A new Android app that clearly spoofs Apple’s iMessage is creating a lot of buzz today, and not in a positive way.
In fact, some mobile security and operating system experts are urging caution to those who wish to download the new app, which is called “iMessage Chat.”
Jay Freeman (also known as “saurik”) is a developer best known for his work on jailbroken iPhones. Today, Freeman was among those explaining why caution should be taken with this app, even though it works as intended.
“As far as I can tell the way it works is that the client does directly connect to Apple, but the data is all processed on the developer’s server in China,” Freeman posted on Google+. “This not only means that Apple can’t just block them by IP address, but also that they get to keep the ‘secret sauce’ on their servers (and potentially just run Apple code: there are some parts of the process in Apple’s client code that are highly obfuscated).”
“Every packet from Apple is forwarded to 22.214.171.124, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what’s happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.”
“Clearly, this is suboptimal from a security perspective,” he added.
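The relay pattern Freeman describes can be spotted from packet metadata alone, because payload sizes survive the re-encryption. The following sketch is an added example, not code from the article or from Freeman. It assumes a capture reduced to (time, source, destination, payload length) records, reads "size unaffected" as equal lengths, and uses placeholder addresses and a hypothetical `find_relays` helper.

```python
from collections import Counter

# Constructed capture records: (seconds, source, destination, payload bytes).
# All addresses are placeholders from documentation ranges, not real endpoints.
DEVICE, APPLE = "10.0.0.5", "192.0.2.10"
RELAY, OTHER = "198.51.100.7", "203.0.113.9"
CAPTURE = [
    (0.00, APPLE, DEVICE, 412), (0.02, DEVICE, RELAY, 412),
    (0.09, RELAY, DEVICE, 96), (0.10, DEVICE, APPLE, 96),
    (0.50, DEVICE, OTHER, 1200),
    (1.00, APPLE, DEVICE, 1337), (1.01, DEVICE, RELAY, 1337),
    (1.08, RELAY, DEVICE, 230), (1.09, DEVICE, APPLE, 230),
    (2.00, APPLE, DEVICE, 64), (2.30, DEVICE, OTHER, 64),  # outside the window
    (3.00, APPLE, DEVICE, 780), (3.02, DEVICE, RELAY, 780),
]

def find_relays(capture, device, vendor, window=0.25, min_hits=3):
    """Return {host: hits} for third-party hosts that mirror vendor traffic.

    A hit is either a vendor packet followed shortly by a same-size packet
    from the device to another host, or a packet from another host followed
    shortly by a same-size packet from the device to the vendor.
    """
    hits = Counter()
    pkts = sorted(capture)
    for i, (t0, src0, dst0, n0) in enumerate(pkts):
        if dst0 != device:
            continue  # only packets arriving at the device start a match
        for t1, src1, dst1, n1 in pkts[i + 1:]:
            if t1 - t0 > window:
                break
            if src1 != device or n1 != n0:
                continue
            if src0 == vendor and dst1 != vendor:
                hits[dst1] += 1  # vendor data copied out to a third party
                break
            if src0 != vendor and dst1 == vendor:
                hits[src0] += 1  # third party supplied what went to the vendor
                break
    return {host: n for host, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(find_relays(CAPTURE, DEVICE, APPLE))
```

A single size match is weak evidence, so the threshold requires the pattern to repeat before a host is reported.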