[NettleBurr]

>Apple on Wednesday appeared to have blocked what Beeper described as "~5% of Beeper Mini users" from accessing iMessages

>Apple previously issued a (somewhat uncommon) statement about Beeper's iMessage access, stating that it "took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage." Citing privacy, security, and spam concerns, Apple stated it would "continue to make updates in the future" to protect users. Migicovsky previously denied to Ars that Beeper used "fake credentials" or in any way made iMessages less secure.

Not commenting about the ethics of all this, just wondering why technically Apple can only block ~5% of Beeper Mini users instead of all of them? Could this potentially be tied to the use of an email id as the iMessage handle?

[turquoisevar]

> Not commenting about the ethics of all this, just wondering why technically Apple can only block ~5% of Beeper Mini users instead of all of them? Could this potentially be tied to the use of an email id as the iMessage handle?

Apple could block 100% of the people using Beeper and throw Hackintosh users into that as a bonus as well.

The reason they’re not doing that is because it could have unintended consequences as some are using someone else’s actual device serial number and those people would be inconvenienced.

It’s nothing that can’t be easily solved, the moment they reach out to support either in person or via phone/chat Apple can immediately verify if they’re using a legitimate Apple device, but even if it boils down to a small percentage of users you still need to prepare for the influx of support requests.

To do this, Apple uses a scoring model to determine if they can access iMessage and historically they’ve been pretty generous by allowing clearly spoofed serials if the Apple ID involved is in good standing and has a positive history, think of it as a credit score. They can tweak the threshold score and probably are testing this out as we speak to find a sweet spot they’re content with.

Apple could also push out an update tomorrow that would end this once and for all by utilizing device attestation and leveraging Secure Enclave, but this would potentially lock out older devices, something they were willing to do when they upgraded the FaceTime protocol a couple of years ago, but they might not want to do that this time around.

[dylan604]

>Apple could also push out an update tomorrow that would end this once and for all by utilizing device attestation and leveraging Secure Enclave, but this would potentially lock out older devices, something they were willing to do when they upgraded the FaceTime protocol a couple of years ago, but they might not want to do that this time around.

Just give it a couple more hardware generations to ensure the largest % of older hardware upgrades. Anything pre-secure enclave chip would need to be in the low digits I'm guessing. Then again, if they are going to block Messages, that might be the incentive to get these older device users to upgrade.

[Sunspark]

Are you talking about the iOS 6 to 7 transition where the security certificates expired and Apple wouldn't issue a new one and said you needed to switch to iOS 7 if you wanted Facetime to work again? That was my last iOS device.

[dylan604]

I don't remember that as I just upgraded the OS. Why would an OS upgrade be some thing you wouldn't do? Seems to me like you have bigger personal issues than some technical one with this situation.

[Sunspark]

I just really liked the old skeuomorphic UI which dripped gorgeousness and didn't want to switch to a bland flat white interface.

[jwells89]

> The reason they’re not doing that is because it could have unintended consequences as some are using someone else’s actual device serial number and those people would be inconvenienced.

One is supposed to try to find a plausible (follows certain rules) but invalid serial to use for hackintoshing and not use real serials, but of course in practice there’s always some number of careless users…

[turquoisevar]

Yeah, that's what they're supposed to do, and to the credit of the Hackintosh community, that’s what most tutorials suggest.

But like you said, there are always people who don’t care about others as long as they have theirs.

There is, so far anyway, no reason to go against this best practice because, even though Apple can instantly detect a bogus serial, their currently used scoring threshold still allows you to use iMessage provided you’ve got a non-fresh Apple ID in good standing.

[rezonant]

This is interesting. How do you define "invalid" and why can Apple not also detect such invalidity?

There's been some talk that blocking this for Beeper will also block this for Hackintosh, but are we just talking about iMessage?

Because I have a hard time believing that (A) Apple can't just block this for iMessage without affecting whatever other system services rely on it and (B) That Apple would care if Hackintoshes lose iMessage.

If those two are true, and assuming Beeper Mini also tries to find plausible but invalid serials to use, then Hackintoshes definitely aren't the reason they aren't blocking based on this.

[jwells89]

My understanding is that the serials represent information, including model and date/location of manufacture. It’s therefore possible to create correctly formed but impossible serials, for example one that represents a pre-touchbar 2015 MBP manufactured in Ireland in 2018.

Apple should easily be able to tell when someone has done this.

[turquoisevar]

They indeed used to have data like that encoded in it.

Not too long ago, however, they moved to a completely randomized serial format, perhaps partly because of iMessages shenanigans.

[rezonant]

Hmm, how many bits of entropy are in one of these things? Can we calculate the likelihood of collision?

