
ThunderSkunk

macrumors 68040
Dec 31, 2007
3,827
4,078
Milwaukee Area
That it's taken such efforts and questionable practices to make this happen is absurd, and entirely annoying that it's in large part Apple's own fault. I get WHY Apple doesn't want to make iMessage work cross platform, or FaceTime (even though they said they would) or or or... because they're looking out for Number 1 and don't want to assist their competition, but it might benefit them more if their paranoia didn't sabotage their own customers' device functionality. Catch more flies with honey.
 

roadbloc

macrumors G3
Aug 24, 2009
8,784
215
UK
I'd use it. If I used iMessage. And Android. But I doubt Apple will allow this to continue for long. I smell iOS 7.0.1 and a Messages OS X patch coming soon.
 

Chatter

macrumors 6502a
Jun 10, 2013
724
479
Uphill from Downtown
There is no way Apple is going to let this continue.

I read on another blog that the way it spoofs IP addresses, there is no way for Apple to stop this app. From what I understand (and I could be totally wrong here), it emulates as the user and not a 3rd party so Apple cannot block it unless it blocks you as the user.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
There's a perception (which I used to fall for!) that the Google Play store (for Android users who limit themselves to that) is safe and secure in the way the App Store is. It's just not.

In fact, the Play store is full of fakes and rip-offs. They have "Letterpress"--a ripoff of the real one for iOS--and it's been there all year. By the reviews, it doesn't really work, and yet it costs $1.34. How many Android users are happily saying, "actually we DO have such-and-such app, it's NOT iOS exclusive," when what they're getting is some shady knock-off?


That it's taken such efforts and questionable practices to make this happen is absurd, and entirely annoying that it's in large part Apple's own fault. I get WHY Apple doesn't want to make iMessage work cross platform, or FaceTime (even though they said they would) or or or... because they're looking out for Number 1 and don't want to assist their competition, but it might benefit them more if their paranoia didn't sabotage their own customers' device functionality. Catch more flies with honey.

Who gets blamed when a FaceTime call doesn't work well on Android? Apple's smart not to spend time/money adding features to Android: they'd reap the penalties of "Apple can't make cloud services perfect" while Android reaped the PR rewards of claiming "Apple had to bow to our juggernaut or die!"
 

cclloyd

macrumors 68000
Oct 26, 2011
1,760
147
Alpha Centauri A
If it uses iMessage protocols, won't they not be able to read the messages because of P2P encryption? At least if sent from a real Apple device?
 

techpr

macrumors 6502a
Sep 9, 2008
667
768
San Juan, PR
This is the primary reason why I don't trust Android. The Google Play Store apps are not reviewed for security threats like Apple's App Store. I have seen lots of malware apps this year.
 

rmwebs

macrumors 68040
Apr 6, 2007
3,140
0
No, it doesn't mean that. It means that someone is emulating a Mac mini (or, may actually have one set up somewhere, like this, in China) and that the user has willfully given them an AppleID username and password with which to send and receive messages on your behalf.

As with many things, the weakest link in this security chain is between the keyboard and the chair. The most secure, most encrypted API in the world is useless when the user freely and openly hands their credentials over. As long as you don't do that, they can't access your account, plain and simple.

From what Saurik has said, the connection goes:

Android Device > China > Apple

That middleman is the issue. If you first connect to another server, there is nothing to stop that server harvesting login details and messages, regardless of its location.

What baffles me is why this has even been possible. Whilst you can obviously run Wireshark and trace where a message goes, there needs to be additional security in place to, for example, tie each login down to a device or mac serial number for argument's sake - this then removes the ability for 3rd parties to get access to the API.

By having it public there is little stopping people brute forcing the API and gaining access to accounts.
 

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
This is the primary reason why I don't trust Android. The Google Play Store apps are not reviewed for security threats like Apple's App Store. I have seen lots of malware apps this year.

I would say that the Android market is not as safe as the Apple App Store.

However - if you think that the Apple App Store is "safe" and that malicious apps don't make it through review (easily) you're wrong.

I don't install sketchy apps - no matter what the platform. The one thing I do like about the Play store is that there's a popup that at least "warns" you before installing what access the app will have to hardware and software. I'd love it if that was standard across all OSes...
 

Risha

macrumors newbie
Sep 19, 2013
4
0
Both the website and app are unavailable

I can't find them anywhere...the site http://www.huluwa.org is down and I can't find the app on the Google Play store....

