Is Beeper Safe? Why Apple Shut Down the Android-to-iMessage App

Apple has shut down Android-to-iMessage app Beeper Mini. But is Beeper safe, and was Apple's decision justified?
Written by
Published on December 11, 2023

Apple has emphatically shut down Beeper Mini, an application that allowed users to send iMessages – which are sent using Wi-Fi rather than cellular networks – between Android and iOS-powered devices.

On Friday, the company announced on social media platform X that they were experiencing an outage. It later transpired that this was due to Apple’s efforts to block it, with the tech giant citing “safety concerns”.

In this short guide, we’ll explain why Apple wanted to shut Beeper Mini down so badly, whether Beeper is safe, and whether any Beeper alternatives are out there are worth considering. All in all, we cover:

What Is Beeper?

Beeper Mini is a mobile app that launched in early December 2023. The app allows Android users to send iMessages, a form of correspondence typically exclusive to iPhones, iPads, and other devices running iOS.

“Beeper”, on the other hand, is an all-in-one unified messaging app for iOS devices and desktops that was launched back in 2021. After the launch of Beeper Mini, it has been renamed “Beeper Cloud”.

Although it’s been possible to send iMessages without an iPhone before the existence of Beeper, the company’s method is a newer, simpler, and more secure way of doing this.

Beeper doesn’t even require users to create or hand over their Apple IDs.

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.See deal button

Beeper Mini was launched after a security researcher – a high school student at the time – submitted a Python script that managed to reverse engineer Apple’s iMessage protocol and provide the functionality to Android phones.

Why Did Apple Shut Down Beeper?

Towards the tail end of last week, Reddit began to be filled with reports of a Beeper outage as users’ message requests were timing out en masse.

The reports were later validated by Beeper co-founder Eric Migicovsky on X (formerly Twitter), who said that “all data indicates that” Apple was behind the outage.

Apple explains in a recently released statement that it “took steps to protect our users by blocking techniques that exploit fake credentials to gain access to iMessage.”

“These techniques posed significant risks to user security and privacy” the company’s solitary statement to the press on the issue continues, “including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.”

Apple’s decision to block Beeper Mini provoked the ire of US Senator Elizabeth Warren, a long-term advocate for more stringent anti-trust laws, who accused Apple of “squashing competitors”.

Is Beeper Safe?

In short, Beeper Cloud has some security limitations that make it less secure than using encrypted messaging apps. However, Beeper Mini is a lot more secure – the company’s openness about its security architecture and rigorous app testing is encouraging, and you don’t need to hand over any Apple account information to use it.

Importantly, Beeper Mini seems like it’s safer than other Android-to-iMessage options at the moment, as well as sending unencrypted SMS messages. Security is rarely a zero-sum equation – and currently, Android messages aren’t encrypted. What’s more, there seems to be no obvious security issue with the way the app has been configured, despite Apple’s protestations.

Beeper Cloud

There are limitations to Beeper Cloud from a security perspective, that are worth knowing about. The company states in its “Getting Started Guide“:

“Beeper is a universal chat app that supports connections to 15+ chat networks. To use Beeper, you must give the app permission to send and receive messages through other chat networks using your account credentials. By definition, this may be less secure than using other chat apps alone, especially encrypted chat apps like Signal.”

On top of this, as this LifeHacker report pointed out in August, if users wanted to send messages via Beeper, they’d have to hand over their Apple account information – which is a “huge risk”.

However, this is not the case with the recently launched Beeper Mini (more on this below) which Apple has blocked – you don’t have to log in with any credentials.

Beeper Mini

Beeper Mini has gone to great lengths to make it as secure as possible for users, which is encouraging – and it’s so confident in its work that it’s open-sourced its code.

As we’ve said previously, it’s certainly safer for Android users than sending standard text messages – and your Apple account ID is not needed to use the app.

Beeper Mini encryption and security process explained

At present, Android/”text” messages (i.e. “green bubbles”) are unencrypted. This means they can be read by anyone who wants to – including your phone carrier. There are very few protections in place to stop this kind of intrusive behavior from happening.

In contrast, when you send a message from an Android device using Beeper Mini, it’ll be end-to-end encrypted (E2EE) before it is sent, and thus sent securely. It does this by implementing Apple’s E2EE protocol natively in the Android app.

“We built Beeper Mini by analyzing the traffic sent between the native iMessage app and Apple’s servers and rebuilding our own app that sends the same requests and understands the same responses,” a company blog post explains.

Beeper says it cannot view the contents of any messages sent using its app, and the private encryption keys used to secure messages – as well as contacts – don’t leave users’ local devices. Only public keys are sent to Apple’s servers, and messages aren’t transferred as plain text.

A diagram showing how Beeper’s message routing system works. Image: Beeper

Unlike other apps that provide similar services, Beeper Mini connects directly to Apple servers rather than using a Mac server relay, something that competitors have struggled to do thus far. This is considered more secure than a middleman company hosting its own servers.

In this way, Beeper Mini effectively tricks Apple into thinking that Android messages sent via its services are iMessages, which means it can take advantage of Apple’s Gateway security system.

However, considering this is the case, questions remain about how Apple was able to parse these messages from standard iMessages and stop Beeper Mini in its tracks last week.

Beeper Mini diagnostics and reporting services

Importantly, Beeper Mini uses very few additional services and apps for diagnostics and analytics reporting and lists them on its security blog.

The company utilizes “a self-hosted installation of Rudderstack for analytics and diagnostic events” – this is used for app improvements but can be disabled by users in settings. OneSignal and RevenueCat are also used, the company says.

Beeper Mini security testing

Beeper says that it performed a red team analysis on Bleeper Mini. That means it got a team of security experts together to attempt to hack the app like a threat actor would, to spot its weaknesses and vulnerabilities, and then subsequently fix them.

Encouragingly, the company invites independent researchers to contact the company if they would like to perform similar analyses and provides an email address for them to do so.

Is Beeper Fixed Yet?

While Beeper Mini isn’t up and running again just yet, Engadget reported over the weekend that the company says it’s “very close” to a fix for the current disruption. 

However, now that it’s confirmed that Apple is behind the outage rather than a technical issue or cyber-attack, the app might be down for a while longer.

In the meantime, many people will look for a Beeper alternative to continue to send iMessages from their Android devices – but users should be very careful about what they decide to use. 

Sunbird Messaging: a Beeper Alternative to Avoid

According to Google Trends data, in the wake of Beeper’s outage, an application called “Sunbird Messaging” has seen a sharp uptick in searches.

Sunbird messaging markets itself as a “unified inbox” application that, similarly to Beeper Cloud, aggregates messages across various platforms, and claims to include secure Android-to-iMessage support.

The 9to5Google reports that the app was made available as a closed alpha to those who signed up for its waitlist during 2022, and claimed to use E2EE similarly to Beeper Mini. However, the app was put on pause in late November 2023 due to “security concerns”, with several sources claiming that the app wasn’t end-to-end encrypted in the way specified.

Sunbird had partnered with Nothing – a phone brand company owned by OnePlus co-founder Charles Pei – to launch Nothing Chats, which was also pulled from app stores around the same time as Sunbird was paused.

We’d recommend avoiding these apps, and also bear in mind that any apps claiming to be either of these two services is also not to be messed with. The great lengths Beeper has gone to in order to ensure their app is secure illustrates how hard it is to produce this kind of technology in a secure fashion.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Aaron Drapkin is a Lead Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.
Back to top