Apple Confirms It Closed the Mechanism Used by Beeper Mini ⇥ theverge.com

David Pierce, of the Verge, obtained a statement from Nadine Haija at Apple acknowledging it was responsible for shutting down Beeper Mini’s reverse-engineered iMessage app:

At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users.

Pierce:

This statement suggests a few things. First, that Apple did in fact shut down Beeper Mini, which uses a custom-built service to connect to iMessage through Apple’s own push notification service — all iMessage messages travel over this protocol, which Beeper effectively intercepts and delivers to your device. To do so, Beeper had to convince Apple’s servers that it was pinging the notification protocols from a genuine Apple device, when it obviously wasn’t. (These are the “fake credentials” Apple is talking about. Quinn Nelson at Snazzy Labs made a good video about how it all works.)

I am not surprised Apple leaned on privacy and security. Though I framed it as “shakier” than a business defence — since Beeper Mini apparently used the same standards as Apple’s own iMessage client — I did write that it would likely “treat this reverse engineering exercise as a security problem”, which is exactly what happened. Beeper Mini was a high-profile vulnerability proof-of-concept disguised as a neat new app.

Calling Nelson’s embargoed preview a “good video about how it all works” is a curious choice of words. I do not disagree that Nelson explained the mechanism successfully, but there is a whole chapter in it named “Apple isn’t likely to patch this ‘exploit'”. Nelson:

Needless to say, this doesn’t appear to be some easy thing that Apple can just turn off. It will require a complete redesign of their entire authentication and delivery strategy — not just for iMessage, but for Apple ID account access as a whole.

Maybe Apple really did redevelop its entire iMessage and Apple ID architecture in the three days between Beeper Mini’s public launch and when it was shut down — or, more charitably, between when the pypush demo was published in early August and now. But I do not think so; I think this was a relatively straightforward change. It seems like Nelson’s choice of language reflected Beeper’s overly confident explanation.

Pierce:

Since Apple cut off Beeper Mini, Beeper has been working feverishly to get it up and running again. On Saturday, the company said iMessage was working again in the original Beeper Cloud app, but Beeper Mini was still not functioning. Founder Eric Migicovsky said on Friday that he simply didn’t understand why Apple would block his app: “if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?”

Migicovsky says now that his stance hasn’t changed, even after hearing Apple’s statement. He says he’d be happy to share Beeper’s code with Apple for a security review, so that it could be sure of Beeper’s security practices. Then he stops himself. “But I reject that entire premise! Because the position we’re starting from is that iPhone users can’t talk to Android users except through unencrypted messages.”

I am not falling for Migicovsky’s play-dumb act here and, I am certain, neither are you. Of course Apple does not want some random company piggybacking on its iMessage infrastructure with an unofficial client. What part of Apple’s history since about 1997 would indicate that it would look at a reverse-engineered client for a rival operating system and say geez, thanks for helping out?

There are plenty of end-to-end encrypted messaging apps available for iOS and Android, like Signal and WhatsApp, so the premise that “iPhone users can’t talk to Android users except through unencrypted messages” is also complete nonsense. This is basically a U.S. problem, and the most common reasons cited for cross-platform compatibility — media quality, group chats, and privacy — are resolved for everyone if we choose a different app. I think it would be great if iMessage were available universally as it has been stable and reliable for me; I would also like some way for any messaging client to securely communicate with others.¹ The reality is that iMessage is an Apple proprietary protocol and that is unlikely to change. Messaging is one area where there is no shortage of choice for users.

Update: Beeper says it is back, but only for users with an email address registered as an Apple ID, not phone numbers. Seems like a weird way to make another bug report.