An unauthorised app that lets Android users chat on Apple’s closed iMessage network is causing a big stir. It’s had viral downloads in the tens of thousands amid claims that it could be spreading malware; but the Chinese developer who developed the app tells us everything is cool.
[TechCrunch has opted not to include a link to the app page because of the security concerns]
It’s the latest malware scare for Google’s popular mobile operating system, whose Play store in 2012 accounted for 79% of all malware – meanwhile Apple’s highly protected iOS App Store consisted of just .7% malware.
While the controversial Android iMessage app has successfully bridged the messaging gap between the two disparate ecosystems, developer Jay Freeman discovered the app achieved this in a relatively insecure manner: by processing data on a remote third-party server in China. The techniques used to send the messages between the two disconnected platforms mean that Apple can’t simply block the app based on its IP address.
“Clearly, this is suboptimal from a security perspective,” Freeman wrote on his Google+ page.
According to the app’s Google Play page, it was released earlier this month by Daniel Zweigart and has been downloaded over 10,000 times and features 132 one-star reviews — almost double the amount of five-star reviews.
TechCrunch contacted the developer Huluwa via an email address listed on the website. A Chinese developer, Zengyi, responded, and explained that Zweigart is a friend who lent him his Google Play account. Zengyi said the app was not malware and will soon release a new version that will process data on the phone, adding the app required strong permissions, such as the ability to install components in the background, “to ensure a message that can be received at any time.”
“It is all free, not contains any malware or ads,” Zengyi wrote in an emailed response. “Because some information is difficulty dispose in android, so we need a server, now, i find a way, i think it will help me not use server.”
During an iMessage chat (when he used his Android device) Zengyi said he plans to make the source code publicly available on GitHub.
Freeman said the developer’s responses on the Google Play page have raised more questions than answers.
“The developer is even responding to reviews about login issues asking only for user’s Apple IDs, which makes it sound like even the authentication must be under his direct control (where it can be logged and debugged given only the username),” Freeman wrote.
A lengthy discussion on Hacker News flags several security issues about how the app works, and generally warns users against entering their Apple user ID on the app.
