- cross-posted to:
- tech@kbin.social
- cross-posted to:
- tech@kbin.social
All messages are end to end encrypted. Also you don’t need an Apple account and it connects directly to Apple servers.
All messages are end to end encrypted. Also you don’t need an Apple account and it connects directly to Apple servers.
Their “how it works” blog article is worth a read - they’re using a blackbox reverse engineering of the protocol and re-implementing it natively in the app, so there are no man-in-the-middle servers. Impressive software engineering for sure.
The tech is called PyPush and was developed by a teenager and purchased by Beeper.
For sure very interesting! And its open source and you can run it in your computer if you have the knowledge.
Yup, the PyPush python-based proof-of-concept can run pretty much anywhere there’s python.
I’m aware regular Beeper can be self-hosted, but Beeper Mini can too? Is there any more information on this or is that the “if you have the knowledge” part?
The mini version doesn’t need hosting, it doesn’t have a proxy middle man. A 16yo kid reverse engineered the protocol and then got contracted by beeper to implement it as beeper mini. It’s a client directly connecting to apple like imessage native.
Will it break? I’d argue if the cost of breaking it in engineer time is worth doing to Apple, yes. All they’d have to do is roll their own crypto and reverse engineering that might be impossible. Probably easier ways to break it but then maybe it turns into a cat and mouse game.
Legally it’s hard to say if it’s OK too, the end user is likely fine, but the developer especially being contacted may not be since to reverse engineer it could be breaking terms of service or licensing clauses though I’m not really sure what kind of damages could be claimed. To reverse engineer they had to use the original on jailbroken iphones to go through the engineering discovery.
Anyway the point is, it’s not going through beeper or anywhere other than Apple. So there’s no component to host. It’s different to beeper.
The problem is that breaking it will also break a lot of Apple devices.
Hmm you could be right. Keeping old protocols running for legacy compatibility reasons could in this case keep the solution working for some time.
According to Apple users, the color of their bubble has a lot of value
The difference between old and new is that all the services on the old one rely on Matrix bridges and the new one will not. They claim iMessage, Signal and WhatsApp will all be working on-device. So those obviously won’t be self-hosted. The rest they have yet to decide exactly how they will implement them but Matrix is going to be part of it.
Brad Murray said the end goal is to have everyone messaging each other directly on Matrix.
I don’t know about the app itself, but the blog article links to the PyPush python-based proof-of-concept, which you can run pretty much anywhere.
huh, interesting. so from a security perspective is there any other concern with this protocol? at least they’re not using a mac relay server like Nothing Chats was
If the diagrams in their explainer are correct, their servers are only involved to forward Apple’s push messages to your phone through Firebase. That means Beeper knows when you’re receiving messages and how often, but nothing more than that; the phone syncs up with Apple’s servers.
I can’t find the source code so I can’t say much about the encryption code this app uses, but assuming they implemented the encryption well, security should be solid. However, the blog post explaining their architecture does link to another blog post that seems to have kicked off this project that says the most commonly documented format is the outdated encryption system without forward secrecy. I can’t find whether Beeper implemented the newer
pair-ec
encryption or not.There is the risk that Apple bans you for breaking the ToS by using this service, of course, and it’s possible Beeper’s servers get blocked, the company gets served by a cease and desist. If Beeper does go down, the app will stop working well, and you’ll need to unregister your phone number with Apple or your iOS friends won’t be able to text you until that registration auto-expires.
The app itself is closed-source, but they use PyPush, which also has a blog post explaining how it works.
You can ask more questions on Reddit!
If you have any questions, I’m hosting an ask-me-anything on reddit.com/r/beeper - feel free to ask any questions you have for us there (after reading our blog posts first to see if it’s already been answered!)
Heads up: People on Lemmy typically hate Reddit. That’s why we’re here and not there.