
iMessage App for Android Raises Massive Security Questions

By David Eitelbach - Source: Tom's Guide US

A new Google Play app lets Android devices use Apple's iMessage service -- but it could also hand over your Apple ID and password to unknown people in China.

UPDATED 9:30 am ET Wednesday (Sept. 25) with news that the iMessage Chat app has been removed from the Google Play store.

An app that recently debuted in the Google Play store appears to offer what many Android users have long hoped for: a way to chat with their iPhone-toting friends using Apple's proprietary iMessage technology.

A favorite among Apple users, iMessage lets any device running OS X or iOS send text messages over the Internet, free of charge. Mac laptop users can text iPhone users, and vice versa, as long as the iDevices have Wi-Fi connections.

(iMessage encryption may also be uncrackable by the U.S. government, though in the wake of Edward Snowden's NSA revelations, it's hard to tell for sure.)

iMessage Chat, apparently the product of a third-party Android developer named Daniel Zweigart, even mimics the look and feel of iOS 6.

Canadian coder Adam Bell confirmed that iMessage Chat does indeed work, and successfully fools Apple's iMessage servers into thinking that messages being sent from an Android device originated on a Mac Mini.

But security experts noticed that the app may be sending more than just your text messages to its servers.


Greetings from China

In his tests of iMessage Chat, Jay "Saurik" Freeman, who maintains the Cydia app repository for jailbroken iOS devices, discovered that iMessage Chat routes all communications through a server in China and then forwards the data to Apple.

Tom's Guide found that Huluwa.org, the website listed by Daniel Zweigart on the iMessage Chat page on Download.com, is registered to a person named Luo Wangyi in Fuzhou, Fujian province, China.

The Huluwa.org website also lists a PC and Android client for iCloud, Apple's proprietary cloud-storage and email service.

A Twitter account listed on the Google Play page for iMessage Chat was set up just this morning (Sept. 24) and is being used by someone with halting English.

Handing over the keys

Messages sent via iMessage Chat arrive at the destination unchanged, but the data itself — including your Apple ID and password, previously known only to you and Apple — could easily be stored on a Chinese server for later exploitation.

Your Apple ID and password are your keys to the Apple universe. Whoever runs that server could steal those keys and hijack your iCloud account, change your registered address to his own and, if you've let Apple save your credit-card information, buy music, movies and apps on your dime.

More worryingly, an Irish app developer named Steven Troughton-Smith discovered that the app can also download and install software on your phone in the background, much like a rootkit on a PC.

Although no one has yet identified exactly what software might be installed by iMessage Chat, this could potentially put your financial data and passwords at risk, thanks to malware that can read your credit-card information when making purchases on sites like Amazon.com.

It's unlikely that Daniel Zweigart, or Luo Wangyi, developed iMessage Chat with the intent of stealing your private information. Nevertheless, with security holes as large as these, iMessage Chat is an Android app you should definitely avoid.

UPDATE: The iMessage Chat app was removed from the Google Play store later Tuesday (Sept. 24).

"We remove apps from Google Play that violate our policies," a Google spokeswoman told Computerworld.


Discuss
  • 4
    chuckydb , September 24, 2013 8:18 AM
    How about not trying to use Apple proprietary crap and support universal things like WhatsApp?
    The risk is not worth it...
  • 0
    JD88 , September 24, 2013 8:18 AM
    I don't really understand the big deal about iMessage. Don't most data plans come with unlimited SMS these days anyway? Why use data when you have unlimited free SMS?
  • 8
    amk-aka-Phantom , September 24, 2013 8:41 AM
    Or, you know, you could just use Google Talk, Skype, Facebook Messenger or any other IM that is widely recognized and is not platform-dependent...
  • 3
    rcm , September 24, 2013 9:10 AM
    The "data is all processed through a server in China." It has "code to download other Android programs."

    It could have been developed so the Chinese can eavesdrop on the American people.
  • -1
    wemakeourfuture , September 24, 2013 9:17 AM
    Quote:
    JD88
    I don't really understand the big deal about iMessage. Don't most data plans come with unlimited SMS these days anyway? Why use data when you have unlimited free SMS?

    When you travel abroad all you need is a wifi connection and you can message people on iMessage, it's a huge advantage. OOTB (out of the box) feature on iPhones.

    Especially for work and vacation where text messages are really expensive, it's saved me a lot of cash.
  • 4
    house70 , September 24, 2013 9:17 AM
    Just don't use it, plain and simple. There are better alternatives out there.
  • -1
    thundervore , September 24, 2013 9:55 AM
    SMS is a thing of the past especially when you travel overseas a lot. I was surprised when ATT charged me 25 cents a text both send and receive when I went to Canada on business even though I had their overpriced $15 for 1500 texts a month. Apparently Canada is international and you need an overpriced international texting plan.

    After I got that bill for over $100 I said F that, removed both my text plan and my data plan from my smart phone and installed Whatsapp. I have wifi at home, work and optimum wifi when I walk around in the city. My bill dropped from $80 to less than $50 a month and that's with 20 cents pay per texts and I only text about 20 times a month max which equals about $4 pay per text. Everything else is through Whatsapp which I will gladly pay the $1 per year for. And this is on a 2 year contract.

    Whatsapp is cross platform.

    BBM and iMessage are late to the race and the only people who still use it are people who do not know they have a choice to install and use something else.
  • 2
    Vladislaus , September 24, 2013 10:26 AM
    @wemakeourfuture
    How about the Google Hangout, former Google Talk? It's also out of the box.
  • -1
    robochump , September 24, 2013 12:18 PM
    Some scammers trying to cash in on a known name, in this case iMessage. Just another vulnerability Android users need to watch out for.
  • 3
    threehosts , September 24, 2013 1:43 PM
    The Chinese server is actually operated by the CIA and the App download code is just for Prism. So, there is nothing to worry about, move along folks!
  • 0
    nevilence , September 24, 2013 3:59 PM
    Haha don't mind the man behind the curtain, he isn't here to hurt anyone =P
  • -2
    jonathan1683 , September 24, 2013 4:45 PM
    iMessage also doesn't have a send limit and pictures are higher resolution when you use it and you can see when others are typing.
  • 0
    JackFrost860 , September 24, 2013 7:48 PM
    I used to have Android, but as a software developer I found that most of the apps I downloaded from the Google PlayStore were doing something nasty in the background. It's not going to change all the while Google takes an unvetted approach to the PlayStore.
  • -1
    otacon , September 24, 2013 10:12 PM
    @JD88

    iMessage can use wifi, sends high resolution images, no send limit and is also encrypted.
  • -1
    knowom , September 25, 2013 1:37 AM
    iHAZ Apple iSECURE iNFACT iM iNVULNERABLE!!
  • -1
    knowom , September 25, 2013 2:15 AM
    iHAZ Apple iSECURE iNFACT iM iNVULNERABLE!!