Apple responds to the Beeper iMessage saga: ‘We took steps to protect our users’

A few days after the team at Beeper proudly announced a way for users to send blue-bubble iMessages directly from their Android devices without any weird relay servers, and about 24 hours after it became clear Apple had taken steps to shut that down, Apple has shared its take on the issue.

The company’s stance here is fairly predictable: it says it’s simply trying to do right by users, and protect the privacy and security of their iMessages. “We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage,” Apple senior PR manager Nadine Haija said in a statement.

Here’s the statement in full:

At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users. 

This statement suggests a few things. First, that Apple did in fact shut down Beeper Mini, which uses a custom-built service to connect to iMessage through Apple’s own push notification service — all iMessage messages travel over this protocol, which Beeper effectively intercepts and delivers to your device. To do so, Beeper had to convince Apple’s servers that it was pinging the notification protocols from a genuine Apple device, when it obviously wasn’t. (These are the “fake credentials” Apple is talking about. Quinn Nelson at Snazzy Labs made a good video about how it all works.)

Beeper says its process works with no compromise to your encryption or privacy; the company’s documentation says that no one can read the contents of your messages other than you. But Apple can’t verify that, and says it poses risks for users and the people they chat with.

Obviously there’s also a much bigger picture here, though. Apple has repeatedly made clear that it doesn’t want to bring iMessage to Android: “buy your mom an iPhone,” CEO Tim Cook told a questioner at the Code Conference who wanted a better way to message their Android-toting mother, and the company’s executives have debated Android versions in the past but decided it would cannibalize iPhone sales. Apple has recently said it will adopt the cross-platform RCS messaging protocol, but we don’t yet know exactly what that will look like — and you can bet that Apple will still seek to make life better for native iMessage users.

Apple’s statement comes at an interesting time. Beeper has been around for a couple of years, and its previous efforts to intercept iMessage were actually far more problematic, security-wise. Beeper and apps like Sunbird (which recently worked with Nothing on another way to bring iMessage to Android) were simply running your iMessage traffic through a Mac Mini in a server rack somewhere, which left your messages much more vulnerable. But Beeper Mini was exploiting the iMessage protocol directly, which clearly prompted Apple to tighten its security measures.

Since Apple cut off Beeper Mini, Beeper has been working feverishly to get it up and running again. On Saturday, the company said iMessage was working again in the original Beeper Cloud app, but Beeper Mini was still not functioning. Founder Eric Migicovsky said on Friday that he simply didn’t understand why Apple would block his app: “if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?”

Migicovsky says now that his stance hasn’t changed, even after hearing Apple’s statement. He says he’d be happy to share Beeper’s code with Apple for a security review, so that it could be sure of Beeper’s security practices. Then he stops himself. “But I reject that entire premise! Because the position we’re starting from is that iPhone users can’t talk to Android users except through unencrypted messages.”

Beeper’s argument is that SMS is so fundamentally insecure that practically anything else would be an improvement. When I say that maybe Apple’s concern is that iPhone users are suddenly sending their supposedly Apple-only blue-bubble messages via a company — Beeper — they don’t know about, Migicovsky thinks about it for a second. “That’s fair,” he says, and offers a solution: maybe every message sent through Beeper should be prefaced with a pager emoji, so people know what’s what. If that’ll fix the problem, he says, it could be done in a few hours.

When I ask Migicovsky if he’s prepared to do battle with Apple’s security team for the foreseeable future, he says that the fact that Beeper Cloud is still working is a signal that Apple can’t or won’t keep it out forever. (He also says Beeper’s team has some ideas left for Beeper Mini.) Beyond that, he hopes the court of public opinion will eventually convince Apple to play nice anyway. “What we’ve built is good for the world,” he says. “It’s something we can almost all agree should exist.”

Within Apple, at least this argument seems likely to fall on deaf ears. The company has kept iMessage tightly controlled and carefully secured for years, and isn’t likely to loosen the reins now. And if Beeper does ever get Beeper Mini working again, it’s destined for a never-ending game of cat and mouse trying to stay one step ahead of Apple’s security. And Apple has made clear it intends to win that game, no matter how badly you want to send iMessages from an Android phone.

Update December 9th, 8:30PM: Added comment from Beeper’s Eric Migicovsky.