[nneonneo]

iMessage seems to use quite a lot of information from the hardware aside from the serial number. See https://github.com/JJTech0130/pypush/blob/main/emulated/data... for the data that is used to calculate the "validation blob" to activate iMessage. Several of the keys (not values!) are random-looking gibberish like "kbjfrfpoJU" and "oycqAZloTNDm", while others are normal things like "product-name" and "IOPlatformUUID".

[turquoisevar]

Apple can detect this, but they’ve allowed it in most cases when it’s done with an Apple ID in good standing and some history.

Why they allowed it is anyone’s guess, but the leading theory is that they valued not hindering established customers over locking iMessage completely down and perhaps the bad PR that comes with banning someone’s Apple ID over this.

[rezonant]

Well they could block the client itself, independent of blocking the Apple ID. It's the client that sends the serial information. Your Apple ID only gets associated with it indirectly.

[rezonant]

> The reason they’re not doing that is because it could have unintended consequences as some are using someone else’s actual device serial number and those people would be inconvenienced.

As far as I know, it's not actually known what model numbers, serial numbers, and disk UUIDs Beeper Mini is sending (and no the POC repository doesn't really tell us)-- if you have a source that talks about this I'd love to read it!

[_rs]

I’m pretty sure Apple could figure this out pretty easily by running it on an Android device themselves, considering they control the endpoints it talks to

[beeboobaa]

> Apple could also push out an update tomorrow that would end this once and for all by utilizing device attestation and leveraging Secure Enclave

More proof that Remote Attestation is evil and does not exist to serve the user.

[turquoisevar]

Like any tool, it can be used for good and for evil and the perspective of which is which depends on who you ask.

You can use device attestation to combat spam by making sure only authentic devices connect to your service.

You can use it to facilitate contact key verification together with a hardware key to ensure contacts know who they’re talking to.

I’ve used it to make sure that introductory promotions are only offered once per device.

On the other end of the spectrum you can use it as a DRM of sorts to make sure ads on your website aren’t blocked.

[mngdtt]

As a user, I am very well served by remote attestation when it is used to stop cheaters in videogames or spammers in messaging platforms.

[rezonant]

This assumes that all Beeper Mini users are spam, and that's a weird take.

More charitably, perhaps you are saying spam will increase over previous levels. From what I understand, Apple does not have any spam prevention technologies in Messages at all, neither for incoming iMessages, nor for SMS messages-- so the only thing keeping your iMessage conversations free of them is the obscurity of the protocol. Perhaps they should just add anti-spam tech like other texting clients have had for years.

[43920]

When you get an iMessage from a new contact, there's a "report junk" option; I'm assuming Apple does some kind of spam detection with that (ie if a particular Apple ID gets enough reports, it gets blocked). I've never seen any public documentation of it though.

[StressedDev]

The same technology Beeper Mini uses to get onto iCloud can also be used by spammers, crooks, etc. to get onto iCloud. You either get both or none. Frankly, as a paying Apple customer, I want them to close this because I hate SPAM. Also, the obsession of iMessage seems very strange to me.

[beeboobaa]

Nonsense. You still just receive SMS messages as normal, so any spam will be delivered to you regardless.

The solution to spam is to petition your government to crack down, or do server side filtering. Banning random phones is like playing whack a mole.

[SpaghettiCthulu]

You are incredibly selfish. Neither of those are more than a mild inconvenience. On the other hand, loss of personal freedom and privacy are major issues with real world consequences.

[beeboobaa]

Both of those are issues that can be solved server side if the company actually cared. They don't, and instead want to steal your freedom so they can push DRM.

[CaptainFever]

iMessage already has a spam problem, even with attestation.

[kmeisthax]

I know of no messaging platform using remote attestation for antispam - and, as far as those platforms continue to support web registration, they can't use remote attestation[0]. Even if they could, it wouldn't help. Remote attestation verifies that your client code is running without modification. What you care about with spam is keeping the spammers from registering large numbers of unrelated accounts, which doesn't require modifying the client at all.

I will give you that remote attestation does help anticheat. However, the current state of anticheat in games is so invasive now that you have to install special kernel drivers, and that kernel has to be on bare metal (no hypervisors allowed). This only happened because a specific genre of fast-twitch first person shooter has a lot of closet cheating going on. But it also gets blindly applied to things like rhythm games that absolutely do not need kernel-level anticheat[1]. So every game gets more invasive because of one hyper-competitive game genre triggering an anticheat arms race.

[0] Or at least, for as long as Web Environment Integrity stays dead

[1] Altering the client isn't even the most common way of cheating rhythm game records. For example, a good chunk of the rules for, say, Pump It Up's online leaderboards is "don't have other players play on your A.M.Pass" and "don't hook up a hand controller onto an online cab". Neither of which would be stopped by an anticheat system (and yes, PIU being an arcade rhythm game, there's shitton of encryption on it).

