Is this actually running on Apple's iMessage protocol or is it just duplicating/imitating it? That is to say, if you 'iMessage' to an Apple device, does it come up as an iMessage on that device?
Sadly this will probably be shut down by morning since it didn't come from Apple. What Apple should, but won't do, is buy it and release it for free themselves. But then Apple would have to admit that there just might be another AppStore in the universe and their reality distortion field might show a small dent.
Does this screw up the ordering of messages just like iMessages? Does it make you apart of the same conversation multiple times, so that when you send a message, you get your own reply?
If Apple wants it gone they have a legal staff that can make life hell for the app author. My guess is the 'iMessage' name and icon design are enough for a takedown order.
I understand that with the latest Apple TV update Airplay is now proprietary. Ie. wrapped in Apple's FairPlay DRM spec. So, any third party non-licensed Airplay services are now dead.
With the US' draconian DMCA law in place, it also now illegal to build any devices that Apple hasn't licensed to use Airplay on your Apple TV.
Sounds great, but I’m still worried because this App might hijack the Apple ID and password. If I remember it correctly, Apple does not publish their Apple ID API outside of iOS SDK.
Not sure if you're wanting this because you're switching devices but for full time android users it shouldn't be a big deal to set up a new apple id to use this app.
They don't even publish the Apple ID API inside the iOS SDK. There is no way to directly use Apple ID as a form of identification. Only 2nd-hand ways, like GameCenter, and iCloud.
Regardless of whether it'll disappear from the Play store quickly or not this is kinda cool. Hopefully it means there'll be a FOSS implementation of this at some point and we can get other Linuxy stuff talking to iDevices.
(If there already is one I'd love to be pointed at it, I've done some searching previously trying to get a nice solution for getting scripts at home communicating with me - I eventually settled on using push notifications with Prowl http://www.prowlapp.com/)
This is actually talking directly to the iMessage service. It's hitting https://service.ess.apple.com:443 (and https://service2.ess.apple.com:443 when authenticating) and not being proxied through any third-party servers. That being said, it does look like the app reports basic analytics but nothing sensitive.
They can start by getting Google and other major app stores to pull the app for copyright / trademark infringement on the term "iMessage", then they can sue the developer for the same (he's public with his identity).
Beyond that all they need to do is include some form of digital signing in the login process which he can't duplicate and jobs a good un.
Alternatively they may say that they don't care and leave it alone as it strengthens iMessage as a platform.
But my guess is that this won't end well. Isn't it trademarks that you have to defend or you lose them? If that's the case then Apple at the very least need to have him change the name and so on.
Digital signing on the login process? Could you be more specific? I was under the impression that verifying data is coming from an 'approved clients' over a reverse engineered protocol is impossible.
That's crazy. The protocol for iMessage is so complicated that I gave up very quickly after getting IP banned many, many times, it's an incredibly sensitive service to things like this. At the time I just wanted to be able to check if an email address was iMessage-supported, but it required piles of signatures and other authorisation.
It will get banned on Apple's end so quickly, but not before it's used to send mountains of spam.
Haha, same here. Instead I wrote an app that uses the iMessage Mac client to insert a mail address into the to: field and check whether it supports iMessage. And then I use pixelbuffer data to figure out whether the mail address has the correct iMessage supported color in the ui. Works great, but is a bit slow.
> That being said, it does look like the app reports basic analytics but nothing sensitive.
Are you referring to the seemingly-encrypted network connection over port 5332 to a server in China at IP address 222.77.191.206 that has traffic that precisely correlates to me sending and receiving messages using the application? [edit: Which happens to be the value of the resource ServerId in the APK?]
That is just looking for embedded URLs: it totally fails to notice the IP address hardcoded into the APK (222.77.191.206) that seems to be used every time you send/receive a message.
Reminder: iMessage's "encryption" is open to the NSA. (What's more, Apple partners with the NSA.) Not sure why you'd want to submit to the surveillance state.
<sarcasm>
Because if you connect to an iMessage client that also sends your packets to China, the MSS and the NSA get stuck trying to both look at your packets. We call it Two Stooges Syndrome. Your information is safe. No, it doesn't make you invincible
</sarcasm>
There is some truth to your statement. For example, we will never know if PG would shut down HN if required to hand over the private logs. So yes, our posts can be cross-referenced with other online profiles, etc.
Now, should the conclusion be "we should stop communicating electronically"? That would be a severe restriction to free speech and thus advancement of our species. So, no.
