Senator Warren calls out Apple for shutting down Beeper’s ‘iMessage to Android’ solution

U.S. Senator Elizabeth Warren (D-Mass.) is throwing her weight behind Beeper, the app that allowed Android users to message iPhone users via iMessage,

  • thejml@lemm.ee · 28 upvotes · 1 year ago

    Did Beeper clear its usage of the iMessage platform with Apple? Sign a contract? Get an SLA agreement with Apple in writing?

    I was under the impression that they found essentially a back door/work around to latch into the iMessage platform… in that case this is no different than Cisco patching some routers or MS fixing a security hole. If anything I’d be more annoyed that Apple didn’t patch it quicker.

    I’d love to be able to use iMessage with my android friends, but Beeper’s methods seemed sketchy as hell.

      • whofearsthenight@lemm.ee · 6 upvotes · 1 year ago

        While it’s not mostly about security, and I generally agree that Apple’s dickitry with regard to iMessage should end (they’d be doing a solid in the US to just release an Android client and monetize via sticker packs or something like it) there is most certainly a security risk for Apple to allow a reverse-engineering of their spec to spoof real iPhones, which is how Beeper works:

        pypush is a POC demo of my recent iMessage reverse-engineering. It can currently register as a new device on an Apple ID, set up encryption keys, and send and receive iMessages!

        Now, your quote and the others in this thread:

        Beeper didn’t find a security hole, nothing was compromised for Apple.

        They sure as fuck did, lol. iMessage isn’t public, it’s not intended to be used by anyone other than Apple, and the bandwidth and servers are not free. It’s not as if every iMessage isn’t going through Apple’s servers, they’re paying for it. Though they didn’t find a technical hole like a zero day or compromise iMessage for customers, they absolutely found a security concern for Apple. If you walk into your house, find your neighbor there grabbing a couple of eggs out of the fridge and they hand wave away and say “don’t worry I didn’t break a window, I just figured out you keep a spare key under the mat and also I’m going to use these to make cookies for the block party and I’m not going to charge a lot for them and only you have these eggs from your chicken you’re hogging them!” you’d kick them out in a hurry and probably call the cops.

        So two things:

        1. We can absolutely be mad at Apple for the lock in effect of iMessage, there were some leaked emails a while ago that confirm what we all know, this is just there to prevent buying your kid a cheap android phone. Personally, I think if Apple was serious about keeping their customers secure, they’d either release an Android client or better, just make sure that the minimum spec for RCS supports E2EE for wide adoption. They can still have a more robust platform with iMessage, and it’s still going to integrate with Apple shit in a way that only they could do.
        2. Anyone, anywhere, who thought that this was a viable business for Beeper has lost their fucking minds. Their model was basically “trust me bro, we’re going to socially pressure Apple and that’s going to totally work” and while it sounds like they’re back up for now, it will be extremely surprising if it stays that way longer than another week or two. It would be akin to someone launching a business being like “well, we didn’t hack Microsoft/Google/Facebook, but we’re planning on hosting a bajillion users on their backend for free without their approval.”
    • mosiacmango@lemm.ee · 34 upvotes · edited · 1 year ago

      It was an exploit that mimicked the device as Apple hardware, but it wasn’t sketchy. Everything was still e2ee, with Beeper having no access to any data.

      It was the exact opposite of what the Nothing “middleman” did that was actually sketchy.

        • mosiacmango@lemm.ee · 2 upvotes · edited · 1 year ago

          It wasn’t a bug in software. As I understand it, they cloned an Apple hardware ID.

          They basically put on an “I’m an apple!” mask and then used iMessage as expected. While an “exploit” it is not inherently a security issue.

          Ah yes, businesses based on exploits. Very not sketchy.

          Enabling interoperability in purposely walled gardens for the overall greater good of the Internet? Sounds like some good ol’ hackers spirit to me. If they make a few bucks while they do it, even better.

          Y’all realize you’re on a tiny, open source network right now that employs the same kind of scrappy “do the right thing because it’s right” ethos, yeah? That at some point Beeper might be a bridge to things like direct Mastodon/iMessage/Messenger/WhatsApp/Matrix compatibility?

          I’m rooting for them to keep it up.

          • whofearsthenight@lemm.ee · 2 upvotes · edited · 1 year ago

            I think you’re conflating two different things when it comes to my comment. While I can agree in spirit, and were someone to release a FOSS version of this that did the same thing, I’d go right along with you on the whole “hacker spirit” thing (like the kid who wrote the original exploit and put it up for free on GitHub), but that’s not what is happening here. This:

            Enabling interoperability in purposely walled gardens for the overall greater good of the Internet?

            is not what’s happening, this is Beeper just trying to make money basically selling fake IDs so you can get into the club, and the whole “uwu I’m a wittle startup don’t hurt me Apple” is just marketing spin for what I have to imagine was the rather insane assumption on the part of Beeper that they thought they found something that was unpatchable, and/or that they could somehow publicly pressure Apple to not sue them out of existence for what is potentially a crime (laws against hacking usually don’t give a shit about the method you use to breach a system, just whether that use is authorized which this is clearly not.) Apple has reasonable claim to financial damage as well, since Beeper is using Apple’s servers/bandwidth without approval or compensation. Charitably, Beeper might be hoping that this gets the attention of regulators and they’ll legislate opening it up, but that ship has sailed in the EU, and the legal argument for doing it in the states is “we don’t like green bubbles” so I wouldn’t hold my breath, and even then assuming there is a will in the legislature to do this, I have a hard time seeing how Beeper stays funded long enough to see that law pass.

