New Beeper Android app – Open beta test
blog.beeper.comI want to use Beeper, but funneling all my communications through hosted bridges (especially so Signal) is gonna be a nope, until they release more very deep technical and verifiable information about how on-device bridges work.
I'm big on unified messaging from the libpurple days, but now 99% of my chats are in Signal so perhaps I am just not the target demographic for this.
On-device bridging works like this https://blog.beeper.com/p/how-beeper-mini-works. We'll put together a full technical deep dive for the real launch, this is just an open beta. Our signal bridge code is open source: https://github.com/mautrix/signal
You don't have to use our hosted bridges, we've made it ridiculously easy to self host: https://github.com/beeper/bridge-manager
I really hope it will be possible to configure the Beeper app to use self-hosted bridges vs using a separate Matrix client.
Having the features and polish of the first party app, but with a user-controlled backend (like how Bitwarden does it) would be great.
BTW, I have a Pebble on my wrist right now :)
That's exactly what our bridge-manager repo allows you to do. Self-host the bridges yourself, use the Beeper client app.
One thing that would make beeper better than other options (eg self hosted matrix) would be the ability to combine multiple accounts from each service. I have multiple telegram, WhatsApp and discord accounts.
What I'd really like to do (and the poster you responded to) is to connect your app to my own self-hosted matrix-server.
I'm confused about the downvoting. This is absolutely what a lot of tech people want to do, use the nice client and self-host.
Genuine question. Why do you do this?
Not the OP, but the beeper client looks better and has native GIF support, among other niceties that more "normal" users would prefer over other clients.
Will the new Beeper app gain support for Fitbit as the "Messaging" app? Before I could select Beeper, Google Messages, or WhatsApp. The new app isn't recognized by Fitbit as an SMS messaging app.
Is there still plans for supporting multiple G Apps accounts?
Isn't mautrix/signal supposed to work on the cloud? Or is there some work that has been done to make it work on the phone?
Wait a minute. How does on device bridge work? Say WhatsApp?
When looking at their bridge documentation for my own homeserver, I noticed that they do provide a way to self-host the bridges to be used with Beeper's homeserver as well.
I use texts.com instead, honestly has worked better for me than beeper
Beeper at least has source code for the bridges, which you can have some hope is the same code that they run and that they don't get court orders to look at the messages.
If they ever chose to implement remote attestation for bridges, and you chose to use an open source matrix client to control your local keys, there is at least a potential path for you to prove they can't look at messages so you don't have to trust them.
You also have the option to self host bridges and take your ball and go home at any time, given that Matrix is an open protocol. Minimal lock-in.
Texts.com by contrast is completely proprietary as far as I can tell, with no path to self host, so it is strictly worse than Beeper in every way in terms of transparency.
Our code isn't open source but when you are using Texts, you are self-hosting it. It runs completely on your device!
So you tell user devices to run any code of your choosing, and no one but you is allowed to look at that code. Presumably you do not use reproducible builds, because almost no one does, so the choice of which code runs on user devices likely comes down to a single system administrator or release engineer.
A court order or someone holding a rubber hose could instruct that release engineer to ship tweaked code to any number of devices that sets "42" as the random seed for private keys, allowing anyone with that knowledge to decrypt all messages in transit covertly.
It would be in the best interest of your shareholders to lie if this was ever to happen.
Without the code being open source, everyone should assume this is the case.
Messengers are a massive target, and a target of that size on one person is certain to be exploited.
One of core areas of my research is supply chain attacks, and you have no hope of providing strong defense against them without open source reproducible builds.
I agree that open source is very important — it’s one of the core values here at Automattic, where we have a long track record of open sourcing our products and vast majority of what we make is already open source.
Texts connects directly to the platform, from your device, without using any Texts servers having any access to your messages (even in encrypted form) and without breaking the E2EE the platform provides (for platforms that support that), similar to Beeper’s new Signal integration.
