iMessage on Android? No, the world is not coming to an end. It is a well-known fact that it is almost impossible to stop an Android fanatic from pushing their hardware and software to the limit. Whether it is rooting their device, unlocking their bootloader or somehow getting applications designed for another platform running on their device, developers have done it.
Today, we are looking at an application that was just released into the Google Play Store by Daniel Zweigart that allows (most) users to utilize Apple’s proprietary messaging protocol on their Android Devices. The application was designed to mimic iMessage in every way, even scrapping our beloved Holo UI Elements in favor of an iOS6 UI.
Shortly after the release of the application, a well-known third-party application developer, Jay Freeman (a.k.a. Saurik), decided to take a peek under the hood to see how it is able to both mimic the proprietary protocol and fool Apple’s servers into believing the Android device is running iOS. What Jay found was both clever and disturbing.
The application does not communicate with Apple’s servers directly. Instead, it relays all traffic to the developer’s server in China, which then forwards it to Apple. The developer’s server is able to masquerade as a Mac Mini, thus allowing the application to bypass Apple’s ID checks. Whenever a user authenticates, the credentials are sent by the Android application to the developer’s server and then used again to authenticate into Apple’s iMessage system.
There are a large number of dangers in this method, as it technically means that the username and password may be stored in plain text on the developer’s server. As any Android user knows, by obtaining your Gmail password, an attacker has the ability to make purchases on your behalf in Google Wallet, read your email, wipe your device, locate your device and worse. A stolen Apple ID carries the same risks. There is the further risk that the developer can release code on his server that is then executed on your Android device (a backdoor). The other danger of this method is that there is no guarantee that your chat logs are not being stored on the developer’s server.
If you installed this application, I strongly advise you to stop using it and change your Apple ID Password (not that any of you would have one of those, right?)
Aside from the risks above, there are several ways that Apple can block this application from working. They can start by requesting the application’s removal from the Google Play Store, which is very likely to happen today. Apple can also block the IP range of the developer’s server, 222.77.191.XXX. Apple can also technically lock any account that was found to be authenticating from that IP address.
While I am sure that this developer meant no harm with his implementation of iMessage, the method that he used is riddled with security holes, especially if his server were ever compromised by an attacker. I will repeat: it is best to uninstall this application and change all passwords.
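For anyone running a network who wants to know which devices have used the app, and therefore whose owners should change their Apple ID password, the relay's address range gives a simple check against egress flow logs. The following is an added example, not code from the application or from Saurik's analysis; the log format, the sample lines and the reading of 222.77.191.XXX as a /24 are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the article's "222.77.191.XXX" is read as the whole /24.
RELAY_NET = ipaddress.ip_network("222.77.191.0/24")

# Constructed sample flow log (hypothetical format):
# timestamp, source device, destination IP, destination port, bytes sent
SAMPLE_LOG = """\
2000-01-01T09:01:12Z 10.0.4.21 198.51.100.7 443 1840
2000-01-01T09:01:15Z 10.0.4.37 222.77.191.10 443 912
2000-01-01T09:02:40Z 10.0.4.37 222.77.191.10 443 20480
2000-01-01T09:03:02Z 10.0.4.52 203.0.113.9 443 640
2000-01-01T09:05:44Z 10.0.4.60 222.77.191.77 443 3310
malformed line here
"""

def find_relay_clients(log_text):
    """Return {source_ip: {"flows": n, "bytes": total}} for every
    device that sent traffic into the relay range."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip truncated or malformed records
        _, src, dst, _, nbytes = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            sent = int(nbytes)
        except ValueError:
            continue  # unparseable address or byte count
        if dst_ip in RELAY_NET:
            hits[src]["flows"] += 1
            hits[src]["bytes"] += sent
    return dict(hits)

if __name__ == "__main__":
    # Each listed device has handed credentials or messages to the relay.
    for device, stats in sorted(find_relay_clients(SAMPLE_LOG).items()):
        print(f"{device}: {stats['flows']} flow(s), {stats['bytes']} bytes sent")
```

Any device this reports has sent data to the relay, so its owner's Apple ID password should be treated as exposed.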
There is a very heated Google Plus thread going on where developers are tearing the application apart if you want to read along.