Maybe the right direction is to migrate the discussion towards encrypted and distributed forums. RetroShare offers such a feature (amongst others): http://retroshare.sourceforge.net/
Funny how a small app like that can destroy all the hopes a multi-billion dollar company like Blackberry put in their stay relevant by rolling out BB Messenger to iOS and Android plan.
Assuming Apple doesn't kill it of course... There are some good reasons why Apple shouldn't kill it (network effect work both ways) but who knows what they will do.
Apple can just pull this off Google Play and then also reject BB Messenger from iTunes App Store. Boom. Victory through lawyering with no technical work whatsoever. Two competitors down.
It looks a bit obfuscated, but there might be some useful finds. I'm going through it and looking for hardcoded strings that might not be in the resource files.
Kudos to the folk who reverse-engineered it, but I'm not sure this is a good thing in the long run.
Put it this way, just like AirPlay and AirDrop, it keeps the open-source community on the backfoot, always looking to "keep up with the Joneses" when in fact we should let these proprietary protocols wither and die.
The public perception shouldn't be that Apple lead and others follow, it should be that Apple have deliberately isolated themselves from everybody else.
I agree with you. I also suspect Apple's iMessage system is not nearly as secure as they claim it is. So if someone can post the full crypto protocol, others will find bugs/ backdoors* in it and you will have one more reason not to trust closed source secure communication software.
* By backdoor, I mean the protocol isn't actually end to end secure in the way Apple claims(i.e. safe from NSLs) and Apple does actually have access to messages. Not that the protocol looks secure and they picked backdoored primitives or some secrete key escrow scheme, though they may have done the latee at least in other cases[0]
This is really awesome. They should release the method, although obviously there is some value in their not doing so. I'm sure Apple will change the iMessage endpoint to kill this, but that's a cat-and-mouse game they'll lose with the dev community in the long run. If this is a true reverse engineering of the iMessage protocol, this will be very hard to shut down.
It is such a shame and pity that it comes from China. It killed all of the buzz for me in an instant. I have nothing against Chinese people, but an app that has done something never done before with Chinglish in it - nope.
Everybody is talking about high level conspiracies regarding NSA, overseas intelligence agencies and whatsoever.
But the real concern should be about simply getting scammed! Of course our(end user) data is not safe, it was not designed from the very start to be so. I have no problem with NSA and Apple reading my messages because I am sure that they won't use the credit card linked to my account without my consent.
This... thing is a bit different. It is run by a third party provider somewhere outside of European and American jurisdictions. My concern is that if this app was created by Europeans or Americans, I would trust it my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I loose money. There would be a possibility of an investigation, a court and a punishment. This, my friends, is a bit different scenario. If people get their accounts compromised and money gets stolen, Apple is not going to do a thing about it for two simple reasons:
1) Who wants to argue with China? What is the chance of even finding the physical location of the server all the data gets relayed back to?
2) Apple never authorised the use of third party apps.
This is my concern about China, nothing else. I would love to use this app for my every day needs, I would even pay for it! But the chance of my account being stolen with no possible outcome positive for me just rustles my jimmies.
> My concern is that if this app was created by Europeans or Americans, I would trust it my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I loose money. There would be a possibility of an investigation, a court and a punishment
There's also the possibility of an investigation, court case and punishment in China.
And I wager the chances of you getting any money back in either case is about the same.
I believe that this application actually does connect to Apple's servers from the phone, but it doesn't then interpret the protocol on the device. Instead, it ferries the data to the third-party developer's server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple.
Doing it this way means that Apple can't just block them by IP address, it avoids them having to distribute their "secret sauce" (understanding the iMessage protocol is clearly very valuable), and it potentially allows them to use actual Apple code on their servers (in case they haven't spent the time to fully break the fairplay obfuscation that Apple is using for some of their keys).
Here's what I'm seeing: every time I send it a message, I get a packet from Apple, and then immediately the app sends a packet of almost exactly the same size to 222.77.191.206 (which is listed in this application's APK as "ServerIp"). It then gets back two packets from the Chinese server, the first of which I'm presuming is the decoded result and the second packet being a response to send Apple (as immediately a packet is sent back to Apple with about the same size).
Additionally, if you read the reviews of this application, the author is making some very weird responses to people with login issues: he's asking for their Apple ID, as apparently that's enough for him to debug their issue. That shouldn't be possible if the application is just directly talking to Apple the entire time.
