On Friday afternoon, Beeper Mini on Android stopped working and Apple confirmed today that it “took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.”
In a statement to 9to5Mac, Apple said Beeper Mini’s “techniques posed significant risks to user security and privacy.” Beeper’s first app — now called “Beeper Cloud” — worked by routing iMessage through a Mac. Earlier this week, it introduced Beeper Mini as a new Android app that exploits iMessage directly. As we reported:
…the new app connects directly to Apple’s service. That means that you aren’t signing into your Apple ID on a remote Mac or through Beeper’s servers – you’re just signing in through Apple directly. From there, messages and media are similarly handed directly from your device to Apple. No Beeper servers (or anyone else’s) are in play here, the company says.
Apple this evening specifically cited the “potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.” While Beeper, which used the work of a security researcher that published the proof-of-concept on Github, is just providing iMessage for Android, the statement alludes to the potential of other parties with more nefarious intentions.
Additionally, Apple tells us that it cannot verify these faux-“iMessages” sent through Beeper are only accessible by the intended sender and recipient, or that they maintain end-to-end encryption.
Lastly, Apple says it “will continue to make updates in the future to protect our users,” with iOS 17.2 introducing iMessage Contact Key Verification.
Top comment by Skopin
Apple: "we care about privacy and security."
Also Apple: "any cross-platform communication will use the incredibly outdated and insecure SMS protocol."
As of Saturday morning, Beeper Cloud was re-enabled, but Beeper Mini is still down, though the company said it was continuing work on a fix. Beeper also took the step of deregistering Android phone numbers on behalf of its users, and extended the 7-day free trial another week so that users aren’t billed ($2 per month) while Beeper Mini is down.
Apple’s full statement is below:
At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users.
Beeper had the following to say after Apple’s statement:
We stand behind what we’ve built. Beeper Mini is keeps your messages private, and boosts security compared to unencrypted SMS. For anyone who claims otherwise, we’d be happy to give our entire source code to mutually agreed upon third party to evaluate the security of our app.
Updating…
FTC: We use income earning auto affiliate links. More.
Comments