park to take action.


Is this a legitimate question? No one is going to download an app and use it to message one guy.


Yes, it's a legitimate question. If you wanted to keep up with a friend from Japan, would you not install LINE to talk to them (or them installing Whatsapp or Discord, or whatever you are using)?

And it's not like there' some gigantic combinatorial explosion of apps you have to install. The vast majority of messaging around the world is about 5 apps. Facebook's Messager, Wechat, Instagram, Whatsapp, Discord. Between these, you'll reach the vast majority of the world's population somehow. And then you'll need one or two more locally-used ones like LINE or KakaoTalk depending who you're talking to.


No one? I did. Normal, if you really care about that guy. In any case, the app is free, what does it cost you? Plus, the more people do it, the easier is for everyone to move to an app that works for everyone.


I don't use SMS myself but in this case it sounds like I'd be better off just not being your friend.


Sounds like you'd prefer to keep inflicting to me and to yourself a degraded experience rather than making the tiny, one-time effort of installing a free app. Because that's the whole point of this issue: the fact that you can still get what you want (reaching me) is what prevents you from making the smallest effort to make both our lives better and easier. And I also don't expect my friends to behave like that.


The iPhone user experience for messaging with Android users (especially MMS) is awful and the Android users in the group chat get blamed for it. Having blue text bubbles show up when someone texts you can be seen in some circles as a status symbol.


Let’s be clear here: Apple not yet implementing RCS aside, the experience is horrible because SMS/MMS are horrible.


I can send the same mms from Android to Android and Apple recipients and they receive the same media. Yet sending from Apple to both the Apple users get good quality and Android Apple deliberately sends pixelated rubbish.


Apple to Apple is not MMS.


From Google themselves: https://www.android.com/get-the-message/

Apple is arbitrarily and intentionally making it a worse experience than it needs to be.


It's just become a meme among tech enthusiasts (on Reddit, HN, etc) and tech journalists that "blue bubbles" are a real social problem. The origin of the meme was this amusing post by Paul Ford 8 years ago [1]. They took it and ran with it for their own purposes. For some it was to explain away the iPhone's success versus Android and for some interested actors like Epic it was part of their antitrust campaigning to illustrate the "lock in" effects. It however was never a social problem in the real world (more than, say, young people feeling depressed about seeing their peers' manicured lives on Instagram) or the reason why iPhones sell well (you only had to look to China, or now India, to see the success of the iPhone in places where iMessage wasn't the dominant messenger).

[1] https://archive.ph/OcDaO


Even if this was a meme at some point in the past, it’s a very real issue now.

I know multiple people who have switched to iPhone just for iMessage. And the kids these days won’t accept anything but the blue bubble. This is no longer a meme. Or if it is, it’s also real.


I switched because people think android users are poor and I don't want to signal to others that I am poor.


It's a self fulfilling prophecy. Once everyone has an iPhone to not be perceived as poor, the only people still using Android will actually not be able to afford an iPhone.

At least it sounds like that's what happens across the ocean.


Even the bottom income quintile in the US uses iPhones, especially young people. They are not that expensive.

Knowing someone has an iPhone tells you nothing about their wealth/power.

What people think it does tell them is where someone is on the cool / weird spectrum. See:

https://news.ycombinator.com/item?id=38578103


You've heard from plenty of others on this thread, but here's another anecdotal data point:

I'm in my early 30's and have been told to my face by friends I'm hanging out with that they excluded me from group chats because I have an Android phone. Sometimes there'll be two group chats where the second one is just the iPhone users subset. Some photos only get shared in that second group chat. Some messages get sent giving people a heads up about things and the sender sometimes forgets that a few people are being left out of the loop. There are real social segregation issues that happen.


Because I want the pictures and videos my iPhone-using parents send me to not be crunched to shit, and I'm not going through the effort of teaching non-technical users to use a different messaging client. Same with the group chats that my partner's extended family keep including me in.


Apple announced RCS support. That will provide what you want.


Right, but that's likely not coming out for another year yet, and requires everyone involved to update their phones (yet another hassle for non-technical users, they will put updates off for as long as they can). As the quote in the article says, Apple clearly recognizes the issue, and beeper mini fixes it now, not "at some point in the future".


Getting someone to update their iPhone is a matter of them not actively dismissing iOS’s repeated attempts at updating itself. This isn’t a good-faith argument.


I've personally found Apple users are some of the quickest to install updates/upgrades in bulk/mass.

I think one of the key reasons, other than apple sending push notifications that it's going to automatically install overnight, is they bundle candy/goodies to entice users to update asap - Want the new emojis so your friends stop sending you scary black boxes with an x over it? Update now.


