> What is stopping me from buying a second-hand old iPhone and doing this without Beeper?
In that scenario, you're still using the official client, which Apple presumably knows isn't silently siphoning messages off to somewhere else. You're on official hardware with an official client.
5. "Gah! Beeper was hacked/compromised/deliberately siphoning off Apple ID credentials into a log/error reporting/bad actor's database and now millions of people have had their sensitive texts and other iCloud data exposed."
Facebook and LinkedIn used to try to get people to hand over their email credentials so they could "help you find your friends on Facebook"; people were correctly skeptical then. Giving my Apple ID to a third-party seems insane, given what can be done with it, and I'd imagine Apple sees it the same way.
> Giving my Apple ID to a third-party seems insane
That's fair. You'd be happy to learn that literally no one is forcing you to hand over your Apple ID to Beeper. Your approach is very good for your account safety, but you don't need to keep other people safe from themselves.
Do you have similar concerns when people use non-Google-approved email clients to use Gmail, or alternative YouTube clients, or Signal/Telegram forks?
Perhaps you think HN should ban alternative clients or weird web browsers too. Too bad a lot of people think interoperating clients are important or we would be left with the Web Integrity crap to "keep us safe".
> Do you have similar concerns when people use non-Google-approved email clients to use Gmail.
If they ask for credentials, absolutely. Google has both an OAuth flow and the ability to generate app-specific passwords (which correctly have very limited abilities) so I never have to pass over the real creds.
I have never given my Gmail credentials to Apple, but I get my mail just fine.
Google requires you to register an application and get it approved to log in with OAuth, you can't just use it with arbitrary callback URLs. Why should I need to ask Google permission to use my own data, or ask for Google's permission to allow other apps to use my data?
If the Beeper service is totally fine, and you mind their auth methodology, perhaps you should complain about Apple not providing better iMessage auth options.
Instead, you complain about users being able to give their own data to an app they chose to install.
> Google requires you to register an application and get it approved to log in with OAuth, you can't just use it with arbitrary callback URLs. Why should I need to ask Google permission to use my own data, or ask for Google's permission to allow other apps to use my data?
In that scenario, you're still using the official client, which Apple presumably knows isn't silently siphoning messages off to somewhere else. You're on official hardware with an official client.