Beeper is an app that connects multiple chat networks into one, such as SMS, iMessage, Whatsapp, Signal and others. Each message you send and receive are relayed through Beeper’s servers, which act as a bridge to convert these messages to a Matrix channel. (This can be cool since you can use multiple Matrix clients to message people using a different network). Beeper has always used a fleet of Mac Minis to relay iMessages, since historically Apple devices are the only way to expose iMessage to be used elsewhere. However, a recent reverse engineering proof-of-concept named Pypush is being actively developed by JJtech, a 16 year old security researcher who outsmarted Apple’s iMessage algorithm – never before attempted. This gained him a vast amount of popularity, especially after YouTuber “snazzy labs” released a video that grew the Pypush community by 8x and gave the project 3k stars in the first week.

Who is Beeper?

The Beeper team bought Pypush a couple months before all of this, and they recently made a new Matrix bridge, replacing the old one which was slower, unreliable, and was powered by Macs. Beeper Mini has just been released, soon to replace the original Beeper app, now named Beeper Cloud. Beeper Mini now does everything locally, no need for any separate servers or Matrix bridge. This app exploded in popularity, gaining 100k downloads in 36 hours. Beeper Mini is the single most defining move in the history of iMessage x Android apps, as many parodies, commentaries, and videos are being made about this app. Linus Tech Tips also talked about Pypush, JJtech, and Beeper Mini in the latest WAN show, and one of their sister channels has released a video here. US Senator Warren also made her opinions known on Twitter, as did many others.

Current Sentiment

However, with the good also comes the bad. Many people have made comments about this app about it being “insecure and a huge vulnerability for Apple”. These are the same people who are thinking you are hacking the government and expecting the FBI to take you to prison or something just because you jailbroke your iPhone. These comments are luckily being called out as BS, since Pypush is very much open source as well as Beeper, who currently has every one of their Beeper Cloud bridges open-sourced, and parts of Beeper Mini in the future (and they have been very transparent compared to other competitors, where communication is a huge problem in the community). You can see exactly how Beeper Mini works and all the technical details right here, which is also where you can find their product roadmap for future plans.

What Broke?

I bet you’re wondering an important question right now, does Apple like this? The answer is: no. No, not one bit. They were fine with the development of Pypush, but the second day Beeper Mini was released, they broke it. If you are interested in the technical details, here they are (I highly recommend you read JJtech’s article before continuing): when Pypush first connects, it requests an authentication certificate from Albert (which is required to connect to APNs), the first step in connecting to Apple’s servers. Device info is sent along with the request, and before we were identifying as a Windows device since Windows can use iTunes and that is what JJtech first developed on. However Windows devices do not have iMessage functionality, so Apple can easily see block devices that identify as Windows but try to send an iMessage.

Beeper’s Response

This was a simple fix but took a few days to implement. However, SMS-registration is still broken to this day due to unknown reasons. SMS-registration is the act of registering an Android phone number with iMessage so you can use your number as an alias within Beeper or any other Android iMessage client. To add onto that, Apple seems to be silently breaking people’s messages, as some can’t send or receive iMessages. Apple appears to be blocking the serials and device info Beeper Mini/Cloud and Pypush uses. This is yet to be fixed for everyone, but it seems Beeper has a solution for now.

Just a Theory…

Many are speculating this will be an infinite cat-and-mouse game between Pypush/Beeper and Apple, but no one knows how it’s going to shape out to be or end, as Apple did confirm they broke “unauthorized actors from gaining access to our system with fake credentials” which is absolute bullshit. We do however know that Apple has not broken iMessage with older devices such as the iPhone 4 or legacy Macs, which is a very good sign for us. The only reason Pypush would ever break is if Apple ever released an update to use the SEP (Secure Enclave Processor, all iPhones and all M series Macs) or T2 chip (Intel Macs starting with 2019) to integrate with iMessage. However many rightfully doubt this will ever happen since older Intel Mac models do not have these chips, and an update would be required – which many of Apple’s EOL devices would not be able to undergo, and even then very few people update their devices that often, and iMessage would be broken for all devices on iOS 17 or lower.

The Future of Beeper Mini

However that doesn’t mean Apple still won’t play a cat-and-mouse game, though eventually it will probably shape up Pypush and Beeper Mini to be more undetectable, and officially end the game. This is most likely since projects like this need much time to mature, and this is a very new product. Many speculate the reason Apple broke Beeper Mini was because it was $2/month, which creates a legal grey area because they were effectively selling the services of another company. Beeper Mini has since made their service free, planning to paywall it with new features in the future as they plan to add more networks and device compatibility.

