People who have come across to Android from an iOS platform may have wanted a means to use Apple’s proprietary iMessage system to communicate with their iOS-wielding friends, and may have thought that the arrival of a working iMessage app on the Play Store was a godsend.
Things that seem too good to be true usually are, and this probably was.
Computerworld reports this morning that Google has removed the app from the Play Store for violating store policies. iMessage Chat came under fire earlier this week from other app developers keen to work out how the app did what it did, when they discovered that users’ AppleID usernames and passwords were passed through a server based in China.
While the app did what it was supposed to do — it did actually work — there’s a real risk that passing this information through a third-party server could lead to things like harvesting usernames and passwords for other purposes. Why’s this risky? Well, with your username and password, a nefarious type could purchase any content from Apple’s iTunes store, including apps, music, videos, and even desktop apps for Macs through the Mac App Store. Things could get expensive, and fast.
Not only this, but the iMessage Chat application also contained code for downloading Android APK files in the background, which seems completely unnecessary for an Android application. Well-known iOS developer and hacker (in the friendly sense, not the nasty sense) Jay Freeman had this to say:
“I believe that this application actually does connect to Apple’s servers from the phone, but it doesn’t then interpret the protocol on the device,” Freeman wrote on the thread. “Instead, it ferries the data to the third-party developer’s server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple.”
Ausdroid doesn’t like to engage in scaremongering, but we think anyone who’s used this app would be remiss if they didn’t change their AppleID password immediately. There’s probably a minimal risk… but given the consequences of what could happen if that risk were exploited… well… I wouldn’t be taking it.