Dodgy ‘iMessage for Android’ app deep-sixed by Google
Google has yanked an app that purported to give Android users the ability to use iMessage.
As is discussed by Jay Freeman here, there was a catch in the app. It didn’t “make iMessage run on Android”, but rather sent data off for pre-processing to a server in China.
And that meant users were being asked to submit their Apple ID and password to a third party – a no-no from any point of view (The Register would guess it’s a good idea for anyone that tried the application to run a password reset immediately).
As Freeman writes, the “sub-optimal” operation of the app went like this: “Every packet from Apple is forwarded to 184.108.40.206, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what’s happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.”
To convince the Apple iMessage servers it was legit, the app apparently disguised itself as a Mac Mini, as noted by developer Alan Bell on Twitter:
So it looks like that iMessage on Android hack is super sketch and is spoofing iMessage requests as a mac mini: pic.twitter.com/TYT6Djumdv
— Adam Bell (@b3ll) September 24, 2013
Bell also noted that a chunk of the APK file is obfuscated, while another Twitter user, developer Steve Troughton-Smith, asserted that the app also had the ability to background-download APK files.
Whether the app’s behaviours were clumsy or a deliberate attempt to harvest user credentials, it violated Google Play’s policies and has been dumped. The putative developer’s Website, huluwa.org, is also offline at the time of publication. ®