Beeper Isn’t a Safe Solution for iMessaging on Android

Beeper Isn’t a Safe Solution for iMessaging on Android

You might have seen some buzz online about Beeper, an all-in-one solution that combines all your messaging apps in one place. According to the company, you no longer need to juggle a huge number of apps just to keep in touch with friends, family, and work: With Beeper, you can keep those chats in one place, and can even iMessage your friends from Android.

That last point would be especially revolutionary. Sure, it’d be great to message all my friends from just one app, but an easy way to iMessage on Android? Gold. You could pick up a Galaxy Z Flip, something totally different from the standard iPhone we all know, yet never pop up as a green bubble for anyone on the platform. Incredible.

But here’s the thing: Beeper absolutely works, and this can be your reality, but at a steep cost to your security. In my opinion, it just isn’t worth it.

How Beeper works

As complex a task as it takes on, Beeper is a surprisingly simple machine. It is built on two parts: first is the client app, available on Mac, Windows, Linux, Chrome OS, iOS, and Android. This is the program you use to round up your various chat apps in one place. The other part is the service itself, which Beeper maintains on the backend.

This service is built on Matrix, an open-source, decentralized standard for messaging. Like other decentralized systems, Matrix allows you to freely message other people regardless of which platforms you’re using. You could both be using Matrix, or you could create a “bridge” to connect your Matrix standard to their platform of choice. This required some know-how in the past, but Beeper makes it as easy as setting up any other chat app.

When you set up a new chat service with Beeper, it creates one of these bridges to connect your client to that app. The bridge’s job is to relay messages back and forth, and each chat platform has its own bridge. That, in a very brief nutshell, is how the basics of Beeper works.

Beeper can’t securely handle end-to-end encryption with most chat apps

Of course, things get more complicated when you bring encryption into the picture. Encryption varies from platform to platform, but there are some services, like iMessage, Signal, and WhatsApp, that are entirely end-to-end encrypted (E2EE). Beeper itself is E2EE between other Beeper and Matrix users: Any message you send to someone using the Beeper client or Matrix in anyway is protected. Good news!

However, the good news ends there. As most of your friends won’t be using Beeper, you’ll need to send your message from Beeper directly to their platform of choice. Let’s focus on iMessage for this example, since many people will likely be interested in Beeper for using Apple’s message protocol on Android, but much of the essentials here apply to WhatsApp and Signal as well.

In order to get iMessage up and running on Beeper, you need to give Beeper access to your Apple account. That’s a huge security risk in and of itself, and your Apple devices will warn you of that right away: When you connect Beeper to iMessage, you’ll receive a security alert that someone in another location is attempting to log into your Apple account. That’s one of Beeper’s Macs, which you’ll need to give permission to if you want to bridge your iMessages to your Beeper client. Some might see this as a worthwhile trade, but I draw the line right here.

But that isn’t the end of the security issues. When you send a message from Beeper to a contact on iMessage, that message is encrypted on your device, sent to Beeper’s web service, decrypted and re-encrypted, then sent to your friend. Basically, Beeper has to “open” your iMessage first in order to send it on its way. This is necessary for this service to work, because platforms like iMessage, WhatsApp, and Signal have proprietary encryption protocols that do not communicate with other platforms, like Beeper or Matrix. However, it is an enormous security flaw, as it breaks the E2EE these services are built on.

When you send an iMessage to a friend on your iPhone, that message is protected from everyone besides you two. The only way to decrypt and read that message is if you have access to one of your connected devices. To all interceptors, everything from a funny meme to your social security number looks like a jumbled collection of unintelligible math. That’s E2EE at work.

By decrypting the message on Beeper’s servers, Beeper’s employees can read your messages. But even if they swear an oath to never look at users’ messages, it doesn’t matter, because if Beeper is ever hacked, bad actors will have access to all incoming and outgoing iMessages. (And I promise you, they will read them.) Sure, once a message is processed and re-encrypted, no one can read them but the intended parties, but that weak link in the middle defeats the purpose of the entire “end-to-end” design.

Imagine there’s a tiger in your living room. You’re in your bedroom, where there is no tiger, and you need to get to the bathroom, which is also tiger-free. Just because these two rooms are safe from the tiger, doesn’t mean it’s safe to cross the room with the tiger to get there. Sure, there’s a tiger keeper who swears they will keep this thing on a chain. But if someone were to sneak in and silently let the tiger loose, that tiger will have access to your unencrypted iMessages.

Beeper isn’t all bad with encryption

The story is better for the data stored on Beeper’s servers, all of which is encrypted. That includes your message histories. Beeper cannot read this data because it is E2EE. The only way to access it is with the Recovery Code you receive when creating your account. That allows you to securely access your data on other devices, and also means Beeper cannot help you recover this data if you lose this key.

There’s also hope for the future: Beeper mentions that new EU legislation will compel companies like Apple and Meta to create interoperable end-to-end-encrypted APIs. In short, this change could allow a service like Beeper to preserve E2EE across its bridges, which would keep your iMessages protected in-transit. As it stands, however, the service just isn’t safe: It takes protected messaging protocols and exposes them to anyone who wants to look. You might think that’s worth the risk to have iMessage available on Android, but for anyone who values their privacy and security, Beeper isn’t the move—at least, not yet.

Leave a Reply

Your email address will not be published. Required fields are marked *