[edit: The more I stare at this, the more confident I am in this analysis; specifically, the packets that are "about" and "almost exactly" the same size are very deterministic: the packets to/from Apple are precisely 7 bytes larger than the corresponding packets to/from the Chinese server.]
[edit: It also occurred to me to verify the other direction: in fact, if you go to send a message, first the client sends something to the developer's server, which then returns a packet which, along with again the exactly 7 extra bytes, is sent to Apple's server.]
That makes sense with my very limited experience messing with the iMessage protocol. Stands to reason that passwords are being ferried back to them though, there's got to be some financial reason for going to all this trouble.
ED: Their obfuscation isn't actually that severe once you get used to it.
Not that this needs pointing out, but this also means the mysterious Chinese server also gets to read all your iMessages. This is some kind of quasi-MITM, and for that alone Apple would be in the right to block this kind of thing from ever working.
Why is it any worse than only Apple server reading all you messages? You trust one third party with proven track record of spying on its customers, but somehow you are upset that someone else also has access to you messages, thought that someone didn't (yet) do anything wrong with them.
If you are American, you don't have to fear from Chinese espionage, and US agencies already have your data. If you are European, it's more or less the same. If you are from China, well, at least you can prove that you are not doing anything behind the government back ;)
It is not only one person, it is not only Apple servers reading all your messages. It is in fact the whole world. Through Apple gives it to NSA which hands it over to various other agencies, GHCQ, FRA, your data ends up in Israel. Your data is already a goods traded with on the international market.
Why not increase the competitiveness of this Chinese actor, you will get better service in the future? More competitive - better service.
The NSA has already sold your CC on the black market. Its just that the buyer hasnt used it, because they cant use it without getting penalties. Penalties which this Chinese vendor would succumb to as well.
Now are you going to say you trust Israel more than the Chinese, they wont misuse your CC, and if they did, its still better than trusting a Russian vendor?
Uh... as I read it the point of this app is the the whole world is able to read your messages. This app is just the existence proof that all that is required is access to the raw packet data.
Clearly most people are going to "trust" Apple Computer more than this app vendor. But the point is that such trust isn't worth anything. The data is hanging out there already.
Huh? So, does the existence of an open-source reimplementation of early versions of SSL also imply that if you had access to the raw packets you can read anyone else's SSL stream? How about if we first require the data to be sent in the clear to someone who refuses to tell us how DES works, but is willing to provide a web service that implements it? This app is not by any stretch of imagination proof that the protocol on the wire is not encrypted. Yes, that might be the case, and we might learn some interesting things at pod2g's talk on iMessage at HITB (I'm definitely looking forward to that), but that would be totally unrelated to the existence or possibility of this app.
People know who Apple is. Apple has a reputation. Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.
I don't know who's running this server in China. But unless it's the NSA, you're much worse off using this app than native iMessage, because now in addition to NSA seeing everything, so does this guy--who has no reputation at risk. Adding more eavesdroppers makes communications additively less secure.
How exactly do I have nothing to fear from the Chinese? At least the NSA is unlikely to have any real interest in communications between Americans in America because it's outside their mission, which is not true for Chinese or Russian intelligence.
Yes but you do have to sacrifice quite a bit to be outside of the NSA's realm of observability. Is iMessage securely encrypted? Wasn't the DEA caught red-handed with a false memo claiming they couldn't MITM iMessage communication?
Well, Mr "nsashill42334", account under 24 hours old, I don't think that Mr Snowden should be trusted without question. However it seems unlikely that he is setting out to dupe people into using encryption for some reason or other.
Surely you're joking. I don't doubt you can understand the difference between a government law enforcement agency reading your messages and some guy off the street reading your messages.
Neither Apple nor the NSA will, for example, immediately rack up a string of fraudulent charges on every credit card number that it sees come through its system. Some random guy in China? I'd say there's a pretty high chance that's exactly the reason this app is in the app store.
No, it is not a joke. iMessage is not a secure communications channel. With this app in the wild, it is pretty clear it is not a secure communications channel. You should not post CC information along an insecure communications channel.
You may be right that there is more risk involved now, but it is nice to get the point out in the open.
>> "I don't doubt you can understand the difference between a government law enforcement agency reading your messages and some guy off the street reading your messages."
I'd feel more secure with just some guy off the street reading my messages. Fortunately I don't ever send CC#'s through messaging services so there's very little else he could do.
I didn't mention this case I was speaking more generally. And I'd personally be more worried with what the US government knows about me than the Chinese. I have many more interactions with American people and businesses and I like to visit there. I don't have much if any interaction with China so it doesn't bother me as much.
