bgorman · 2 years ago
My prediction is that Apple will start to use attestation (device check) to lock down iMessage. The problem is that this would require a software update for older devices.
kotaKat · 2 years ago
They already partially do.

> Warning: In order to generate the “validation data”, pieces of information about the device such as its serial number, model, and disk UUID are used. This means that not all validation data can be treated equivalently: just like with Hackintoshes, the account age and “score” determine if an invalid serial can be used, or if you get the “customer code” error.

The "customer code" error is a prompt from Apple, basically an attestation failure -- you have to contact Apple Support to get your Apple ID unlocked once you've tripped the failure. Legitimate customers will breeze right through (e.g., just approving your login from your legit device), but Hackintosh users use crafty means to fake their way through the process.[1]

[1]https://old.reddit.com/r/hackintosh/comments/gij9rt/getting_...

blibble · 2 years ago
Remote attestation would mean it's not possible to pull out the binary and run it externally.

You'd need the key from the TPM/secure enclave too, which is much, much harder to extract.

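The point above, that a copied client binary is useless without the device-bound key, can be shown with a small challenge/response simulation. This is an added example, not code from the thread, from pypush or from Apple; it assumes a symmetric per-device key provisioned to the server (an HMAC secret stands in for the asymmetric key a real TPM or Secure Enclave would hold and never export), a server-side allow list of known client code hashes, and single-use nonces so a captured report cannot be replayed. Class names and the sample binary bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical names for this example: SecureEnclave, Device, AttestationServer.


class SecureEnclave:
    """Holds the device key and exposes sign(), never the key bytes themselves.
    A real enclave would hold an asymmetric key; HMAC is a stdlib-only stand-in."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Device:
    """A client that may or may not have access to hardware-held key material."""

    def __init__(self, device_id: str, enclave: Optional[SecureEnclave], binary: bytes):
        self.device_id = device_id
        self.enclave = enclave
        self.binary = binary  # the client code whose integrity is being attested

    def attest(self, nonce: bytes) -> dict:
        """Answer a server challenge; impossible when no enclave is present."""
        if self.enclave is None:
            raise RuntimeError("no hardware key: binary was copied off the device")
        code_hash = hashlib.sha256(self.binary).digest()
        msg = nonce + self.device_id.encode() + code_hash
        return {"device_id": self.device_id, "nonce": nonce,
                "code_hash": code_hash, "sig": self.enclave.sign(msg)}


class AttestationServer:
    """Verifies reports against keys shared at provisioning time."""

    def __init__(self):
        self.registered_keys = {}      # device_id -> provisioned key
        self.known_code_hashes = set()  # allow list of genuine client builds
        self.outstanding = set()        # nonces issued but not yet consumed

    def provision(self, device_id: str, key: bytes) -> None:
        self.registered_keys[device_id] = key

    def register_code(self, binary: bytes) -> None:
        self.known_code_hashes.add(hashlib.sha256(binary).digest())

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, report: dict) -> bool:
        nonce = report["nonce"]
        if nonce not in self.outstanding:
            return False                  # unknown challenge or a replayed report
        self.outstanding.discard(nonce)   # every nonce is single use
        key = self.registered_keys.get(report["device_id"])
        if key is None or report["code_hash"] not in self.known_code_hashes:
            return False
        msg = nonce + report["device_id"].encode() + report["code_hash"]
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, report["sig"])


def run_scenarios() -> dict:
    """Exercise the genuine device and several ways a copied binary fails."""
    server = AttestationServer()
    client_binary = b"constructed sample client build v1"  # constructed, not real code
    server.register_code(client_binary)
    device_key = secrets.token_bytes(32)
    server.provision("device-A", device_key)
    genuine = Device("device-A", SecureEnclave(device_key), client_binary)

    results = {}
    report = genuine.attest(server.challenge())
    results["genuine"] = server.verify(report)
    results["replay"] = server.verify(report)   # same report again: nonce consumed

    clone = Device("device-A", None, client_binary)   # binary copied, no enclave
    try:
        clone.attest(server.challenge())
        results["clone_without_key"] = True
    except RuntimeError:
        results["clone_without_key"] = False

    impostor = Device("device-A", SecureEnclave(secrets.token_bytes(32)), client_binary)
    results["clone_with_wrong_key"] = server.verify(impostor.attest(server.challenge()))

    tampered = Device("device-A", SecureEnclave(device_key), client_binary + b"-modified")
    results["tampered_binary"] = server.verify(tampered.attest(server.challenge()))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Only the genuine device with the provisioned key and an unmodified client passes; the four failure cases are what a server-side attestation check is meant to catch, and the nonce bookkeeping is what stops a once-valid report from being reused.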
ocdtrekkie · 2 years ago
Apple already provides security updates to all iOS devices made in the last 5ish years at least, so it would probably take a pretty trivial number of years for them to have an update deployed to nearly all iOS devices that see active use.
gafage · 2 years ago
The iPhone 5s (released ten years ago) received an update earlier this year.
cavisne · 2 years ago
It would require a hardware update for older devices I believe, ie any that don’t have TPMs
uf00lme · 2 years ago
I think that is how BBM worked, but I could be wrong. I'd be surprised if it is part of the overarching OS security. Sounds like something that should be in their lockdown mode at the very least.
thomasahle · 2 years ago
Maybe, but they also just announced RCS support: https://9to5mac.com/2023/11/16/apple-rcs-coming-to-iphone/ so maybe they've just decided that this is a good opportunity to take the charge in opening things up.

CTmystery · 2 years ago
Learning the contract is great, thank you for the work! How about the infra stack used by iMessage? Does anyone have intel on that? The scale is incredible, which always makes me wonder how it can be so good while other Apple web services (forums, dev portals, etc.) can be so buggy and half-baked.
nicolas_17 · 2 years ago
The actual mind-blowing scale is that Apple's push notification service isn't just carrying iMessages. It's also carrying push notifications for every third-party messaging app.

And the non-messaging apps with notifications too.

And the silent internal notifications. You added a meeting to your calendar on your Mac? Push notification to your iPhone to tell it that the iCloud data changed and it needs to update. Changed a file on iCloud Drive? Push notification to sync your other devices. Got a phone call, and it starts ringing on your Mac too via Continuity? Push notification (encrypted like an iMessage).

Just how many messages are going through that service every second?!

stouset · 2 years ago
> Just how many messages are going through that service every second?!

I’m confident in saying at least six.

Lockal · 2 years ago
Centralized notifications are not a "genius solution", they are the "only possible solution" for power-constrained devices, if you think about it. The same thing applies to Android: in an ideal world it keeps a single connection open to GCM servers to listen for notifications for ALL apps on the device, and then routes messages to the appropriate applications they are intended for.
bentt · 2 years ago
OMG I love this. Go get em! Also, this is perfect material for Hack Club. You should join! https://hackclub.com/
lxe · 2 years ago
This is phenomenal work. You should write a little on how you got into this whole field. There are high school and college kids all over Reddit struggling with how to excel at technical stuff, learn programming, and get a job in tech, and I feel like they can really benefit from your perspective.
tomashubelbauer · 2 years ago
I don't disagree with what you say, but I would be surprised if it was any sort of secret sauce and not "just" an incredible amount of grinding, the seemingly zero-cost energy reservoir you can tap into as a young adult if you really like what you're doing and possibly an enlightened parent or a role model.
terminous · 2 years ago
> possibly an enlightened parent or a role model

This is typically the 'secret sauce'.

lxe · 2 years ago
It's not grinding though. My high school years were also super productive when it came to programming-related things, while I have seen most of my peers, aside from a select few, really struggle despite their willingness. So maybe there is some secret sauce that can help others get good at this. Maybe it's a mindset or attitude, etc...
moxious · 2 years ago
"just" is doing a lot of work in this construction. Regardless of what a person's constellation of privileges is, it always takes an incredible amount of grinding and that's pretty damn cool / laudable / praiseworthy all by itself.

The secret sauce has never been secret

petabyt · 2 years ago
In high school I had basically all day to work on my own stuff. Finishing stuff early, free periods, and doing my own thing when I wasn't supposed to gave me all the time I needed to create and release an app in about 6 months. I was very productive.

dbuxton · 2 years ago
Genuine question - can a topic really be `opertunistic` or is that an author typo? I love these `referer`-type misspellings that become fossilized over generations.
jjtech · 2 years ago
Unfortunately, there are many typos in my code :P

On the other hand, I'm not sure if this is a typo on Apple's part, but it certainly is weird: you must use "WindowSerial" here[1], not "WindowsSerial" with the extra s

[1] https://github.com/JJTech0130/pypush/blob/8b33c0ee5d540d8ac7...

girvo · 2 years ago
That "missing plural S in PascalCased (or camelCased) names" is something I see semi-often!

Congratulations on this amazing work :)

projektfu · 2 years ago
The code doesn't seem to use it, but I think it would be a misspelling by the author, as it's probably an integer code.
nicolas_17 · 2 years ago
At the protocol level, they are indeed just integers: https://theapplewiki.com/wiki/Apple_Push_Notification_Servic...
jamesdepp · 2 years ago
pypush, the open source project behind today’s developments in the iMessage reversing news, is licensed under MongoDB’s Server Side Public License and owned by Beeper (JJTech sold the rights to Beeper, per discord). Although this library is fantastic, I do think that the extremely copyleft license could have implications on where we see this used.
wmf · 2 years ago
Time for some reverse reverse engineering.
xg15 · 2 years ago
> When making an IDS registration request, a binary blob called “validation data” is required. This is essentially Apple’s verification mechanism to make sure that non-Apple devices cannot use iMessage.

I wonder, will this be in violation of the EU's DSA and/or DMA once they are in force?

Longhanks · 2 years ago
DSA and DMA do not magically grant you the permission to do whatever you want with Apple's servers, nor do they force Apple into having to serve any particular valid response to the requests you make.

In whatever way Apple is going to comply with DSA and DMA, this ain't it.

xg15 · 2 years ago
I don't know the legal text, but improving interop specifically between messaging services seems to be a goal of the DMA, according to the EU parliament [1]:

> Interoperability between messaging platforms will improve - users of small or big platforms will be able to exchange messages, send files or make video calls across messaging apps.

Lock-in mechanisms like the above would at least run counter to that goal.

I also think that enforcing device restrictions on a messaging service is more problematic than on some random API: Messengers are subject to the network effect and usually you can't freely choose which messenger you want to use - it depends on which one the people you want to talk with are on.

In an extreme case, some person or business could choose to exclusively communicate using iMessage. Then you'd have to buy an iPhone just to be able to reach them. This seems like exactly the kind of interop problem the EU is concerned about.

[1] https://www.europarl.europa.eu/news/en/headlines/society/202...

cqqxo4zV46cp · 2 years ago
Especially now that iOS is getting RCS. First-party cross-platform iMessage is nothing more than a nerd’s pipe-dream.

And I’m completely fine with that.