An adversarial iMessage client for Android

Beeper Mini preserves end-to-end encryption and doesn’t require an Apple ID.

Cory Doctorow
6 min readDec 7, 2023

--

A screenshot of an early iMessage setup dialog showing that iMessage was a multiprotocol client.

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/12/07/blue-bubbles-for-all/#never-underestimate-the-determination-of-a-kid-who-is-time-rich-and-cash-poor

Adversarial interoperability is one of the most reliable ways to protect tech users from predatory corporations: that’s when a technologist reverse-engineers an existing product to reconfigure or mod it (interoperability) in ways its users like, but which its manufacturer objects to (adversarial):

https://www.eff.org/deeplinks/2019/10/adversarial-interoperability

“Adversarial interop” is a mouthful, so at EFF, we coined the term “competitive compatibility,” or comcom, which is a lot easier to say and to spell.

Scratch any tech success and you’ll find a comcom story. After all, when a company turns its screws on its users, it’s good business to offer an aftermarket mod that loosens them again. HP’s $10,000/gallon inkjet ink is like a bat-signal for third-party ink companies. When Mercedes announces that it’s going to sell you access to your car’s accelerator pedal as a subscription service, that’s like an engraved invitation to clever independent mechanics who’ll charge you a single fee to permanently unlock that “feature”:

https://www.techdirt.com/2023/12/05/carmakers-push-forward-with-plans-to-make-basic-features-subscription-services-despite-widespread-backlash/

Comcom saved giant tech companies like Apple. Microsoft tried to kill the Mac by rolling out a truly cursèd version of MS Office for MacOS. Mac users (5% of the market) who tried to send Word, Excel or Powerpoint files to Windows users (95% of the market) were stymied: their files wouldn’t open, or they’d go corrupt. Tech managers like me started throwing the graphic designer’s Mac and replacing it with a Windows box with a big graphics card and Windows versions of Adobe’s tools.

Comcom saved Apple’s bacon. Apple reverse-engineered MS’s flagship software suite and made a comcom version, iWork, whose Pages, Numbers and Keynote could flawlessly read and write MS’s Word, Excel and Powerpoint files:

https://www.eff.org/deeplinks/2019/06/adversarial-interoperability-reviving-elegant-weapon-more-civilized-age-slay

It’s tempting to think of iWork as benefiting Apple users, and certainly the people who installed and used it benefited from it. But Windows users also benefited from iWork. The existence of iWork meant that Windows users could seamlessly collaborate on and share files with their Mac colleagues. IWork didn’t just add a new feature to the Mac (“read and write files that originated with Windows users”) — it also added a feature to Windows: “collaborate with Mac users.”

Every pirate wants to be an admiral. Though comcom rescued Apple from a monopolist’s sneaky attempt to drive it out of business, Apple — now a three trillion dollar company — has repeatedly attacked comcom when it was applied to Apple’s products. When Apple did comcom, that was progress. When someone does comcom to Apple, that’s piracy.

Apple has many tools at its disposal that Microsoft lacked in the early 2000s. Radical new interpretations of existing copyright, contract, patent and trademark law allows Apple — and other tech giants — to threaten rivals who engage in comcom with both criminal and civil penalties. That’s right, you can go to prison for comcom these days. No wonder Jay Freeman calls this “felony contempt of business model”:

https://pluralistic.net/2023/11/09/lead-me-not-into-temptation/#chamberlain

Take iMessage, Apple’s end-to-end encrypted (E2EE) instant messaging tool. Apple customers can use iMessage to send each other private messages that can’t be read or altered by third parties — not cops, not crooks, not even Apple. That’s important, because when private messaging systems get hacked, bad things happen:

https://en.wikipedia.org/wiki/2014_celebrity_nude_photo_leak

But Apple has steadfastly refused to offer an iMessage app for non-Apple systems. If you’re an Apple customer holding a sensitive discussion with an Android user, Apple refuses to offer you a tool to maintain your privacy. Those messages are sent “in the clear,” over the 38-year-old SMS protocol, which is trivial to spy on and disrupt.

