In the latest chapter of blue bubbles versus green bubbles, Apple has blocked access to iMessage from credentials masquerading as Apple in order to protect its customers, the company told CNET on Saturday evening. This comes after companies like Beeper and Nothing released Android apps that had provided a workaround.
The iPhone maker said that it cannot verify messages sent via unauthorized means that were posing as valid Apple credentials. Messages sent over iMessage have end-to-end encryption to ensure that no one but the sender and recipient has access. Apple said that it blocked these “fake credentials” in order to protect its customers.
The move comes less than a week after the company Beeper reversed-engineered iMessage access so that people using Android or Windows could use the service and send iMessages from non-Apple devices. Messages sent to an iPhone owner that would normally show up as green bubbles from an Android user over SMS, showed up as blue if sent from the Beeper Mini Android app or Beeper Cloud, the original version of the service that routed iMessage through a Mac.
“At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe,” Apple said in a statement provided to CNET. “We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.”
To maintain end-to-end encryption, Apple can’t verify these messages sent through masquerading apps as having valid credentials.
“These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks,” said Apple. “We will continue to make updates in the future to protect our users.”
Beeper Mini users took to Reddit on Friday to share that they couldn’t send or receive messages using the app.
“It’s mind-boggling to read that Beeper Mini is, in some way, making those communications less secure and less private, because that’s the opposite of what’s happening,” said Beeper co-founder Eric Migicovsky on a call with CNET Saturday night. “What we did was make those conversations encrypted. And it’s shocking to see a statement that’s almost the polar opposite of what exactly happened.”
Messages sent via SMS between Android and iPhone users are unencrypted. But for three days last week, the Beeper Mini app allowed Android and iPhone owners to communicate securely with end-to-end encryption. Migicovsky explained that Apple hasn’t reached out to him or his company directly. He explained that Friday’s outage started at 11:30 a.m. and knocked out Beeper Mini and Beeper Cloud, but that his team got Beeper Cloud up and running again within 23 hours.
“We got Beeper Cloud up and running. So whatever the statement, Apple said, it’s not entirely correct. Or whatever they mean by it isn’t,” said Migicovsky. “As of today, as of right now, it’s working great.”
So what’s next? All this follows Apple’s recent statement that it would adopt the RCS texting standard in 2024. But that doesn’t account for Beeper.
“If anyone doubts the security and privacy of our app, we’re more than happy to provide the source code of it to a mutually agreed upon third party and let them be the arbiters of this,” Migicovsky said. “Extraordinary claims require extraordinary evidence.”