This post is referring to beeper mini. It’s confusing naming, but that’s not the same as beeper(cloud service). Beeper mini is available to everyone on the play store and is not a cloud service. You just get it, login to Google (to pay the subscription cost) and it works. No invite needed
Comment on Beeper reverse-engineered iMessage to bring blue bubble texts to Android users
KinNectar@kbin.run 11 months ago
I really want to sign up for Beeper, but the fact I have to give them my phone number to sign up for a waitlist seemed like a red flag. How is their security profile?
jamon@lemmy.world 11 months ago
Merlin404@lemmy.world 11 months ago
Want a invite code? Its just to prevent people from mass signing up
KinNectar@kbin.run 11 months ago
Can I get a code, please please?
LinuxSBC@lemm.ee 11 months ago
That’s to prevent multiple entries by one person. Their security is very good, with audits and their products being largely open source (for this, PyPush. For Beeper Cloud, their Synapse fork and their bridges.). Only the parts that don’t matter to security (the clients, mostly) are closed source.
LWD@lemm.ee 11 months ago
twix@infosec.pub 11 months ago
They do have to run servers in order to keep the service alive. If you want to run this stuff yourself on your own server that’s possible using PyPush. The reason they have to run those servers for you is to keep the notification service alive.
LWD@lemm.ee 11 months ago
twix@infosec.pub 11 months ago
Yeah, sorry, I got confused. Beeper mini does need servers to keep the notification service alive. And thus not crazy to ask for 2$ a month. Beeper cloud could indeed do without servers I guess, but I don’t know anything about that. I was just keeping up with the development of pypush (the python poc) and reverse engineering progress.
I don’t understand your point of “you have to log in with a google account”. I understood that was a requirement to check subscription status (and as such limit fraudulent apk’s).
But that seems to be a different story than “opensourcing this would mean a competitor could do it for free”.
You can already do this for free with pypush. And if you want to use something else then python you could build something based on it with any language as pypush is completely open source.
stu@lemmy.pit.ninja 11 months ago
By that logic, there’s nothing guaranteeing iMessage on iPhones is secure or private either because it’s closed source. If you don’t want to trust Beeper mini, you’ll be free to run their iMessage bridge on your own Matrix stack when they open source it at some point, which they’re promising to do (and you still won’t know that Apple isn’t scraping your messages on the iOS side). When I decide to trust a company, it’s because I look at what they’re transparently communicating to their end users. Every indication is that they are trying to get out of the middle of handling encrypted messages. Their first move to make this happen was allowing people to self host their own Beeper bridges (which you can still do with Beeper Cloud if you prefer and you will know that your messages are always encrypted within the Beeper infrastructure). They aren’t going to release the source for their client ever because that’s the only way they make any money.
LWD@lemm.ee 11 months ago
BearOfaTime@lemm.ee 11 months ago
You should read the docs. It’s impressive.
I get where you’re coming from, but after readinhow badly security is implemented in iMessage frankly I trust the Beeper devs more than Apple.
Get this, iMessage delivers the AES encrypted message in a package with the AES key, that package is encrypted with your RSA key.
iMessage lacks forward secrecy. So if anyone ever got your RSA key, they could read all your messages, including past messages, because your RSA key never changes!
stu@lemmy.pit.ninja 11 months ago
I assume you’re not using iMessage anyway then because Apple’s Messages stack isn’t open source. If you’re not using iMessage anyway, it shouldn’t matter to you what Beeper Mini is doing. This app isn’t for the ultra paranoid. Neither is Google’s RCS in Google Messages. This is where Signal and Matrix would be better choices. If you are using iMessage on an Apple device, you’re choosing to trust Apple despite their app being closed source and you’re not choosing to trust Beeper, which is fine and I don’t judge you at all for that stance. But at that point, your qualms aren’t simply about Beeper Mini being closed source, the implication is that you don’t trust Beeper as a company and/or its developers which, again, is a valid stance even if it’s one I don’t share.
But I am personally pretty sure I can trust Beeper and Apple enough with my relatively meaningless conversations.
Rootiest@lemmy.world 11 months ago
To be fair they never claimed otherwise and all of the code for the bridges are open-sourced and can be run on your own servers so that those servers you control (as opposed to Beeper-owned servers) act as a “middle man” and none of your messages need be trusted to a 3rd party.
To put it simply: only the actual bridge on Beeper Cloud has access to unencrypted messages and you do have the option to run the bridge yourself while continuing to use the Beeper app. You can use as many or as few self-hosted bridges as you’d like.
A few bridges are preconfigured for self-hosting with just a couple of clicks for free through fly.io here