iMessage App for Android Raises Massive Security Questions
A new Google Play app lets Android devices use Apple's iMessage service -- but it could also hand over your Apple ID and password to unknown people in China.
UPDATED 9:30 am ET Wednesday (Sept. 25) with news that the iMessage Chat app has been removed from the Google Play store.
An app that recently debuted in the Google Play store appears to offer what many Android users have long hoped for: a way to chat with their iPhone-toting friends using Apple's proprietary iMessage technology.
A favorite among Apple users, iMessage lets any device running OS X or iOS send text messages over the Internet, free of charge. Mac laptop users can text iPhone users, and vice versa, as long as the iDevices have Wi-Fi connections.
(iMessage encryption may also be uncrackable by the U.S. government, though in the wake of Edward Snowden's NSA revelations, it's hard to tell for sure.)
iMessage Chat, apparently the product of a third-party Android developer named Daniel Zweigart, even mimics the look and feel of iOS 6.
Canadian coder Adam Bell confirmed that iMessage Chat does indeed work, and successfully fools Apple's iMessage servers into thinking that messages being sent from an Android device originated on a Mac Mini.
But security experts noticed that the app may be sending more than just your text messages to its servers.
Greetings from China
In his tests of iMessage Chat, Jay "Saurik" Freeman, who maintains the Cydia app repository for jailbroken iOS devices, discovered that iMessage Chat routes all communications through a server in China and then forwards the data to Apple.
Tom's Guide found that Huluwa.org, the website listed by Daniel Zweigart on the iMessage Chat page on Download.com, is registered to a person named Luo Wangyi in Fuzhou, Fujian province, China.
The Huluwa.org website also lists a PC and Android client for iCloud, Apple's proprietary cloud-storage and email service.
A Twitter account listed on the Google Play page for iMessage Chat was set up just this morning (Sept. 24) and is being used by someone with halting English.
Handing over the keys
Messages sent via iMessage Chat arrive at the destination unchanged, but the data itself — including your Apple ID and password, previously known only to you and Apple — could easily be stored on a Chinese server for later exploitation.
Your Apple ID and password are your keys to the Apple universe. Whoever runs that server could steal those keys and hijack your iCloud account, change your registered address to his own and, if you've let Apple save your credit-card information, buy music, movies and apps on your dime.
More worryingly, an Irish app developer named Steven Troughton-Smith discovered that the app can also download and install software on your phone in the background, much like a rootkit on a PC.
Although no one has yet identified exactly what software might be installed by iMessage Chat, this could potentially put your financial data and passwords at risk, thanks to malware that can read your credit-card information when making purchases on sites like Amazon.com.
It's unlikely that Daniel Zweigart, or Luo Wangyi, developed iMessage Chat with the intent of stealing your private information. Nevertheless, with security holes as large as these, iMessage Chat is an Android app you should definitely avoid.
UPDATE: The iMessage Chat app was removed from the Google Play store later Tuesday (Sept. 24).
"We remove apps from Google Play that violate our policies," a Google spokeswoman told Computerworld.