Beeper reverse-engineered iMessage to bring blue bubble texts to Android users::The push to bring iMessage to Android users today adds a new contender. A startup called Beeper, which had been working on a multi-platform messaging

  • LWD@lemm.ee
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    2
    ·
    1 year ago

    Notice how in the article they say “we’re not the middle man… Any more”? That’s because, up until now, Beeper has been working on a system where they operate as a middle man for your data.

    But to be fully trusted, Beeper Mini will need to be audited by a third party — something it has not yet done. In addition, Beeper uses certificate pinning, which makes network traffic analysis more difficult to perform in order to verify its claims.

    And until they release the source code for their new app, something they probably don’t have a huge incentive to do (it would open them up to competition, or people who don’t need to charge you a $2/mo subscription for something that has nothing to do with their servers) there’s basically nothing guaranteeing their product is secure, or private.

    • twix@infosec.pub
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      They do have to run servers in order to keep the service alive. If you want to run this stuff yourself on your own server that’s possible using PyPush. The reason they have to run those servers for you is to keep the notification service alive.

      • LWD@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Can you cite your sources? You appear to have confused Beeper Mini with Beeper…

        1. Mini only needs optional push servers to run.
        2. There’s no Beeper Mini source code
        3. You have to log in to Beeper Mini exclusively using a Google account
        • twix@infosec.pub
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Yeah, sorry, I got confused. Beeper mini does need servers to keep the notification service alive. And thus not crazy to ask for 2$ a month. Beeper cloud could indeed do without servers I guess, but I don’t know anything about that. I was just keeping up with the development of pypush (the python poc) and reverse engineering progress.

          I don’t understand your point of “you have to log in with a google account”. I understood that was a requirement to check subscription status (and as such limit fraudulent apk’s).

          But that seems to be a different story than “opensourcing this would mean a competitor could do it for free”.

          You can already do this for free with pypush. And if you want to use something else then python you could build something based on it with any language as pypush is completely open source.

          • BearOfaTime@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            Your Google account is required because it uses GCM for notifications on the phone. The Mini servers act as a middleman between GCM and ANP (Apples background notification protocol).

            They talk about this in the docs, they didn’t think it was realistic to try to reproduce ANP on Android, besides Android already has a service.

    • pitninja@lemmy.pit.ninja
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      By that logic, there’s nothing guaranteeing iMessage on iPhones is secure or private either because it’s closed source. If you don’t want to trust Beeper mini, you’ll be free to run their iMessage bridge on your own Matrix stack when they open source it at some point, which they’re promising to do (and you still won’t know that Apple isn’t scraping your messages on the iOS side). When I decide to trust a company, it’s because I look at what they’re transparently communicating to their end users. Every indication is that they are trying to get out of the middle of handling encrypted messages. Their first move to make this happen was allowing people to self host their own Beeper bridges (which you can still do with Beeper Cloud if you prefer and you will know that your messages are always encrypted within the Beeper infrastructure). They aren’t going to release the source for their client ever because that’s the only way they make any money.

      • LWD@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        I tend to trust actual open source projects over closed-source ones. Beeper Mini is closed source. And Beeper is a separate app not really relevant to this discussion.

        • BearOfaTime@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          You should read the docs. It’s impressive.

          I get where you’re coming from, but after readinhow badly security is implemented in iMessage frankly I trust the Beeper devs more than Apple.

          Get this, iMessage delivers the AES encrypted message in a package with the AES key, that package is encrypted with your RSA key.

          iMessage lacks forward secrecy. So if anyone ever got your RSA key, they could read all your messages, including past messages, because your RSA key never changes!

          • LWD@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I can’t trust Beeper more than Apple on one major technicality… Trusting them requires trusting Apple, at least for now. And I question why I had to sign in to their Mini apps with a Google account.

            I’m impressed by the reverse engineering, but hey maybe they could introduce some good encryption on the side for their potentially expanding user base. And probably integrate their two apps… Unless they already basically have.

    • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Notice how in the article they say “we’re not the middle man… Any more”? That’s because, up until now, Beeper has been working on a system where they operate as a middle man for your data.

      To be fair they never claimed otherwise and all of the code for the bridges are open-sourced and can be run on your own servers so that those servers you control (as opposed to Beeper-owned servers) act as a “middle man” and none of your messages need be trusted to a 3rd party.

      To put it simply: only the actual bridge on Beeper Cloud has access to unencrypted messages and you do have the option to run the bridge yourself while continuing to use the Beeper app. You can use as many or as few self-hosted bridges as you’d like.

      A few bridges are preconfigured for self-hosting with just a couple of clicks for free through fly.io here