This sounds like The Onion, ridiculous.
They’ve stated that they are using Mac minis as relays. They claim that they do not store messages or credentials, but I don’t see how that’s possible if it relies on a Mac or iOS relay server that they control.
They might be able to relay them in a way that the end to end encryption is actually handled on the phone and the relay only relays encrypted messages.
That would likely still give them a capability to MitM but it’s plausible that they couldn’t passively intercept the messages.
They might be able to relay them in a way that the end to end encryption is actually handled on the phone and the relay only relays encrypted messages.
They’d need to control the app on both phones in order to control what it’s encrypting/decrypting. Their system only works because they’ve got a device in the middle separately decrypting/re-encrypting each message. Google’s Messages app can’t read iMessages; Apple’s Messages app can’t read Google’s proprietary encrypted RCS messages.
Of course if you want universally cross-platform messaging, complete with full-resolution photos and available with end-to-end encryption, there’s this crazy new technology called “email.” I feel like there’s a missed opportunity for making setting up S/MIME easier.
You give them the credentials for your Apple account. The security concept is “trust me bro” and that’s really the best they can do unless Apple helps them (which they have no reason to)
If it’s anything like Beeper’s Matrix bridge then it’s E2EE Matrix encrypted between your device and the bridge server and then using Apple’s iMessage encryption between the bridge server and Apple/the other user.
The weak point is always going to be the bridge software as by necessity the message must be decrypted there to re-encrypt for iMessage.
At least in Beeper/Matrix the bridge software is open source and one can host their own bridge while continuing to use the existing Beeper/Matrix main server.
Doing so gives you no-trust security since the Beeper/Matrix host cannot decrypt the messages between you and the bridge you control and running your own bridge eliminates that weak point.
I predict one of two outcomes once Apple becomes aware of this. Either they’ll modify the iMessage protocol to break Nothing Phone’s compatibility, or they’ll sue Nothing Phone for violating some kind of IP law. Apple absolutely wants to maintain their walled garden and letting a non-Apple product transparently interact on equal footing with Apple products runs counter to that.
The messaging is provided by a third party who is dedicated to working on their iMessage compatibility. Apple has no reason to stop this because this is a good move for them in the larger battle between mobile messaging standards.
Google owns Jibe, the company behind RCS messaging found on all Android phones and an emerging, competent product from the only game in town that can compete with Apple. Google has decided to take this to the government level and push for a unified phone messaging standard, normally a good thing, but proposed their own RCS solution. The one they own and whose servers Google scrapes for user info.
Apple is pushing iMessage as a protest against Google and their inevitable lawsuit to conform with RCS adoption. Android may win unless Apple shows it has parity and provides a non-legislative option: if enough people use iMessage then governments don’t have to make any laws or enforce changes. The company Nothing is using iMessage, which helps Apple prove there is both a significant user base, which would cause a burden on Apple and its customers to change, and there is no monopoly on iMessage or messaging in general. So if enough people use iMessage, Apple sees it as a good thing.
RCS is not a Google product, see https://en.m.wikipedia.org/wiki/GSMA
Apple has been pushing iMessage for quite some time, but they want to keep it just to their platform and have made no attempt to make it open to other users. That’s Apple’s way and it’s not as a “protest” to Google lol
That’s like saying they made the lightning port as a protest to USB standards, nah they just want their proprietary shit.
Apple’s ideology behind not expanding iMessage to other platforms has been - at least in part - due to the security of the iMessage platform and how it authorizes senders and recipients (like many encrypted services on Apple devices, tokens are encrypted/decrypted in the Secure Enclave on the SoC). Apparently, Apple has low confidence in the diaspora of Android devices and just decided to forget even trying to create a client for Android it could tie down to hardware authentication due to not having a reliable hardware base. This was many years ago.
I don’t know if this is still true or even necessary today, or if they’ve even bothered to explore it recently, but that’s Apple’s main issue. Sure, it also benefits them in other ways such as driving users to their platforms, but this is their main issue.
That’s like saying they made the lightning port as a protest to USB standards, nah they just want their proprietary shit.
They wanted a new, compact, durable, reversible plug for their mobile devices. There was no industry-standard option that met their requirements, so they made their own. If USB-C had existed at the time, they would have used it (though as a physical connector, Lightning is still just plain better).
Google’s RCS service is unique in that it is not telecom based. I would advise looking at the RCS Wikipedia article here.
Outcome 3: they buy whatever company is responsible for creating this compatibility layer, slowly integrate it so they can skate past several international regulations/lawsuits trying to open iMessage, and declare victory.
Why would they buy a company that is using a workaround when they could just make an iMessage app for Android?
Because that’s not their goal, they absolutely don’t want iMessage to work on Android, at least not without severe limitations. They want Android to look like a second class citizen. If they bought the intermediary company it would be with the intent of strangling it not expanding it. They’ll just slow walk the murder so that regulators don’t take too much notice.
Nah, Apple doesn’t care.
These bridges like the ones found in Beeper/Matrix require a Mac server to perform the handshake with Apple’s.
As long as these servers require Apple hardware to function Apple is making money.
It’s roughly equivalent to running iMessage on your Mac at home and making an Android/PC app that remotely sends/receives messages to/from that iMessage app on your Mac.
Nice one, not sure why it’s geo restricted to the US, Canada, and Europe though, unless that’s a limitation of the bridge software they’re using. Could be a pretty neat selling point for a small subset of users, but I don’t think it’ll make people reconsider which Android they choose to upgrade to.
Also nice to see e2ee RCS implemented outside of Samsung and Google’s apps.
For anyone looking at alternatives, there’s AirMessage (if you have a mac, real or virtualized), and Beeper (not free, in any sense of the word, but supports even more messengers)
Sunbird is closed source so you just have to take their word for it when they say they don’t store messages or credentials. How the fuck could you know if they’re lying or not? You can’t because it’s closed source.
As much as I have issues with the similar Beeper, at least Beeper is open sourcing their bridges.
Just read through their FAQ
Some of the messaging community believes that software that is open source is more secure. It is our view that it is not.
That’s a nope from me.
That statement is pretty stupid in general. But for server side software, open source doesn’t help much. Even if you can look at the source, you still need to trust them that that’s what they are running on their servers.
I think there are levels of trust.
I am often able to reach a level of trust to believe a company is not straight up lying about the code they are running on their servers.
I am not often able to reach a level of trust to believe a “trust me bro” from a company (especially if that statement is not qualified in a meaningful way).
Open source is important for services with end-to-end encryption, because you can make sure the client actually encrypts the outgoing data, is not sending your private key somewhere, and won’t break that security at some point in the future.
Of course this particular service cannot even have end to end encryption in the first place.
Doesn’t help much in terms of privacy. But still is very important. https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
For a bank or any system you would not have control over anyway, it does not have to be open, only the client software you run on your computer should be. But messaging, document editing (like Google Docs), etc. are personal tasks that could be done via a local program, so a remote program should give you freedom from its provider.
In other words: “Some of the messaging community believes that software that can be controlled by the user and is clear how it works is doing what the user wants it to. It is our view that it is not.”
They are just like the rest of big companies. Remember when Facebook was a privacy respecting and friendly alternative for MySpace? Or Apple for IBM? Or Google for other search engines?