Security Concerns Abound Over Unofficial Android iMessage App That Uses Chinese Servers To Process Data

An unauthorised app that lets Android users chat on Apple’s closed iMessage network is causing a big stir. It has had viral downloads in the tens of thousands amid claims that it could be spreading malware, but the Chinese developer behind the app tells us everything is cool.

[TechCrunch has opted not to include a link to the app page because of the security concerns]

It’s the latest security scare for Google’s popular mobile operating system, whose Play store in 2012 accounted for 79% of all smartphone malware; meanwhile, Apple’s highly protected iOS App Store consisted of just 0.7% malicious apps.

While the controversial Android-based iMessage app has successfully bridged the messaging gap between the two disparate ecosystems, developer Jay Freeman discovered the app achieved this in a relatively insecure manner, which includes processing data on a remote third-party server in China. The questionable techniques used to send the messages between the two disconnected platforms are not best practice, and also mean that Apple can’t simply block the app based on its IP address.

“Clearly, this is suboptimal from a security perspective,” Freeman wrote on his Google+ page.

According to the app’s Google Play page, it was released earlier this month by Daniel Zweigart, has been downloaded over 10,000 times, and features 132 one-star reviews, almost double the number of five-star reviews.

TechCrunch contacted the developer Huluwa via an email address listed on the website, and received a response from a Chinese developer, Zengyi, who explained that Zweigart is a friend who lent him his Google Play account.

Zengyi said the app was not malware and that he plans to release a new version that will process data on the phone. He added that the app required strong permissions, such as the ability to install components in the background, “to ensure a message that can be received at any time.”

“Because some information is difficulty dispose [sic] in android, so we need a server,” Zengyi wrote in broken English. “Now, I find a way, I think it will help me not use server.”

During an iMessage chat (when he used his Android device), Zengyi said he plans to make the source code publicly available on GitHub.

Freeman said the developer’s responses on the Google Play page have raised more questions than answers.

“The developer is even responding to reviews about login issues asking only for users’ Apple IDs, which makes it sound like even the authentication must be under his direct control (where it can be logged and debugged given only the username),” Freeman wrote.

A lengthy discussion on Hacker News flags several security issues with how the app works, and generally warns users against entering their Apple user ID into the app.