Feeds

Dodgy 'iMessage for Android' app deep-sixed by Google

Harvesting user credentials violates store policies

SANS - Survey on application security programs

Google has yanked an app that purported to give Android users the ability to use iMessage.

As is discussed by Jay Freeman here, there was a catch in the app. It didn't “make iMessage run on Android”, but rather sent data off for pre-processing to a server in China.

And that meant users were being asked to submit their Apple ID and password to a third party – a no-no from any point of view (The Register would guess it's a good idea for anyone that tried the application to run a password reset immediately).

As Freeman writes, the “sub-optimal” operation of the app went like this: “Every packet from Apple is forwarded to 222.77.191.206, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what's happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.”

To convince the Apple iMessage servers it was legit, the app apparently disguised itself as a Mac Mini, as noted by developer Alan Bell on Twitter:

Bell also noted that a chunk of the APK file is obfuscated, while another Twitter user, developer Steve Troughton-Smith, asserted that the app also had the ability to background-download APK files.

Whether the app's behaviours were clumsy or a deliberate attempt to harvest user credentials, it violated Google Play's policies and has been dumped. The putative developer's Website, huluwa.org, is also offline at the time of publication. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.