Because iMessage users won't let you join iMessage group chats. They don't want to lose features. So your choice is to just not be friends anymore or have an iphone device.

I have an ipad just to chat with people who refuse to use anything other than imessage.

I don't want anything to do with iMessage, but I have to.


This is the first time I've heard that people who put features above friendship are called friends.

Well, the time has come.


I use features of programs with people who can use it. I don't want to call friends that have bad audio quality as often and I'm not as comfortable on unencrypted services. I prefer facetime for the quality. We all use something Android users can use when we want to include them, but it degrades the experience.

Most people don't talk to people they don't communicate as well with.


Because Apple deliberately screws with messages to non Apple users. Every video my family sends to me is low res heavily pixelated trash, to the point that you can't even recognise faces.


That's cellphone carriers. MMS messages generally have to fit within 300-600KB[0] so they are horribly, horribly compressed.

https://m.gsmarena.com/glossary.php3?term=mms


sending MMS in 2023 is a crime. what next, WAP?


have them send an icloud link


My whole family uses iMessage because it is the default client on their iphones. I'd love to partake in the family group chat.

For those technically savvy enough to download an additional client like Meta's Whatsapp or Messenger... it's no problem, but for the less technically inclined (like my mother) they will just use the default client.


I have a group chat with mainly female iPhone users. One of the users switched to Android. They created a new group without her. Bizarre but real.


My mother sends me videos from her phone and I literally can't see what she's trying to show me.


Green bubbles means you won't be called back for a second date.


That's a feature, not a bug. Anyone who does that would be a miserable significant other.


No, the holier-than-thou attitude of typical Android users shitting on the Apple Sheep is why they don’t get called back.


You know that’s a great question. I’ve never thought to ask that but boy does it seem to come up a lot.


it's the other way around


Fashion statement


This is what Snazzy Labs said about Beeper Mini... hilarious:

> This doesn't appear to be some easy thing Apple can just turn off.

> It will require a complete redesign of their entire authentication and delivery strategy for not just iMessage but Apple ID account access as a whole.


This is why people shouldn’t listen to tech YouTubers who don’t actually work in tech as engineers.

They’re tech fans, not experts but act like they know the domain space enough to make strong authoritative claims since that’s what gives them an audience.


There were a number of similar comments on HN when they announced. The real lesson? The internet is a shit show.


I don’t know about you, but I’ve worked with plenty of “engineers” who can’t even properly read a stack trace. Not meaning to offend, most software developers are unable to reason about a system even as straightforward as a messaging client with accuracy, especially a closed source one.


This is true, we see it anytime a discussion around email comes up.


True, but there’s a difference in seeing a random anonymous account parroting things and someone with a following pushing it.

Honestly many people here, myself too probably at points, tend to just repeat what they’ve heard elsewhere as fact. You can see it if you try and notice phrasing patterns repeating.

My real lesson is less that the internet is a shit show (it is though), and more that people like to take a very strong opinion as fact, over a more nuanced opinion that requires understanding of a topic.


To be fair, this could be a heuristic based ban which wouldn’t be too hard to bypass.

It’ll be interesting if beeper mini ends up bypassing it.


The bar for 'tech journalist' is... none. There is no bar.


Or for any kind of journalist.


The guy is a fine youtuber but i think he was talking about stuff outside of his area of competence wrt to this specific matter.


Usually the correct course of action is to just... say nothing then ? Or at least take some caution. But hey, it makes for a less sensationalist headline. The thing is that trustworthiness is typically something you look for in a reviewer, clearly not something that can be found there.


Say nothing? They can't do that, what else are they going to talk about in the next video that they have to release to appease the Youtube Algorithm?!

/s obviously!


> Usually the correct course of action is to just... say nothing then ?

literally yes, that is the correct course of action.

the issue is that you cannot publish videos and make money if you refrain from talking about stuff you don't really understand.

which is one of the problems with modern society, in general.


I'm guessing the binary they use from Apple (IMDAppleServices) to generate part of the registration information probably adds metadata to the "validation blob" that gets sent to apple when registering beeper mini as an iMessage device.

If the metadata includes the OS version, Apple probably blacklisted any new devices registered in the past few days with validation blobs generated from that binary.

(The binary was sourced from OS X 10.8 which is ~11 years old now)


My suspicion is this is going to be a cat-mouse situation for a while.

Apple would've found some easy way to identify these users and Beeper will likely release a patch to fix it.


Agreed. I think Apple wins easily though. If they can break it once a month for a day or two, I think that makes it inconvenient for beeper mini users.

