Archive for December 6, 2023

Wednesday, December 6, 2023

Standalone Beeper Mini Brings iMessage to Android

Beeper (Hacker News, MacRumors):

It’s our beautiful new Android app built specifically to send and receive blue bubble messages to friends with iPhones.

[…]

Full end-to-end encryption.

It’s a standalone Android app - no server, laptop, Mac or iPhone required.

erohead:

The app connects directly to Apple servers to send and receive end-to-end encrypted messages. Encryption keys never leave your device. No Apple ID is required. Beeper does not have access to your Apple account.

With Beeper Mini, your Android phone number is registered on iMessage. You show up as a ‘blue bubble’ when iPhone friends text you, and can join real iMessage group chats. All chat features like typing status, read receipts, full resolution images/video, emoji reactions, voice notes, editing/unsending, stickers etc are supported.

[…]

To be honest, I am shocked that everyone is so shocked by the sheer existence of a 3rd party iMessage client. The internet has always had 3rd party clients! It’s almost like people have forgotten that iChat (the app that iMessage grew out of) was itself a multi-protocol chat app!

Beeper:

Don’t believe this is possible? Try the open-source Python proof of concept on your own computer to see for yourself. Security researchers are invited to verify all claims that we make, see appendix below.

[…]

This is now possible because the iMessage protocol and encryption have been reverse engineered by jjtech, a security researcher. Leveraging this research, Beeper Mini implements the iMessage protocol locally within the app.

[…]

Optionally, you may also sign in to your Apple ID to enable sending/receiving from your email address. This will also enable you to send and receive messages from other Apple devices like iPad or Macs.

Nick Heer:

This is all made possible by the frankly incredible work of the pypush project. Primarily, its author is “JJTech”, a high school student who reverse-engineered the way iMessage works[…]

[…]

Unlike the catastrophic launch of Nothing’s messaging client and all other predecessors, Beeper Mini is not proxying iMessages through Apple devices.

[…]

The people behind it — including “JJTech” — believe Apple could not end access for technical reasons, but it seems like Apple is prepared for ending access to services on older devices. The Verge’s Nilay Patel noted on Threads the P.R. risk of shutting it down, while Sarah Perez of TechCrunch points to current antitrust investigations and E.U. regulations.

Jacob Kastrenakes:

I’ve been using the app for the past few weeks, and I’ve been surprised at how smoothly it works. Messages sent from Beeper Mini on my Pixel 8 appear as blue bubbles on the iPhones of my friends and family members. Group chats I’m on automatically switched over to iMessage as soon as someone fired off a meme. Reactions, threads, photos, and videos (without the messy text message compression) all came through. The best thing I can say about Beeper Mini is that almost no one noticed I was using it: blue bubbles just started appearing — no lost messages to speak of.

[…]

At launch, the service will cost $2 per month and only offer access to iMessage. Migicovsky says Beeper Mini will eventually drop the “Mini” branding and integrate all the other chat services offered on Beeper’s main app — WhatsApp, Messenger, Signal, and so on, all hacked together to work inside a single convenient interface. My biggest complaint at the moment is that Beeper Mini doesn’t support SMS and RCS, so this one-day all-in-one app is currently dividing my texting experience in two. Migicovsky says bundling in SMS and RCS is coming, too. All those extra services might just cost a little more, though.

Even with RCS coming to iMessage, Migicovsky thinks there’s still an important role for Beeper. “The long-term vision is one app that you can use to chat with anyone in the world,” he says.

Update (2023-12-08): Jason Snell:

Quinn Nelson has an excellent explanation video and Jacob Kastrenakes at the Verge has an article about it.

[…]

In a time when Apple’s being assailed by multiple regulators for uncompetitive behavior, it would not look great if the company were to crush Beeper, even if it could do so easily. Instead, it might take a months- or years-long overhaul of its authentication systems to do so. And would it be worth it? Beeper is making a calculated gamble that Apple will let this go.

See also: Accidental Tech Podcast.

Governments Using Push Notifications to Surveil Users

Tim Hardwick (Hacker News):

Senator Ron Wyden said foreign officials were demanding the data from the tech giants to track smartphones. The traffic flowing from apps that send push notifications put the companies “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden said.

[…]

In a statement given to Reuters, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

[…]

Apple advises developers not to include sensitive data in notifications and to encrypt any data before adding it to a notification payload. However, this requires action on the developers’ part. Likewise, metadata (like which apps are sending notifications and how often) is not encrypted, potentially giving anyone with access to the information insight into users’ app usage.

robbiet480:

We at the Home Assistant Companion for iOS team have been wanting to implement end to end encryption for our push notifications for a while now but Apple has denied our request for the com.apple.developer.usernotifications.filtering entitlement multiple times. Wondering if with today’s news we could apply again and get it.
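The advice quoted above (encrypt data before adding it to the notification payload, while metadata stays readable) can be shown with a Node.js example that is added here and is not code from Apple, Home Assistant or any project mentioned on this page. It assumes the server and the device already share a 32-byte key. The field names `enc`, `iv` and `tag`, the topic `com.example.chat` and the device token are constructed for illustration.

```javascript
// Added example: key handling and the enc/iv/tag field names are assumptions.
const nodeCrypto = require("node:crypto");

// Constructed sample values; a real key is provisioned to the device out of band.
const DEVICE_KEY = nodeCrypto.randomBytes(32);
const TOPIC = "com.example.chat"; // hypothetical bundle id, sent as apns-topic

// Server side: seal the sensitive content, leave only a placeholder in `aps`.
function buildEncryptedPush(key, topic, content) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(topic)); // bind the ciphertext to the app topic
  const ct = Buffer.concat([cipher.update(JSON.stringify(content), "utf8"), cipher.final()]);
  return {
    headers: { "apns-topic": topic }, // readable by the push service
    payload: {
      aps: { alert: { title: "New message" }, "mutable-content": 1 },
      enc: ct.toString("base64"),
      iv: iv.toString("base64"),
      tag: cipher.getAuthTag().toString("base64"),
    },
  };
}

// Device side: what the app would do before displaying the notification.
function decryptPush(key, push) {
  const { enc, iv, tag } = push.payload;
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
  d.setAAD(Buffer.from(push.headers["apns-topic"]));
  d.setAuthTag(Buffer.from(tag, "base64")); // final() throws if anything was altered
  const pt = Buffer.concat([d.update(Buffer.from(enc, "base64")), d.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// What the push provider, or anyone holding its records, can still observe.
function providerView(push, deviceToken) {
  return {
    topic: push.headers["apns-topic"], // which app sent it
    deviceToken, // which device received it
    payloadBytes: Buffer.byteLength(JSON.stringify(push.payload)),
    readableText: JSON.stringify(push.payload.aps), // placeholder only
  };
}

const push = buildEncryptedPush(DEVICE_KEY, TOPIC, { from: "alice", body: "meet at 6" });
console.log(providerView(push, "constructed-device-token"));
console.log(decryptPush(DEVICE_KEY, push));
```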

Update (2023-12-08): Ashley Belanger:

Apple has since confirmed in a statement provided to Ars that the US federal government “prohibited” the company “from sharing any information,” but now that Wyden has outed the feds, Apple has updated its transparency reporting and will “detail these kinds of requests” in a separate section on push notifications in its next report. Ars verified that Apple’s law enforcement guidelines now note that push notification records “may be obtained with a subpoena or greater legal process.”

[…]

A source familiar with Wyden’s probe told Reuters that “both foreign and US government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.” The source could not confirm how long agencies had been sending the requests and would only describe the foreign governments as “democracies allied” to the US.

Nick Heer:

This is an entire category of stuff the U.S. government has apparently prohibited Apple and Google from disclosing and it is a good reminder that their transparency reports exist at the behest of governments, with their limitations imposed. But, also, Apple specifically blames the “federal government” — I take that to mean the U.S. federal government. Why would they be able to prevent Apple from disclosing this category of law enforcement requests from other countries?

Joseph Cox of 404 Media reviewed one warrant which mentioned push notifications in the case of an Ohio researcher, questioning whether it “is boilerplate language that has been included in the search warrant application”.

Update (2023-12-11): John Gruber:

Law enforcement agents can issue subpoenas on their own, so there’s no oversight here. Google, on the other hand, requires a court order[…]

Tim Hardwick:

Apple has updated its Legal Process Guidelines to reflect the company's legal obligation to comply with law enforcement requests for Apple ID information associated with its push notification service.

Tuta (via Hacker News):

When we redesigned the Tuta client back in 2017, we strictly focused on our mission to liberate everyone from being forced to use Google’s services. New evidence now shows this was an excellent move as Google and Apple monitor all your push notifications. But not so with Tuta: We offer one of the very few email apps available without Google’s push notification service. Technically, this was a true challenge; so let's explain how we succeeded!

See also: Bruce Schneier.

Update (2023-12-19): Raphael Satter (via Hacker News):

Apple has said it now requires a judge’s order to hand over information about its customers’ push notification to law enforcement, putting the iPhone maker’s policy in line with rival Google and raising the hurdle officials must clear to get app data about users.

iCloud Advanced Data Protection Uptake

John Gruber:

Back in August I ran a poll on Mastodon, asking my followers if they have iCloud Advanced Data Protection enabled. iCloud Advanced Data Protection was announced two years ago this week, alongside support for security keys (e.g. Yubico).

I’m in the last group, too. I still use some older devices that would be dropped from iCloud if I enabled it.

Update (2024-01-09): Pierre Igot:

I’ve got to say that, when you are trying to activate the “Advanced Data Protection” safety feature in #macOS #Sonoma, the level of attention to detail on the part of Apple’s software engineers is really confidence inspiring. I mean, wouldn’t YOU trust those guys with the safety of your data?

(And let’s just not mention the couple of times where System Settings just conked out on me when I was in the middle of typing important information.)

His System Settings screenshots look awful, with text clipped and a bare URL that isn’t clickable. Of course, Advanced Data Protection was probably implemented by an entirely separate team from the one that seems to be learning SwiftUI and incorporating Web technologies while redoing the System Settings app. But gone are the days when the company seemed to have an attention to detail and polish top to bottom.

Vladislav Smolyanoy:

I got locked out of my iCloud in December because their Advanced Data Protection somehow broke my iCloud.

After 9 hours on the phone with Apple support and me a couple of gray hairs richer, they finally called in internal Apple iCloud engineers to personally fix it.

It was a crazy story where I almost lost most of my digital life (passwords, pictures, documents, 2fa, mail and so much more)

Misinformation About NameDrop

Juli Clover:

As noted by The Washington Post, there have been warnings about NameDrop popping up on FaceTime. Police departments in Pennsylvania, Oklahoma, Ohio, and other states have been suggesting that contact information can be shared “just by bringing your phones close together.”

[…]

While it’s true that NameDrop is turned on by default, the way that it functions is more nuanced than simply putting two iPhones near each other.

[…]

Contact information is not shared automatically, and it is a user-initiated process that requires both people exchanging information to accept the transfer. While an accidental exchange could occur, it would require a user to unlock their device and accept the sharing prompt for that to occur.

Nick Heer:

I cannot imagine how someone could surreptitiously activate this feature, but I can see how someone might get confused if they only watched a demo. In Apple’s support video, it almost looks as though the recipient will see the contact card as soon as the two devices are touched, perhaps because of the animation. But that is not how the feature works. When two devices are brought in close proximity, each person first sees their own contact card; from there, they can choose whether they want to share the card.

Jason Snell:

I’m glad that so many sources are rushing to correct the original police department posts, but if you really want to get depressed, visit one and read the comments from all the people who are grateful for the misinformation. You’ll have to laugh to keep from crying.

See also: TidBITS.

NSFileManager’s File Copy Error Messages Lie

Jeff Johnson:

The error says that the source file InstallHistory.plist doesn’t exist, but the file does exist! The true reason for the copy failure is that the destination directory /Users/Shared/nonexistent/ doesn’t exist. Sigh.

I tested my command-line tool all the way back to macOS 10.13 High Sierra, and the behavior is the same! This is an old bug in NSFileManager. And note that the bug is not restricted to path-based API: it also affects NSFileManager URL-based API.

This is a really old bug, and it affects other types of failures, not just NSFileNoSuchFileError. I first encountered it when working on the SpamSieve installer for Apple Mail. I would ask NSBundle for the copy of the plug-in that was built into the app and then try to copy it to a protected folder, but the error message would say that it didn’t have permission to read the source path that was in the app itself.

Emergency SOS via Satellite Pricing

Adam Chandler:

Garmin had a few benefits Apple’s hardware did not thanks to a larger antenna and dedicated hardware. My InReach could be tracked by my wife anywhere. She could see my location instantly by going to a special web page and entering a passcode. I could also text anything I wanted to any phone number made easier by the InReach app where I could type on a smartphone keyboard instead of the old thumb pad input on the InReach. Finally, InReach had topographic maps for the entire USA. I could open it up anywhere and relate myself to the surroundings, use the compass and know how to find water or civilization.

Of course, all of this came for a high price and now, FindMy, basic texting to my wife and emergency SOS were built in to my iPhone 14.

[…]

In fact, SOS may be a wake up call to some people that could graduate to owning a real PLB when they have an emergency and see how slow and cumbersome Apple’s SOS is compared to a dedicated device with its one-week battery life and easier use along with being hooked to their clothes via a clip than stuck in a backpack. This could grow the amount of people using a dedicated PLB who never knew those products existed.

[…]

I think SOS will be $49 a year or $5 a month to convert 2 million people to their SOS service and, because bundling, it will be included with AppleOne because what’s better than people paying $5 a month? Well, it’s getting them to pay $30 a month and subscribe to everything Apple has to offer.

Apple:

One year ago today, Apple’s groundbreaking safety service Emergency SOS via satellite became available on all iPhone 14 models in the U.S. and Canada. Now also available on the iPhone 15 lineup in 16 countries and regions, this innovative technology — which enables users to text with emergency services while outside of cellular and Wi-Fi coverage — has already made a significant impact, contributing to many lives being saved. Apple today announced it is extending free access to Emergency SOS via satellite for an additional year for existing iPhone 14 users.

John Gruber:

My hunch on this is that Apple would like to make this available free of charge in perpetuity, but wasn’t sure how much it would actually get used, and thus how much it would actually cost. If they come right out and say it’s free forever, then it needs to be free forever. It’s safer to just do what they’ve done here: make it free for an extra year one year at a time, and see how it goes as more and more iPhones that support the feature remain in active use.

Kyle Melnick:

After Shepherd frantically called 911, investigators contacted Volkswagen’s Car-Net service, which can track the location of the manufacturer’s vehicles. They hoped to locate Isaiah.

But a customer service representative said that wouldn’t be possible because Shepherd’s subscription to the satellite service had expired, according to a new lawsuit. The employee said he couldn’t help until a $150 payment was made, the complaint said.

Via John Gruber:

This perfectly illustrates the perils of Apple eventually charging for Emergency SOS satellite service. If Apple someday cuts off free service for compatible iPhones, eventually there’s going to be someone who dies because they chose not to pay to continue service. No one wants that.

Dan Moren:

I was pretty confident Apple would kick this can down the road, and now they have. My guess is that it might (next year or the year after) introduce a paid tier that lets you do more with satellite connectivity—non-emergency messaging, for example—and use a charge for that to essentially subsidize free emergency functionality for all users.
