In the latest chapter of Blue Bubbles vs. Green Bubbles, Apple has blocked access to iMessage from credentials impersonating Apple to protect its customers, the company told CNET on Saturday night. This comes after companies such as Beeper and Nothing released Android apps that offered a workaround.
The iPhone maker said it can’t verify messages sent through unauthorised means that pose as valid Apple credentials. Messages sent via iMessage use end-to-end encryption to ensure that no one but the sender and recipient can access them. Apple said it blocked these “spoofed credentials” to protect its customers.
The move comes less than a week after Beeper reversed access to iMessage, allowing people using Android or Windows to use the service and send iMessages from non-Apple devices. Messages sent to an iPhone owner that would normally appear as green bubbles from an Android user via SMS appeared as blue when sent from the Beeper Mini Android app or Beeper Cloud, the original version of the service that routed iMessage through a Mac.
“At Apple, we build our products and services with industry-leading privacy and security technologies designed to put users in control of their data and keep their personal information safe,” Apple said in a statement provided to CNET. “We have taken steps to protect our users by blocking techniques that use spoofed credentials to gain access to iMessage.”
In order to maintain end-to-end encryption, Apple can’t verify that messages sent through masquerading apps have valid credentials.
“These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam and phishing attacks,” Apple said. “We will continue to make updates to protect our users.”
Beeper Mini users took to Reddit on Friday to say they couldn’t send or receive messages using the app.
“It’s confusing to read that Beeper Mini is somehow making those communications less secure and less private, because that’s the opposite of what’s happening,” Beeper co-founder Eric Migicovsky told CNET on Saturday night. “What we did was encrypt those conversations. And it’s shocking to see a statement that’s almost the exact opposite of what happened”.
SMS messages sent between Android and iPhone users are not encrypted. But for three days last week, the Beeper Mini app allowed Android and iPhone owners to communicate securely with end-to-end encryption. Migicovsky explained that Apple hadn’t contacted him or his company directly. He explained that Friday’s outage started at 11:30am and took down Beeper Mini and Beeper Cloud, but that his team got Beeper Cloud back up and running within 23 hours.
“We got Beeper Cloud up and running. So whatever Apple’s statement is, it’s not entirely accurate. Or whatever they mean by it, it’s not,” Migicovsky said. “As of today, as of right now, it’s working great.”
On Sunday, Senator Elizabeth Warren posted on X, calling on Apple to offer more interoperability between Android users and iMessage, saying “chatting between different platforms should be easy and secure”. It shows that this issue is becoming more than just a green bubble versus blue bubble debate, and is now being scrutinised by politicians, adding to a growing list of concerns Congress has with platforms owned by tech giants.
So what’s next? All of this follows Apple’s recent statement that it will adopt the RCS SMS standard in 2024. But that doesn’t stop Beeper.
“If anyone doubts the security and privacy of our app, we’re happy to provide the source code to a mutually agreed upon third party and let them be the arbiters,” Migicovsky said. “Extraordinary claims require extraordinary proof”.
