iMessage App for Android Raises Massive Security Questions

UPDATED 9:30 am ET Wednesday (Sept. 25) with news that the iMessage Chat app has been removed from the Google Play store.

An app that recently debuted in the Google Play store appears to offer what many Android users have long hoped for: a way to chat with their iPhone-toting friends using Apple's proprietary iMessage technology.

A favorite among Apple users, iMessage lets any device running OS X or iOS send text messages over the Internet, free of charge. Mac laptop users can text iPhone users, and vice versa, as long as the iDevices have Wi-Fi connections.

(iMessage encryption may also be uncrackable by the U.S. government, though in the wake of Edward Snowden's NSA revelations, it's hard to tell for sure.)

iMessage Chat, apparently the product of a third-party Android developer named Daniel Zweigart, even mimics the look and feel of iOS 6.

Canadian coder Adam Bell confirmed that iMessage Chat does indeed work, and successfully fools Apple's iMessage servers into thinking that messages being sent from an Android device originated on a Mac Mini.

But security experts noticed that the app may be sending more than just your text messages to its servers.

MORE: How to Keep Your Smartphone or Tablet Secure

Greetings from China

In his tests of iMessage Chat, Jay "Saurik" Freeman, who maintains the Cydia app repository for jailbroken iOS devices, discovered that iMessage Chat routes all communications through a server in China and then forwards the data to Apple.

Tom's Guide found that, the website listed by Daniel Zweigart on the iMessage Chat page on, is registered to a person named Luo Wangyi in Fuzhou, Fujian province, China.

The website also lists a PC and Android client for iCloud, Apple's proprietary cloud-storage and email service.

A Twitter account listed on the Google Play page for iMessage Chat was set up just this morning (Sept. 24) and is being used by someone with halting English.

Handing over the keys

Messages sent via iMessage Chat arrive at the destination unchanged, but the data itself — including your Apple ID and password, previously known only to you and Apple — could easily be stored on a Chinese server for later exploitation.

Your Apple ID and password are your keys to the Apple universe. Whoever runs that server could steal those keys and hijack your iCloud account, change your registered address to his own and, if you've let Apple save your credit-card information, buy music, movies and apps on your dime.

More worryingly, an Irish app developer named Steven Troughton-Smith discovered that the app can also download and install software on your phone in the background, much like a rootkit on a PC.

Although no one has yet identified exactly what software might be installed by iMessage Chat, this could potentially put your financial data and passwords at risk, thanks to malware that can read your credit-card information when making purchases on sites like

It's unlikely that Daniel Zweigart, or Luo Wangyi, developed iMessage Chat with the intent of stealing your private information. Nevertheless, with security holes as large as these, iMessage Chat is an Android app you should definitely avoid.

UPDATE: The iMessage Chat app was removed from the Google Play store later Tuesday (Sept. 24).

"We remove apps from Google Play that violate our policies," a Google spokeswoman told Computerworld.

Follow Marcus Yam @MarcusYam Follow us @tomsguide, on Facebook and on Google+.

This thread is closed for comments
    Your comment
  • How about not trying to use Apple proprietary crap and support universal things like WhatsApp?
    The risk is not worth it...
  • I don't really understand the big deal about iMessage. Don't most data plans come with unlimited SMS these days anyway? Why use data when you have unlimited free SMS?
  • amk-aka-Phantom
    Or, you know, you could just use Google Talk, Skype, Facebook Messenger or any other IM that is widely recognized and is not platform-dependent...