
Experts are warning Android users to avoid the iMessage Chat app, which claims to be an Android version of Apple's iMessage technology.
The app is credited to a Daniel Zweigart, who placed the app onto third-party sites. Although the app does what it claims to do, allowing Android users to message Apple users and vice versa, experts warn it does a whole lot more than just that.
Jay Freeman, a mobile developer who runs a consultancy called SaurikIT, warns that, over and above connecting these users, the app sends all the data used with it to be processed on the developer's server, hosted in China.
In his blog, Freeman says: "This not only means that Apple can't just block them by IP address, but also that they get to keep the 'secret sauce' on their servers, and potentially just run Apple code."
He explains: "Every packet from Apple is forwarded to 222.77.191.206, which then sends back exactly what data to send to Apple. Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected."
Freeman added that the developer is responding to reviews about login issues, asking only for the users' Apple IDs, which would suggest that even the authentication would be under his direct control.
"Clearly, this is suboptimal from a security perspective," Freeman comments.
According to Threatpost, the developer could be collecting not only message content on their end, but user names, passwords and possibly Apple ID account information, including credit card numbers.
The app had been available for under a month on Google Play, but was downloaded at least 10 000 times. It has been removed from Google Play, but is still available on several third-party sites.

