Dodgy 'iMessage for Android' app deep-sixed by Google
Harvesting user credentials violates store policies
Google has yanked an app that purported to give Android users the ability to use iMessage.
As is discussed by Jay Freeman here, there was a catch in the app. It didn't “make iMessage run on Android”, but rather sent data off for pre-processing to a server in China.
And that meant users were being asked to submit their Apple ID and password to a third party – a no-no from any point of view (The Register would guess it's a good idea for anyone that tried the application to run a password reset immediately).
As Freeman writes, the “sub-optimal” operation of the app went like this: “Every packet from Apple is forwarded to 220.127.116.11, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what's happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.”
To convince the Apple iMessage servers it was legit, the app apparently disguised itself as a Mac Mini, as noted by developer Alan Bell on Twitter:
So it looks like that iMessage on Android hack is super sketch and is spoofing iMessage requests as a mac mini: pic.twitter.com/TYT6Djumdv— Adam Bell (@b3ll) September 24, 2013
Bell also noted that a chunk of the APK file is obfuscated, while another Twitter user, developer Steve Troughton-Smith, asserted that the app also had the ability to background-download APK files.
Whether the app's behaviours were clumsy or a deliberate attempt to harvest user credentials, it violated Google Play's policies and has been dumped. The putative developer's Website, huluwa.org, is also offline at the time of publication. ®