Maybe not though, who knows


It doesn't look like that binary is used for Beeper Mini, unlike pypush: https://blog.beeper.com/p/how-beeper-mini-works


I wouldn't be surprised if whatever they reverse engineered from the binary had similar behavior


What if they create a version of Beeper Mini that spoofs an apple device you own? For example: I don't want to own an iPhone, but I do have a MacBook. So rather than use a randomly generated device that tricks Apple's servers to allow me to connect, I can just use a device a legitimately own (and just trick apple to think my phone is my laptop).

I know this won't work for everyone (especially folks that don't have an Apple device). But this might be better than losing the app all together ¯\_(ツ)_/¯

(PS - I don't know much about how Beeper Mini's reverse engineering worked. Just going off what I believe I understood)


This already exists!

https://airmessage.org


not quite what the parent comment was referring to - AirMessage is cool but needs a server Mac to run 24/7.

parent is asking if it’s possible to spoof the secure identifiers from the Mac in Beeper - extracting the secure IDs, inputting them into Beeper - at which point Beeper can communicate directly with Apple as if it is that Mac.

a clever workaround!


Precisely! Would be a cool workaround & I would be completely happy with this approach (vs losing access all together).

But I wonder if that’d even be possible. I hope someone from the Beeper team sees this!


I was using this before beeper and switched to beeper since I could also use WhatsApp on my iPad. Worked just fine on an old otherwise unused MacBook Air I keep in my garage. I only used airmessage for iMessage on windows


As someone in tech, I think it's awesome they were able to find a way into iMessage.

As an iPhone user, I hate the idea that spammers can now use iMessage, and I'm glad the service was taken down.

Both things can be true at once.


Spam is not really an issue. For me, it just goes to the "Unknown Senders" tab. No notification, so I am not bothered. Occasionally check it if I am expecting a message from a random number.


Not really an issue for you. There are plenty of people for whom this is not viable.


Won't spammers just continue using the macos bridged other services instead of the direct to Apple way ?


If they have to use real Apple hardware, and those devices are blocklisted by Apple when the spam is reported, spamming stays cost prohibitive.


With how many "rent a mac mini stuffed in a datacenter" services are out there, I wonder how cost-prohibitive blacklisting specific devices really is.


If a serial number of the mac mini is blacklisted by apple from registering for example with apple updates or any other apple connected services, then probably it's in datacenters' best interest to keep spammers out of them.


Cutting anyone off from security updates is a step too far.


I also assume there are iMessage rate limits in place, that if exceeded, trigger some analysis. If that's true, then hardware costs would also be proportional to rate.

I suspect there's some dark market for broken iPhones, and perhaps some rate limit for activations within a city block/building. The last time I had iMessage spam was years ago, so maybe it's not so practical.


The first time I received iMessage spam was Aug 22, 2023 from +1 626 453 4929. And the second time was Oct 11, 2023 from edgardonikko@gmail.com trying to get me to click a link to malware.


What do you mean? There are no services bridged to iMessage.


He refers to Mac apps like AirMessage that relay information from iMessage’s SQLite database or control the screen, and are connected to a messages app on Android.


Beeper Cloud, their other product, does exactly this...

https://help.beeper.com/en_US/chat-networks/imessage


but... Spammers can still message you via SMS? In either case, they just need to get your phone number. SMS vs iMessage doesn't make much of a difference.


The difference is that spam is so rare on iMessage that the blue color message has the trait of being more trustworthy. In 15 years, I have only received 2 blue message, both within the last few months.


For those arguing that this is a privacy or security response: the first pypush commit was in April, with the first working demo commit at the beginning of May. If it's a security or privacy issue, that means it's been exploited for over 6 months without Apple taking action. How many other iMessage conversations have already ended up in non-Apple clients? Why didn't Apple notice until there was a big public splash about it?

(edit: typo)


An open source client for iMessage is going to be used for fraud and spam. Before this, a device being blocked by Apple because it was used for fraud or spam would increase the cost of business for fraudsters and spammers. But now it's a matter of picking a new phone number. Of course Apple would try hard to stop this.


Is spam a good reason for Apple to keep their iMessage garden exclusive? SMS is also widely used for spam.


I am not in the position to judge that. But reducing spam on iMessage is beneficial for Apple customers, and as a customer, I want Apple to be able to do that.


I’m in Asia, my phone number has been with me for almost a decade. I haven’t received spam in a blue bubble, only on SMS (green). Just want to give you a perspective in the other part of the world.

This are not just spam but most are sms phishing with links. We have poor, inadequate cyber laws, so we are glad Apple is doing its part sealing this off.


Yes - As an iPhone users, I am not really interested in getting more SPAM.


