Beeper Mini for Android sends and receives iMessages, no Mac server required

Photo of author

By Sedoso Feb


Beeper Mini for Android sends and receives iMessages, no Mac server required
Enlarge / A Pixel 3, messaging a savvy iPhone owner, one with the kinds of concerns Beeper hopes to resolve for its customers.
Kevin Purdy

In the past week, I have sent an iMessage to one friend from a command-line Python app and to another from a Pixel 3 Android phone.

Sending an iMessage without an Apple device isn’t entirely new, but this way of doing it is. I didn’t hand over my Apple credentials or log in with my Apple ID on a Mac server on some far-away rack. I put my primary SIM card in the Pixel, I installed Beeper Mini, and it sent a text message to register my number with Apple. I never gave Beeper Mini my Apple ID.

From then on, my iPhone-toting friends who sent messages to my Pixel 3 saw them as other-iPhone blue, not noticeably distracting green. We could all access the typing, delivered/read receipts, emoji reactions, and most other iPhone-to-iPhone message features. Even if I had no active Apple devices, it seems, I could have chosen to meet Apple users where they were and gain end-to-end encryption by doing so.

Powered by a teenager’s reverse-engineering discovery

Eric Migicovsky, co-founder of the all-in-one messaging service Beeper, says Beeper Mini (which should be available now) can do this because iMessage has been reverse-engineered. In an interview, Migicovsky said that Beeper was contacted last summer by a security researcher, one who had a Python script proof-of-concept repository to prove his discovery. The Beeper team was initially hesitant, having “talked to every person on Earth, it seems, who said they’d cracked it, but really only partially reversed [iMessage].”

But the script worked (and worked for me, too, as of last week), so Beeper hired the researcher and, over the last three months, completely rewrote their client into this new Mini app. It’s offered as a seven-day free trial, then costs $2 per month.

It may or may not surprise you to learn that the security researcher is a high school student. “We couldn’t convince him to drop out,” Migicovsky messaged, adding a smile emoji.

Beeper Mini is launching less than a month after Nothing and Sunbird made headlines for promising iMessage on Android, then unraveling at lightning speed as the scheme was revealed to be “a security catastrophe.” So Beeper has written up how iMessage and the company’s app work and interact on its blog, and offered a bunch of pledges up front:

  • Messages are end-to-end encrypted before sending, and neither Beeper nor Apple can see them
  • The encryption keys necessary for iMessage do not leave your device
  • No server sits between Beeper Mini and iMessage servers
  • Your Apple ID is not required
  • Your contact list remains on your device

At the moment, Beeper Mini supports group chats, high-resolution images and video and voice messages, stickers and GIFs, reply threads, and sent/delivered/read/typing status. Location-sharing, message effects (like confetti falling), Facetime, and iMessage-based games are not yet supported (and the games likely never will be).

Beeper Mini's System Architecture flowchart.
Beeper Mini’s System Architecture flowchart.
Beeper

How Beeper Mini works

If you want to know exactly how iMessage could be used without an Apple device initiating a connection, Beeper’s blog post explains it, and JJTech’s blog post explains it even more. A brief version is that Beeper Mini sends an SMS message from your phone to “Apple’s ‘Gateway’ service,” which sends back an SMS, and data from that SMS is then sent back again to register your phone number with Apple as iMessage-capable. The app then generates encryption keys to encrypt your messages with others, sending the public key to Apple servers and stashing the private key on your local storage.

That’s the setup, anyway. To keep Beeper Mini running, Beeper uses a Beeper Push Notification (BPN) service to connect to Apple’s servers and notify you of new messages. That doesn’t mean Beeper sends and receives your messages, however; the Apple Push Notification (APN) service separates its notification credentials from its content encryption keys, according to Beeper. “BPN can only tell when a new message is waiting for you—it does not have credentials to see or do anything else,” Beeper’s post states.

A user with an Android phone can use Beeper Mini without an Apple ID and still send and receive encrypted iMessages. If you have a MacBook or iPad that you want your messages to show up on, too, you’ll need to sign in to your Apple ID in Beeper Mini. Beeper notes that it sends those to Apple over an encrypted HTTPS request.

Beeper's illustration of how iMessage works and looks in its app.
Beeper’s illustration of how iMessage works and looks in its app.
Beeper

OK, so how long until Apple moves to block this?

I have asked Migicovsky the same general question in perhaps a half-dozen ways since he first told me about Beeper Mini in late November: What happens when Apple sees this app? This app, for now at least, does one specific thing: promises Android users access to the walled garden, the one that Apple has been seen in court documents as acknowledging and appreciating.

Migicovsky had a few different answers. The broadest one, regarding the tech behind the app, is that reverse-engineering for interoperability is legal—a fair use exemption to the Digital Millennium Copyright Act’s restrictions against circumventing encryption or other protections. The app also goes out of its way to avoid trademarks like iMessage, referring instead to “blue bubbles” and the like, and the rest might be considered nominative fair use.

Yesterday, after confirming the app was still working, and working without an Apple ID, I asked Migicovsky if the check-in and registration the app does via SMS could be a pain point for the app, should Apple somehow change that server or find a way to block Beeper’s access to it. “It’s the same thing iPhones do,” he responded.

Then there’s the larger, public-facing defense of what it looks like if Apple tries to stamp out a way for Android and iPhone users to keep their messages encrypted. “Our viewpoint starts from how Apple is forcing iPhone users to send unencrypted messages to Android users,” Migicovsky said. “For a company that prides themselves so much on security, sending unencrypted messages to 50 percent of the population is pretty insecure.”

Governments, in Europe and the US, are “taking a very keen interest in this space,” Migicovsky said. Apple recently softened its stance on interoperability slightly by allowing for some RCS improvements to Android-to-iPhone messaging, but not, notably, encryption. That move was widely seen as owing a fair amount to pressure from the European Union, spurred on by Google.

I still can’t imagine Apple letting an app enroll non-iPhones onto its own messaging service and handing off notifications about new messages without pushback, and I told Migicovsky as much. He admitted that he comes at the issue from a stance of optimism, perhaps dating back to an earlier era of the Internet. iChat, he noted, once allowed for AIM, Jabber, and Google Talk accounts. He was, he wrote, “[S]hocked that everyone is so shocked by the sheer existence of a third-party iMessage client.”

Beeper Mini is just iMessage on Android for now, but Migicovsky sees it as the future of Beeper, generally. Beeper, the existing app that puts many chat and DM services into one inbox (including the older, Mac-server-based iMessage offering), will be renamed Beeper Cloud. Other secure messaging services, like RCS, Signal, and WhatsApp, should eventually arrive on Beeper Mini, Migicovsky said.

If it works (and, presumably, avoids Cupertino-based stoppage), Beeper Mini’s business model is “a viral loop,” Migicovsky said. “iPhone owners might be the ones doing the most work for us, telling their friends to get this app.”

Source

Leave a Comment