Apple sacrifices its users’ security and integrity in the hopes that they will put pressure on their friends to move into Apple’s walled garden. As CEO Tim Cook told a reporter: if you want to have secure communications with your mother, buy her an iPhone:

https://finance.yahoo.com/news/tim-cook-says-buy-mom-210347694.html

Last September, a 16-year old high school student calling himself JJTech published a technical teardown of iMessage, showing how any device could send and receive encrypted messages with iMessage users, even without an Apple ID:

https://jjtech.dev/reverse-engineering/imessage-explained/

JJTech even published code to do this, in an open source library called Pypush:

https://github.com/JJTech0130/pypush

In the weeks since, Beeper has been working to productize JJTech’s code, and this week, they announced Beeper Mini, an Android-based iMessage client that is end-to-end encrypted:

https://beeper.notion.site/How-Beeper-Mini-Works-966cb11019f8444f90baa314d2f43a54

Beeper is known for a multiprotocol chat client built on Matrix, allowing you to manage several kinds of chat from a single app. These multiprotocol chats have been around forever. Indeed, iMessage started out as one — when it was called “iChat,” it supported Google Talk and Jabber, another multiprotocol tool. Other tools like Pidgin have kept the flame alive for decades, and have millions of devoted users:

https://www.eff.org/deeplinks/2021/07/tower-babel-how-public-interest-internet-trying-save-messaging-and-banish-big

But iMessage support has remained elusive. Last month, Nothing launched Sunchoice, a disastrous attempt to bring iMessage to Android, which used Macs in a data-center to intercept and forward messages to Android users, breaking E2EE and introducing massive surveillance risks:

https://www.theverge.com/2023/11/21/23970740/sunbird-imessage-app-shut-down-privacy-nothing-chats-phone-2

Beeper Mini does not have these defects. The system encrypts and decrypts messages on the Android device itself, and directly communicates with Apple’s servers. It gathers some telemetry for debugging, and this can be turned off in preferences. It sends a single SMS to Apple’s servers during setup, which changes your device’s bubble from green to blue, so that Apple users now correctly see your device as a secure endpoint for iMessage communications.

Beeper Mini is now available in Google Play:

https://play.google.com/store/apps/details?id=com.beeper.ima&hl=en_US

Now, this is a high-stakes business. Apple has a long history of threatening companies like Beeper over conduct like this. And Google has a long history deferring to those threats — as it did with OG App, a superior third-party Instagram app that it summarily yanked after Meta complained:

https://pluralistic.net/2023/02/05/battery-vampire/#drained

But while iMessage for Android is good for Android users, it’s also very good for Apple customers, who can now get the privacy and security guarantees of iMessage for all their contacts, not just the ones who bought the same kind of phone as they did. The stakes for communications breaches have never been higher, and antitrust scrutiny on Big Tech companies has never been so intense.

Apple recently announced that it would add RCS support to iOS devices (RCS is a secure successor to SMS):

https://9to5mac.com/2023/11/16/apple-rcs-coming-to-iphone/

Early word from developers suggests that this support will have all kinds of boobytraps. That’s par for the course with Apple, who love to announce splashy reversals of their worst policies — like their opposition to right to repair — while finding sneaky ways to go on abusing its customers:

https://pluralistic.net/2023/09/22/vin-locking/#thought-differently

The ball is in Apple’s court, and, to a lesser extent, in Google’s. As part of the mobile duopoly, Google has joined with Apple in facilitating the removal of comcom tools from its app store. But Google has also spent millions on an ad campaign shaming Apple for exposing its users to privacy risks when talking to Android users:

https://www.theverge.com/2023/9/21/23883609/google-rcs-message-apple-iphone-ipager-ad

While we all wait for the other shoe to drop, Android users can get set up on Beeper Mini, and technologists can kick the tires on its code libraries and privacy guarantees.

--

--