That still makes no sense. Your information has been leaked to one party, so you're okay with it leaking to others as well? Also, it's not just what they know, it's what they do with that knowledge. And it seems pretty absurd to make the claim that the US has had worse precedence in this regard than China.
If you are American, you don't have to fear from Chinese espionage
Citation needed. There are numerous stories (unconfirmed of course, but that's the way these things always are) of Chinese hackers breaking into companies and stealing trade secrets. They aren't just after super spies, you know.
And you don't work in an industry the Chinese would be interested in? Good for you. But do you know anyone that is? This hack might quite possibly allow them to send messages as you to whoever they want.
"The NSA has my information so hey, screw it" isn't really an appropriate reaction.
If it were a proper "Silicon Valley kid" who did that, you would applause loudly.
Does it happen to you that there are talented geeks and developers in China.
For one: http://agentzh.org/
This guy may well be a perfectly responsible entrepreneur, but the fact is that common Chinese business practices can be pretty shocking. My wife in Chinese, her sister works for a bank over there and her husband is a cop. I could tell your stories that would make your hair stand on end, but I don't want to put anyone off ever going there again. I love China, but doing business over there's not for the faint hearted and it's just good sense to be realistic about it.
What the hell are you on about? I don't care about the nationality of this anonymous person trying to MITM my iMessages, only that some anonymous person is trying to MITM my iMessages.
I came to the same conclusion as Saurik, (though didn't go as far as looking up the Server and seeing it was from China).
I had hoped that I could decompile it, get the special sauce, and make a client for Qt-based OSes and also Windows Phone. Looks like I won't make any progress today
You likely won't be able to do anything at all, as the client is fairly dumb. It just takes requests from Apple's server, encrypts with CTR AES and a static key, then fires them off to the Chinese server for actual processing. Unless you want to use their server in your own application, you're just as snookered as before; you still need the secret sauce.
It's a fair point, though it may depend whether there is any "official support" for his actions.
If it's just someone acting on their own for fun, the amount of money Apple invest in China might suggest that they have some sway should they choose to use it.
the code there makes no mention of the iMessage protocol. everything there can be done using other publicly avaiable API's such as the CalDAV/CardDAV api.
I would be surprised if #1 was the case. Given the amount of volume of traffic that this app will generate, the traffic for identifying a rapidly signing in Message.app will be pretty unique and easily blockable by Apple.
Additionally, I know that recent efforts in the hackintosh community had problems with Message.app because the latest protocols incorporate being able to access the serial number of your machine (or something along those lines). Apple goes through some extensive hoops verifying that access to OS X -only and iOS-only services really does come from their devices.
Perhaps he's a non-English speaking coder who is expressing admiration and incredulity? What makes you think he's complaining? He goes so far as to explicitly state "no offence".
OMG! I'm so embarrassed! Yes I'm a non-English speaker and I can see my mistake now but I didn't last night when I was falling asleep. And yes, I'm showing admiration and curiosity because I feel stupid reading programming books and so when I don't know how this guy went that far without reading that much English books/sources. Because I'm almost sure that the most of information is available in English only.
I was thinking as I was writing the comment that it would be embarrassing to judge his English and make a mistake myself since I'm a non-English speaker but still I didn't double-check the comment because I was falling asleep. Ups! :P
Because he is able to not only master his native tongue but also acquire some fluency in English. You people born with English as native language wouldn't know how hard it is to keep switching between 3-4 languages constantly.
This is blowing up all over the internet right now.. It is pretty amazing that there is an app like this which works, but it is even more surprising that this has been around for a bit, and it flew relatively under the radar.
I just tried it out myself, and my boss who uses an iPhone is in total shock.
236 comments
[ 3.8 ms ] story [ 246 ms ] threadWhat they can do is to shut off the backend because they probably don't have rights to use it anyway.
With the US' draconian DMCA law in place, it also now illegal to build any devices that Apple hasn't licensed to use Airplay on your Apple TV.
Use it with a demo account.
(If there already is one I'd love to be pointed at it, I've done some searching previously trying to get a nice solution for getting scripts at home communicating with me - I eventually settled on using push notifications with Prowl http://www.prowlapp.com/)
This is truly impressive!
Beyond that all they need to do is include some form of digital signing in the login process which he can't duplicate and jobs a good un.
Alternatively they may say that they don't care and leave it alone as it strengthens iMessage as a platform.
But my guess is that this won't end well. Isn't it trademarks that you have to defend or you lose them? If that's the case then Apple at the very least need to have him change the name and so on.