Looks like Apple.inc made some calls :cool:
 

AWTTech

macrumors newbie
Sep 12, 2013
19
0
New Orleans
Am I the only one who noticed he spelt "cancel", "cancle"?

----------

If it uses iMessage protocols, won't they not be able to read the messages because of P2P encryption? At least if sent from a real Apple device?

There is nothing stopping them from intercepting the messages, which is a huge concern with me. I'm just glad I have my iPhone, with the real version of iMessage... and developers who can spell "cancel"

----------

I can't find them anywhere...the site http://www.huluwa.org is down and I can't find the app on the Google Play store....

Looks like Apple.inc made some calls :cool:

The site isn't down on my end, it just has a really long loading time. The application is also still on the Google Play store as of 11:06 CST.
 

cmwade77

macrumors 65816
Nov 18, 2008
1,071
1,200
I can't find them anywhere...the site http://www.huluwa.org is down and I can't find the app on the Google Play store....

Looks like Apple.inc made some calls :cool:
I doubt it was Apple.....contrary to popular belief, Google does have some control over their Play store, they just don't abuse that control like Apple does.

Now I wouldn't use this service for the obvious reasons stated, but Apple has said that it would make FaceTime (and I believe iMessage) APIs available for third parties that want to develop clients for it. So, the question is where are these clients?
 

\-V-/

Suspended
May 3, 2012
3,153
2,688
If you're dumb enough to give this shady-as-hell app your login details, then you deserve whatever crap that ensues. Don't touch this app with a 40 foot pole.
 

wovel

macrumors 68000
Mar 15, 2010
1,839
161
America(s)!
If it uses iMessage protocols, won't they not be able to read the messages because of P2P encryption? At least if sent from a real Apple device?

The encryption will end at their server (the simulated mini). They can read all the messages.

----------

If this really works it basically means ANYONE can read your iMessages. Even if you have to log in - it's the fact that someone has found a publicly accessible API to gain access to accounts.

Apple really are pissing me off now with their sheer stupidity when it comes to real security and reliability.

However, on the other hand. I highly doubt someone DID get access...meaning this is just being used to harvest Apple ID usernames and passwords which can then be used to purchase stuff.

It is Apple's fault people are typing their Apple ID into a random App from the Play store? This seems like a very strange thing to blame Apple for. It's not really a public API they are probably just using the OSX client.

----------

From what Saurik has said, the connection goes:

Android Device > China > Apple

That middleman is the issue. If you first connect to another server, there is nothing to stop that server harvesting login details and messages, regardless of its location.

What baffles me is why this has even been possible. Whilst you can obviously run Wireshark and trace where a message goes, there needs to be additional security in place to, for example, tie each login down to a device or mac serial number for argument's sake - this then removes the ability for 3rd parties to get access to the API.

By having it public there is little stopping people brute forcing the API and gaining access to accounts.

Well I use iMessage from 4 different devices. Whenever I change one, all the other ones are notified, but in this case the user is on board and would just approve the change...
 

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
It is Apple's fault people are typing their Apple ID into a random App from the Play store? This seems like a very strange thing to blame Apple for. It's not really a public API they are probably just using the OSX client.

No - it's not their fault. It's a hack which seems to be working. The question is - will Apple be able to prevent it from working.
 

Jessica Lares

macrumors G3
Oct 31, 2009
9,612
1,056
Near Dallas, Texas, USA
You notice how Android folk all call us iOS users idiots yet this kind of stuff almost happens daily on the Play Store?

We're talking about the same people who pretty much caused thousands of dollars of damage to Blackberry these past few days. :rolleyes:
 

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
You notice how Android folk all call us iOS users idiots yet this kind of stuff almost happens daily on the Play Store?

We're talking about the same people who pretty much caused thousands of dollars of damage to Blackberry these past few days. :rolleyes:

Hyperbole for dramatic sake?
 

macsrcool1234

Suspended
Oct 7, 2010
1,551
2,130
I saw this the other day and tested it out with an empty Apple account (it lets you create one). I ran it through Fiddler and the authentication does indeed happen through Apple's servers and the application actually does work.

The third party server it goes to is running Windows however so idk where the Mac mini part came in. In either case, Apple will likely ban the serial number of the Apple device in question, rendering it unable to send messages.
 