            Anyway, I am not saying this because I personally don’t want to see iMessage on Android (realistically I’d like the RCS standards body to get their head out of their asses and relegate iMessage and the various Facebook messengers to irrelevance) what I am saying is that Beeper trying to pretend to be a real business is laughable. Like, this is the type of product I would expect to buy in an alternate App Store with bitcoin or something, not something I would expect a real business to release on purpose with all of the fanfare and 100k’s of downloads. It’s the technical equivalent of putting up a stand in front of Costco advertising that you’re going to print and sell fake cards so you can get into Costco, and you’re going to do that by plugging your printer setup into Costco’s power to do it. Oh, and then when Costco cuts off power, you run an extension cord over to a different outlet. Like, you can argue that you think Costco should do away with membership, but we all see what an insane business plan that would be, right?

            edit: This is a really good article from the Verge on the whole thing, but I’m afraid it’s more nuanced than “Apple BAD!” so ymmv.

            • mythosync@lemm.ee · 4 upvotes · 1 year ago

              Finally, some sanity. Just because it’s Apple, doesn’t mean it’s okay to build a business model on piggybacking off their service. I know “Apple bad” but I don’t get why people are defending Beeper.

    • LilPappyWigwam@lemm.ee · 17 upvotes · 1 year ago

      I’ve only heard this particular stance from iPhone users.

      Apple has done a stellar job propagandizing their brand as the “Good guys… just looking out for their customers’ best interests, is all”.

      No evidence for this take whatsoever; it’s just naked, gullible brand loyalty.

      Kind of an amazing phenomenon, if it weren’t so sad.

      • thejml@lemm.ee · 12 upvotes · 1 year ago

        I’ve got both. iOS for work, android for personal use. I’m in DevSecOps and therefore tend to see everything from this sort of mindset. Apple didn’t make a deal with them, they don’t have an open standard. It’s proprietary, it’s locked down. Why would any company with that sort of a product allow another company to interface with their offerings without paying for it? Even if it’s nice and secure, this will add load to the iMessage servers that people aren’t paying Apple for. It could introduce errors/issues they never tested for because they have a closed ecosystem and only have to test with their own devices, a known quantity. It could even increase potential attack vectors.

        If you offered wifi to your friends via a guest network and then someone figured out how to connect their whole neighborhood to it, would you be fine with that?

        • LilPappyWigwam@lemm.ee · 6 upvotes · edited · 1 year ago

          Good points. But, and using your LAN comparison: if my wifi’s guest network used some custom method (let’s also consider it a proprietary method for the sake of comparison) to, A) impose an arbitrary limit of uploading files no larger than 100KB (and/or have the files heavily compressed to meet said limit) while B) offering no clear method of communication to the non-guest users why this limitation is occurring (or even exists)… I can imagine both guests and non-guests would quickly become irritated and start bickering among themselves as to whose fault this arbitrarily-imposed “local network file sharing problem” should be blamed on.

          I don’t think it’s the guests’ fault for being arbitrarily limited. And I wish the non-guests could be told why the limitations are imposed.

          Because no one behind a trillion dollar company should (in good faith, at least) concern themselves with restricting non-Apple, shareable files to be seen as “just slightly, technically accessible to Apple devices”.

          These constraints are clearly imposed on Apple users (by no one but Apple) to alienate “non-privileged, non-Apple customers” (them) from the “privileged Apple customers” (us).

          And Apple’s goal on “finding common ground” seems to be: do not negotiate with any proposed solutions as the division we are creating is intentional.

          • d3Xt3r@lemmy.nz · 4 upvotes · edited · 1 year ago

            Exactly. And this (community reverse engineering / interoperability / bridging etc), isn’t something new, it’s existed ever since a messaging protocol became popular - remember Trillian, Miranda, etc? Whether proprietary or not, it didn’t matter - people were going to find a way to bridge the gap sooner or later. So for Apple to think that this was somehow exclusive to just iPhone users - and that it will stay that way - is a bit shortsighted.

            If profit is what they were after, they could’ve just as easily made an official, secure API and charged for it. I’m sure there’s plenty of folks out there willing to pay for iMessage, given how many of them are buying used Mac Minis and iPhones to use as a relay. Apple’s shortsightedness is making them miss out on a business opportunity.

    • ikidd@lemmy.world · 9 upvotes · 1 year ago

      What’s the choice? Apple isn’t going to license it for all the tea in China.

    • helenslunch@feddit.nl · 3 upvotes · 1 year ago

      It’s entirely different in that it was not a vulnerability or exploit of any kind and actually improved the security of Apple’s users.