“It’s time for Apple to fix texting” (android.com)
796 points by Fabricio20 on Aug 9, 2022 | 960 comments



Most businesses, consumers, and developers universally continue to ignore the primary reason that iMessage is a closed platform, rather than an app on every platform as iTunes is:

Apple is using device serial numbers for anti-spam, supported by a fully-authenticated hardware and software stack that does not allow user modification. This permits Apple to simply “console ban” any Apple device that spams on iMessage. This makes it prohibitively expensive to send spam over iMessage. They have been doing so since iMessage was launched.

Android offers no such attestation that I’m aware of. Windows, on Pluton, could offer this attestation securely — and that is a key deliverable of Pluton.

It’s easy, then, to predict what Apple’s first non-Apple platform will be: Microsoft Windows 12, only if secure-booted, with Pluton-signed attestation that the kernel is unmodified. And it’s easy to predict how Apple will implement anti-spam: by applying “console” bans to specific Pluton chips by their serial number.

If Android wants to join the party, then Android phone builders need to implement secure boot with hardware-signed attestation of non-rooted-ness, in the style of Apple T2 + macOS or Microsoft Pluton + Secure Boot. Until then, Apple iMessage will remain single platform.

(I recognize that this is extremely unpalatable to device hackers, but the same freedom to modify an OS kernel that hackers desire is also the freedom to spam all users, as we have seen repeatedly with all messaging software platforms operated without hardware-backed attestation for the past thirty years — including email, Jabber, and HN itself.)

(No, I do not work at Apple.)


I'd rather live in a world with spam than a world where corporations get to decide what I run on my devices, and cripple a bunch of critical applications if I decide I want to, y'know, actually do whatever I want with the hardware I own.

I'm not unsympathetic to Apple's difficulties and goals here (assuming this spam problem is actually the reason, though I'm skeptical that there aren't also self-serving reasons that would be sufficient for Apple), but I'm so tired of society's slide toward "security at any cost, and to hell with freedom" since the 9/11 attacks over 20 years ago.

(It's possible and likely that slide has been going on much longer, but I was a teenager in the 90s and not really aware of such things. But I think it's undeniable that the aftermath of 9/11 was a big turning point for the surveillance state and for average citizens being so scared of everything that they'd be willing to give up essential freedoms just to quell that fright.)


> I'd rather live in a world with spam than a world where corporations get to decide what I run on my devices, and cripple a bunch of critical applications if I decide I want to, y'know, actually do whatever I want with the hardware I own.

It’s really oppressive that Apple doesn’t let you install WhatsApp, Secret, Telegram, FB Messenger or any other communications app beyond their own.

While it’s all sweetness and light that Google got into bed with the phone carriers to develop this new “standard” tied to a phone number subscription that brings along all the retrograde privacy nightmares of Big Telecom since the bell system broke up.

The points you want to raise are crucial, but this is far from the hill to die on.


Defaults matter. I too have WhatsApp, Signal, Google Chat and a few others on my phone, but the fragmentation is annoying to deal with, and getting social groups (or even individuals) to move to a single consolidating messaging platform turns out to be much more difficult than I expected.

If the default chat app is featureful and universally supported, people tend not to stray toward non-default alternatives unless they offer meaningful benefits. Sure, this ship has in many ways already sailed, since those alternative apps have a lot of mindshare and network effects.

But if Apple added RCS to its default messaging app (or if Google were permitted to add iMessage support to its default messaging app), I would ditch everything else and just message everyone (including groups) using the default Android Messages app, relying on it to select the best non-SMS/non-MMS contact method for everyone, regardless of platform.

Sure, it would take a little more work to move messaging groups over, but the cool thing is that I could just do it myself, and not wait for my friends to download yet another messaging app. This is the problem I ran into when I wanted to get friends off of WhatsApp; I had to convince people to install something else, and not everyone felt like doing it. But everyone already has the default messaging app installed, so that problem just goes away.

> While it’s all sweetness and light that Google got into bed with the phone carriers to develop this new “standard” tied to a phone number subscription that brings along all the retrograde privacy nightmares of Big Telecom since the bell system broke up.

Just wanted to call this out as FUD. RCS existed as a standard long before Google was involved (nearly a decade?). I too don't love that it's tied to a phone number, but options for doing this well are limited, and building a second, parallel identity system has its own issues. RCS at least can be federated, and it'd be possible to allow phone users to choose their own provider. And in practice, phone number portability means you aren't stuck with the crappy choice of ditching your "identity", or sticking with a phone provider you hate.

Not sure how iMessage or WhatsApp or Google Chat or Signal is any better, though, as they're all controlled by a single company that requires you to use their identity system.


Perhaps you're missing the point though? Maybe your friends simply don't care enough to switch.

Bottom line is iMessage works really well and people like it. Same with FB messenger and Whatsapp. You want to move friends to something else? There needs to be a selling point much larger than just security.


> Perhaps you're missing the point though? Maybe your friends simply don't care enough to switch.

Right, I mean, that's exactly the point. I can't force someone else to install a messaging app I'd prefer to use. But if we had an actually-good, cross-platform messaging standard that was implemented in the default, stock messaging app of both Android and iOS, I would not have to depend on my friends caring or not. I could just use it, and know that they will receive the messages.


> But if we had an actually-good, cross-platform messaging standard that was implemented in the default, stock messaging app…

For billions of people that default is WhatsApp and installing it is as much a part of setting up your phone as is plugging in a SIM.


> that default is WhatsApp and installing it is as much a part of setting up your phone as is plugging in a SIM

You missed out the bit where you sign your soul over to Mark Zuckerberg.


Regular people don’t realise or care, they just want to be where their friends are.


Regular people don’t think giving up some privacy is the same as selling your soul…


For billions of people that default is WeChat/WeiXin and installing it is as much a part of setting up their phone as is plugging in a SIM.

I can safely know that any phone made today will have SMS/MMS capability, and nothing about WhatsApp/WeChat/Messenger/Telegram/...etc


The problem with moving groups over to iMessage is that you'll always leave some Android users out. Here in Spain Apple has a minority marketshare so that makes iMessage a total non-starter. But even in the US not everyone has an iPhone.

And really iMessage is not so much better than the cross-platform alternatives that it's worth leaving some friends out.


iMessage is kinda both its own messenger and SMS client. So when you text a number, I don't think you have a choice of how to send it. If the user is "Apple" it sends as an iMessage, if not message, it turns the bubble green (so you know it's SMS). Though in the Epic trial Apple sees messaging as a "lock in feature"

"In another exchange, Apple executives discussed in 2013 whether releasing a version of iMessage for Android would make it easier to switch phone brands. iMessage is still exclusive to Apple products.

“I am concerned that the iMessage on Android would simply serve to remove an obstacle to iPhone families giving their kids Android phones,” Craig Federighi, Apple software senior vice president, wrote in 2013."

https://www.cnbc.com/2021/05/03/epic-games-v-apple-trial-app...


> The problem with moving groups over to iMessage is that you'll always leave some Android users out.

I'm on several text chains with a mix of iOS and Android users. It works fine.


I think maybe your idea of “fine” differs from mine. It is a much worse experience than iMessage.

1. No threading is supported. If you reply, it duplicates the message being replied to.

2. “Tapbacks” (reactions) duplicate the message being reacted to with “so-and-so likes message … message”

3. Photos are reduced to a size that fits in MMS (very low quality)

4. Videos look like postage stamps

5. The chat cannot be renamed or have a photo added

6. Members cannot be added or removed without starting a new group (conversation)

7. No message effects

There may be others, but this is off the top of my head.


We can disagree and still be friends.

> 1. No threading is supported. If you reply, it duplicates the message being replied to.

Threading (using "Reply") is not supported in mixed iMessage/SMS/MMS text chains. (I'm using iOS 16, so this may have been (unwisely) supported in earlier Message versions.)

> 2. “Tapbacks” (reactions) duplicate the message being reacted to with “so-and-so likes message … message”

You can now see iPhone tapbacks on Android phones in Google Messages. I'm not sure if it's on by default yet. https://www.macworld.com/article/610908/google-messages-andr...

The other things you list are limitations and side-effects of the standards used. They're valid, but I consider the experience "fine" without them. If the groups I text with cared about these we would probably use WhatsApp since everyone has that. Signal would be my preference, but it's hard to change people's habits.


Didn’t know about Tapback support on Android. Wish iOS had that support for non-iMessage chats!

I think the point I want to stress is that when everyone uses iMessage, it’s as easy as texting, but just about as good as WhatsApp/etc. from a feature/user experience point of view.

Agree that we can be friends. Hopefully my comment wasn’t seen as adversarial. I just get annoyed when I see the green text bubbles, because people try to use iMessage features and it’s just bad. Non-techies don’t realize it’s different because it’s the same app, but then wonder why photos aren’t high resolution, or things don’t work as expected.


But that uses MMS which many networks here (Europe) don't support anymore, or they charge a hefty fee (even though big SMS bundles are still a thing here). Especially for international use.

I didn't realise it was still used in the US though.

MMS definitely doesn't work on my phone, though I'm not sure if this is a provisioning/settings thing or that the provider has abandoned it. I never really looked into it as I've never needed it. I just tested it once to see if it worked.


I send international MMSes from my phone (Android) to my mum's iPhone, from UK to Poland, and it seems to work fine. Hasn't bankrupted me yet either (I just checked and it's apparently 30 pence per text).


MMS are 50p for me, that's too much to use in the same way SMS are used.


Those aren’t iMessage group chats if they’re using SMS/MMS.


They are SMS/MMS sent from iMessage. It automatically falls back on SMS/MMS when you message someone who is not signed into iMessage.


You are conflating iMessage the service with "Messages" the app. An iMessage is definitionally not an SMS/MMS.


> But everyone already has the default messaging app installed, so that problem just goes away.

Okay, so let's say Apple implements RCS support. Should they support the version of RCS that the carriers want? The version Google implemented? Are they now going to be required to implement support for proprietary Google extensions? Will they have to run their own RCS servers because carriers don't support this version of RCS?

RCS is a fragmented mess. It's dead in the water. This noise is just Google flailing about after having binned yet another one of their messaging platforms. Personally I don't care what Apple does here. I still want SMS support for when I'm in an area with little/no data coverage and I'm still going to treat RCS with the same disdain I'd treat any unencrypted messaging platform.


They should implement the version (and extensions) that gives them interoperability with the most users. Which, yes, would probably be whatever Google implemented, including the E2EE extensions. This... isn't really hard?


> They should implement the version (and extensions) that gives them interoperability with the most users

They already have that, with SMS. Perhaps you only exchange messages with people in rich countries so don’t notice what is most commonly implemented by carriers?


Why should Apple (or anyone) be on the hook for implementing proprietary extensions? Once you peel back the marketing schtick this is just demanding that Google be able to determine which proprietary services are included on an Apple product. That's ridiculous on its face.

If the issue is interoperability with Android users, fine. Google had successful messaging apps on iOS (I used a few) and they destroyed them through their own mismanagement. RCS doesn't solve that in the slightest.

> This... isn't really hard?

If you want E2EE the demand is now that Apple spin up its own Google-RCS servers and/or rely on Google's infrastructure. If you want Apple to rely on the carriers you don't get E2EE. Rather than work with the carriers Google fragmented RCS making implementation that much more difficult.


At the end of the day, what we need is interop, so Apple should be forced to either open the protocol, or adopt something that is already open. But either option is strictly better than the existing mess.


  But either option is strictly better than the existing mess.

Disagree. We have interoperability, just not with advanced features within the default messaging apps. To me that's not a big deal at all as there are other, popular, options. We should get out of the habit of relying on carriers to provide much more than dumb pipes. To that end SMS (not MMS) works just fine and RCS is just going to continue to get bogged down.

It's easy to say that if Apple bent to the will of the carriers the iPhone would never have been as good as it is. But look at RCS, Google had to stand up their own infrastructure because the carriers weren't cutting it.

It's not that RCS is not the right product it's that RCS is the wrong approach entirely. Even in the United States Android is wildly popular. They've had every opportunity to create a wildly popular messaging platform and have failed. Google killed their own products as a result of their internal culture. This isn't Netscape vs IE again, it's more like Mosaic vs Gopher (or AOL vs Netscape if you like).

I was going to write "as much as I'd like to see non-Apple devices brought into the iMessage fold" but then I realized that's not true. I don't care because I'd just use Signal. In fact I still use Signal with some friends that have iPhones. RCS wouldn't change that, it'd either be one more shitty carrier product to avoid or one more shitty Google product that's going to get killed in a few months.


> or adopt something that is already open

Like SMS?


Obviously we're talking about something more modern than SMS here.


The problem is none of the 'more modern' open alternatives to SMS actually seem any better.


How exactly is RCS not strictly better than SMS?


Turn that on its head. What does RCS bring to the table? RCS brings two types of features: those that carriers will try to monetize (file transfer, VoIP, visual voice mail) and those that seek to drive "customer engagement" (chatbots, carousels, branding, quick-reply suggestions, "rich" cards).

From the Wikipedia page:

  RCS Business Messaging (RBM) is the B2C (A2P in telecoms terminology) version of RCS.
  *This is supposed to be an answer to third-party messaging apps (or OTTs) absorbing 
  mobile operators' messaging traffic and associated revenues*. While RCS is designed to 
  win back Person-to-Person (P2P) traffic, RBM is intended to retain and grow this A2P 
  traffic. … RBM is expected to attract marketing and customer service spend from 
  enterprises, thanks to improved customer engagement and interactive features that 
  facilitate new use cases.  *This was the primary reason for the development of RCS by 
  the GSMA*.

No. Thanks. As I said, I don't really care if Apple implements RCS support in their Message app. If they do it's just one more thing I'll disable.

My take is that carriers should be dumb pipes. Voice, SMS, and data routing and that's it. Part of the reason RCS is already fragmented is because the carriers are trying to monetize it, you can bet your ass they're going to continue to drag their feet with E2EE – which is why Google's stood up their own separate RCS infrastructure.


Even just fixing group chats alone is a big deal.


Didn't Google Talk, Google Chat, Google Hangouts, and Google Meet all support group chats? Didn't Google Talk even allow for federation?

The problem with RCS as a solution is that you're either going to rely on the carriers or Google and Apple to host infrastructure. Requiring Apple to implement support for Google (hosted) products is ridiculous as Apple already lists Google chat apps in their app store. Requiring Apple to host their own servers to interoperate with Google's services is also ridiculous because again Apple already provides software to interoperate with Google's chat services.

Requiring Apple to support RCS so their users can leverage carrier hosted RCS is also ridiculous because that's a fancy way of saying Apple should be required to monetize their users for the carriers' benefit. Per the Wired article linked to MMS was created solely to extract money from their users (or as Wired put it to "collect a fee every time anyone snaps a photo"). I'm sure most folks who are old enough remember when SMS (which literally consumes no additional bandwidth) was a paid feature, does everyone remember when MMS cost even more than a plain SMS?

RCS may not be a cash grab by Google, but they certainly haven't had any luck in getting the carriers to implement customer friendly features. Another lowest common denominator "standard" like RCS isn't an improvement at all, especially not in the face of the freely available, cross platform messaging apps.

What does RCS theoretically bring to the group chat table?

File transfers? Google's gonna mine them or carriers will charge exorbitant storage/transfer/viewing fees.

E2EE? Carriers don't, Google does.

Tapback? Meh.

Typing indicators? Really?

International communication? You're gonna pay…


> What does RCS theoretically bring to the group chat table?

Interoperability.


  Interoperability

How do you figure? Google and the carriers are implementing different feature sets.


In addition to having to implement E2EE on their own, Google's had to start paring back key RCS features like ads.

https://techcrunch.com/2022/06/04/google-disables-rcs-ads-in...


The default chat app and the technical merit doesn't matter. What matters is what people we want to chat with. Most of my friends and groups are on WhatsApp. Some prefer to use Telegram, me too. A very few living outside the country use FB Messenger. Nobody uses SMS unless for emergencies, if they think the recipient has no data connection. RCS is totally unknown. If I say RCS somebody will ask me "the newspaper company?"

Making people switch is possible (use Telegram to chat with me), making a group switch is impossible as there is always at least one person that doesn't want to install a new app or can't (phones with tiny storage.) Anything else is irrelevant in my country. There are probably some friends of mine using iMessage when chatting with somebody they know to have an iPhone. They still have to use WhatsApp to chat with everybody else.


Matrix solved federated messaging already


Is Matrix built into the default, stock messaging apps of Android and iOS? No, it's not, so it does not solve the problem I've posed in any useful way.

(Beyond that, I've found the usability of Matrix on both desktop and mobile to be atrocious.)


Yes, it does. It could easily be the backend of the messaging apps without you noticing any difference


Not fully encrypted yet though, not even if everyone opts into encryption.

And if we want to be technical XMPP was before that and it was federated by some large networks, however briefly.


Of course fully encrypted


As of 2021-08 that doesn't appear to be the case

> It however turned out that although the content of the message is encrypted, there is still a lot of user identifiable data that is not encrypted and can be seen by potential attackers.[0]

[0] https://www.sciencedirect.com/science/article/pii/S266628172...


The amount of required metadata to maintain federation is very small. Some matrix instances operate in this minimalist or near minimalist domain, but in my experience, getting folks to share their custom forks of matrix requires some social schmoozing.

For better or worse, much of the fediverse is made up of small enclaves of hyper-paranoid tech weirdos who have often reinvented the wheel over and over, each in their own little group, which is a big problem for the casual person who wants to toss a server on a home server for friends and family.

And I say this as one of these hyper-paranoid tech weirdos. The network's growth is immensely stifled by the fact that people aren't keen on sharing, or building user friendly tools for the normies.


Message content can be fully end-to-end encrypted. Federation needs some unencrypted metadata. Some of it can be reduced, but some will be needed for federation to work. Signal probably needs less unencrypted metadata, but you lose federation.


Please encrypt user identifiable data like the recipient of a message such that only the recipient can read it


As did email with PGP before it /sarcasm off


> “standard” tied to a phone number subscription that brings along all the retrograde privacy nightmares of Big Telecom since the bell system broke up.

Is there a way to make an account with Apple that isn't tied to a mobile phone number? If so, I've never been able to find it.


You don't need an Apple ID to use iMessage. Just an Apple device.


Uh, don't you need an Apple ID to activate an iPhone?


Nope, you can just click skip. If the device had previously been enrolled in Find My iPhone you have to log back in to turn it off, but if it’s fresh out of the box you don’t have to hook it to iCloud/iTunes at all (and that’s not uncommon to block in corporate environments).


Not on my end, no skip button.


Not sure what device you’re on but every iPhone I’ve set up I’ve (at least initially) skipped signing in. It’s not hidden or subtle or anything (especially compared to latest Windows OS), it’s a big Skip link. The main downside is you can’t install any apps, and in my experience iMessage does NOT work until you log in with Apple ID, just SMS/MMS.


Could be country specific..


True, or carrier lock specific if it involves activation. I would be surprised by this though, and deeply dislike the idea.


Phone still works without an ID. No idea if this means that you can only send SMS messages though.


I’m not logged in I can send iMessages and FaceTime, seems to link it to the phone number though.


It does.


The question was about phone numbers, not apple id.


You need a phone number for Apple ID, don't you?


Using iMessage requires an Apple ID. The Messages app on iPhones supports both SMS/MMS and iMessage because it’s a phone and needs to support SMS. But without being signed into an Apple ID on the device the Messages app only handles SMS/MMS, i.e., green chat bubbles.


That isn't true. You can use iMessage without an Apple ID on a phone. It uses your phone number. I promise you of this.


Yes, but if you don't have an Apple ID, the iMessage app will use SMS/MMS, not the proprietary encrypted Apple messaging protocol. This can be tested easily: send a message to another Apple user: it will arrive as a green SMS message, not a blue Apple messaging message.


iMessage without an appleid is just SMS…


Promise all you want, but in the US you can’t activate an iPhone without an Apple ID. Yes, you can set iMessage to only send/receive iMessages using your phone number. However, you cannot set it up in the first place without an Apple ID.



> You don't need an Apple ID to use iMessage. Just an Apple device.

Has Apple fixed the bug where it wasn't relinquishing your phone number and blackholing all iMessages which were supposed to be downgraded to SMS instead?



In the past, AppleIDs could be created with only email address, and not phone numbers. I see that the current account creation step requires a phone number for verification via SMS/phone call.

That said, I don't believe you need to use that phone number for messaging – an email address is used as the contact information when messaging with iMessage. This is especially important for iPads/iPod Touches and Macs, which most don't have a cell phone number.


Only in US region. You can make Ukraine region Apple IDs without a phone number still.


> It’s really oppressive that Apple doesn’t let you install WhatsApp, Secret, Telegram, FB Messenger or any other communications app beyond their own.

They fully control those apps' access to their store; Apple has full say over which communication apps you install on your iPhone, full-stop.


You say this like it is a bad thing. I used Signal, which is an open-source messaging app. If Apple were censoring messaging apps I would agree with your seemingly negative sentiment, however, as someone who has pushed out apps to the Apple and Mac app stores, I can say they absolutely do not do that.

There are many reasons many IT folks actually prefer an iPhone over Android. The two biggest ones are privacy and security. Google, thus far, takes neither seriously. Google routinely sells your data (including location data, active timestamps for all apps, what you search for, the list goes on), and it routinely has malware show up on the play store. If Google could fix those issues and stop also murdering their various applications every year, maybe they'd be able to compete.

While it may sound like I have a hard-on for Apple products, I really do love Android, I just hate Google.


> There are many reasons many IT folks actually prefer an iPhone over Android. The two biggest ones are privacy and security.

I've been downvoted to hell for it before, but I'll add mine to this list because I don't _think_ it's all that uncommon either: I don't want another PC to administer and support.

I've had a lot of Android phones over the years (started with the ADP1!). Taking my last one as an example--it stopped receiving updates way too soon. Once apps started breaking, I ended up updating it by putting LineageOS on it. But then my camera never worked right again because apparently there's a driver issue. One time I updated and my microphone stopped working in phone calls so I had to wipe the thing and install an older OS on it...

You know what that sounds like to me these days? _Work_. That's literally the same sort of stuff I'm doing all friggin' day. Between work and my kid I'm lucky if I've got a couple hours a day to portion out to chores around the acreage and maybe whatever I could do ostensibly for fun. The last thing I want is to be obligated to work more because my damn phone is being a PC and doing PC things.

The fact that it's not customizable, not open, and just generally an appliance _is a feature to me_. My five year old phone is still receiving regular updates. I install them, it keeps working. I can't mess with it (and end up breaking things) even if I want to. I don't have to think about how I want the phone to work because it just works the Apple way and if I don't like it I can just get a different phone. If anything ever does go wrong, I don't need to fix it because I _can't_, reimage the phone if that doesn't work then well you're screwed.

Basically, I treat it the same way I do a toaster. It does what it does, there's a single big knob that makes my options clear. If that knob can't make it do what I want then I either learn to live with it or find another toaster. It's never gonna cook a steak for me, and that's fine. I'd rather not have steak or use another device to cook my steak than shun the toaster and try and pan-fry myself toast every morning.

I pay a premium to get an appliance instead of a PC because I _want_ an appliance. I'm happy I can outsource all the decisions and work and keep the brain space free. Sorry if I'm contributing to the downfall of society and freedom or whatever, but I just don't have the time to do anything else anymore.


The big difference between a toaster and your phone is that the phone gets updates. Which, aside from fixing things, also do stuff like change UI. On Android, when Google comes up with some new inane idea for the launcher, I can at least install a different one. On iOS, when Apple does the same, I don't really have a choice other than to go along with it.


> On iOS, when Apple does the same, I don't really have a choice other than to go along with it.

Part of my original comment:

> I don't have to think about how I want the phone to work because it just works the Apple way and if I don't like it I can just get a different phone.

That's a feature to me. I don't spend any brainspace when I'm using my phone on thinking about things that annoy me or things that could be better. Launcher sucks? Does it suck bad enough to make me switch platforms? No? Then it's not worth worrying about any further and so I won't.

When I used Android, knowing I _could_ fix those annoyances meant I _did_ fix those annoyances. That's just not something important for me to be spending my time on, but I know I will if put in that situation.


You're perfectly welcome to have good defaults, but how do those conflict with allowing people to use third-party messaging apps and letting people customize their phone? Your comment isn't a refutation of the argument you're replying to.


> When I used Android, knowing I _could_ fix those annoyances meant I _did_ fix those annoyances. That's just not something important for me to be spending my time on, but I know I will if put in that situation.


The more important difference between my phone and my (non-existent) toaster is, that the toaster won't be connected to any networks (beside the wall-power outlet). While the phone is connected to various outside networks and has a generic computer inside.


You can refuse upgrade on iOS. Apple provides security fixes for some time.


> If Apple were censoring messaging apps I would agree with your seemingly negative sentiment, however, as someone who has pushed out apps to the Apple and Mac app stores, I can say they absolutely do not do that.

Perhaps not in your country, but they've certainly done it before - censoring Telegram in both Russia[0] and Iran[1], for example.

[0] https://www.nytimes.com/2018/05/31/technology/telegram-apple...

[1] https://www.nytimes.com/2018/05/01/world/middleeast/iran-tel...


What’s to stop governments banning RCS?


The fact that more secure alternatives are freely available, and by sabotaging SMS/iMessage they would be losing their wiretap on the nation's text messages?


Are you really suggesting governments requiring those apps be banned from distribution in their jurisdictions shares the context of the post you're replying to?


Yes. As for some other mobile OSs I'm not required to comply with whatever is on their official store, and can just install an app from a different source.


> You say this like it is a bad thing.

It has been a bad thing for me because iOS decided to get me off Whatsapp and forced me to use the much worse Apple message system without me having any say in it.

I have a SE and a relatively older iOS version on it, can't remember exactly which one. I don't have internet banking and don't have very much of a financial presence online, and, as such, I don't care that much about security on my phone (hence the older iOS version).

Some time ago I had checked the "offload apps in case of full disk" option or something like that, with the implicit understanding, from my part, that I could "reload" any of those apps once I would have made enough space available (usually by deleting some older videos and photos). One of those offloaded apps was Whatsapp.

It turns out I cannot "reload" any of those offloaded apps if any one of them doesn't support my iOS version anymore. Whatsapp doesn't support my iOS version anymore, hence I cannot "reload" it, hence I cannot use it anymore. Trying to install the exact Whatsapp "version" that used to work perfectly fine on my phone is, of course, impossible. This is very unsatisfactory for me.

And back to the subject at hand, of course that Apple can't hold a candle when it comes to more mature messaging systems like Whatsapp (I haven't used Telegram and Signal). The "upload photos" experience in iMessage is day and night worse and less intuitive compared to Whatsapp. I also don't know if iMessage has any builtin groups and, even if it were to have, it would be of no use to me because more than half of my friends and acquaintances don't own an iPhone so they can't use iMessage.


I’ve been able to download apps that require newer OSes on iPhone. If I have downloaded it before, it lets me download the last compatible version. Is this not the case with WhatsApp or something?


Yes, I have the “cloud”-y thingie close to the WhatsApp icon, meaning it is offloaded. When clicking on the item to “load” it again it tries to do just that, only to give me an “Unable to download” message (or something similar) a few seconds later. I’ve tried searching for the app directly in the AppStore, I cannot find it anymore, presumably because of that older iOS I have running. Forgot to mention, the same happened to me with the Google Maps (?!) app also last year or so.


> It turns out I cannot "reload" any of those offloaded apps if any one of them doesn't support my iOS version anymore.

You can – unless the application publisher decides to disable this. It sounds like Facebook disabled your ability to install an older version of WhatsApp that supports the version of iOS you are running. All it would take for this to work for you is for somebody at Facebook to tick a single box that allows their users to do this.


Got it. So it’s a shared blame between Apple de facto uninstalling one of the few installed apps I was using on a regular basis and FB not allowing their app to run on iOS versions that are approaching their estimated end-of-life.

Not sure how that helps users like me, but had you told me 20+ years ago that this was going to be “the state of the art” when it comes to app management (by two of the biggest tech companies in the world) I would have called you crazy. And I was a Windows 2000 user back in those days.

It’s also funny that, in a way, the WhatsApp app was the one that nuked itself. The “full storage” issue had been caused by some of my friends sending constant photos and videos of their cats (and one guinea pig) via WhatsApp, storage gets full, iOS decides to offload the WhatsApp app, I get left out of the app once I’m not allowed to “reload” it anymore. Again, crazy to think that this is the state of the art in app management.


Apple (like Google) gets to decide what the pain points are in their ecosystem, so likewise they also get to peddle the solution.

"Want to sideload apps? No problem, just pay us $99/year for temporary installation privileges!"

"Want to sell your app? Here, just give us 30% of your proceeds."

"Running out of storage? Here's a red-dot notification in your Settings app begging you to pay for iCloud."

I don't think any of these companies will (or should) get out of this antitrust litigation unscathed. The amount of control all of these platform-holders exert is unreasonable, and unless the government steps in we're helpless to stop it.


GrapheneOS.org


Apple also collects timestamps for app usage (iOS and MacOS), tracks Spotlight usage and tracks your iPhone with Find My by default. This insidious behavior is widespread, and saying it's only Google's issue is comically hypocritical. Malware is a rampant issue on both operating systems, both iOS 16 and Android 12 have zero-click exploits that allow completely rooted control of the device.

I'd argue Google competes just fine. If you hate Google, then use AOSP or an AOSP-derived OS; there's not a drop of Google, Apple or anyone code out of the box. Of course, I'd wager that 'privacy and security' don't matter as much to IT folks as brand-loyalty or ease-of-use, so it's all a bit of a moot point in the end. Arguing that either of these OSes is more secure than the other is a bad comedy routine; they're both being spied on by PRISM, they're both vulnerable to NSO Pegasus.


> Apple also collects timestamps for app usage (iOS and MacOS), tracks Spotlight usage and tracks your iPhone with Find My by default

Hmm, as I understand it:

"Timestamps for app usage": notarization checks happen the first time you start a new app, basically like OCSP to enable certificate revocation: https://support.apple.com/guide/security/gatekeeper-and-runt... I dislike online validation and would prefer a revocation list. I also dislike syspolicyd's perpetual, repeated, and CPU-hungry anti-malware scanning. Installing Xcode or enabling developer mode allows pointless online checks to be turned off for scripts in Terminal at least.

"tracks spotlight usage": Siri suggestions https://www.apple.com/legal/privacy/data/en/siri-suggestions... I usually turn this off.

"Find My": a feature that allows you to go to icloud.com and locate your iPhone if it is lost, and also creates its own ad hoc network for finding iPhones. Probably that involves location information. I usually turn this off.

What I'd like to know is: Is there any evidence that Apple is retaining this information and using it for other purposes, for example to build user-specific profiles for advertising the way Google or Facebook might?


> What I'd like to know is: Is there any evidence that Apple is retaining this information and using it for other purposes

Sure; all sorts of data leaves your iPhone in the form of encrypted channels to Apple servers, whether you have telemetry/analytics enabled or not. When you fully power-down your iPhone with Find My disabled, your Baseband modem is still sending and receiving information from nearby cell towers. Apple has created conduits specifically for harvesting and retaining this data, they wouldn't collect it all if this wasn't the case.

Oh, and if you still don't believe me, you should look into some of the more recent PRISM revelations (eg. how iMessage and Find My can be used by law enforcement), or the ways that the CCP uses the data Apple collects for them. There is nothing besides marketing that suggests Apple has a commitment to privacy or security.


> There is nothing besides marketing that suggests Apple has a commitment to privacy or security

That is not what I hear from people who work there.

> you should look into some of the more recent PRISM revelations (eg. how iMessage and Find My can be used by law enforcement), or the ways that the CCP uses the data Apple collects for them

I'd be interested in references/citations if you have them.


> I'd rather live in a world with spam than a world where corporations get to decide what I run on my devices, and cripple a bunch of critical applications if I decide I want to, y'know, actually do whatever I want with the hardware I own.

Egads, no. The abuse heaped on me by Apple pales in comparison to the spam phone calls and emails I get. If I start getting spam via iMessage, I'll be an extremely unhappy camper. It already happens with text messages and that's bad enough.


Sounds like other people in this thread already get a lot of iMessage spam, so I guess you've just been lucky? And it shows that this attestation junk doesn't actually curb the spam problem, so it's just an analogue of security theater.

Anyhow, sure, if you want to give away your freedom to actually own your devices, just so you don't get spam... I guess that's your choice. I just don't want to be locked into a system where that's the only choice.

Regardless, iPhones also receive SMSes. If it's impossible to spam over iMessage, they'll just use SMS. If it becomes impossible to spam over SMS, then presumably Apple can implement similar measures for iMessage that don't require us all to have hermetically-sealed, locked-down devices.


> Sounds like other people in this thread already get a lot of iMessage spam

Same folks who didn't realize that all messages show up in the same color, the blue bubbles only happen when you send. They're getting SMS spam.

> I just don't want to be locked into a system where that's the only choice.

Who's locked in? I can and have switched back and forth between iPhone and Android devices. My contacts are sync'd between them, calendar, mail, all of it just works either way. Only reason I'm back on iPhone right now is because the churn (and by extension, TCO) is significantly lower. If the calculus changes on that, I'll jump ship again, no big deal.


> Who's locked in? I can and have switched back and forth between iPhone and Android devices.

The cost to switch is not trivial for most of the world. And the cost of iPhones is high compared to the alternatives.


> The cost to switch is not trivial for most of the world.

Why not?

> And the cost of iPhones is high compared to the alternatives.

Given that the discussion is about switching from Apple being hard, this seems like the opposite of the point you're trying to make.


> Why not?

Because iPhones and Androids of comparable quality are not cheap. And many people don't know how to move their data and photos among devices regardless.

> Given that the discussion is about switching from Apple being hard, this seems like the opposite of the point you're trying to make.

You said you switched back and forth repeatedly. I was responding to that, since I view it as a luxury not everyone can afford. And folks who've sold an organ to get a blue bubble may have some sunk-cost fallacy to overcome even if they're only going from Apple to anything else.


> Same folks who didn't realize that all messages show up in the same color, the blue bubbles only happen when you send.

Doesn't seem that's the case. Folks have followed up confirming that the messages are coming over iMessage, and not SMS.


The spammers mass send an SMS spoofing a number that has iMessage. When you reply, it goes to an iPhone in the spammer's hand. That way they don’t have to navigate millions of messages on the phone. Using things like blue bubbles, they can even interact via API and use a CMS.


Did you think “no spam ever” was the pitch? Then you misunderstood.


iMessage users don't get spam from other iMessage users. Also, iMessage lets you filter out 'known' and 'unknown' senders. Apple also will automatically flag/block certain messages if they are clearly spam.


> iMessage lets you filter out 'known' and 'unknown' senders

Nitpick, that's not an iMessage feature, but a "Messages" feature -- the app. The filtering applies to both iMessage and SMS.


Apparently PRISM has not been a wake up call.

What do people need? Apple coming and killing their cat?


Even knowingly using child labor wasn't enough [0] - or people just don't know about it, so spread the word please. This is how Apple actually cares about children unlike what their PR says [1].

[0] https://news.ycombinator.com/item?id=25607386

[1] https://news.ycombinator.com/item?id=28309202


> I'd rather live in a world with spam than a world where corporations get to decide what I run on my devices,

Why do you present this as a binary choice?

Why do I need to suffer at the whims of your wants and needs? Why are you so hellbent on advertising your opinion in this binary manner? Don’t like iMessage? Use something else. Nobody is stopping you. Why do you feel compelled to bring the conversation back to this weirdly obsessed and diluted dilemma where you see a first party solution and start kicking and screaming incessantly?


> rather live in a world with spam than a world where corporations get to decide what I run on my devices

So use Android! I have friends with Android. We use WhatsApp abroad and SMS at home. The messages are green and I can't tapback. That's it!


This thread is about a hypothetical situation where Apple allows iMessage on other platforms (such as Android), but only on platforms that can securely attest that they have not been modified.

Yes, I use Android, but would like to also be able to interoperate with iMessage. But I don't want to be stuck in a (for now hypothetical) state where I have to choose between using iMessage and being able to do what I want with my phone.

> We use WhatsApp abroad and SMS at home. The messages are green and I can't tapback. That's it!

SMS has ordering, latency, and delivery issues. You also cannot send media over SMS, and MMS has size limits for media that were set decades ago. Any video you send over MMS will be recompressed to the point where it'll be unwatchable. SMS also does not support group chats. MMS does, but delivery and message ordering issues are even worse there, and group chats are inflexible; for example you can't add new people to an existing group chat, or remove existing people.

I do use WhatsApp, grudgingly, for some people who refuse to switch to something else, but I'd like to reduce my reliance on things owned by Meta/Facebook.


But group chats don't work over SMS. That's a big deal-breaker IMO.


> group chats don't work over SMS

I have multiple group chats running with mixtures of iPhone and Android users.


You're using MMS for those group chats, not SMS.


Yes indeed, and some networks here in Europe don't support MMS anymore.


I'm pretty sure I've had group chat work over SMS in Australia, much to my dismay.


It was probably MMS, not SMS. SMS does not support group chat, but MMS does.


> I'd rather live in a world with spam […]

That is a personal choice, and I choose to not have spam on my phone. Several months ago I was subjected to a floodgate of good ol' fashioned SMS spam that lasted several weeks. There was no way to stop the spam because the phone was receiving it through the legacy SMS channel coming specifically from Android devices infected with Flubot; the bulk of spam now comes from unpatched Android devices because hardware vendors stop releasing security updates after a short cycle, or due to loose default app permissions set on the device. I ended up creating a support ticket with my mobile telco and soon I received the following reply from a human being:

  What you have encountered is, as you may have guessed, not a legitimate SMS notification.
  This particular message is designed to entice you to click on a link, and doing so would potentially expose your device to malicious software.
  This malicious software is trying to target Android devices, so, if you are an Android user, you should take particular care with such messages.
  Note that you may receive this message even if you do not use Android devices - the website link is simply being sent to a number of random telephone numbers in the hopes that an Android user will receive it, and manually bypass the built-in security protections and install the malicious software presented by the website.
  In other words, if you use an iPhone, you can still receive these SMS messages (often claiming to be relating to a voicemail or parcel delivery), but there is no direct risk to your iPhone by simply receiving the SMS.  Nor is there currently any risk to your iPhone if you happen to click on the link that is in these SMS messages.
  If you use Android, you should avoid permitting your device to install any software that did not come from the official Google Play store.

> … where corporations get to decide what I run on my devices …

Corporations, such as Google, make decisions for users without getting their consent or informing the users. If you sign into a Google account in a web browser on your phone, for instance, the sign-in will also silently and non-consensually sign you into your Google account across all Google apps installed on the device without informing you.

The corporations, good or bad or anything in between, must be bound by the code of conduct they ought not to be allowed to get out from: must request the explicit user consent first.


> That is a personal choice, and I choose to not have spam on my phone.

The problem here is that we are talking about a (possible, hypothetical) measure that blocks spam, but requires phones to be 100% locked down and unmodified from the factory. I categorically refuse to accept that sort of thing. If you will accept that, then you are a part of the problem.

In reality, though, there are plenty of ways to combat spam that do not require us to have locked-down phones and move closer and closer to a corporate nanny state. Your shitty telco is actually fully capable of blocking spam like what you've received, but they have chosen not to.

> Corporations, such as Google, make decisions for users without getting their consent nor without informing the users.

Sure, but at present I can wipe my phone and install GrapheneOS or CalyxOS or whatever, and Google will not be able to make any decisions as to what I do on my phone.

I get that they make other random decisions for us. Sure, that's inevitable. If I want to use Google Docs or whatever, they will make decisions about how my data is used, and what features are present in the product, etc. I accept that, and am ok with that. But if I'm sold a piece of general-purpose hardware, I expect to be able to do whatever I want with it.

> If you sign into a Google account in a web browser on your phone, for instance, the sign-in will also silently and non-consensually sign you into your Google account across all Google apps installed on the device without informing you.

Maybe if you use Chrome, but... I don't. So that doesn't happen to me.


> The problem here is […] I categorically refuse to accept that sort of thing.

It is a perceived problem specifically for you (and, based on the arguments presented so far, it appears to be solely based on the personal dislike rather than on objective grounds). If you refuse to accept it, that is solely your personal choice, and I, for one, have no objections to you being able to exercise freedoms to make your own choice(s).

> If you will accept that, then you are a part of the problem.

You have neither moral nor any other right to inflict the sense of collective guilt upon anyone, including myself, who has an opinion distinct from that of yours. What is an adjudged problem for you, is a feature (and not a bug) for some, and is a conscious compromise for some others. I am in the latter category as I have consciously consented to the trade-off after weighing up pros and cons of alternatives existing at the time – it became my personal informed choice.

> In reality, though, there are plenty of ways to combat spam that do not require us to have locked-down phones …

Combating text message spam requires a non-trackable, universal digital identity which is a non-solved problem. SMS and RCS do not solve this problem as they both allow a digital identity to assume one persona exactly: the device owner's phone number. iMessage, on the other hand, offers a stop-gap solution and allows iMessage users to assume one of the many personas (either a default phone number or one of the email addresses registered with iMessage), and it allows the user to select the specific persona of their own volition. Countering spam is a bonus and optional feature that comes as a byproduct of the iMessage way of tackling the identity management, and is not a requirement. Allowing multiple personas in iMessage also allows the user to disassociate themselves from their phone number, change it however frequently they want yet allow their friends circle and relatives to stay in touch via another persona (email address(es) registered with iMessage) – a useful feature when the iMessage user moves to live overseas.

A successful and a badly needed replacement for SMS (the protocol) will have to solve the identity management problem (as well as a morass of present SMS and RCS security vulnerabilities) first before it can become a viable option. And only then, it will have to be pushed out in a centralised manner (e.g. become a mandatory requirement for all 6G or 7G networks) so that no mobile telco would have a chance to opt out from the text messaging protocol upgrade. The adoption of such a standard will take years, though, as users won't instantly upgrade their devices overnight, so the interoperability between GSM and new style text messages for some time will look exactly like it does today between SMS and iMessage.

As for Google crying foul on not being able to interoperate with iMessage, in reality they are shedding crocodile tears and are not telling you what they actually mean by that. Google wants to track every text message to a user across both major mobile platforms (Android and iOS) AND beyond, which is something they can't do today. SMS does not offer a unique transferrable digital ID (other than IMSI which gets incised out once a message hits the SMSC), therefore Google can't link the user to activities on their smartphone to wider activities across all of their devices and the web as mobile phone numbers are not typically used for web browsing and in general app use.

Apple controls the passage of the Rubicon (iMessage) that, once crossed, would instantly allow Google to find a creative way to track users, so Google wants that (in the same vein as Facebook does). Yet, Google is being coy about their true intentions.

> I get that they make other random decisions for us. Sure, that's inevitable … and move closer and closer to a corporate nanny state.

I vehemently and vociferously object to corporations encroaching on our larger freedoms, and, regretfully, strict regulation and even stricter enforcement of the regulation appears to be the only way to accomplish it.

> Sure, but at present I can wipe my phone and install GrapheneOS or CalyxOS or whatever, and Google will not be able to make any decisions as to what I do on my phone […] But if I'm sold a piece of general-purpose hardware, I expect to be able to do whatever I want with it.

To the best of my knowledge, nearly no-one (apart from Librem) sells general-purpose smartphones today. Each offering comes with a host of pros and cons, yet none of them are either marketed or sold as the general-purpose computing hardware.

Also, the option of wiping an OS is not ubiquitous on Android platforms and some handsets have the hardware that stock and alternative Android distribution may or may not support. Therefore, there is no such thing as a generic Android phone which is what the majority of Android users have. And no, since you are part of the HN congregation, you are not a representative selection of the Android user base.

Apple, on the other hand, sells a package that happens to have a smartphone (or a smartwatch, or a tablet) and an OS (as a conduit into the package), and the nicely wrapped package has well stipulated constraints that one either takes or leaves. Purchasing an iPhone is not mandatory in any jurisdictions that I am aware of, either, therefore the act of purchasing one is also a personal and conscientious choice.

> Maybe if you use Chrome, but... I don't. So that doesn't happen to me.

Ha, the classic «it does not happen on my laptop!» remark.

Sarcasm aside, it is more insidious than that. I had to log into Google using my work Google account in Safari on my laptop, but because Safari syncs the browser cookies and local storage across devices via iCloud (it is another feature I have consciously consented to), the Google account cookies have made it into my phone via an iCloud sync. Next time when I opened Google Maps on my phone, it pulled the Google cookie + stuff out of the Safari local storage, and I was then instantly and silently logged into Google using my work Google account (I degoogled myself years ago in favour of paid 3rd party services and no longer personal Google accounts). Such a practice, apart from being blatantly deceitful, is borderline nefarious, so, with all due respect, I do not buy into Google's crocodile tears about iMessage.


I think the thing you're missing is that the spam countermeasure we're talking about relies on the sender's phone being locked down, not the recipient's. If spammers can get around this by just using non-locked-down phones, the whole thing is pointless. It only works if you require everyone's phone to be locked down.


That is why I mentioned the universal/global, non-trackable digital identity as a solution and a poison pill for the locked down device. Such a digital identity has to be decentralised, resistant to ID theft attacks and a wide range of other attack vectors and, most importantly, be independent of hardware vendors so they could never wield influence over their users.

If an identity can be verified via a presented assumed persona (supplied as a proxy for the identity in question) as a third party identity verification service call, locking down a device becomes redundant (although the hardware vendor will likely continue to do so for other reasons). It does not seem likely that the identity management is going to be solved any time soon though.


> I choose to not have spam on my phone. Several months ago I was subjected to a floodgate of good ol' fashioned SMS spam that lasted several weeks.

If Apple provides an anti-spam SMS filtering service it is completely orthogonal to how much they decide to handcuff their own users.

SMS is not a platform specific protocol and cell phone numbers have their own independent authority (however dysfunctional it may be). So unless you decide to block yourself from the entire world outside of Apple devices, it has nothing to do with being locked down. Locking down a platform from its own users does not intrinsically benefit security or spam prevention, saying so is a false dichotomy, no matter how much Apple spins it.


I never had spam on my Android phone for that matter, but the reliance on manufacturers to supply security updates is a side effect that is primarily induced because the platforms are as locked down as they are.


I hear you, believe me.

But in the past five years, I have received so much call spam that I just don't answer my phone anymore. Imagine that, the primary use of a phone and it's all cocked up.

Imagine what happens to iMessages if they leave it open.

Blame the cretins that spam people.


Sounds like iMessage spam is already a problem (if another poster in this thread is to be believed).

Since I'm on Android, I'm stuck using SMS a lot, since most people I know have iPhones. I do get some SMS spam, but not a ton, and most of it is auto-flagged and I never see it.

> Blame the cretins that spam people.

SMS and voice call spam is actually a solved problem, but carriers have been dragging their feet implementing the solutions (and have lobbied the US government to give them more time). Killing spam does not require our devices to be locked down. Carriers deserve some blame here too.

But I don't really care about blame, I care about outcomes. Blaming spammers isn't going to fix anything. Forcing carriers to implement the required technical measures to stamp out spam... that could actually work.


> Forcing carriers to implement the required technical measures to stamp out spam... that could actually work.

Another desperately needed measure is enabling law enforcement to actually fight spam at the root: follow the money. When the spammers can't monetize their spam, they won't have any incentive to spam and scam.

Uncooperative countries (e.g. India, just look at Mark Rober's YouTube series where he and a bunch of associates track down and prank scam call centers or Turkey which is the German equivalent) should be sanctioned until they are compliant. Letting spammers, scammers and hackers operate in a foreign country unimpeded should be considered an act of war.

Forcing carriers or anyone to implement technological measures (remember the idea to charge people .5 cents to send out emails?) is a worthwhile effort but it's at the core a band-aid at best and the only thing it achieves is to marginally drive up the cost and complexity of service for everyone else while the scammers simply find workarounds.


Blaming spammers is like blaming mosquitoes. What's the point?


You don’t need the world to change for you. Simply use android and live in that ecosystem.


And what if you care about your privacy? Because there is ONE alternative doesn't really mean I have the freedom to choose...


If you care about privacy, you would use Android (or one of the newer open source mobile operating systems).


Use a degoogled phone


SMS spam is real.


I've not had a single SMS/messaging spam message in the last decade. In the UK if that makes a difference, maybe we have effective laws around it? Not looked into it.


I’m also in the UK and received two SMS spam messages last month, which wasn’t particularly out of the ordinary. Both were low effort phishing attempts along the lines of “You have been sent a package that requires the payment of customs fees. Please provide your account information at http://customs.uk.gov.scam.example.xn--horse-sw3b”

I probably get more of those now than the “we’ve heard that you’ve been in an auto accident that wasn’t your fault” robocalls.


I'm in Singapore and when I read this I realised that it's been a long time since I received an SMS spam message. It must be at least 2 years. And even then they were quite rare (one every few months maybe?).

I wonder what different telcos do differently, because I have heard about some countries where you're getting flooded by these things.


In the last 6 months SMS spam has increased a lot for me. A lot of it are random messages like "I'm sorry but please don't message me again!" or "Hey, I really had a great time last night, let's make plans for next weekend!" that basically is reply-bait.


Same here and I've used and shared the same number for at least 20 years. I had no idea SMS spam was an issue until I read this thread


It’s not going to be uniform for everyone. The primary number I’ve used for ages doesn’t get SMS spam at all. A secondary number which probably got recycled from someone else receives multiple spam messages every single day.


Here in Australia I am still getting a few a week.

And we have a loophole that allows politicians to legally spam whenever they want.


I've had maybe one or two spammy text messages in the last decade. My phone number's already in many spammers' databases based on the number of spam calls I get.


But costs real money to send and is severely limited in what it can do. RCS would open the door to lots of new ways to spam and troll people.


Please tell me where I claimed it wasn't.


And I'd rather the opposite and the current situation offers us both that choice.


You’d rather live in that world, many others would choose the low-spam one.


I’m not sure this is either/or though. I have a secure/locked down device with iMessage and an open not-as-nice device for my playground as a programmer and hardware hacker.


Yes. Or let the user choose in settings:

(i) Allow rich non-iPhone messages through for all people.

(ii) As (i) but only for numbers in my contacts list, or who I have replied to.

(iii) Don't allow rich non-iPhone messages. Use SMS.


But to be honest you don’t really need to live in the whole world of spam, if that’s your preference then you can just avoid Apple stuff? You live in the best world of choice


> actually do whatever I want with the hardware I own.

But you don't own the hardware running iMessage.


I agree in principle. But it depends on how much spam and what the corporations are allowing.


You don't think Google can blacklist apps?


You could compile AOSP (and remove any blocks in it) yourself or get a ROM that doesn't block an app. You can't do that with iOS.


True, but we're talking single digits if not less than 1% of the Android population there, regardless of the ability. And if you add Google services you're right back where you started.


Sure, but I'm talking about simply having the capability. If Google started getting ridiculous, regularly censoring apps, deleting data off people's phones, stuff like that, I can easily believe that there'd be a push to make installing an alternative ROM or OS a simple thing to do. Regardless, the option is there. I think there's a ton of value in that, even if the vast majority of users don't avail themselves of it.

With iOS, you live with what Apple lets you do, and that's that.


So live in your world with spam and green text bubbles and blurry images.


It isn't about opening up iMessage. The article is about using RCS instead of SMS/MMS as the fallback. It's a pretty reasonable ask that will raise the quality of service when texting with the majority of the market. They can continue to lock down iMessage however they want.


It's not a "reasonable" ask if you're Apple, selfish, and therefore want iMessage to remain superior to SMS at all costs, because it's part of your luxury appeal.


It's also not reasonable because a lot of countries, also in Europe, do not have RCS support on their networks. Or the right version of RCS.


Most people in Europe don't use iMessage though.


There are literally multiple internal Apple emails released through court testimony where Apple executives clearly explain how important iMessage is to lock-in to iPhone and how if parents can just buy an Android and install an iMessage app it would mean disaster.

In none of these emails is spam or privacy or security even mentioned.

The primary reason Apple is doing it is for platform lock-in, plain and simple. They literally said so themselves internally. Any other explanation is fanboyism.


> There are literally multiple internal Apple emails released through court testimony where Apple executives clearly explain how important iMessage is to lock-in to iPhone and how if parents can just buy an Android and install an iMessage app it would mean disaster.

I’m genuinely interested. Do you have a link?


You misunderstand. I don’t care about Apple’s desire for lock-in at all. I want Google RCS to implement, and make mandatory, secured device identifier attestation. I want to be able to block the actual hardware devices that spam me through carrier messaging. RCS could have offered that, and doesn’t. What a shame.


Why does RCS need to do that? RCS replaces SMS as the baseline interoperable protocol, not the iMessage protocol.


That has nothing to do with allowing RCS alongside SMS and iMessage.

My iPhone gets plenty of spam SMS messages, alongside my iMessage chats. The sanctity of iMessage communications doesn't stop that.

Swapping SMS for RCS support messages doesn't increase the spam surface.


> If Android wants to join the party, then Android phone builders need to implement secure boot with hardware-signed attestation of non-rooted-ness, in the style of Apple T2 + macOS or Microsoft Pluton + Secure Boot. Until then, Apple iMessage will remain single platform.

This exists and has existed for years, via the SafetyNet Attestation API [1].

[1]: https://developer.android.com/training/safetynet/attestation


As indicated elsethread, that API doc expressly declares near the top that it is not usable for device identifiers. Without device identifiers, there is no way to stop spammers.


1. No, you don't need device IDs to stop spammers.

2. I don't think you know what you're talking about. Android supports the device attestation: https://source.android.com/security/keystore/attestation

> ID attestation allows the device to provide proof of its hardware identifiers, such as serial number or IMEI.

https://datatracker.ietf.org/doc/draft-bweeks-acme-device-at...

It feels like you've concocted some narrative to support your incredibly speculative original comment about how Apple does this because spam. You're clearly wrong. You can do attested compute on Android as others have been trying to point out.


Okay, I’ll assume you’re right, which considerably worsens the case for RCS:

Google could have given us device-signed messaging with RCS, so that users and carriers could block devices for spamming regardless of the source address.

Google didn’t. They had the power to do so in RCS using their own APIs, and yet they chose not to offer an effective protection.

How is this failure by Google a selling point for RCS? Why would anyone consider RCS at all without device attestation? We don’t need yet another abuse-laden, unidentifiable-source chat protocol. We need a material improvement in quality of life for users, not a veneer of fancy bells and whistles on top of the same plague of spam as today.


Maybe your hypothesis that device attestation is the answer to spam is just… wrong?

Maybe Google doesn't think you need device attestation to manage spam on a messaging platform. There are numerous examples of apps today that don’t suffer from spam and don’t use device attestation. And there are examples of spam on iMessage.

Furthermore, I can already receive messages on my iPhone from non-iMessage users so I don’t even understand how any of what you’re saying makes sense in the first place. RCS is a protocol (not a platform) that would make the experience of receiving those messages better. It does not add some new attack vector for spammers.

Have you tried using a device with an RCS messenger app and been plagued with spam more so than on iPhone? I switch between devices all the time and have not noticed any difference.

It’s not about spam. It’s about Apple playing lazy/dirty. Hence the OP.


I was replying to this assertion:

> If Android wants to join the party, then Android phone builders need to implement secure boot with hardware-signed attestation of non-rooted-ness, in the style of Apple T2 + macOS or Microsoft Pluton + Secure Boot.

You didn't mention device IDs.


OP clearly doesn't know what they're talking about either, because Android supports signed hardware ID attestation too.


There are literally leaked emails that say iMessage is closed because Apple wants a monopoly in this area.

Yet in every thread recently someone spreads FUD about how, without Uncle Apple's protection, the bad world will hurt you, when reality shows that's a nonexistent problem on other platforms.


I’m celebrating the antispam properties of device attestation, not asking anyone to trust Apple. I’m quite upset that Google RCS doesn’t include device attestation. It would have helped us get rid of text spam in carrier messaging, and made a convincing case for adoption by telcos. Imagine being able to block text spam by the equipment sending it. Imagine being able to block phone spam by the equipment calling you. It’s a missed opportunity for Google and for all of us.


You wrote:

> Most businesses, consumers, and developers universally continue to ignore the primary reason that iMessage is a closed platform, rather than an app on every platform as iTunes is: Apple is using device serial numbers for anti-spam.

That statement is false. The primary reason is that Apple wanted to lock customers into their ecosystem. You can read about it here: https://www.theverge.com/2021/4/27/22406303/imessage-android...

Also, attestation doesn't stop spam (see other responses in this thread) and is a harmful mechanism that will lead to more walled gardens.


This doesn’t work though. I receive enough iMessage spam specifically through Apple IDs that I wish I could disable the ability to message me unless you use a phone number.


That's weird -- my phone number is definitely in some spammer lists (I get so many calls) but I have never once received an SMS or iMessage spam. What kind of things do they send?


Pig butchering mostly. “I am going to play golf with my business partners tomorrow. Will you have time to join us Dave?”

https://www.rrstar.com/story/business/2022/04/30/new-pig-but...


Ah, I've only ever seen that in emails. Annoying!


I believe that is SMS spam originating from outside of iMessage


I definitely get iMessage spam


If you're 100% sure it's iMessage and not SMS, report it to Apple. They can ban that account.


They’ll ban the entire device used to send it, not just the one account. But see also elsethread “wait, how do I know this was delivered over iMessage”, since MMS allows the From field to be an email address.


On the top of the first message it'll either say Text Message or iMessage. If it's an iMessage and you delete the thread without replying, it'll ask if you want to report the message as spam.


How would you prove the account is sending spam? By sending them screenshots? Will they believe you? This could be used to ban a neighbor I don't like. Or does Apple spy on all conversations so they can check themselves? :P


With blue bubbles?


Remember, the color of the bubbles only changes for messages YOU send, not messages you receive. Received messages are always black on grey.


> Received messages are always black on grey.

What on Earth are you talking about?


You only see the colors on messages you send. OP is implying that you wouldn’t know what “color” the conversation is unless you’re actively replying to the spammer.


You can still tell whether it is an iMessage or text message without replying and observing the color. Long-press on the incoming message. If the menu shows: Reply, Copy, Translate, More… then it is an iMessage. If the menu shows: Copy, Translate, More… then it is a text.


The text input box will also say whether it is a text message or iMessage before you start typing anything.


That's cool, didn't know that Apple didn't try to somehow shoehorn threads into SMS (like they currently do extremely poorly with tapbacks and stickers)


Messages you receive are always black text on a grey bubble. What part of this was confusing?

As others have mentioned, you can tell if it's iMessage or not in a few different ways, the send button color, the "Text Message" or "iMessage" label interspersed in the conversation, etc, but if you want to talk about the color of the bubbles, that only applies to outgoing messages.


The gist of the article has been a soapbox of mine for years. We wouldn't stand for "you can only send Gmail email to other Gmail users" (Fidonet people know), and shouldn't settle for similar with messaging. That said, this spam angle is an aspect I hadn't fully considered.


Google closed down their Jabber gateway because they couldn’t stop the endless flood of spam into their userbase. If they had instead required device identifier attestations to accompany all Jabber messages, they could have left that API open for everyone to use, and simply banned device identifiers used for spamming. I wish they’d done so, instead of just giving up and closing their doors to Jabber.


Do you have any good source on why Google decided to shut down their XMPP service? I'd really like to read about it.

Not sure about the spam thing, after all they also provide a federating email service.


This article has some context and links to original sources: https://www.bleepingcomputer.com/news/google/google-talk-to-...


How much effort/development have they put into the spam detection on Gmail?


If you have the ability to detect spam in emails you can probably also detect spam in chat messages.


I used Google Talk pretty much since the day it was released, and I don't recall any "endless flood of spam".


This idea that we need to rely on big Google to protect us is insane. Just make it so that messages from unknown contacts are not as annoying or even hidden entirely unless you go explicitly looking for them.

You don't need to stop federation. You don't need device attestation. These don't benefit the user. They are only there to give the platforms more control.


I used Google Talk actively at the time. Don't recall any spam.


How hard is it to generate new device identifiers?


How easily can you mail a Google calendar item to a Google user, using non-Google software?


Doesn't it fall back to a .ics file?


Very easily. The ICS standard is supported by everything.


Calendar sorta works -- the meetings yes, but things like suggesting a new time or co-viewing calendars to find a time don't.


This is a lawyer excuse. I've had Signal for years and the number of spam messages I've received over it is none. It's not a real problem.

SMS on the other hand... but iPhones receive SMS too, don't they?


I get like two spam SMS a year. And my SMS app always properly flags them as being spam/scams. This really is such a terrible excuse.

It's also ignoring the root issue. Adding RCS to iMessages doesn't affect the spam. You'll still get it from both SMS and RCS.

Apple not adding RCS is 100% due to keeping market share.


> I get like two spam SMS a year.

Consider yourself lucky. I get hundreds.


In recent months I get about 2 per week.


In recent weeks I get two per day. I don't know what's changed.


I've seen SMS spam maybe 3 or 4 times ever. Before Signal started permanently storing sensitive user data in the cloud (and refusing to update their privacy policy) I was using Signal for both secure communication and SMS/MMS and since I've moved away from them I still don't see any more spam now than I did then. I think the solution for the spam problem has a lot more to do with not giving your cell phone number out to every company who asks for it than it does what client you're using to read/store messages.

Of course the real solution should be on the network's end, but not giving out your number to any businesses is probably the best thing you can do while still accepting random texts from anybody.


Hate to be the bearer of bad news but that’s because Signal is teeny tiny. If Signal makes it to a billion users I guarantee it will happen to them.


SMS is bigger than even iMessage, so if you can spam everyone with iMessage and more by using SMS, why would anyone bother with iMessage?


Bigger doesn't necessarily mean more profitable.

iMessage is full of profitable phone owners.


That receive messages over SMS in the same app...

What's the advantage of iMessage spam? Group chat spam? Higher quality video spam? Is that worth all the effort to do your spamming only on Apple devices?


Easy targets.


Signal is not a profitable target for spammers. Those using it are least likely to be caught by spam.


You can build a hackintosh, generate a serial number, and get on iMessage without any fully-authenticated hardware or even a legitimate secondary Apple device. Spammers use these setups to iMessage spam to great effect.

I think the onus is on Apple to open the platform.


And yet I get plenty of spam via text on my iPhone. What is more, I cannot block numbers from texting me (unless there's an option I haven't found). What is more, a clearly spam text will stay as an alert number grabbing at my attention until I open up and see whatever spam image text was sent my way to dismiss it which is surely a security risk.

I used to work at Apple but this messaging stuff is really damning.


How does unmodified software relate in any way to the ability to console-ban bad actors? It's Apple's servers, Apple's accounts, and Apple's devices. They are perfectly capable of burning a private key into the fuses of every device they sell, keeping a revocation list, and requiring a valid signature from an unrevoked key to log in and send messages. You can't get around that with any quantity of homebrew or custom software. Same reason that you don't see spam on Nintendo Switch games - if Nintendo bans your hardware you're not getting back online unless you buy a new Switch, and that's enough of a cost to make spam uneconomical. You can't do that with Android because maintaining a single revocation list across many manufacturers would be impossible - or because Google would have to host it and they'd get mobbed by angry HNers frothing at the mouth about their privacy - but Apple is totally capable of it and already gets a free pass on whatever walled garden shenanigans they can imagine.
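The server-side check that comment describes (a per-device key, a revocation list, and a valid tag required on every message), sketched as an added example; it is not part of the thread and not Apple's or Nintendo's implementation. HMAC with a per-device key stands in for the fused private key and public-key signature because Python's standard library has no asymmetric signatures, and every name, serial and secret below is constructed.

```python
import hashlib
import hmac
import json

# Constructed demo secret. In the design described above each device would hold
# its own fused private key and the server would verify a public-key signature.
PROVISIONING_SECRET = b"constructed-demo-provisioning-secret"


def device_key(serial):
    """Key provisioned into one device at manufacture (hypothetical derivation)."""
    return hmac.new(PROVISIONING_SECRET, serial.encode(), hashlib.sha256).digest()


def _payload(serial, account, counter, body):
    # Canonical encoding of everything the tag must cover.
    fields = {"serial": serial, "account": account, "counter": counter, "body": body}
    return json.dumps(fields, sort_keys=True).encode()


def sign_message(serial, key, account, counter, body):
    """Client side: attach the device serial and a tag made with the device key."""
    tag = hmac.new(key, _payload(serial, account, counter, body), hashlib.sha256)
    return {"serial": serial, "account": account, "counter": counter,
            "body": body, "tag": tag.hexdigest()}


class MessagingGateway:
    """Server side: the only place where the ban is enforced."""

    def __init__(self):
        self.revoked = set()      # banned device serials
        self.last_counter = {}    # serial -> highest counter seen (replay guard)

    def revoke(self, serial):
        self.revoked.add(serial)

    def accept(self, msg):
        expected = hmac.new(
            device_key(msg["serial"]),
            _payload(msg["serial"], msg["account"], msg["counter"], msg["body"]),
            hashlib.sha256,
        ).hexdigest()
        # 1. The tag must verify under the key of the serial being claimed.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-signature"
        # 2. The ban is keyed on the device, so a fresh account does not help.
        if msg["serial"] in self.revoked:
            return "revoked"
        # 3. Reject replays of an earlier, still-valid message.
        if msg["counter"] <= self.last_counter.get(msg["serial"], 0):
            return "replay"
        self.last_counter[msg["serial"]] = msg["counter"]
        return "accepted"


if __name__ == "__main__":
    gw = MessagingGateway()
    key = device_key("SERIAL-A")
    print(gw.accept(sign_message("SERIAL-A", key, "first@example.test", 1, "hi")))
    gw.revoke("SERIAL-A")
    print(gw.accept(sign_message("SERIAL-A", key, "second@example.test", 2, "hi")))
```

Client software never enters the decision: a modified client can change what it sends, but it cannot produce a valid tag for a serial whose key it does not hold, and its own serial stays on the revocation list.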


Attestation is a service that can only be provided by the builder of the phone. Most commercially available Android phones provide this, and banks and DRM rely on it. https://developer.android.com/training/safetynet/attestation and https://developer.android.com/google/play/integrity/overview


That API is not useful for anti-spam purposes, as individual devices cannot be banned for spamming by their serial number. Quoting that page:

> The API is not designed to fulfill the following use cases:

> Contain signals for app-specific use-cases, such as device identifiers


Android does provide device attestation via Keymaster 3 and has for years: https://source.android.com/security/keystore/attestation

SafetyNet does not specifically give you a device ID, but keystore attestation does. SafetyNet is a higher-level API used to verify you're in a trusted compute environment (which is also sufficient for anti-spam, btw). The keystore attestation API provides everything you need to acquire signed data directly from the HSM with things like device IDs and security trust level baked in.

You need to read up: https://datatracker.ietf.org/doc/draft-bweeks-acme-device-at...


That can be built trivially using this API. The app stores an identifier, which it knows has not been tampered with because of attestation. Giving apps access to a unique device identifier shared across apps is a privacy leak but can be obtained with the proper scary permission.


> Giving apps access to a unique device identifier shared across apps is a privacy leak

Correct: 'Non-heuristic antispam' and 'Private device identifiers' are incompatible requirements, unless you introduce another expensive obstacle to overcome. Spamming depends on cheap/free sock puppet accounts. The cost per account is inversely proportional to the value it holds to spammers. That cost can be in Apple's iMessage terms: $100+ per serial number, all devices must include burned-in serial number attestation in their server communications. Or that cost can be in bureaucracy: $10 per notarized "account signup request with verified citizenship", but now all communications can be associated with the notary's logs of your citizenship ID number.

There is no way to stop spam without incurring one or another cost to each user. Apple's method doesn't care who you are, so long as you possess Apple hardware. The Pluton method wouldn't either. What other methods exist that are unconcerned with the exact identity of the user, but still make spamming unprofitable?


I mean, maybe expensive dongles should be a thing of the past and Apple should invest in machine learning a bit more. My Pixel does a great job filtering out SMS spam, with 2 false positives (both automated messages) and zero false negatives in the last month.


I have received a single iMessage spam message in ten years, total. You would have, statistically, received at least 240 false positives in that time assuming current heuristics technology. I don’t think heuristics are the answer if your goal is Project Zero Spam.


My goal is not project zero spam, my goal is interoperability and the end of expensive dongles.


I just showed how Apple could implement exactly its method on Android. I'm not sure why you're looking for other methods.

As far as private antispam, you can imagine a hashcash-like system that takes into account how many messages you've accepted from the sender, but this is a completely different discussion.
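The hashcash-like idea mentioned in that comment, worked through as an added example that is not part of the thread: the recipient demands a proof-of-work stamp whose difficulty drops with the number of messages it has already accepted from the sender, so no device identifier is involved. `BASE_BITS`, `STEP_BITS`, the stamp format and all names are assumptions chosen for the demonstration.

```python
import hashlib

BASE_BITS = 14  # work demanded from a never-accepted sender (assumed value)
STEP_BITS = 4   # discount per previously accepted message (assumed value)


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_digest(sender, recipient, body, nonce):
    # The stamp is bound to sender, recipient and message, so one stamp
    # cannot be reused to reach a second recipient or carry a second message.
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return hashlib.sha256(f"{sender}|{recipient}|{body_hash}|{nonce}".encode()).digest()


def mint(sender, recipient, body, bits):
    """Sender side: search for the first nonce meeting the demanded difficulty."""
    nonce = 0
    while leading_zero_bits(stamp_digest(sender, recipient, body, nonce)) < bits:
        nonce += 1
    return nonce


class Inbox:
    """Recipient side: per-sender difficulty policy and stamp verification."""

    def __init__(self, owner):
        self.owner = owner
        self.accepted = {}   # sender -> messages the owner chose to accept
        self.spent = set()   # digests of stamps already used

    def required_bits(self, sender):
        return max(0, BASE_BITS - STEP_BITS * self.accepted.get(sender, 0))

    def mark_accepted(self, sender):
        # Called when the owner replies to or otherwise accepts the sender.
        self.accepted[sender] = self.accepted.get(sender, 0) + 1

    def deliver(self, sender, body, nonce):
        digest = stamp_digest(sender, self.owner, body, nonce)
        if digest in self.spent:
            return False  # the same stamp was already spent
        if leading_zero_bits(digest) < self.required_bits(sender):
            return False  # not enough work for this sender's standing
        self.spent.add(digest)
        return True


if __name__ == "__main__":
    inbox = Inbox("bob")
    nonce = mint("stranger", "bob", "hello", inbox.required_bits("stranger"))
    print("stranger hashed", nonce + 1, "candidates:",
          inbox.deliver("stranger", "hello", nonce))
    for _ in range(4):
        inbox.mark_accepted("alice")
    print("alice now needs", inbox.required_bits("alice"), "bits")
```

Each extra bit doubles the expected number of hashes, so a stranger pays about 2^14 hash evaluations per message per recipient under these assumed values while an established contact pays nothing.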


You can disable Secure Boot on a Mac and still use iMessage.

In this state, it would still be theoretically possible to attest to some kind of unique hardware ID, as the Secure Enclave is still locked down. But even if it weren't, it would be good enough to just distribute a unique key with each device. Sure you could take it off the device, but who cares? If it got banned, you'd still need to buy a new device for a new key.

…But given the sibling comment (by pxeboot) about using iMessage in a VM, I'm not sure whether any of this is actually done.


iMessage works on Hackintosh too


Spamming doesn’t, however, as it requires a lot of serial number lookups and creates a very identifiable trail of behavior just to get a single device working. Scaling that process up to spamming would be unprofitable and risk being caught.


“I am concerned that the iMessage on Android would simply serve to remove an obstacle to iPhone families giving their kids Android phones,” Craig Federighi, Apple software senior vice president, wrote in 2013.

They'll find another reason not to implement it on other platforms.


Consider whether Apple has changed their position about shipping key functionalities of their platform to non-Apple devices in the decade since then, in light of (for example) their purchase of and continued offerings of Android-friendly Beats products, their beta of Apple Music as a webpage in any browser, and their TV services app spreading to every smart television platform that competes with Apple TVs.


Those other products have their own revenue streams. Apple would not profit from allowing access to iMessage without owning an Apple device.


You can't even get their browser on another platform.


Any limitations/restrictions that Apple imposes on their devices that usually provides them some competitive advantage is ALWAYS explained away as 'protecting' the user. It's a joke how often this corporate spin is used as an excuse.


This is a great point which I haven't heard before in this age-old debate.

But until Apple's dominance starts to wane, there's no chance in hell they will provide iMessage for other platforms unless forced by regulation.

If push comes to shove, they can implement heuristics which run texts from non-Apple devices through a harder spam filter. Spam isn't non-existent on the iMessage network, and there already seems to be a rudimentary spam filter in place.


Apple could easily charge $1/mo or $10/year for iMessage on secured devices, with automatic refund and prorated cancellation if no secured device is signed in within a given billing period; and then discount $1/mo if one or more Apple devices are signed in and active during a given billing period. They'd make a billion dollars a month off of secured Android users, without exposing themselves to any new spam whatsoever, and showing Android users that Apple users have a better experience. Win-win for platform marketing and cloud services revenue.

iMessage spam isn't non-existent because sometimes someone tries to spam, gets a few messages out, and then their device gets console-banned. The iMessage "unsend" feature doesn't yet exist in any released iOS or macOS, so it can't be used to hide the spam after the fact.


Hell, they could charge a token amount for un-secured devices, which I imagine could make things prohibitively expensive for spammers.

I would (grudgingly, because the whole thing is just stupid) pay 3 bucks a month or so to be able to message iPhone users from Android without dealing with unreliable message delivery and ordering, and photos and videos pixelated to hell. I have a ton of barely-recognizable videos of my niece and nephews from my sister because she always forgets that sending me video over MMS is a boatload of fail.


I don’t expect Apple to ever allow unsecured devices into the iMessage network.


iMessage worked fine on Jailbroken iOS devices since.. always.


Jailbreaking iOS doesn’t affect the OS on the Secure Enclave chip. Crypto attestations of device identity can be protected from alteration by jailbreakers.


> unreliable message delivery and ordering, and photos and videos pixelated to hell.

Unless I've been an edge case, SMS/MMS has been nothing BUT super reliable on my phones in Australia. Can you provide a demo? I'd like to see what you're talking about since maybe I do have the photos and videos pixelated, I just don't see this.


Because the overlap between spammers and unscrupulous people with credit card numbers is 0?

They're just going to use prepaid cards they scammed from people to buy iMessage and absolutely spam the crap out of that.


Well Apple is going to be forced anyway, the EU's Digital Markets Act will be enforced soon.

And fines are up to 20% of global revenue.


As an iPhone user I do not like EU dictating how Apple software should work at all. The same with chargers as well.

Sure we can all have a discussion about how it should work - but having bureaucrats decide is the worst idea ever.


There's such a thing as overregulation, but when industry fails to act in an upstanding manner they are playing chicken with regulators. Here's the result. The way to avoid this is create an industry body to develop a standard and 'regulate' themselves. It looks bad when you do that, then also flout the standard for greater profit/market position.


As much as I agree with this in principle, there is absolutely no denying that Apple is abusing their power when it comes to consumer lock-in.

I find it very hard to argue against regulation which is only meant to make devices more interoperable. USB-C for charging is mature enough at this point that it seems reasonable to declare it THE charging port.

An interesting - partially ironic - observation here, is that Apple actually designed the reversible USB-C connector and submitted it to the USB-IF - a team of bureaucrats. Bureaucrats, who of course previously were responsible for blunders such as micro-USB-B 3.0, and more recently, the ambiguous shitshow that is the current state of the USB spec.

I wholeheartedly believe that Apple is such a design-driven company that they would actually engage with regulators again (gasp, even the EU), if they were to come up with a better connector design down the road. Everybody wins.


> but having bureaucrats decide is the worst idea ever

I agree wholeheartedly, but what's the alternative? The so-called "free market" (not that such a thing actually exists) clearly has not solved this problem for us.


It's a problem for you only because you want to use iMessage. iMessage is about as far from a monopoly as you can get.


Who else 'sells' iMessage?


So every app is a monopoly now? This is getting ridiculous.


Signal


Explain how please.


I couldn’t agree more. I like the walled garden. I don’t care if some messages are green. If I wanted to have granular control over everything, I’d buy an Android phone. I really struggle to see why some regulatory body should be able to force a company to alter their products unless it’s something that impacts customer safety. There are plenty of alternatives in the market.

I suspect most iPhone users are of a similar opinion or no opinion at all. Sure, here on HN you can find plenty of strong opinions, but the average iPhone user doesn’t care and is happy with the ecosystem and hardware.


Is iMessage a "Number-independent interpersonal communication services (e.g., messengers)"?

It's a messenger but it's based on phone numbers AFAIK--unlike something like WhatsApp.


You can sign up and use an email for iMessage through wifi


Ah. I've only used it as a default SMS alternative on Apple devices including iPhone.


It is, I use it from my Mac Mini without owning an iPhone.


Apple is already not even close to dominant in a lot of EU countries. As a result nobody uses iMessage here (I never get any, nor SMS). That never swayed them to open it up.


> Apple is using device serial numbers for anti-spam, supported by a fully-authenticated hardware and software stack that does not allow user modification.

This can't be true. It is trivial to get iMessage working in a macOS VM with randomly generated hardware IDs.


If it was as simple as that, we would all endlessly be plagued by iMessage spam. It isn’t.


Well, I had like four spam messages from the same people (but different Apple IDs) in the past few months.


It is, but spammers are not clever.


That attitude is what gets people phished. They are generally very clever, but will take the path of least resistance. If you accuse them of anything, it’s laziness.


Roll IPs...? What else is needed?


> the same freedom to modify an OS kernel that hackers desire is also the freedom to spam all users

Yes, and that is absolutely fine. Computer freedom is more important than the ability to prevent spam. It should be illegal to prevent the rooting of devices or even put up any roadblocks for the user. It doesn't really matter how much this freedom impacts their networks. The freedom to run whatever software we want and interoperate with everything without being discriminated against should be our inviolable right.


If that is the main reason, then why not use RCS when communicating with Android devices, and their own proprietary system when communicating with other iPhones? And/or push to add an optional attestation to RCS that Apple can use.


I have two cell phones, Android and iOS. On Android I install my own spam filter message app and see no spam at all. On the contrary, I still get plenty of spam from iMessage.

So I don't think it works.


This is just wrong because as others have pointed out, you can have a fully virtualized macOS environment with no secure boot of any kind and iMessage will run just fine.

Also, since basically every device that receives messages also receives SMS, isn’t this irrelevant?


What do you mean Android doesn't have an analog? It has both secure boot and device attestation. It has multiple APIs that can be used to design applications requiring varying levels of trusted computing context.

There's the high-level SafetyNet API which essentially lets you assert that you're running on a non-modified device running non-modified software in the context of a verified boot:

* https://developer.android.com/training/safetynet/attestation

It also has the lower-level Keymaster 3 API (since 2017) which provides HSM-signed certificates with the device attestation extension, including the system trust level and verified device identifiers:

* https://source.android.com/security/keystore/attestation

* https://datatracker.ietf.org/doc/draft-bweeks-acme-device-at...

Microsoft is the one that's late to the party... And your hypothesis seems pretty dependent on an argument that Apple can't build iMessaging on other platforms because they're the only platform with device attestation. That's simply not true.

If Apple wanted iMessage on other platforms, they've had at least 5 years to build it in the way you theorize must be required.
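
Added example, not part of the thread or any commenter's code: a server-side policy check over an already-decoded key attestation record of the kind the comment above describes, combined with the per-device ban discussed in the thread. The dict layout, sample values and function name are assumptions of this example; field names and enum values follow the Android key attestation schema, and certificate-chain validation is assumed to have been done by the caller.

```python
import hmac

# Enum values as defined in the Android key attestation extension schema.
HARDWARE_LEVELS = {1: "TrustedEnvironment", 2: "StrongBox"}  # 0 = Software
VERIFIED = 0  # verifiedBootState: 0 Verified, 1 SelfSigned, 2 Unverified, 3 Failed


def evaluate_attestation(record, expected_challenge, banned_serials):
    """Return the list of policy violations; an empty list means accept.
    Assumption: the caller already validated the certificate chain."""
    problems = []
    # The challenge is a server-issued nonce; a mismatch means replay or mix-up.
    if not hmac.compare_digest(record.get("attestationChallenge", b""), expected_challenge):
        problems.append("challenge mismatch")
    # A software-level attestation was not produced by the TEE or StrongBox.
    if record.get("attestationSecurityLevel") not in HARDWARE_LEVELS:
        problems.append("not hardware-backed")
    rot = record.get("rootOfTrust")
    if rot is None:
        problems.append("no root of trust")
    else:
        if rot.get("verifiedBootState") != VERIFIED:
            problems.append("boot state not Verified")
        if not rot.get("deviceLocked", False):
            problems.append("bootloader unlocked")
    # The attested serial is what a per-device ban would key on.
    serial = record.get("attestationIdSerial")
    if serial is None:
        problems.append("no attested device identifier")
    elif serial in banned_serials:
        problems.append("device banned")
    return problems


# Constructed sample records (not real device output).
NONCE = b"constructed-nonce-01"
STOCK = {
    "attestationChallenge": NONCE,
    "attestationSecurityLevel": 1,
    "rootOfTrust": {"verifiedBootState": 0, "deviceLocked": True},
    "attestationIdSerial": b"SERIAL-A",
}
UNLOCKED = dict(STOCK, rootOfTrust={"verifiedBootState": 2, "deviceLocked": False})
SOFTWARE_ONLY = dict(STOCK, attestationSecurityLevel=0, rootOfTrust=None)

if __name__ == "__main__":
    for name, rec in [("stock", STOCK), ("unlocked", UNLOCKED), ("software", SOFTWARE_ONLY)]:
        print(name, evaluate_attestation(rec, NONCE, {b"SERIAL-B"}) or "accept")
```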


There are multiple public bypasses for SafetyNet. Many 3rd party roms provide them out-of-the-box. Granted, Apple's attestation is bypassable as well.

Furthermore, others mentioned that a large portion of SMS-spam originates from the FluBot infected Android devices. Well, the only reason FluBot does not infect iPhones is laziness - it is perfectly doable at scale using custom configuration profiles.


Yep, good point. Are there bypasses for the HSM-backed signed attestation?


> Until then, Apple iMessage will remain single platform.

This seems to be a strawman - no one is asking for cross-platform iMessage, just for Apple to upgrade its officially-supported cross-platform messaging stack (SMS) from the 90s.


That is just ridiculous.

I don't get random spam on Matrix/Element... it even handles video calls and more...

Do you get spam calls on your iphone?


I do get random spam on Matrix/Element, a couple of times a month. I am in some big public channels though, which may make me a lower hanging target to find my matrix ID to send spam to


Yet…

But seriously, we all know spam and abuse from bad actors is a huge problem for any sort of platform. Email, phone calls, physical mail. Sometimes people will put fliers on your car window to spam it.

Same with VPS providers. Even my router gets random pings and port scans. Forums have to fight bots. It goes on.

I have even gotten iMessage spam, which can easily be reported.

It comes in waves and goes away.


I get spam on Matrix. And Matrix is hardly used so these are just people trolling rather than having some kind of organized entity behind it. As far as I know there are really no anti-spam measures on the network.


The number of people using Matrix/Element is so small and relatively sophisticated that it probably has a super low expected value for spammers.

Not true for iMessage at all...


Matrix userbase is much larger than IRC. In my experience IRC spam is still worse, but matrix spam will grow more common as the platform grows. But matrix.org devs are aware and have some plans for spam. Distributed/federated reputation...


I mean... the spam texting I get is annoying, but it doesn't seem much different between iOS vs. Android devices...


iMessage spam has been through the roof for me the last couple of months. 1 or 2 messages a day with no obvious reporting mechanism. Whatever Apple is doing, it’s not working and it’s disingenuous to claim this is the reason iMessage isn’t on Android.


From the tech emails it seems they're more concerned about lockin than security.

https://twitter.com/techemails/status/1463558823109660677?la...

>short version - don't make mail, calendar, iMessage work on Android and it's impossible to switch


> https://twitter.com/techemails/

Slightly off-topic, but wow. What an absolutely brilliant twitter account.


So the reason to track and identify every app on every device and have a switch to remotely brick it is to reduce spam?

My BS detectors just tripped.

Would you be ok if your home had the same "security" features? Say BigCo home builders install a front door, sensors, cameras and scanners in your home that allow them to monitor, track and remotely lock you out of your home, your water and power supply? Their reason? ... so that they can shutdown "bad neighbors" and keep the neighborhood "clean". And remember there's no fkin way you can get rid of those scanners, cameras and other control mechanisms.

But ya'know they gave you a piece of paper that says "we respect your privacy" with BigCo logo on it?

I don't get why Apple, MS or anyone should be able to get away with this.


I never get spam on any other networks either. Be it WhatsApp, telegram, signal or even matrix.

It's not that big a problem apparently, and doesn't require giving up that much control.

On the other hand I social never use iMessage. It's not very popular here in Spain at all because of the Apple-only thing. Android is far bigger in marketshare here.


A good enough and low hanging fruit solution to spam is an allowed list. Generally allow contacts (initially at least). Track spam feedback by age against contacts.

If someone does end up in a spam list (and they don't rack up a high score across multiple targets), let them know they're in such a list and where to start looking to resolve that issue. A good enough solution for this is to have number carriers attest to have verified the government issued ID of the individual in question; and if spam happens shortly after that to yield the government ID number of that individual.

An alternate form I've considered, for email, is to pay a postage (transfer + storage) micro-transaction fee, and possibly an attention fee for prompt review. The custom might be to refund these in cases of legitimate messages.


I have received zero spam messages over iMessage in maybe ten years, without using an allow list. Why, as a consumer, would I tolerate the degree of effort you describe when I have a perfect zero-effort solution available today?


But... this is ridiculous on its face. SMS and iMessage both live in the Messages app. The only thing you achieve by locking down iMessage is that spam messages appear as green bubbles in Messages instead of as blue bubbles in Messages. It does literally nothing to prevent spam.


I'm having trouble understanding how this is a good solution... If a customer purchases a used iPhone from another person, and that person had used it for spam, is the customer now screwed and unable to message their friends without buying a new phone?


This is about adopting RCS, NOT about pushing iMessage to other platforms.


This post is about Google pushing RCS to other platforms. I’m pointing out why their competitor, Apple, has not done the same with RCS’s competitor, iMessage. It’s an apples-to-apples comparison, and I consider it relevant to be mindful of this particular difference when considering RCS.

Google could have implemented crypto-signed device identifier attestation as a mandatory requirement for RCS, which would have given them considerable leverage against iMessage. Why wouldn’t they? What was more important to them than stopping texting spam?


> This post is about Google pushing RCS to other platforms.

RCS doesn't belong to Google. It's a standard.


> which would have given them considerable leverage against iMessage.

Citation needed.


> and that is a key deliverable of Pluton

But there are very important key disadvantages that come with that. And I don't believe fighting spam is Microsoft's MO. Just open Edge and look at the ads. This is very close to selling penis enlargement pills.

"device hackers" - seriously? You mean people that like to have control over what their devices do. Installing software you want should never be hacking.

That aside I am very skeptical of forcing Apple to open their messaging. The responsibility to choose a different medium is on the user.


Apple apologists always find some wacky reason to justify things, but this is the first I’m hearing of “iMessage exists to prevent spam”…

Have you used WhatsApp or Telegram? Neither need hardware attestation. No spam, in the decade I’ve used them. I have an iPhone and a Pixel, neither have spam.

Unless the gov allows free-for-all SMS, which is not the case in the continents I’ve lived in. Sounds like a uniquely US problem, which iMessage can’t stop? You still get them, and Apple just hides them in a folder.

What are you on about really?


> This permits Apple to simply “console ban” any Apple device that spams on iMessage.

This does nothing to protect users from non-Apple devices.


Or this is because more iTunes users means more potential customers for their iTunes store, i.e. more revenue when it is cross-platform. While opening up iMessage will not increase their revenue but makes it easier for people to switch to other platforms such as Android.

It is not like other platforms cannot deal with spam...


Are we really at the point where letting a corporation decide what we can/cannot do on our own hardware is a good thing now?

Though the more I think about it the more I realize that we are indeed already at that point, and people really think that's a good thing. That's really sad to me.


You're talking as if spam via text messages is a common occurrence? I've had maybe one spammy text message on Android in the last 10 years, even though most websites I use have my phone number. Spammy phone calls are constant, but Apple doesn't do anything to prevent that.


Since iMessage is restricted to those with an Apple ID, what's stopping them from releasing cross-platform apps that function only if the user has a valid Apple device? I think it's a business choice, not a spam one.


> Apple is using device serial numbers for anti-spam, supported by a fully-authenticated hardware and software stack that does not allow user modificatio

Ah, perfect tracking. Let's add that to Pluton list of promises.


I literally never receive spam on telegram. And I have been using it for years. And by never I really mean never. I'm very doubtful spam is the crux of the issue here.


The device still receives SMS messages, which makes all that wonderful iMessage security completely useless when receiving spam SMS messages with fake headers.


Would it be possible to have Android devices that have attestation, but with a one-way switch to disable attestation and allow users to root?


Android does have it. OP is making ridiculously false claims to support some incredibly speculative spam prevention narrative that simply isn't true.


What’s the point though. People still receive spam that doesn’t originate in the iMessage ecosystem. The end result is the same.


I get iMessage spam every day. I report junk every time, but it seems like they have infinite accounts.


SMS spam isn't a thing on iOS?


I don't see what any of this has to do with Apple not supporting RCS.


Thank you. I have tried explaining this to people but the “freedom” people overwhelmingly flood the discussion and prevent any meaningful debate about it. Of course for them that point is not debatable but still for majority of people no spam is a huge deal.


You can connect to iMessage from a hackintosh though?


Then why do I still get texting spam on my iPhone?