Resources

JJtech’s article
Beeper Product Roadmap
How Beeper Mini Works
Beeper Mini’s return

From JJtech’s article

IMFreedom Knowledge Base: iMessage
M. Frister: pushproxy
Nicolás: APNs-dissector
QuarkSlab: iMessage Privacy
Garman et al. Chosen Ciphertext Attacks on Apple iMessage
NowSecure: Reverse Engineering iMessage
Elcomsoft: iMessage Security and Attachments
Eric Rabil’s open-imcore
The Apple Wiki: Apple Push Notification Service
Mihir Bellare and Igors Stepanovs: Security under Message-Derived Keys: Signcryption in iMessage
Apple Platform Security: How iMessage sends and receives messages securely
Nicolás: Apple IDS payload keys
Various people on the Hack Different Discord

Rising Concerns

Community members have raised concerns about the app’s privacy for quite a long time, pointing out trackers found in the decompiled app’s code. Sunbird later banned this member and did not allow discussion of this incident. However three days ago, November 18 2023, multiple members found a fatal vulnerability. The initial request to the Firebase DB is made using HTTP, rather than HTTPS – the secure version. Many of us wonder how in the world a mistake like this was made – many people pointed out that a simple 14 year old could identify and fix this issue with some tech knowledge, and implementing HTTPS is an extremely easy task to do. A proof-of-concept showing how this could be exploited can be found [here], and shows the true impact of user’s privacy. Every user that has ever used Sunbird now has some amount of information leaked online.

Sunbird’s Response

Days later, Sunbird shut down their service due to these security concerns, and their app has been pulled both from the Apple App Store and the Google Play Store. Nothing’s relationship with Sunbird seems to be dwindling in light of this situation, as Nothing probably had no idea who they were dealing with. Amid these leaks, Sunbird still holds their stance on having their app closed-source – a foolish decision since they have the least transparency and user trust than any other unified messaging platform to begin with!

Current Sentiment

Many users have since left, but few are still foolishly siding with Sunbird, not knowing the benefits of using generally better apps such as Beeper. After communicating with some of the Sunbird community members about the truth of what is happening, many others (including those who made the proof-of-concept demonstration, those who raised concerns about trackers, and even those who said anything positive about Beeper) have been banned – I myself have gotten a lengthy timeout. The only thing that surprised everyone is how long it is taking Sunbird to correct this issue…we were all generally aware about security concerns and failing user trust, but this entire situation has been enlightening for everyone, and will continue to be once this gets resolved.

The Future of Sunbird

Sunbird’s future is ultimately unsure. However this has left a astonishing mark on their reputation and will never fully recover from this, after a lot of time, work, and consideration it will be added back to app stores. I believe Sunbird unfortunately will live on, but I also believe that Beeper will reign supreme in the long run, and that Sunbird’s tarnished trust with its users will only slightly heal, especially when we find more vulnerabilities. But for now, Sunbird’s reputation is very much dwindling, and we are unsure if Nothing will continue their partnership.

Overview

History

Pypush is written and maintained by a high school student, Who’s Github alias is JJtech. His endeavors began in the Hack Different community, and it eventually gained enough traction to get it’s very own small community. (He currently has a blog post about how it works right here). Right now, Pypush can do two main things: send iMessages, and link phone numbers; however iCloud and Openhaystack integrations are currently being worked on. Soon after, a company called Beeper bought it and hired JJtech, or James, as a part-time employee. A community member has ported Pypush to Rust, gaining the name “Rustpush”, and Beeper has an internal Go version, soon to be open-sourced. Beeper is also currently rolling out betas with the new “Pypush bridge”, in place of their previous Mac server farm.

Impact

Apps such as Beeper, Sunbird, and BlueBubbles currently use a Mac server to host an iMessage bridge on Android devices. This is basically the backend of all these platforms. However, Pypush now can serve as the “serverless backend”, being able to now use Apple related services locally, without a separate server. Beeper is moving towards this, and there is a current push to get it working with BlueBubbles….once this happens, it will be a game changer, since BlueBubbles is without a doubt the best platform for iMessage.

In summary, the impact of Pypush extends beyond its proof-of-concept roots. Each of the platforms I mentioned before will soon be impacted by Pypush, serving as the new backend for these apps, and hopefully ending Apple’s monopoly on iMessage. Beeper’s integration and ongoing efforts with BlueBubbles show that this could be a huge transition, especially with companies like Nothing implementing Sunbird on their consumer devices (more on that here) and Apple claiming to integrate RCS on their messaging app.