A major benefit of this is you can verify what requests are made and what responses are received. You can also use Texts, not upgrade, and would run the same WhatsApp code for example until you upgrade. Same can’t be said for WhatsApp Web for example. It might also be easier to compromise the platform themselves for a government entity, if that’s our threat factor.
It should go without saying we take user privacy and security very seriously, and have restrictions around who can build, sign and distribute our binaries.
I do hope to see something like Texts fully open source, as then it becomes instantly a Beeper killer.
Until then at least hearing if you are willing to to be transparent about your supply chain security strategy would be a great start.
Some of the supply chain integrity tactics I find most companies skip:
1. Are all commits signed with personal engineer HSMs (yubikey, nitrokeys etc)?
2. Are all reviews similarly signed by someone other the author?
3. Does tamper-evident CI/CD (that no single engineer can manipulate) verify these signatures?
4. Is the code for release binaries reproducible?
5. Does more than one system controlled by different employees (or ideally a third party audit firm) build the code at least a second time and get the same hash?
6. Are the app signing keys managed with multi-party custody? (Threshold signing, multiple-in-person witnesses to airgapped signing, or managed in a remotely attestable secure enclave running reproducible firmware?)
7. Does the signing system verify multiple reproducible build signatures before issuing app-store signing keys?
8. Do you provide standalone signed binaries for users to side-load on de-googled devices so users can remove google (and their many partners) from their supply chain attack surface?
9. Do you review any/all of your third party dependencies, and every update to them?
10. Do you build exclusively with multi-signed reproducible OS and system packages?
11. Do you have published audits from reputable third party security firms attesting all your security claims, and all of the above? (Ideally with the exact hashes of the binaries whose sources they audited)
My team and I help companies with most of the above regularly for highly targeted orgs, but it takes a lot of engineering hours to get this stuff right. Failing to do any of the above would put a massive target on a single human or system, and in my experience this always results in a compromise one way or the other for a highly targeted service such as yours.
It is honestly much cheaper to just open source reproducible code, and let the community help check some of supply chain security and accountability boxes for you.
I highly doubt Beeper gets much of the above right either, but by allowing you to self host open source bridges, they grant users with higher risk profiles the option to not trust them a bit less. Granted, if you are self hosting bridges with an open source client, then there is no reason to pay Beeper.
IMO the only reasonable move in this space is to provide turn-key remotely attestable open source bridges paired with an open client to save users work without asking for trust.
Full disclosure, I did do some security and infrastructure consulting work for Beeper a few years ago.
You may be interested in a feature in the new app:
> On-Device Signal Bridge
Haven't tried it yet.
I really hope that in the future such bridges can run in secure enclaves to protect the re-encrypt step.
Lol how'd you get 99 percent of your chats on Signal I envy you
Better selection/triaging of friends/contacts, perhaps.
Interesting! Anyone here remember Pidgin? It was such a fantastic app for chatting with friends on AIM, MSN, ICQ, gchat (XMPP), and IRC all from one interface. It even had an "off the record" (OTR) plugin that was an early example of end-to-end encryption.
It was a good illustration of how an open source app could surpass all the proprietary alternatives because it wasn't subject to the same incentives as a commercial company. Although obviously all those companies wised up and killed XMPP...
Remember? Pidgin is still a core piece of infrastructure in our company's managed services platform, and not for lack of interest "upgrading" but because it's just exactly the right tool for the job for certain kinds of internal company messaging, with self-hosted XMPP.
Completely defining your own secure perimeter by self hosting everything possible makes for extremely perfunctory audits by regulatory bodies for the industries (finance, mainly) we support.
Is there a good way to get google chat/hangouts/whateveritscallednow into pidgin? It used to support xmpp, but it doesn't anymore :/
Sorry, can't help there. Although I'm not entirely sure if I understand what you're asking properly, because pigeons certainly does support xmpp, in fact it's the only thing it really supports quite well as far as I'm aware. Its these other services that either don't use XMPP or don't use it (or any open standard protocol) any more.
