People who have come across to Android from an iOS platform may have wanted a means to use Apple’s proprietary iMessage system to communicate with their iOS-wielding friends, and may have thought that the arrival of a working iMessage app on the Play Store was a godsend.
Most things that seem too good to be true often are, and this probably was.
Computerworld reports this morning that Google has removed the app from the Play Store for violating store policies. iMessage Chat came under fire earlier this week from other app developers keen to work out how the app did what it did, when they discovered that users’ AppleID usernames and passwords were passed through a server based in China.
While the app did what it was supposed to do — it did actually work — there’s a real risk that passing this information through a third party server could lead to things like harvesting usernames and passwords for other purposes. Why’s this risky? Well, with your username and password, a nefarious type could purchase any content from Apple’s iTunes store, including apps, music, videos, and even desktop apps for Macs through the Mac App Store. Things could get expensive, and fast.
Not only this, but the iMessage Chat application also contained code for downloading Android APK files in the background, which seems completely unnecessary for an Android application. Well known iOS developers and hacker (in the friendly sense, not the nasty sense) Jay Freeman had this to say:
“I believe that this application actually does connect to Apple’s servers from the phone, but it doesn’t then interpret the protocol on the device,” Freeman wrote on the thread. “Instead, it ferries the data to the third-party developer’s server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple.”
Ausdroid doesn’t like to engage in scaremongering, but we think anyone who’s used this app would be remiss if they didn’t change their AppleID password immediately. There’s probably a minimal risk.. but given the consequences of what could happen if that risk were exploited… well… I wouldn’t be taking it.
“downloading Android APK files” is now against Google Play policy. So apart from the inherent privacy concerns of sending username and password elsewhere this had the capability of downloading code on the fly that would not have been vetted by Google Play.
Lol!
Good to see it has been pulled. Shame it wasn’t pulled sooner, like before it could go live on the Play Store.
Are Google doing the RightThing and remotely pulling this piece of malware from users devices as well?
Considering Ausdroid pretty much endorsed this yesterday…I was a lil disappointed tbh…like this wasnt gonna happen…
I don’t see how you think Ausdroid endorsed it?
I read the same article and if anything they alerted me to the issues! I could have easily ‘just installed it’ but they alerted me to the potential problems with it!
I think the warnings and caveats were enough and if you chose to still install it then you should accept the consequences!