Beeper Mini does not MITM messages - it's a reverse engineering of how iMessage works, and runs entirely on-device, without putting messages thru Beeper's servers. It talks directly to Apple and pretends to be an iPhone.
You're thinking of Beeper Cloud, which does iMessage thru a Mac Mini in the cloud.
> Beeper Mini does not MITM messages - it's a reverse engineering of how iMessage works, and runs entirely on-device, without putting messages thru Beeper's servers. It talks directly to Apple and pretends to be an iPhone.
It doesn't matter. It's closed source and not easily audited - they could easily just be doing a naive solution and piping every message back to themselves after it's decrypted by the client.
iMessage is also closed source, and iOS (as documented by Apple) backdoors the encryption in iMessage by including the cross-device “Messages in iCloud” endpoint iMessage sync keys in the non-e2ee iCloud Backup (as documented plainly in Apple’s own HT202303).
This means Apple can read the iCloud Backup contents, and Apple has the Messages in iCloud device endpoint keys, and Apple can decrypt the iMessages sent to or from the device in realtime.
iMessage is, in practical terms, not really e2ee.
It’s not fair to level these sorts of potential/speculative security concerns at Beeper Mini when iMessage’s first-party implementation has way worse problems that are actually documented.
> It’s not fair to level these sorts of potential/speculative security concerns at Beeper Mini when iMessage’s first-party implementation has way worse problems that are actually documented.
Apple has a proven track record of not handing over all your messages to Russian and Chinese intelligence, something that Beeper is almost certainly doing (as their business model revolves entirely around MITMing your email and chat).
Even if it is done on device, the Beeper app is an effective MITM on what should be communications between official clients. It could have security issues, be logging everything to disk, or include a third-party analytics SDK that is snarfing data for marketing. Like I said, if they want to flag the communications as being from an unofficial client, I am OK with that.
You're thinking of Beeper Cloud, which does iMessage thru a Mac Mini in the cloud.