It will get banned on Apple's end so quickly, but not before it's used to send mountains of spam.
(eg. iCloud for PC)
Are you referring to the seemingly-encrypted network connection over port 5332 to a server in China at IP address 222.77.191.206 that has traffic that precisely correlates to me sending and receiving messages using the application? [edit: Which happens to be the value of the resource ServerId in the APK?]
http://i.imgur.com/W3QitN6.png
Only connects to Apple itself, And
http://alog.umeng.com/app_logs http://alog.umeng.co/app_logs http://oc.umeng.com/check_config_update http://oc.umeng.co/check_config_update
Which is 'apparently' a chinese analytics provider.
So I wasn't sure if things had changed in later versions of the app.
Now, should the conclusion be "we should stop communicating electronically"? That would be a severe restriction to free speech and thus advancement of our species. So, no.
Maybe the right direction is to migrate the discussion towards encrypted and distributed forums. RetroShare offers such a feature (amongst others): http://retroshare.sourceforge.net/
Assuming Apple doesn't kill it of course... There are some good reasons why Apple shouldn't kill it (network effect work both ways) but who knows what they will do.
Good work on reverse engineering the protocol though.
If so, if they or someone could put up the source or even a protocol spec, that would be amazing.
I posted the APKTool output on Github for anyone that wants a quick look - https://github.com/mdp/iMessageChatDecompile
Put it this way, just like AirPlay and AirDrop, it keeps the open-source community on the backfoot, always looking to "keep up with the Joneses" when in fact we should let these proprietary protocols wither and die.
The public perception shouldn't be that Apple lead and others follow, it should be that Apple have deliberately isolated themselves from everybody else.
* By backdoor, I mean the protocol isn't actually end to end secure in the way Apple claims(i.e. safe from NSLs) and Apple does actually have access to messages. Not that the protocol looks secure and they picked backdoored primitives or some secrete key escrow scheme, though they may have done the latee at least in other cases[0]
[0]http://www.nosuchcon.org/talks/D1_02_Alex_Ninjas_and_Harry_P...
Everybody is talking about high level conspiracies regarding NSA, overseas intelligence agencies and whatsoever.
But the real concern should be about simply getting scammed! Of course our(end user) data is not safe, it was not designed from the very start to be so. I have no problem with NSA and Apple reading my messages because I am sure that they won't use the credit card linked to my account without my consent.
This... thing is a bit different. It is run by a third party provider somewhere outside of European and American jurisdictions. My concern is that if this app was created by Europeans or Americans, I would trust it my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I loose money. There would be a possibility of an investigation, a court and a punishment. This, my friends, is a bit different scenario. If people get their accounts compromised and money gets stolen, Apple is not going to do a thing about it for two simple reasons: 1) Who wants to argue with China? What is the chance of even finding the physical location of the server all the data gets relayed back to? 2) Apple never authorised the use of third party apps.
This is my concern about China, nothing else. I would love to use this app for my every day needs, I would even pay for it! But the chance of my account being stolen with no possible outcome positive for me just rustles my jimmies.
There's also the possibility of an investigation, court case and punishment in China.
And I wager the chances of you getting any money back in either case is about the same.
Doing it this way means that Apple can't just block them by IP address, it avoids them having to distribute their "secret sauce" (understanding the iMessage protocol is clearly very valuable), and it potentially allows them to use actual Apple code on their servers (in case they haven't spent the time to fully break the fairplay obfuscation that Apple is using for some of their keys).
Here's what I'm seeing: every time I send it a message, I get a packet from Apple, and then immediately the app sends a packet of almost exactly the same size to 222.77.191.206 (which is listed in this application's APK as "ServerIp"). It then gets back two packets from the Chinese server, the first of which I'm presuming is the decoded result and the second packet being a response to send Apple (as immediately a packet is sent back to Apple with about the same size).
Additionally, if you read the reviews of this application, the author is making some very weird responses to people with login issues: he's asking for their Apple ID, as apparently that's enough for him to debug their issue. That shouldn't be possible if the application is just directly talking to Apple the entire time.
[edit: The more I stare at this, the more confident I am in this analysis; specifically, the packets that are "about" and "almost exactly" the same size are very deterministic: the packets to/from Apple are precisely 7 bytes larger than the corresponding packets to/from the Chinese server.]
[edit: It also occurred to me to verify the other direction: in fact, if you go to send a message, first the client sends something to the developer's server, which then returns a packet which, along with again the exactly 7 extra bytes, is sent to Apple's server.]