Yes. It exists but (for me) is non-existent. I know others do get it.

I’ve never thought about it but that would be a huge black mark and could end up pushing a lot of people to WhatsApp/FaceBook Messenger/whatever.


[flagged]


Beeper doesn't give you iMessage. It just makes you appear as a "blue bubble" to people who are on iMessage.


> It just makes you appear as a "blue bubble" to people who are on iMessage.

Received messages on iPhones show up as neither blue nor green. They always have a gray background. The blue and green bubbles are the colors of the messages sent by the iPhone users on their own phones. Recipients, on other iPhones, will see messages with a gray background regardless of whether it was sent with iMessage or SMS/MMS.


So basically it helps make it harder to sort out if something is spam.. All my SMS spam is green bubbles.


A blue bubble = iMessage. If it's green, you're not on iMessage.


That’s what blue bubble means. You’re talking through the iMessage service.


This is exactly why Signal closed their source code: if you allow access to your network, you're only accepting spam. For their users' security, it's essential that they must guard access to their network as much as possible.


I feel the need to get a bit pedantic here. I'm not trying to pick a fight; I truly hope it helps clear up a few things.

Signal is open source. It's a fair argument that they make it difficult to use servers other than theirs, and we can't be sure exactly what they run server-side, but their code is possible to fork and all that. Their licensing is clear. Even the choice of AGPL is significant here: they must provide the source for exactly what they run on their server.

Network access is orthogonal to source availability/openness. Closing source as a means to limit access is security through obscurity. Not to say that it wouldn't work, but we certainly wouldn't expect the Signal Foundation to take this approach.

The most significant measure Signal uses to manage access to their network has to do with the phone number requirement. That's an intentional choice on their part (arguably controversial, but I don't have an opinion about it).

I've never received a spam message from another Signal user... is this common for you (or anyone)? I think in all the years I've used Signal I've only received less than 5 spammy "message requests" that are quite obvious/easy to decline because I don't already have their phone number in my contacts. I've always had to first ask someone "hey, can we use Signal?" so I'm already expecting legitimate message requests when they arrive.


I was hoping the /s wasn't necessary, but just to be clear: my comment was entirely sarcastic. Signal has had its issues in terms of open source-ness (like that time they stopped publishing their code for quite some time) but the client and server are open source, and while they're not huge fans of alternative clients, they have designed their protocol so that it's practically impossible for them to refuse alternative clients, purely out of privacy considerations.

Now that Signal has usernames you can share, rather than phone numbers, I think the phone number decision is a lot less problematic.

Strangely enough, I did receive spam this week. Or at least I think I did, an account I didn't recognise with a profile picture of a woman I didn't recognise sent me "hi". This coincided with my first SMS spam of the year and spam on an email address I used for one specific company, so I guess they've been hacked and had their database dumped. Maybe I'm just lucky, but spam just isn't a problem for me.


> if you allow access to your network, you're only accepting spam.

Well no; spam yes, only spam no.


Every sentence in your comment is factually incorrect.


I thought people would catch on to the sarcasm because of that. Too late to edit a /s in now.


The EU should, like they did years ago with PC operating systems, mandate a default browser selection screen. And a default messenger selection screen. And a default app store selection screen.

Not that we'd get it in the US but it would help reduce Apple/Google market capture efforts.


'Nobody' in the EU uses iMessage, even on iPhones. Everyone here already uses Whatsapp. This demonstrates a lack of a monopoly and how competition can flourish.

Honestly - and EU-regulation that Apple faces over iMessage would just be collateral damage from EU targeting Whatsapp.


These assertions need those quotes around 'nobody' because I work with a bunch of apple device owners across Europe and they certainly do use Apple messages.

At scale yes, signal, telegram and whatsapp are perhaps more significant than the apple ecology and the ratio of android to apple outside the USA and canada probably shows why.


Yes, I'm sure that there is at least one person who uses iMessage in all of Europe.


10 if you count my family, parents and siblings ;)


I know some that use it in Portugal, but most of my relatives use Facebook Messenger first, then WhatsApp, then SMS or iMessage.


Is anyone aware of actual statistics on this?


It’s surprisingly difficult to measure.

“Installs” are muddied by the fact that everyone with a Facebook account has a Messenger capability, and every Apple user has an iMessage app downloaded.

“Messages received” is distorted by group chat dynamics and commercial messages.

“Messages sent” is distorted by the unequal value of relationships.

For example, I generally communicate with FB marketplace sellers & acquaintances from high school on Messenger, but use WhatsApp for talking with overseas family members.

More generally, there are social dynamics which make messenger apps radically different from one another. Even when the feature sets of the applications are very similar.


