Yesterday Android Authority’s Bogdan Petrovan highlighted several security concerns about the iMessage Chat app that had appeared in the Play Store. The app was supposedly created to give Android users the ability to chat with users of Apple’s popular messaging service. However this potentially useful app seemed to have a darker side including some surreptitious communications with a server in China. Thankfully Google seems to have taken note and the app has now been removed from the Play Store.
The app was designed in such a way that everything was first sent to a server in China which in turn replied with the correct protocol that the phone should pass on to Apple’s servers. Jay Freeman (Saurik), the creator of the Cydia platform, speculated that this could allow the app’s designer to harvest Apple login credentials and allow attackers to take control of users’s accounts and so on. Another problem with the app is that its permissions allowed it to download and install other apps in the background, a sure way for the app creator to sneak some malware on to a device.
The app first appeared on Google Play on September 12th, however it has now been removed. As you can see from the screenshot an example name used by the app is “HuLuWa” and someone using that moniker did reply to Saurik’s G+ post and offered to release the source code for the app. However further questions directed at them including questions about the stealing of Apple IDs remained unanswered. HuLuWa was also the name of the developer’s site (as listed in Google Play) and at the moment huluwa.org is offline. Messages left on Hu LuWa’s Google+ page have also remained unanswered.
A Google spokeswoman confirmed in an email to Computerworld that the company had pulled the app saying “we remove apps from Google Play that violate our policies.”
However one question now remains, if there was a legitimate iMessage app for Android would you use it?
Like this post? Share it!
I don’t understand all the backlash. Users know the security risk when they install the app, but many people, including me, are willing to take that “risk”. I am an optimist in life…if someone creates something valuable, I make use of that value not question why it exists to the point that it no longer does exist.
A final point I would add is, people can easily create a new Apple ID that is not connected to payment if they feel unsafe using the app.
Most normal users actually don’t know/understand the risks
do you have a cc attached to your apple ID (most do)
do you you this app can download additional apps in the background?
how can you think the permissions for these things are fishy?
It’s not just your Apple ID. It’s the fact that the app has a back door to install anything else on your phone without your knowledge. That’s not just risk, that’s pure stupidity if you know it and do it anyway.
Also, there’s the issue of all your conversations being readily available to the developer (and whoever hacks his unprotected server). You’re not just taking on the risk yourself, but you’re exposing all those with whom you communicate. The messages they THINK are reasonably secure with you are NOT and that’s not fair to them for you to put THEM at risk.
Do I need to talk about the complete and total failure of privacy and security of absolutely everything on your phone and absolutely everything your phone accesses because of the back door to installing whatever the hell they want?
Use some common sense man!
I just hope that those who downloaded and used this app change their apple ID password and whatever credit card info they had linked to it before its too late….That is if it isn’t too late yet….or at least for some damage control….
“if there was a legitimate iMessage app for Android would you use it?”
Yes. I have friends who have iPhones and it will be great to use iMessage with them. Some use whatsapp, but not all.
I would love an imessage app for android. Only because my Father used it on his Ipad. Email works fine but he likes getting the messages from my brother who is an Apple junkie.
google hangouts…. whatsapp… you have several options