[JimDabell]

> as far as those platforms continue to support web registration, they can't use remote attestation

They can; Apple (and others) have implemented Private Access Tokens (PATs) for this.

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

[kccqzy]

Remote attestation does more than ensuring code is not modified. It definitely can be used to prevent spammers from registering a large number of accounts.

And no, web registrations as a must have is an extremely antiquated concept.

[I_Am_Nous]

Seems like a chess move. Apple blocks a small percentage of users instead of all of them, which casts uncertainty on using Beeper Mini at all. It also allows them to A/B test various methods of blocking or honeypotting Beeper Mini logins without giving away any big secrets.

From Beeper's perspective, they now have to figure out why only those logins were blocked and if they need to patch something or not. Apple could be wasting their time and blocked random users out of spite.

Time will tell.

[standardUser]

Ugh, it is beyond depressing to imagine Apple bigwigs sitting around discussing ways to make absolutely certain teens keep getting ostracized until they buy their overpriced product.

[StressedDev]

If someone is ostracizing you because you do not own an iPhone, you probably want to avoid that person. I have never met anyone who would do this and frankly, only an extremely nasty person would do this. I am mean seriously, why ostracized someone because they use a different type of phone?

[vineyardmike]

Do you forget being a teenager? /s

It's not simply a MeanGirls experience of not being cool enough. Most Americans don't use or have 3rd party apps like WhatsApp, so most people will fall-back to SMS, which is objectively a much worse experience. I feel like the adult equivalent is getting group dinner with a friend with severe allergies or dietary restrictions. You care about your friend, and you want to invite them, but the effort to include them is high and sometimes you want to try a restaurant you know they can't eat at, so you skip the invite. I'm a vegetarian, and I know my friends skip me outright in the steakhouse dinners.

50% of Americans have an iPhone, and that is even higher for teenagers (almost 90%). That means >50% of people have this superior group functionality built-in (can't beat defaults). That means for teenagers, most of your friends will have iMessages, and most will be able to do effortless group chats, and its a statistical dice-roll to see if someone doesn't have an iPhone. You become "that guy" that causing disruption, and you'll 100% be ignored sporadically.

Again, the issue isn't "I don't wanna see green bubbles", the issue is "I don't want to bother with a third party app for this conversation". Since most people don't regularly use 3rd party messaging apps, there's a coordination issue to be solved picking the app and confirming everyone has it, OR falling back to SMS which is pretty messy. The alternative is to skip one friend and just fill them in later. Sometimes it's easier, it's not an elitist attempt to ostracize.

[text0404]

sorry but this sounds like it's written by someone who is definitely not a teenager and who hasn't experienced this before.

[vineyardmike]

Not a teenager today but I was ~13 when iMessages came out, and owned an iPhone since. Except for 3mo when I was 16.

[withinboredom]

This is an adulting problem. Most of my adult friends use WhatsApp around me. So, our kids use WhatsApp because that is how they communicate with us. So, the "actual" solution is to start using WhatsApp (or whatever) and get your friends to do it. Then force your kids to do it ... then bam, iMessage no longer matters.

[fennecfoxy]

First of all you forget what it's like being a teen/young person I guess, or perhaps your personality is different from most, but that sort of social pressure is quite tough on people.

Apple also relies on the path of least resistance as well, if someone is having a poor experience in a group chat with their iPhone friends...it just becomes "easy" for them to choose an iPhone the next time they change phones.

Look at other companies, Microsoft porting Office etc to MacOS, Google services like maps gmail etc available on the iPhone. It's only Apple that walls their tech in so that it's only on iPhone - they don't care about profit lost to not expanding their reach because they reinforce their own platform.

[Aeglaecia]

I admire the surety in children applying logic to their behaviour

[standardUser]

> I am mean seriously, why ostracized someone because they use a different type of phone?

Your current lived experiences may not be in sync with people in their teens or twenties. This is a well-known phenomenon called "green bubble bullying" that Apple has masterfully orchestrated to make people force other people to buy their phones.

[jollyllama]

They're imagining that they won't just get made fun of for something else. It never ends; you either have to not care, conform, or sustain trauma.

[expensive_news]

I have met people that will do this, and trust me, they are worth avoiding.

[averageRoyalty]

Given the majority of their users don't care about that, it seems unlikely to be an accurate portrayal of the internal discussions.

[standardUser]

You don't think Apple brass is doing everything in their power to convince non-iPhone users to switch to an iPhone? Every excluded teen is another potential customer and to pretend they don't know that is beyond naïve.

[averageRoyalty]

I do, but the group that consists purely of American teenagers (even if it's 100% of them), is one of many demos, and a relatively small one globally.

[frumper]

I doubt anyone is shocked that Apple execs want to sell more Apple products. They are paid very well to do that.

