• GenderNeutralBro@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    180
    arrow-down
    1
    ·
    1 year ago

    They’ve stated that they are using Mac minis as relays. They claim that they do not store messages or credentials, but I don’t see how that’s possible if it relies on a Mac or iOS relay server that they control.

    • LWD@lemm.ee
      link
      fedilink
      English
      arrow-up
      113
      arrow-down
      1
      ·
      1 year ago

      The best they can do is pinkie-promise to not intercept your messages and send a copy to law enforcement. But Nothing Corp can only guarantee… Nothing.

      And yet, this article acts as if you’re using end-to-end encryption:

      messaging Android users will use encrypted RCS chats, while messaging iPhone users will use encrypted iMessage chats.

      • SHITPOSTING_ACCOUNT@feddit.de
        link
        fedilink
        English
        arrow-up
        19
        ·
        1 year ago

        They might be able to relay them in a way that the end to end encryption is actually handled on the phone and the relay only relays encrypted messages.

        That would likely still give them a capability to MitM but it’s plausible that they couldn’t passively intercept the messages.

        • LWD@lemm.ee
          link
          fedilink
          English
          arrow-up
          13
          arrow-down
          1
          ·
          1 year ago

          On second thought… Wouldn’t they have to reverse engineer at least part of the application, and at that point, would they even need Macs?

          • KairuByte@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            10
            ·
            1 year ago

            Absolutely. The iMessage network isn’t some unknowable beast, it “just” requires an Apple device be involved and activated to work. In order to spoof that far, you’d essentially need to emulate quite a bit on device.

            • LWD@lemm.ee
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              1
              ·
              1 year ago

              I have experimented a little bit with Intel Hackintoshes, and iMessage has been one of the more difficult components of the process. If they truly managed this reverse engineering, they’d really be opening Pandora’s Box with Apple… Maybe in a legal sense.

              I don’t think I would trust Nothing to develop this software and just hand it out for free on their hardware. “Software (Hardware?) as a Service” is bad enough, but this seems like it could be legally fraught.

        • infinitepcg@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          1 year ago

          You give them the credentials for your Apple account. The security concept is “trust me bro” and that’s really the best they can do unless Apple helps them (which they have no reason to)

          • realharo@lemm.ee
            link
            fedilink
            English
            arrow-up
            7
            ·
            edit-2
            1 year ago

            “Trust me bro” is always the security concept of any service where you don’t control the client - that includes regular iMessage (you have to trust Apple) and Google’s RCS (you have to trust Google). They can always instruct or update the client apps on people’s phones to start doing something they weren’t previously doing.

            That being said, I would not trust some random sketchy company with something so important. Even if you trust their intentions, you cannot trust their competence in preventing breaches. Stuff gets hacked and leaked all the time.

        • kirklennon@kbin.social
          link
          fedilink
          arrow-up
          6
          ·
          1 year ago

          They might be able to relay them in a way that the end to end encryption is actually handled on the phone and the relay only relays encrypted messages.

          They’d need to control the app on both phones in order to control what it’s encrypting/decrypting. Their system only works because they’ve got a device in the middle separately decrypting/re-encrypting each message. Google’s Messages app can’t read iMessages; Apple’s Messages app can’t read Google’s proprietary encrypted RCS messages.

          Of course if you want universally cross-platform messaging, complete with full-resolution photos and available with end-to-end encryption, there’s this crazy new technology called “email.” I feel like there’s a missed opportunity for making setting up S/MIME easier.

        • LWD@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          It’s true I am assuming, but I’m basing my assumptions on existing open source projects that allow you to “hack” iMessage texts onto Android by setting up your own Mac Mini.

          I can’t even start to imagine how they would use the Mac as only a partial relay that would be married to a particular Android device in order to only decrypt iMessages on it. Maybe they figured it out, but if they did, I would want it open source, with as many pairs of eyes on it as humanly possible!

      • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        If it’s anything like Beeper 's Matrix bridge then it’s E2EE Matrix encrypted between your device and the bridge server and then using Apple’s iMessage encryption between the bridge server and Apple/the other user.

        The weak point is always going to be the bridge software as by necessity the message must be decrypted there to re-encrypt for iMessage.

        At least in Beeper/Matrix the bridge software is open source and one can host their own bridge while continuing to use the existing Beeper/Matrix main server.

        Doing so gives you no-trust security since the Beeper/Matrix host cannot decrypt the messages between you and the bridge you control and rubbing your own bridge eliminates that weak point.