They use a Mac mini somewhere to route these messages. So you're logging into that Mac mini with your iCloud credentials. Sounds like a privacy/security nightmare and creepy as fuck.
It seems like all efforts to "bridge" imessage to anything outside apple software work this way - there's a Matrix bridge and a dedicated open source app and they both rely on the imessage client on a mac. Is there a legitimate reason for it not being reverse-engineered yet?
Is there a legitimate reason for it not being reverse-engineered yet?
The actual protocol isn't a secret. It's that the authentication of the device relies on a hardware key, and that key is fully locked down by Apple (as it also secures the user's biometric logins, keyring, financial information in Apple Wallet, etc.).
I use beeper (a version of these apps that is actually released but kinda shit) and it's perfectly fine. Their solution would be better because it runs locally on the phone, however it's only on supported phones which is most likely just nothing phones.