When Beeper first released its iMessage-on-Android solution back in August, I was quite skeptical. While the dream of being able to turn those dreaded green bubbles blue was more than appealing, the way Beeper and other companies were doing it just wasn’t secure enough.
The main issue had to do with how these messages were relayed from Android to iPhone. In order for your messages to appear as iMessages on your friends’ iOS devices, you needed to sign into your Apple ID on a Mac mini in Beeper’s server farm. While Beeper didn’t have access to your messages, it would only take one bad hack for your Apple ID token to be stolen, exposing your Apple account to whoever wanted to steal it.
The company Nothing tried to do something similar last month, teaming up with Sunbird to offer iMessage on Android via its Nothing Chats app. Same process, same security concerns. In fact, Nothing Chats was almost immediately pulled from the Play Store, as researchers discovered the app was storing credentials in plain text. Hackers could literally read your messages alongside code should they gain access to the servers. So much for end-to-end encryption.
With all this drama afoot, the promise of sending iMessages from Android devices seemed misleading. So when Beeper announced it had a new approach to the issue, one that eliminated all previous security concerns, I had my doubts. I still have my doubts, but I have to say: this looks promising.
Table of Contents
On Tuesday, Beeper announced “Beeper Mini,” its new approach to sending and receiving iMessages on Android devices. However, unlike the original Beeper app, Beeper Mini doesn’t rely on a Mac relay to pass iMessages through Apple servers. Instead, the app connects and sends messages to Apple’s servers directly, mimicking the same interaction an iPhone has with Apple to power iMessage.
This is quite the feat. Beeper purchased the findings of a researcher who goes by jjtech, who reverse engineered how Apple’s iMessage protocol works, and partnered with them to create Mini. With it, Beeper Mini is able to take a message you send from your Android, push it to Apple, then forward the message along to its destination. It works because Apple “thinks” your Android is an iPhone. Using a valid Apple serial number, Beeper registers your phone number with Apple’s servers, so the iMessage protocol sees you as a “blue bubble.” From then on, Apple sees you as part of its own and will happily take your encrypted messages and relay them wherever they need to go.
Encryption isn’t affected here, either: Your private keys (the tech needed to encrypt and decrypt your messages) stay on your device, and are never transferred to either Beeper or Apple. When you hit “Send,” Beeper Mini encrypts your message. It won’t be decrypted until it reaches it proper recipient, just as true iMessage does between iPhones.
Beeper is proud of this achievement, and invites scrutiny from security researchers. To that point, they encourage anyone to try out the tech for themselves: You can try an open-source Python proof-of-concept on your computer that does exactly what Beeper Mini does. You can see this in action in Snazzy Lab’s walkthrough of the service. It’s kind of wild to see that anyone can essentially run iMessage in Python, when Apple has kept the tech within their walled garden since its inception.
Once you’re up and running, you’ll find that many iMessage features work as they should. Of course, you can send and receive messages, edit and unsend messages, join group chats without issue, and send high-res media to other iPhones. Certain specific features, like location sharing, FaceTime integration, and iMessage effects and games aren’t available, but I imagine most people using this app won’t care. They’ll just be happy to not “wreck the group chat.”
Are there security concerns?
I have to hand it to Beeper: This is promising. Neither Beeper nor Apple have access to your messages, all encryption happens on-device, and you don’t need to sign into a strange Mac in a faraway server farm. That’s a huge upgrade.
There are some quirks to the service that are worth keeping an eye on, however. Because Android doesn’t have support for Apple Push Notification (APN) service, Beeper Mini technically cannot notify you of new messages without you actively using it. To get around this, Beeper created what it calls Beeper Push Notification (BPN), which talks to Apple’s servers on your behalf to see if you have new messages. While this starts to ring some alarm bells, according to Beeper, BPN is a safe service: Apple allows Beeper to look for new messages without needing to have the encryption keys necessary to read them.
That means all BPNs can do is see if you have new messages to decrypt. It cannot read them. If it detects new messages, it disconnects from APN and alerts the Beeper Mini app. Now that the app is awake, it can pull new messages as if you had opened it yourself, and presto—Android sends you a push notification for new iMessages. Beeper knows this feature might raise eyebrows with some security sensitive folk, so they offer the option to disable it, so long as you’re okay opening Beeper Mini manually every time you want to check for new messages.
Another quirk comes if you want to send and receive messages on an Apple device like iPad or Mac. Your phone number is only required if you’re sticking to phones, but in order to rope Apple’s other devices in on the fun, you’ll need to log into your Apple ID. This is a bit tricky, since I love how Beeper Mini doesn’t require any Apple ID sign in in order to function initially. However, it is the only way to connect your Beeper Mini phone number to an iPad and/or Mac, so if you want to bridge all devices together, you’ll need to connect your Apple ID. I’m not sure I’d recommend it, though.
In general, I’m still a bit wary of connecting a service like iMessage through a third-party. Not that Apple is perfect by any means, but they do run a tight ship. As you mess with the boundaries of that situation, you risk running into security trouble. However, from the outset, Beeper’s new app is a lot more secure than before. Beeper made its tech open source, so security researchers can tear it apart looking for vulnerabilities.
As for me, I may wait for their initial findings before jumping into this service myself. But I’m impressed. This is, for lack of a better word, really cool.
Plus, there’s the argument that Beeper Mini makes it more secure to text between iPhone and Android. SMS is a wildly insecure messaging protocol, and Beeper Mini offers you end-to-end encryption. They have a lot going for them right now.
Will Beeper Mini make it?
Beeper Mini also faces some potential challenges: Apple will not like it, as it relies on reverse-engineered iMessage code. (Props to you, jjtech.) Whether they will do anything about it remains to be seen. Apple does have plans to make texting between iPhone and Android devices much smoother, too: RCS support is coming late next year, which puts Beeper Mini in a weird place. Sure, it’s great to have an iMessage solution on Android in 2023, but what happens when “green bubbles” aren’t so bad in 2024? If people can essentially have an iMessage-quality experience texting between phones, no matter what phone you have, will people still want to pay to turn their bubbles blue?
The green bubble stigma is bad enough in the US today where that answer may be yes. But as it becomes far less obstructive to be an Android user in an iPhone group chat, that stigma may fade away, and with it, the need for something like Beeper Mini.
But, as it stands, Apple doesn’t support RCS yet. So, right now, this might be your best bet for secure, convenient messaging between your Android device and your iPhone friends.
Beeper Mini costs $1.99 per month, following a 7-day free trial. You can download it from the Play Store today.