[rezonant]

Do you have data about that or are you assuming you and your friends are representative of the majority of users?

It seems like one side of the debate says "I have experienced this, and the product features seem to encourage this behavior" and the other side says "No one really does this, you just have a few insane friends who happen to use iOS".

Feels like gaslighting when you've experienced this sort of behavior yourself, and not even from tweens who aren't well adjusted to the world, from your middle aged and up friends and family who are bought into that ecosystem.

[averageRoyalty]

I am not refering to myself or my friends at all.

That said, I've only seen this green vs blue debate reported on in the context of American teens. Even if it is accurate in that group (questionable), that group make up a tiny portion of global smartphone users. Even if the actual group who care are double that, it's still tiny.

As such, it seems unlikely this is such a critical thing that Apple bigwigs are sitting around discussing this group.

[MuffinFlavored]

My bigger question is how are any Beeper Mini users getting through (aka how is Beeper Mini's backend getting around the fact that... I thought you needed a valid serial # to an Apple device specific to you to log in + use iMessage)

[dylan604]

at some point Serial Box will have a list of valid/invalid hardware serial numbers. or, someone will crack the code to generate valid codes.

oh wait. i drifted off back to the 90s software cracking days.

[rekoil]

Apple doesn't have predictable serial numbers anymore, they're all just random numbers corresponding to rows in a database. There's no way to generate them.

[dylan604]

It wasn't a serious idea. The fact I mentioned it along side Serial Box should have been a clue. Maybe you're too young to know what Serial Box was, or the 90s cracking culture. Shh, the adults are speaking =)

[rekoil]

No, I remember Serial Box, serials.ws, MegaGames, scene intros, etc. I just have trouble determining tone on the internet sometimes is all.

[MuffinFlavored]

if apple checks an online database for "you authenticated and paired this hardware ID to this apple ID", is that a "Beeper Mini" killer?

[dylan604]

isn't that essentially what they are doing? that's one of the reasons a stolen iDevice is pretty much worthless.

[rezonant]

What about when the hardware is legitimately sold and reset and a new Apple ID starts using it?

[chongli]

You have to de-register the device with Apple when you sell it. Otherwise you retain the ability to remote wipe and brick the device and the buyer has no recourse.

After you de-register it the buyer can register it with Apple under their Apple ID.

[Wingy]

I have Apple devices that are allowed to use iMessage including some that I don't use. If my computer can impersonate one of them to allow me to message from my workstation that's success.

[MuffinFlavored]

> If my computer can impersonate one of them to allow me to message from my workstation that's success.

But Beeper Mini isn't asking users to bring-their-own valid hardware registered Apple hardware ID tied to their Apple ID, they're doing something different/unknown behind the scenes

[MuffinFlavored]

> Migicovsky previously denied to Ars that Beeper used "fake credentials"

As far as I know (I could be wrong), in order to log in + auth to Apple's various protocols that are involved to make iMessage work, you need a valid Apple ID and some sort of valid hardware ID.

If you don't have either of those, how would you be talking to Apple's services?

If their POST /login requires email + password + valid registered serial # of device sold that isn't flagged stolen and not shared across 100 accounts... how does Beeper Mini expect to work?

[saintfire]

AFAIK, and I could be wrong, beeper mini registers a new HWID with apple for each phone. Which is why they thought it was unpatchable, at first, as they would need to determine which phone is in fact an iPhone.

[nneonneo]

There's much more to the validation protocol than just HWID/serial. See https://github.com/JJTech0130/pypush/blob/main/emulated/data... for a list of the data that is pulled from the platform and used for validation. I would assume that Beeper registrations either use data from a pool of real devices, or made-up data that Apple might "permit" (because hackintoshes) but can definitely detect and block at any time.

[MuffinFlavored]

> use data from a pool of real devices

This feels super against terms of services. Taking a paying Apple user's hardware ID and using it for a non-paying user?

Also, I thought you had to tie/pair hardware ID to Apple ID.

[jimmyk2]

Might be intentional. Unreliable service is probably worse as a user. Never know if the system is down or if it’s just you. Plus probably harder for beeper to work out how/why they are getting blocked.

[user_7832]

> Not commenting about the ethics of all this, just wondering why technically Apple can only block ~5% of Beeper Mini users instead of all of them? Could this potentially be tied to the use of an email id as the iMessage handle?

I wonder if it might also have anything to do with govt action. I believe a US elected rep recently tweeted in favour of Beeper. Apple cares much more about PR than they'll admit, and server costs for them are negligible.

[nozzlegear]

The rep was Senator Elizabeth Warren, who was once pretty popular during the Obama years when she helped create the CFPB. She sadly doesn’t hold much sway (e: in the senate) anymore.

[hackernewds]

block 5% for experimentation data to observe whether it's net viable for their metrics to allow cross-pollinating the users finally