  • Saurik Addresses Fake iMessage App, Potential Security Issues


    A new messaging app has landed on Android and some are urging users to proceed with caution if they opt to download or use this obviously spoofed iMessage platform now available through Google Play.

    Called "iMessage Chat," the app is taking fire today and seeing intense and understandable scrutiny.

    Early this morning, Jay Freeman (Saurik) commented at length on the Android app and broached no shortage of valid points as to why prudence should be exercised when it comes to using the controversial app in question.

    "As far as I can tell the way it works is that the client does directly connect to Apple, but the data is all processed on the developer's server in China," Freeman posted on Google+. "This not only means that Apple can't just block them by IP address, but also that they get to keep the 'secret sauce' on their servers (and potentially just run Apple code: there are some parts of the process in Apple's client code that are highly obfuscated)."

    "Every packet from Apple is forwarded to 222.77.191.206, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what's happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected."

    "Clearly," he deduced, "this is suboptimal from a security perspective."
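
The relay pattern Freeman describes can be looked for in flow records captured on the handset's network. The sketch below is an added example, not code from the article or from Freeman: it flags hosts to which a device repeatedly hands off service traffic at an unchanged payload length. It assumes payload lengths survive the hand-off exactly, uses constructed flows with placeholder addresses, and its function names are hypothetical.

```python
from collections import Counter

# Constructed flow records (time_s, src, dst, payload_len); all addresses are
# documentation-range placeholders, not values taken from the article.
DEVICE = "192.0.2.10"
SERVICE = "203.0.113.5"        # stands in for the legitimate messaging service
THIRD_PARTY = "198.51.100.7"   # stands in for the unexpected intermediary
SAMPLE_FLOWS = [
    (0.00, SERVICE, DEVICE, 412),
    (0.03, DEVICE, THIRD_PARTY, 412),      # service data copied out
    (0.21, THIRD_PARTY, DEVICE, 96),
    (0.22, DEVICE, SERVICE, 96),           # bytes supplied by the intermediary
    (1.50, SERVICE, DEVICE, 1280),
    (1.52, DEVICE, THIRD_PARTY, 1280),
    (1.70, THIRD_PARTY, DEVICE, 64),       # extra packet, never passed on
    (1.90, THIRD_PARTY, DEVICE, 230),
    (1.91, DEVICE, SERVICE, 230),
    (3.00, DEVICE, "198.51.100.99", 412),  # same size, but outside the window
]

def find_relay_pairs(flows, device, service, window=0.5):
    """List (time, peer, direction, length) for every packet the device
    re-sends at the same length between `service` and some other host."""
    hits, pending = [], []   # pending: packets received, not yet re-sent
    for t, src, dst, length in sorted(flows):
        pending = [p for p in pending if t - p[0] <= window]
        if dst == device:
            pending.append((t, src, length))
        elif src == device:
            for p in pending:
                from_service = p[1] == service
                # exactly one end of the hand-off must be the service
                if p[2] == length and from_service != (dst == service):
                    peer = dst if from_service else p[1]
                    way = "service->peer" if from_service else "peer->service"
                    hits.append((t, peer, way, length))
                    pending.remove(p)
                    break
    return hits

def relay_suspects(flows, device, service, min_pairs=3, window=0.5):
    """Hosts on the non-service end of at least `min_pairs` hand-offs."""
    pairs = find_relay_pairs(flows, device, service, window)
    counts = Counter(peer for _, peer, _, _ in pairs)
    return {peer: n for peer, n in counts.items() if n >= min_pairs}

if __name__ == "__main__":
    print(relay_suspects(SAMPLE_FLOWS, DEVICE, SERVICE))
```

On real captures the lengths would come from TLS record or segment sizes, so the exact-match test may need a tolerance; that adjustment is not shown here.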


    Source: Jay Freeman's Google+
    This article was originally published in forum thread: Saurik Addresses Fake iMessage App, Potential Security Issues started by Michael Essany
    14 Comments
      smith01 -
      Didn't they say the same thing when Siri was ported to the iPhone 4 and people freaked out saying it was going through Russian servers and that turned out to be fine. So what's the difference here?
      It works, you can access iMessages on the Android so it works so it's not a big scam everyone thinks it is.
      If it was a huge scam it wouldn't work to start with but it does work.
      I'm thinking it'll be like the Siri port. It needs to tell the Apple servers it's coming from an iPhone instead of an Android, that's why the server is there.
      And who says it's not an Apple server in China it's going through?

      I say when someone gets their Apple ID hacked then OK, it's a scam, but as it's working and doing what it says I say it's not.
      slim.jim -
      Quote: Originally posted by smith01
      Didn't they say the same thing when Siri was ported to the iPhone 4 and people freaked out saying it was going through Russian servers and that turned out to be fine. So what's the difference here?
      It works, you can access iMessages on the Android so it works so it's not a big scam everyone thinks it is.
      If it was a huge scam it wouldn't work to start with but it does work.
      I'm thinking it'll be like the Siri port. It needs to tell the Apple servers it's coming from an iPhone instead of an Android, that's why the server is there.
      And who says it's not an Apple server in China it's going through?

      I say when someone gets their Apple ID hacked then OK, it's a scam, but as it's working and doing what it says I say it's not.

      There is nothing stopping them from sending modified data back to your phone. Potentially a HUGE security risk if they find an exploit that will execute code embedded within the message. I would say it is more of a risk for the Android user but they could still use it to send something to an iOS or OS X user potentially infecting the receiving device.
      luvmytj -
      Wait... am I in the wrong forum? Android apps? Who cares, we don't use no stinkin' Android here?
      slim.jim -
      Quote: Originally posted by luvmytj
      Wait... am I in the wrong forum? Android apps? Who cares, we don't use no stinkin' Android here?
      It allows an Android phone to send an iOS user an iMessage which bypasses the iMessage security by spoofing the originating device. So I think you missed the point.
      reznor9 -
      I think another valid point is that in order to use iMessage on the Android you have to provide your Apple ID and password. Now I'm pretty sure people don't realize they are giving this info to a 3rd party in order to spoof it on their Android. This means they have access to your payment info via the Apple App Store. I would proceed with caution.
      bigboyz -
      Hmm. Interesting. You don't hear him say much about anything except Cydia related items. I would take him seriously. At the same time, you are free to make the choice. Time will tell.
      wolverinemarky -
      Quote: Originally posted by reznor9
      I think another valid point is that in order to use iMessage on the Android you have to provide your Apple ID and password. Now I'm pretty sure people don't realize they are giving this info to a 3rd party in order to spoof it on their Android. This means they have access to your payment info via the Apple App Store. I would proceed with caution.

      That's what I was thinking when I first heard this story. Apps on Android are iffy as well for malware, but giving something access to your credit card info off your account could defraud millions of people out of millions of dollars if a bunch of people on Android downloaded this app and it wasn't on the up and up.
      vikrants -
      It's already removed? I can't find it.
      slim.jim -
      Quote: Originally posted by vikrants
      It's already removed? I can't find it.

      I'm sure you can find the APK file on the net somewhere.
      ThatOneProfile -
      Can't wait to try iMessage on Windows! (Slowly getting there)
      XweAponX -
      I wonder if I can install this on BlueStacks? If the app is still there I may try it and see what it does. I have an extra Apple account with no card so it should be safe.
      PokemonDesigner -
      This wouldn't be too big of a problem for most people unless you are not only storing your credit card on iTunes but also not running some form of protection on your Android. Like. Those are two big no-nos.
      smith01 -
      BTW, it's gone now. It's been deleted from the store.
      wiipro -
      That's why I stick with gift cards...