Beeper had a good approximation


I'm aware almost no one uses iMessage in Europe. Most would choose WhatsApp in Europe. And if we had the choice most would choose iMessage in the US.

But it gives normal users a choice if they want it. Maybe it would get some to think oh maybe I should try Signal. That's how some people found out about Firefox - unimaginable I know.


But Whatsapp's popularity on iOS already shows that "normal" (whatever that means) users already have a choice. The market is not being constrained by Apple.


Not by Apple anyway. But it'll save them having to search WhatsApp :)


WhatsApp and Telegram (varies by country)


I mean, if everyone is using Whatsapp, that is effectively a monopoly. I am curious as to what the runner ups are in the EU however.

Meanwhile, wait until Mr. Zuckerberg looks for new ideas to monetize their messaging ecosystem.


What do you think why suckerberg didn't done that until now? Facebook knows exactly that they need to be extremely cautiones to don't lose all their users to threema, signal or telegram.

Thats the reason why until now they only added non intrusive monetizing ideas than company accounts and so on. And when you ask me, they found a way to make whatsapp better. I can now order sushi via whatsapp. Here in Germany I know no other messenger that makes this possile.


Both Telegram and Signal. Threema is a distant 3rd ime.


There's no monopoly. Messengers hardly have any lock-in and there's plenty of competition available. Entire continents will switch messengers essentially overnight once the current market leader becomes too enshittified and there's something better. Remember how AOL, ICQ, MSN, Skype, etc. died?

WhatsApp is the current leader because it's no-nonsense and works everywhere. The moment Facebook fucks that up even a little bit, people will have moved on to the next thing.


There is major lock-in. If I want to move Signal but everybody I message uses WhatsApp then I can't message them unless they switch.


I can use multiple messengers in parallel without issue, as I did each time in those transitional periods.

The last messages on a dying messenger are always instructions on how to move on to the next thing. In skype, my status and most recent messages are just informing people of my discord handle. I accept that I may not be the norm, because generally I don't reach out to people and don't initiate contact, meaning that the onus is on them to use the appropriate channel to reach me.

Maybe it's worse for people who voluntarily stay in contact with many others using different messengers, but I don't see the problem with just having multiple messaging apps, especially since modern phones just consolidate all messaging services's contacts into your contacts app (at least on Android). You don't even need to remember who is reachable where.


>Maybe it's worse for people who voluntarily stay in contact with many others using different messengers

This is the problem I was expressing. If I want to contact Joe I have to use Signal, if I want to contact Sarah it is WhatsApp. Sam is SMS. Its hard to remember who is using which app.

> but I don't see the problem with just having multiple messaging apps, especially since modern phones just consolidate all messaging services's contacts into your contacts app (at least on Android). You don't even need to remember who is reachable where.

That is easy enough if you use the contacts app. I usually go straight to the app I want. Regardless, it doesn't solve the core problem because people use multiple apps. How am I supposed to remember which app they prefer? I could message them on their non-prefered app, but I don't like doing that if I can avoid it.


Your view is clearly not representative for the whole of EU.

Most of my family, friends and colleagues are on iMessage. I often need to explain why facetime will not work.

Whatsapp is also common, but different as it does not as easily replace SMS.


God I really wish we Americans would get on whatsapp


No thanks, iMessage is much better and not owned by Facebook.


It's owned by Apple. Thats not better. Same shit, other asshole.


My sense is that zeitgeist has shifted on this in the last year no?


In what way?


How is iMessage better? WhatsApp is a great app.


Apple's business model is predicated on me buying things from them.

Facebook's business model is predicated on being able to sell access to me to third parties.

I can control the first one directly.


That is not related to how the app works though


Damn Straight.


So I can give my data to Meta? No thanks.


It felt like most of the US was on whatsapp and then everyone moved to signal and telegram


I don't consider any of these as a viable option.


Why? What is so great about it? It seems practically identical to signal and, if everyone is already on iOS, strictly worse than iMessage.


Runs on android, windows, web, macOS, iOS.


So does signal.


Sure, and telegram does too. I was responding to someone talking about iMessage


I can’t really tell the difference between signal telegram teams discord et al.

But messages falls back to sms and that I can notice.


Tried it in the early days where Whatsapp was buyed by facebook. Signal lost messages in group chats, Signal lost messages in normal chats.

Thats was the way to my blacklist. Droped Signal caused by unreliability.

Additionally, same as now iMessage, close out of other clients. Other asshole, same shit.


> Tried it in the early days where Whatsapp was buyed by facebook.

Wasn't that in 2014, so literally 9 years ago? Things are pretty different now.