Hacker News

I saw an article on the topic where the reporter spoke with Beeper's CEO, Eric Migicovsky. He seems to believe that blocking Beeper might cause problems for legitimate Apple users.

Obviously that outcome is something he wants, but I still think it's interesting.

[0]: https://www.theverge.com/2023/12/5/23987817/beeper-mini-imes...



Apple maintains iMessage compatibility with devices that are long out of support. If Beeper Mini is sufficiently similar to the client in, for example, iOS 12, then it makes an Apple decision to break Beeper fairly expensive. Even if they do the work to publish iMessage updates for the old iOS versions it just buys a little time before the new version gets reverse engineered, and that at the cost of poor user experience for the people with those devices in a form they will directly blame on Apple. Given all that, I suspect he's right.


> Even if they do the work to publish iMessage updates for the old iOS versions it just buys a little time before the new version gets reverse engineered

There's probably a cliff in complexity. Once Apple starts requesting signed attestations from the secure enclave on the devices that have one, it's game over.

They probably don't just yet, since still too many people use iMessage on first-party clients that don't have one, e.g. Intel laptops without a T1 or T2.


If Apple does start enforcing signed attestations, they will say that it's to reduce abuse. I have no doubt (being in the anti-abuse world) that spammers and phishing gangs will immediately begin using Beeper to spam iMessage users because this allows them to avoid buying an iOS device. With end-to-end encryption, Apple may also decide to roll out privacy-protecting client-side spam and phishing detection, which would IMHO be a really great thing.


The phone number registration https://blog.beeper.com/i/139416474/sending-and-receiving-me... will make it possible to enforce legal action against malicious and spammy messages.

Note that iPhones already receive SMS spam and fraud just like every other phone.

However, you are correct that the blue bubble is no longer a guarantee that the bad actor is using an iPhone.


> The phone number registration https://blog.beeper.com/i/139416474/sending-and-receiving-me... will make it possible to enforce legal action against malicious and spammy messages

Like the legal action that is currently protecting us from robocalls?

I don’t know if iMessage registration requires bidirectional SMS verification, though. If it does, that would be significantly harder to spoof than just caller IDs.


They do receive spam and fraud, but the numbers are orders of magnitude less than everyone else’s BECAUSE it’s tied to hardware. I don’t know the details of how these guys got around it, but this is bad for the rest of us when phishing skyrockets.


I don't understand what you're talking about. I get far more SMS spam on iOS than I did on Android.

Whether the number uses iMessage or not is totally irrelevant.


How can you get more SMS spam on one platform than another? With SMS they're just blindly sending to your phone number, your SIM could be in any device. They don't know what platform you're receiving it on.


Android is much better at blocking it.

There were also differences in the platforms with how/when your phone number can leak to spammers and data aggregators, although I'm no longer deep enough into mobile OS or related CVEs to know current details.


Maybe Apple needs an even blue-r bubble to set apart the super attested users from the mere blue bubble peasants


they could call it "apple blue" and charge a few bucks a month for it. People love that stuff


They can desaturate the iPhone / MacBook Air users to disambiguate from the MacBook pro / iPhone pro / max users. Also device age in years will add hints of green hue. That way people know they're talking to someone who can afford to spend thousands of dollars on hardware every year.


wait is this where "green with envy" will come from?????


I’d pay for a blue Apple checkmark!


I imagine the next color being purple since that's a sign of royalty. Hail to the king baby!


> With end-to-end encryption, Apple may also decide to roll out privacy-protecting client-side spam and phishing detection, which would IMHO be a really great thing.

Spam protection should be on the recipient, rather than the sender.


As we’ve learned very clearly over the last 20 years of commercialization of spam, that never works. The only tractable way to fight fraud and abuse is to impose cost.


The massive prevalence of physical junk mail would refute your argument that even a significant per message cost would dissuade abuse.


Scope and scale is important here, the amount of junk mail from business interests outside of my immediate region is not very high. If physical mail were free and you could send it from anywhere in the world, junk mail would be so much worse than it is. You couldn't run a lot of internet scams at the costs of physical mail and be profitable.


Probably not because even if the postage is free the paper, printing, envelopes, etc. are not.


How many pieces of physical junk mail do you get per day? Now how many spam emails do you get per day? Include the stuff that lands in your spam folder, because we're talking about cost to send junk mail here.

I'm willing to bet the latter is much, much higher. It certainly is for me.


I disagree. Email has SPF and DKIM and what have you exactly because client side filtering doesn't work right. Mail gets dropped before the clients even get a chance to run filters.

That's not to say that requiring remote attestation or blocking third party clients entirely is proportional, but Apple should (and does) play a role in spam prevention.


SPF and DKIM are ways of signing a message, but it's still typically up to the recipient or the recipient's mail server to decide what to do with that signature. And they're only checkable on the recipient's mail server because email isn't properly end-to-end encrypted, and exposes metadata.


SPF and DKIM can be checked client side no problem, assuming your mail server doesn't mangle the received-from headers. We just generally only use them as server-side filtering.


That's a brief statement which makes me think I'm missing something obvious, but it doesn't seem obvious to me. Would you please expand on that?


I think it's a bad idea to lock out unattested clients, and as long as third-party clients are accepted, spam will always be sendable. If you're not doing end-to-end encryption, you can catch it at send time by having the server reject the client for sending spam. If you're doing end-to-end encryption, the only options are the sender or the recipient, and attempting to block it at the sender would require prohibiting interoperability.


While I love the principle of accepting third-party clients, Apple clearly doesn't, which makes this argument fairly non-compelling for them.


There’s also the registration process that could be locked down and/or hardened. There may or may not be additional metadata (including out of band) that could identify first-party clients.

I would think that’s the biggest issue right now. If spammers can register “real” iMessage accounts at scale without Apple hardware, Messages becomes less pleasant, very quickly.


Apple can break Beeper without relying on the secure enclave: If Apple devices just send their serial number (IMEI for their GSM products), their servers can refuse to talk to hardware they didn't manufacture.


Non-Apple devices could just lie


Not if they require a certificate containing the serial number/imei/... + a nonce provided by Apple, signed with a private key/certificate stored in the secured enclave, loaded into the device when it's manufactured.
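The challenge-response check described in the comment above, sketched as an added example (not part of the thread and not Apple's actual protocol). Ed25519 from Go's standard library stands in for an enclave-held key; the `Cert` and `Attestation` layouts, all names and the serial value are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert (constructed format): manufacturer signature binding a serial to a device public key.
type Cert struct{ Serial string; Pub ed25519.PublicKey; MfrSig []byte }
// Attestation answers one challenge: the device key signs serial || nonce.
type Attestation struct{ Cert Cert; Nonce, Sig []byte }

type Verifier struct {
	mfrPub  ed25519.PublicKey
	pending map[string]bool // nonces issued and not yet answered
}
func bind(serial string, rest []byte) []byte { return append([]byte(serial+"\x00"), rest...) }

// Challenge issues a fresh random nonce and records it as outstanding.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	v.pending[string(n)] = true
	return n
}

// Verify checks nonce freshness, then the certificate, then the device signature.
func (v *Verifier) Verify(a Attestation) error {
	if !v.pending[string(a.Nonce)] {
		return errors.New("unknown or replayed nonce")
	}
	delete(v.pending, string(a.Nonce)) // each nonce is accepted once
	if len(a.Cert.Pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(v.mfrPub, bind(a.Cert.Serial, a.Cert.Pub), a.Cert.MfrSig) {
		return errors.New("certificate not issued by manufacturer")
	}
	if !ed25519.Verify(a.Cert.Pub, bind(a.Cert.Serial, a.Nonce), a.Sig) {
		return errors.New("challenge not signed by certified device key")
	}
	return nil
}

// Scenarios runs three constructed clients against one verifier.
func Scenarios() (honest, replayed, copied error) {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(nil)
	devPub, devPriv, _ := ed25519.GenerateKey(nil) // private half stays on the device
	cert := Cert{"CONSTRUCTED-SN-0001", devPub, ed25519.Sign(mfrPriv, bind("CONSTRUCTED-SN-0001", devPub))}
	v := &Verifier{mfrPub, map[string]bool{}}
	n := v.Challenge()
	good := Attestation{cert, n, ed25519.Sign(devPriv, bind(cert.Serial, n))}
	honest = v.Verify(good)
	replayed = v.Verify(good) // the same answer presented a second time
	// A client that copied the serial and public certificate but holds its own key.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	n2 := v.Challenge()
	copied = v.Verify(Attestation{cert, n2, ed25519.Sign(otherPriv, bind(cert.Serial, n2))})
	return
}
func main() { fmt.Println(Scenarios()) }
```

Knowing a valid serial, or even holding a copy of the public certificate, is not enough here: only the key that never leaves the device can sign the fresh nonce.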


The GP comment was:

> Apple can break Beeper without relying on the secure enclave: If Apple devices just send their serial number

You have come full circle with the comment 4 posts up.


Beeper will know only a small number of valid serial numbers

If it ever becomes popular, there will be a lot of duplicate serial numbers. That's easy to detect and ban.
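One way a server could detect the duplicate serial numbers mentioned in the comment above, as an added example that is not part of the thread. The event fields, the 24-hour window, the threshold of three accounts and all sample data are constructed assumptions; the window keeps a device resold over months from being flagged.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Registration is one constructed service-registration event.
type Registration struct {
	At              time.Time
	Account, Serial string
}

// SharedSerials returns serials claimed by at least minAccounts distinct
// accounts inside any span of length window.
func SharedSerials(events []Registration, window time.Duration, minAccounts int) []string {
	bySerial := map[string][]Registration{}
	for _, e := range events {
		bySerial[e.Serial] = append(bySerial[e.Serial], e)
	}
	var flagged []string
	for serial, evs := range bySerial {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		inWindow := map[string]int{} // account -> events currently inside the window
		lo := 0
		for hi := range evs {
			inWindow[evs[hi].Account]++
			for evs[hi].At.Sub(evs[lo].At) > window { // slide the left edge forward
				inWindow[evs[lo].Account]--
				if inWindow[evs[lo].Account] == 0 {
					delete(inWindow, evs[lo].Account)
				}
				lo++
			}
			if len(inWindow) >= minAccounts {
				flagged = append(flagged, serial)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// DemoFlagged runs the check over constructed events (hours since a fixed start).
func DemoFlagged() []string {
	t0 := time.Date(2023, 12, 1, 0, 0, 0, 0, time.UTC)
	at := func(hours int) time.Time { return t0.Add(time.Duration(hours) * time.Hour) }
	events := []Registration{
		{at(0), "alice", "SN-A"}, {at(500), "alice", "SN-A"}, // one owner re-registering
		{at(0), "bob", "SN-B"}, {at(2000), "carol", "SN-B"}, {at(4000), "dan", "SN-B"}, // resold twice
		{at(1), "u1", "SN-C"}, {at(2), "u2", "SN-C"}, {at(3), "u3", "SN-C"}, {at(3), "u1", "SN-C"}, // shared
	}
	return SharedSerials(events, 24*time.Hour, 3)
}

func main() { fmt.Println(DemoFlagged()) }
```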


How does this address iMessages sent from non-iPhone devices?


If in the data sent across (via Apple servers) the IMEI and serial no of the device are also transmitted, then Apple can in that millisecond query on their various lists/inventories that this device is legit (activated device + IMEI + serial) and if all lights are green, proceed to deliver, otherwise drop it.

(perhaps different sets of data can be used, but it must be something that Apple already has, and the user has already provided (i.e. the iMessage email or the iMessage phone number, from the iPhone's enabled Settings))


As someone who once bought fake airpods on ebay, I can tell you that Apple can't do this.

I spent a number of days with them where they were trying to work out if they were fake. The serial number was real but they were fairly sure the number had been taken from a real product and reused, but were unable to say for sure.

I ended up just returning them (because of the ebay return window) but found it interesting that Apple couldn't easily check this, and was very aware of the issue.


you already have to do this to get certain apple services (including imessage) working on hackintoshes. turns out there's a really easy work-around: guess-and-check serial numbers on apple's web site until one works. they rate limit it a bit but you can usually find a working one without a terrible amount of hassle.


Do you mean that I now have a nice party trick - DoSing friends' iPhones from sending iMessage? :)


If you have a FlipperZero, DoSing iPhone users with Bluetooth is a bit of fun!


I believe you can bruteforce/generate IMEIs somewhat easily. https://github.com/bstein/py-imei-generator


Looks like Apple figured out a way to identify Beeper clients: https://techcrunch.com/2023/12/08/apple-cuts-off-beeper-mini...


That would make sense: because Apple have deeply coupled iMessage to the OS they can’t simply roll out a new version of the app with protocol changes that would block Beeper, they’d have to release entire OS updates.

No matter the method it would be a scorched earth approach. I suspect the number of people actually using Beeper will be far below a rounding error for Apple.


Non-Apple legitimate users aren't the only concern for Apple: Once third-party clients are readily available, this makes spam much harder to filter.

Right now they can probably just ban known-spam-originating devices, which is much more effective than banning iCloud accounts since there is a much higher cost to the spammers.


You say this like Apple doesn't release OS updates. Why are you putting that as some arbitrary limiter to what Apple could do to protect its walled garden?


They don't usually remove features as important as iMessage from older iOS versions. I don't believe they push updates to the iPhone 7 and older anymore, so they'd be unable to use iMessage.


I have a 6sPlus, and messages work just fine, and it may not be iOS 17, but I recently-ish ran an update for its OS that Apple deliberately updated (which you just know must have been an important update). You can stop making stuff up now.


Uptake for OS updates is very high on iOS though right? I heard a while back that it is like 90+% in 6 months. (could be totally wrong on that can someone confirm?)


Uptake of updates is, uptake of devices isn’t. Here I have 1st gen retina iPad from 2012 which is on the latest iOS available for it - 9.3.5 (from 2016, current version is 17.1.2). As of today FaceTime and iMessage still work perfectly fine.

That and reading the books is actually about the only thing it can do right now.


There’s a ton of devices out there unable to upgrade to the latest iOS. Obviously you can release point upgrades for old versions but I do wonder what the uptake of those is like. I’d wager there are a ton of very old iOS devices out there. At the very least many more than there are potential users of Beeper.


anecdote of 1, but i have a 6S+ that is kept up with any updates it receives which is 15.8. there may be some devs that have older devices that they intentionally keep at even older versions, but if someone is using an old iDevice as a daily driver, they're probably still more likely to run the updates. at least, that's my reaches up and grabs for an opinion


I'm not that familiar with ios apps, can they not push out updates to individual apps?


On iOS many of the individual apps e.g. Mail, Notes you can delete and then re-download from the App Store.

And as part of Security Updates they have patched vulnerabilities just in the relevant apps.

So there is nothing technical stopping them. It's just been customary to treat iOS as a product where all features ship together.


I don’t think this actually physically deletes the app, given that it’s back once you reset the phone. It’s most likely just hidden/deactivated until you “reinstall it from the app store”.

Actual updates require the app binary/bundle to be mutable.


Apple never patches security vulnerabilities in individual apps except for Safari, and they’ve stopped doing that too.


Not the OS-included ones, afaik. Some Apple apps are through the AppStore normally, which can be updated independently (i.e. TestFlight, despite its deep hooks).


Why did google break out Google Play Services as a separate app, was that when they started integrating more with third-party android phone suppliers, and they didn't want to have to wait for OS upgrade cycles from slower-moving companies?


Probably they originally did it because Android has high-assurance embedded use-cases (compare/contrast: Windows IoT Core) where you want to strip out everything possible from the attack surface.

But mainly it's because base Android (AOSP) can be arbitrarily modified by the OEM; and Google doesn't want to have to trust installations of Google Play Services that have been arbitrarily modified by OEMs.

(Especially because those versions would likely all act differently-enough from one-another that they would be forced to loosen their server-side, network-traffic-fingerprint-based "authentic Android device" detection that allows them to ignore/block bots pretending to be Android devices.)

By shipping Google Play Services through the store, they can ensure that, on devices that run it, it's exactly the same code for every device that runs it, with no OEM alterations. (And they can also include various checks to reject devices that would try to alter that code at load time. This is the real reason why e.g. Huawei devices are blocked from using Google Play Services — they try to patch unspecified parts of the Play Services code while loading it, "breaking the integrity of the platform" from Google's perspective.)


Man, that's contrived. Really, it's simple: Google separates out Play Services so they can harvest user data from virtually all Android devices. It lets them market Android as OSS while still reaping the benefits of closed source data scraping.


Google can harvest data from "virtually all Android devices" just by offering Chrome, Google Search, and Gmail as apps. Almost every Android user has at least one of those apps installed. They don't need Play Services itself to spy on you on top of that.


derefr cited one reason but there's another that's relevant to this thread: updates. In the Android model handset manufacturers and carriers decide when (or if) to ship updates. Google distributing their apps through the store gives them a way to roll out new features to a reasonable portion of their user base.


will iMessage Contact Key Verification coming in iOS 17.2 break Beeper — or just make it super annoying like the “not a genuine Apple part” warning when replacing a screen or battery?


> because Apple have deeply coupled iMessage to the OS

No they haven't. On my Mac it's just an app and a reusable framework.

There is nothing stopping them releasing it on the App Store similar to Mail.


> There is nothing stopping them releasing it on the App Store similar to Mail.

In the sense that the app is just a wrapper around a system framework, sure. But changing that framework would be an OS release.


Mail is also deeply coupled to the OS. The app itself does very little.


I’m talking about the iPhone.


Messages is the same on OSX and iOS.

It's not deeply integrated into the iOS by any normal definition. It's just shipped together.


Messages has a bunch of special privileges on iOS, which is why they had to add the whole Blastdoor protection framework and why it's such a juicy target for sandbox escape exploits.


Nope. It just happens to be on everyone’s device and usually enabled


Yes, and when it's enabled it has more privileges than most other apps, doesn't it? But yeah you can still remove the app.

Btw, maybe related, on iOS I have "app privacy report" enabled, to show me a list of apps and the recent entitlements they used. Every Apple app, even those that don't need access to them, is shown as having recently accessed my Contacts. I find this weird. Anyone know why they do that? e.g. I've never even used the Health app and yet it's accessing my Contacts for some reason.


It’s basically the same as any other app, there are some special permissions it has to integrate with the OS a bit better but nothing too interesting. Not sure what’s going on with Contacts but it might be a bug?


The Messages app in macOS is less capable than the Messages app in iOS. It cannot even edit sent messages.


It can, by right clicking the desired message to edit. This is in macOS Sonoma, and I believe was a part of Ventura as well.


Oh interesting, I have a 2015 MacBook Air. Wonder if the feature is not available on whatever macOS version I have.


It’s a Ventura and later feature and your MacBook Air probably topped out around Monterey or earlier. 2016 MacBooks Pro also didn’t make the cut for Ventura.


fwiw it hasn't been called "OSX" for a while now


It's not too hard to think through -

They would need to accept and verify a flag from messages that the copycats can't reproduce. At the very least that would require a client update from anyone using official iMessage clients, which covers many millions of devices.

Unless they're able to hook into already existing flags/keys on the devices since they already verify application signatures and a whole other host of things.

Apple can probably do it, but much like jailbreaking how fast can they release breaking changes?


They could probably require a new check but whitelist already registered numbers.


What's brilliant is they get press either way this goes down.


i understand no such thing as bad news/publicity, but if the 800lb gorilla squashes the little guy, then that's some pretty bad news. with the recent Twitt...er,X and reddit debacle with 3rd party apps, that 800lbs is pretty powerful when it wants to be

edit, because i used the wrong turn of phrase


is it powerful? In both cases X and reddit, nothing meaningful happened.

Apple could block any device without attestation then offer a discount for those on old products to upgrade. Now bad news is good news.