We only use Pidgin for native XMPP intra-org chat via self-hosted, AD-integrated private servers, a role which it has served remarkably well up to our largest client site of about 300 users or so. For phones, we support Xabber or Conversations but all BYOD usage comes with mandatory wireguard wrapping. We don't have much occasion to experiment with Pidgin's multi-protocol functionality, as our clients typically have little incentive to facilitate and support internet-facing chat capabilities.
Pidgin was (is) great, but that was possible with jabber transports on any client. I had multiple major closed networks, blogging platform, RSS, IRC and more in one jabber/xmpp client. Cli, phone, second computer... No problem, including self hosted.
Miss those days when companies didn't invest into building walled gardens.
I still use pidgin daily for Slack. I've even written a libpurple custom protocol for our own homegrown app.
> On-device iMessage bridge (like Beeper Mini) is not enabled at this time.
Wasn't this the reason to use beeper on android?
It’s the reason they made the news.
Their ability to bridge other networks may be useful to you. It’s what they did before the iMessage thing.
I agree though a ton of their possible demand is gone now due to that. Add in RCS later this year, and even if iMessage came back I’m not sure it would be worth it to many.
But hey. I didn’t know they existed before that. I do now. That’s something. I also distrust their judgement based on their actions. But I’m sure that not true for everyone who now knows they exist.
I use Beeper on Android to have one app through which I send messages on WhatsApp, Signal, Telegram, LinkedIn, Facebook, Instagram etc. I never cared for iMessage support.
Meta had better rollout their WhatsApp bridge thing soon
This works?
It works great for me. No support for complex things: calls, message requests, and probably a few more. But most days I don't need to open any other app, and when someone asks me which network they can contact I honestly just don't care anymore. They all look exactly the same on my phone.
How much would you think this degrades Signal security? I don't know exactly how the Signal bridge works, but Signal's putting so much effort into security and the people use it through an app like this one not vetted by Signal, it can't be too good I assume...
Cool, anyone got a referral?
sure: refer.beeper.com/descsi
Thank you!
Does for me, although I do self-host their stack. It's been surprisingly stable, given what's actually happening behind the scenes.
Replaced Signal and Whatsapp on my Android today, got a lot if faith in these guys. But if there's a breach I'm f'ed.
If you're that concerned, self-host. It's not too bad with the Ansible script.
It was one of the features, but it's existed for a while outside of the iMessage support. It just got a lot of eyes on it when they got the iMessage hack working (which Apple broke last I heard, not sure the current state of it)
AFAICR it still "works" if you do a ton of manual setup. They basically said they're not going to support it because it's bad PR
It's bad PR because Apple is going to keep breaking it and then people go on social media and talk about how it doesn't work.
For me, the killer feature is being able to keep up with my various non-SMS/MMS/RCS conversations (with prompt notifications) without having to install the Facebook app et al
I switched from Android to iOS for the first time ever last month (was on Android since the very early 2010s), and I still use Beeper for everything but iMessages.
Curious how you're finding it so far? I mowed my Note20 Ultra in June of last year and replaced it with a 14 Pro Max then just last month went and swapped back to an S24 Ultra. I found Apple to be too restrictive. The OS level stuff was one thing but the app store lacking things like emulators or vape apps because "Apple said so" rubbed me the wrong way, whether I need them or not. Plus I like writing python on my phone.
I’m not doing anything super technical on my phone, so I can’t provide any opinion about things like code writing or testing from it.
I’ve found iOS 17 to be amazing so far on my 15 pro max. My only persistent irk is with the notification management. If a notification pops up that I don’t care to interact with, I’d like the option to swipe it away and have it actually go away. Instead, that initial banner can only be swiped up to make it go to the Notification Center, where it has to be swiped away or opened.
Everything else about the device is phenomenal for me. Battery life (even capped at 80%), 1Password integration, Focus Modes, and Shortcuts.
web-app.pax.com may be relevant to somebody's interests, here!
