I just tried out the app - an SMS challenge was sent to my phone number, and the app sends a response via SMS. By challenge, I mean there are several fields with encoded data (not just a 6-digit OTP).
I have no idea how it's implemented by Apple but I'd hope there's some sort of expiry time. I'm sure they've thought of SIM-swapping as a way to take over people's accounts.
Does that challenge seem to come from Apple or Beeper? I hope Apple. That would largely allay my concern. I guess I should have given Apple more credit, because this “vulnerability” would likely have come to light much earlier otherwise, as they’ve always needed reliable means to establish ownership of a number — it’s just been automatic and invisible on the iPhone.