Apple iMessages can now be used on Android devices with the Google Play store app iMessage Chat, but it comes with some grave security concerns. (Photo: Google Play)

Apple's iMessage Chat is now available on the Android Google Play store. Sounds awesome, right? Right. Except for the fact that it poses a frightening security and privacy concern for those who use it.

iMessage Chat for Android is an unofficial third-party app by developer Daniel Zweigart, and appeared on the Google Play store on Tuesday. Though it's been available less than 12 hours, the app has already been downloaded by over 10,000 Android users. The app, which appears to work flawlessly, allows Android device users to send messages from their Android devices to an iPhone, iPad, iPod etc. All that is required is to download the app and set up an Apple ID. Though the ability to use Apple's unique messaging system across a variety of platforms is certainly something many consumers will want, few have stopped to consider, or may even be aware, that there are some grave security implications for those who choose to download this app.

A well-known Apple and Android hacker/developer, Jay Freeman aka @Saurik, was one of the first to investigate the app to discover how it works. According to @Saurik, iMessage Chat for Android basically connects to Apple's server from the device by using the Apple ID given, but instead of just directly delivering messages, it takes the data and sends it to a third-party server, analyzes or parses it there, and then sends the data back to your device. In other words, rather than just delivering the iMessages back and forth between the people sending them, it's actually taking your lovely little iMessage packages home, unwrapping them, looking at what you got, and then rewrapping them and delivering them to the intended receiver.

Upon looking at this research, I immediately thought to myself, "This is bad. Very, very bad." To make sure, however, that I wasn't just giving in to some kind of invalidated hysteria, I decided to consult a security researcher who has done extensive research on Apple security and recently exposed a flaw in the Apple iMessaging service, Cyril Cattiaux aka @pod2g. Many who are familiar with this name know @pod2g is an iOS hacker responsible for finding and exploiting multiple iOS vulnerabilities, which have been used in a number of recent public jailbreaks for iPhones, iPads and iPods. @Pod2g was one of many security researchers and developers who posted a warning on Twitter to be wary of this new Google Play app.

When I asked him how the app worked and what exactly it meant in terms of security, this is how he responded.

"It's probably too early to make statements about how they're doing it [but]... we can't really consider that they hacked anything as they are interfacing the iMessage protocol with Apple binaries ... We'll probably reverse it today at QuarksLab (depending on time). What is clear is that the whole authentication system of the iMessage service is so obfuscated that nobody (?) could reverse it fully. It's state of the art white box cryptography here. They certainly just ripped the authentication library / binary off and put that on their server and interfaced it, which means that your Android app will send your credentials to their servers, probably with a SSL / cyphered communication, but the credentials (AppleID + password) need to be received in clear by the server in order to send them to the binary and do the authentication with Apple servers."

For those who aren't developers or programmers, basically what this means is that this is not a "hack" per se. The reason is that it requires the user to willfully hand over information in the form of an Apple ID. However, that does not make this any less of a security and privacy concern for those who download and use the iMessages for Android app. When I asked Cyril Cattiaux whether this app and the way it functions seem concerning, here is how he replied.

"Saurik says that their app sends back every packet received from Apple to their server in China. I don't see the point. Why do they do that? I mean, when you're authenticated (the obfuscated part of the iMessage protocol), you can basically communicate with Apple directly. That's why I don't see the requirement of sending every packet back to their servers in China." To that thought the security researcher added this: "When you have the AppleID + password, you can basically do anything ... It is the main security issue with this app. They could even add a new fake device attached to your AppleID and receive every message you are sending. You will have a popup on your devices saying 'Device x is now connected on iMessage' (I don't remember the exact sentence) but if they make the x look like another of your devices, you won't notice. It will say something like 'iPod of Cyril'."

At this point, most readers should understand that this is clearly a security concern. Even if the developer of the iMessage Chat for Android app had no malicious intentions whatsoever, there are other concerns, says Cattiaux, which could extend the possible danger even further.

"It can't be worse, really. Also, depending on the security of their servers, a hacker could hack their server, set some software of his on it, and grab everything. And, maybe they save these credentials to a database."

Of course in looking around the web, I have seen some stating that they used a fake Apple ID to set up their iMessages for Android, but even with this "security measure" in place, Cattiaux says there could still be further risks.

"The problem is how they choose the password ... also, Apple asks for your Address, phone number, and all when you create an AppleID. You can fill in wrong information, but who's doing this? Plus these guys will be able to use the account to spam / scam."

But what about users on the receiving end? What about someone like me, who has an Apple iPhone or iPad, uses the authentic iMessage service and then suddenly starts receiving iMessages from a friend on an Android device? Is my security in jeopardy?

According to Cattiaux aka @Pod2g, no. But my privacy is.

"They can't grab your Apple ID + password if you don't use the app yourself, but they can read what's sent by the user of the app and what he receives."

In other words for Apple users this is not a security concern necessarily, but it is certainly a privacy concern.

In looking at all the evidence here, we certainly cannot recommend that anyone download or use the iMessage Chat for Android app to send or receive messages.

Follow Cammy on Twitter, or Facebook for latest stories and updates.

