In the latest chapter of blue bubbles versus green bubbles, Apple has blocked access to iMessage from credentials masquerading as Apple to protect its customers, the company told CNET on Saturday evening. This comes after companies like Beeper and Nothing released Android apps that had provided a workaround.
The iPhone maker said that it can't verify messages sent via unauthorized means that were posing as valid Apple credentials. Messages sent over iMessage have end-to-end encryption to ensure that no one but the sender and recipient has access. Apple said it blocked these "fake credentials" to protect its customers.
The move comes less than a week after Beeper reversed-engineered iMessage access so people using Android or Windows could use the service and send iMessages from non-Apple devices. Messages sent to an iPhone owner that would normally show up as green bubbles from an Android user over SMS showed up as blue if sent from the Beeper Mini Android app or Beeper Cloud, the original version of the service that routed iMessage through a Mac.
"At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe," Apple said in a statement provided to CNET. "We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage."
To maintain end-to-end encryption, Apple can't verify these messages sent through masquerading apps as having valid credentials.
"These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks," Apple said. "We will continue to make updates in the future to protect our users."
"It's mind-boggling to read that Beeper Mini is, in some way, making those communications less secure and less private, because that's the opposite of what's happening," Beeper co-founder Eric Migicovsky told CNET Saturday night. "What we did was make those conversations encrypted. And it's shocking to see a statement that's almost the polar opposite of what exactly happened."
Messages sent via SMS between Android and iPhone users are unencrypted. But for three days last week, the Beeper Mini app allowed Android and iPhone owners to communicate securely with end-to-end encryption. Migicovsky said that Apple hasn't reached out to him or his company directly. He said that Friday's outage started at 11:30 a.m. and knocked out Beeper Mini and Beeper Cloud but that his team got Beeper Cloud up and running again within 23 hours.
"We got Beeper Cloud up and running. So whatever the statement Apple said, it's not entirely correct. Or whatever they mean by it isn't," Migicovsky said. "As of today, as of right now, it's working great."
On Sunday, Sen. Elizabeth Warren posted on X calling on Apple to offer more interoperability between Android users and iMessage, saying "chatting between different platforms should be easy and secure." It's a sign that this issue is becoming more than just a green bubble versus blue bubble debate and is now coming under scrutiny from politicians, adding another to a growing list of concerns Congress has with platforms owned by tech giants.
So what's next? All this follows Apple's statement last month that it would adopt the RCS texting standard in 2024. But that doesn't account for Beeper.
"If anyone doubts the security and privacy of our app, we're more than happy to provide the source code of it to a mutually agreed-upon third party and let them be the arbiters of this," Migicovsky said. "Extraordinary claims require extraordinary evidence."