I've been an early access user for a few months and I'm really enjoying Beeper -- I hope they continue to deliver like this and can scale the operations as needed.
I currently use through it: Telegram, WhatsApp, RCS (Android Messages), Signal.
Beeper is built on Matrix and their client is based on Element but I would say the experience is slightly better than native; for example I prefer how client verification works in Beeper over vanilla Element.
Congrats on the open beta!
How does beeper work? Do I have to give beeper full access to all the different accounts I use for messaging?
Not if you self host the bridges and set them to end to end encryption (not sure if they all support that yet though)
Yes.
Why do we need a Google account for this service ? What's the point of allowing an app to be independent and E2EE if everything is also linked to Google Accounts? When will the software community stop automatically utilizing the most dominate services for every implementation Is there a service similar to Beeper that doesn't require a Google account?
I want to try it, but I don't want to become dependent on it if it will transition to a paid product in the future (It's cool, but I probably wouldn't pay for it).
How long will it remain free to use?
That's a reasonable concern, but in practice the likelihood of the product being killed by malicious counterinteroperability games by Apple (and the other proprietary backents too) is far higher than the chance you'll be screwed by the manufacturer.
Beeper isn't in a business that's every going to make them significant money. Their core value proposition is, ironically, that reverse engineering iMessage is "just hard enough". If it becomes too hard, they fail.
But if it becomes too easy, they fail too because everyone will launch Apple-compatible chat apps! In fact the worst case is that the protocols end up standardized, in which case they'll have to compete with genuine open source implementations.
Basically, I'm absolutely in their corner in this fight, but I'd never bet on Beeper as a product.
I would gladly pay a few bucks a month for such product. It solves a real problem
Beeper is already a paid product at $10 per month, see beeper.com
Used to be that way, they decided to give it out for free for the time being. [1]
Oops thanks. Should have checked my link but it feels like I only looked at it a couple months ago.
now if only I had a small android phone I could install this app on...
Hoping Eric pops in here like he does on other Beeper threads and sees this. I'm still checking every day for a small android phone.
I found my Xperia z3 Compact in a drawer the other day. It was immediately such a pleasure to hold, I love the concept of having something as powerful as a smartphone in such a small package.
There are 3” Android “media player” devices for under $100 on Amazon. No cellular but cool to play with.
That's the dream...
Any updates on the project?
Have you looked into the Jelly Phone? I used mine for over a year until I destroyed the battery. Was definitely small and got used to it pretty quick
Yes, Jelly phone seems decent, though I'm not a fan of the "rugged" design. I liked the Palm Phone, great concept. But they don't make them anymore.
Zenfone 10 is your last chance.
I'm on a Zenfone 9 and longing for something smaller.
I've been on the wait-list for at least a year I think? "Open beta test" plus a wait-list is quite weird.
I was on the wait list for a while too (I think my place in the waitlist even went backwards) and someone from HN wat nice enough to hook me up with an invite.
I'm happy to pay it forward, the only caveat is that I think the referral code has to be sent via a chat method that beeper supports. Feel free to email me (HN username @ big G's mail service) with a GChat/WhatsApp/SMS address.
If you get an invite from someone, it jumps you to the front of the line.
So viral marketing.
I'm happy about every new Matrix client! It would be cool if they would release it as FOSS so it could be used generically. There's a painful lack of (average, non-technical) user friendly Matrix clients.
I'm wondering if this app will eventually work with other (e.g. self-hosted) Matrix accounts or if it'll remain locked to Beeper's.
You can communicate with other self-hosted Matrix accounts already. I think that was always the case.
I think what OP meant is if you could use the beeper app with your own matrix account, not with username@beeper.com.
I try to register, i receive code, I apply it then unable to register, tried twice, uninstalled this app..
The app tells me I need Google messages to handle SMS.
But I don't want to depend on Google on my phone.
So all of the messaging apps I use are just damn protocols?
Always have been
Anyone have a referral code? TIA