Google Pulls Android iMessage App Over Data-Harvesting Issue

Google may have pulled the app, called iMessage Chat, but the download is available online through rogue application stores – a simple search turned it up. Consumers would be wise to stay far, far away from the app, and, as ever, should stick with official Google Play fare in order to stay safe.

The app was released Sept. 12 and quickly came under fire, initially from Jay Freeman, the developer of Cydia, the open-source app store for jailbroken iPhones. When someone initiates a chat on their phones, every packet from Apple is forwarded to, he uncovered.

“I believe that this application actually does connect to Apple's servers from the phone, but it doesn't then interpret the protocol on the device,” he noted in a discussion forum. “Instead, it ferries the data to the third-party developer's server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple.”

Likewise, if the client wants to send a message, the app first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.

“I don't know if anyone else has seen this program yet, but as far as I can tell the way it works is that the client does directly connect to Apple, but the data is all processed on the developer's server in China,” added Freeman, writing on his Google+ page. “This not only means that Apple can't just block them by IP address, but also that they get to keep the ‘secret sauce’ on their servers (and potentially just run Apple code: there are some parts of the process in Apple's client code that is highly obfuscated).”

He added, “Clearly, this is suboptimal from a security perspective.”

Freeman noted that the developer was also responding to reviews about login issues asking only for user's Apple IDs, which indicates that even the authentication must be under his direct control, where it can be logged and debugged given only the username.

“Additionally, if you read the reviews of this application, the author is making some very weird responses to people with login issues: he's asking for their Apple ID, as apparently that's enough for him to debug their issue,” Freeman said. “That shouldn't be possible if the application is just directly talking to Apple the entire time.”

There’s obviously a privacy dimension to this as well. As one commentator pointed out in the discussion forum comment thread, “This also means the mysterious Chinese server also gets to read all your iMessages. This is some kind of quasi-MITM [man in the middle], and for that alone Apple would be in the right to block this kind of thing from ever working.”

While Apple has not, to our knowledge, blocked the app, the situation does point out a potential flaw in the Android ecosystem. As an open-source affair, Google maintains much less official control over what users do with their devices than Apple does. Android phones are easily “rooted,” which is the equivalent of jailbreaking an iPhone, and are thus opened up to the plethora of unofficial apps that flourish thickly in the wilds of the internet. It means that while rooting offers a lot more choice, consumer security awareness needs to be on high alert when browsing through the options.

What’s Hot on Infosecurity Magazine?