ED: Their obfuscation isn't actually that severe once you get used to it.
If you are American, you don't have to fear from Chinese espionage, and US agencies already have your data. If you are European, it's more or less the same. If you are from China, well, at least you can prove that you are not doing anything behind the government back ;)
Not. This. Again.
Because one person can read your messages, it doesn't mean that the whole world should be able to. One happening doesn't mean the other is okay.
It is not only one person, it is not only Apple servers reading all your messages. It is in fact the whole world. Through Apple gives it to NSA which hands it over to various other agencies, GHCQ, FRA, your data ends up in Israel. Your data is already a goods traded with on the international market.
Why not increase the competitiveness of this Chinese actor, you will get better service in the future? More competitive - better service.
Apple, NSA saw CC number in your chat log, but Apple, NSA, GHCQ, FRA or Israeli Intelligence won't steal your CC and use it.
However, the Chinese vendor could intercept CC info and sell it to blackmarket.
The NSA has already sold your CC on the black market. Its just that the buyer hasnt used it, because they cant use it without getting penalties. Penalties which this Chinese vendor would succumb to as well.
Now are you going to say you trust Israel more than the Chinese, they wont misuse your CC, and if they did, its still better than trusting a Russian vendor?
Clearly most people are going to "trust" Apple Computer more than this app vendor. But the point is that such trust isn't worth anything. The data is hanging out there already.
I don't know who's running this server in China. But unless it's the NSA, you're much worse off using this app than native iMessage, because now in addition to NSA seeing everything, so does this guy--who has no reputation at risk. Adding more eavesdroppers makes communications additively less secure.
How exactly do I have nothing to fear from the Chinese? At least the NSA is unlikely to have any real interest in communications between Americans in America because it's outside their mission, which is not true for Chinese or Russian intelligence.
I do not think that this statement is accurate. The NSA has specifically targeted the largest players.
Also: "encryption works. Properly implemented strong crypto systems are reliable" - Edward Snowden.
Very true. That's a consequence of the largest players in winner-take-all markets being targeted.
It's sad that the NSA and government has lost the faith of Americans to the point that the word of one man is taken without question.
scary baseling like this
Neither Apple nor the NSA will, for example, immediately rack up a string of fraudulent charges on every credit card number that it sees come through its system. Some random guy in China? I'd say there's a pretty high chance that's exactly the reason this app is in the app store.
You may be right that there is more risk involved now, but it is nice to get the point out in the open.
I'd feel more secure with just some guy off the street reading my messages. Fortunately I don't ever send CC#'s through messaging services so there's very little else he could do.
Citation needed. There are numerous stories (unconfirmed of course, but that's the way these things always are) of Chinese hackers breaking into companies and stealing trade secrets. They aren't just after super spies, you know.
And you don't work in an industry the Chinese would be interested in? Good for you. But do you know anyone that is? This hack might quite possibly allow them to send messages as you to whoever they want.
"The NSA has my information so hey, screw it" isn't really an appropriate reaction.
This guy may well be a perfectly responsible entrepreneur, but the fact is that common Chinese business practices can be pretty shocking. My wife in Chinese, her sister works for a bank over there and her husband is a cop. I could tell your stories that would make your hair stand on end, but I don't want to put anyone off ever going there again. I love China, but doing business over there's not for the faint hearted and it's just good sense to be realistic about it.
I had hoped that I could decompile it, get the special sauce, and make a client for Qt-based OSes and also Windows Phone. Looks like I won't make any progress today
I'll try BBM too once its on Android. Trying to get it off my Z10 has proven just as difficult
https://github.com/huluwateam/icloud
[edit: maybe this is more simple to decrypt https://github.com/huluwateam/icloud/blob/master/DataSyncSDK...]
Not saying that's a good thing, just that it's a likely thing.
If it's just someone acting on their own for fun, the amount of money Apple invest in China might suggest that they have some sway should they choose to use it.
1) They are using a workaround like a vm running osx where a program add the requested account on Message.app and then send back the I/O.
2) Second solution they got from an insider the protocol description and decryption.
Additionally, I know that recent efforts in the hackintosh community had problems with Message.app because the latest protocols incorporate being able to access the serial number of your machine (or something along those lines). Apple goes through some extensive hoops verifying that access to OS X -only and iOS-only services really does come from their devices.
Seriously? You're going to complain about his English?
I just tried it out myself, and my boss who uses an iPhone is in total shock.