236 comments

[ 3.8 ms ] story [ 246 ms ] thread
I'm afraid to install this. Does it actually work or is it another common fake app found on the Play store?
It's working for me. Sending and receiving messages and pictures. Receiving them faster then Messages for Mac is even!
Does it actually register as an iMessage? I wonder how they pulled it off.
Is this actually running on Apple's iMessage protocol or is it just duplicating/imitating it? That is to say, if you 'iMessage' to an Apple device, does it come up as an iMessage on that device?
It did when I tried with my roommate. He even sent me a picture.
I signed up on my phone and was notified by my iPad that another device had been added to my account. Seems to be a working implementation.
Sadly this will probably be shut down by morning since it didn't come from Apple. What Apple should, but won't do, is buy it and release it for free themselves. But then Apple would have to admit that there just might be another AppStore in the universe and their reality distortion field might show a small dent.
Remember this is Play Store not App Store. Apple can not pull anything out of the Play Store.

What they can do is to shut off the backend because they probably don't have rights to use it anyway.

They don't need to pull anything, just have their lawyers tell Google's lawyers that their iMessage trademark is being infringed. Gone.
Bruce Sewell’s office can always send a letter to Google Play Store. Most likely Google Play store would comply.
You can pull it off for Trademark infringement
Why would Apple buy them? If they wanted to release iMessage for Android, they would. But it's a selling point for them, so it's not likely to happen.
Does this screw up the ordering of messages just like iMessages? Does it make you apart of the same conversation multiple times, so that when you send a message, you get your own reply?
This is going to get shut down so fast from Apple, which is kind of sad given the amount of work that must have gone into this!
Not necessarily. There is many Airplay apps that are working for ages. Maybe they have to rename their app.
Airplay stuff never talked to Apple's servers though, this does.
If Apple wants it gone they have a legal staff that can make life hell for the app author. My guess is the 'iMessage' name and icon design are enough for a takedown order.
In China? Good luck with that.
I understand that with the latest Apple TV update Airplay is now proprietary. Ie. wrapped in Apple's FairPlay DRM spec. So, any third party non-licensed Airplay services are now dead.

With the US' draconian DMCA law in place, it also now illegal to build any devices that Apple hasn't licensed to use Airplay on your Apple TV.

Sounds great, but I’m still worried because this App might hijack the Apple ID and password. If I remember it correctly, Apple does not publish their Apple ID API outside of iOS SDK.
I absolutely agree. This is really impressive if it works, but there's no way I'm giving this my Apple ID.
Not sure if you're wanting this because you're switching devices but for full time android users it shouldn't be a big deal to set up a new apple id to use this app.
They don't even publish the Apple ID API inside the iOS SDK. There is no way to directly use Apple ID as a form of identification. Only 2nd-hand ways, like GameCenter, and iCloud.
That's what I meant, through Game Center and iCloud.
I would love to know how they pulled this off.
Presumably it's Java. Disassembly is quite easy and can even produce quite readable source.
Obfuscated code, auto-downloads APKs, presumably to 'self update' but no one is sure.

Use it with a demo account.

Regardless of whether it'll disappear from the Play store quickly or not this is kinda cool. Hopefully it means there'll be a FOSS implementation of this at some point and we can get other Linuxy stuff talking to iDevices.

(If there already is one I'd love to be pointed at it, I've done some searching previously trying to get a nice solution for getting scripts at home communicating with me - I eventually settled on using push notifications with Prowl http://www.prowlapp.com/)

This is actually talking directly to the iMessage service. It's hitting https://service.ess.apple.com:443 (and https://service2.ess.apple.com:443 when authenticating) and not being proxied through any third-party servers. That being said, it does look like the app reports basic analytics but nothing sensitive.

This is truly impressive!

Indeed! I wonder if Apple will be able to patch this app out while retaining access for their own devices.
They can start by getting Google and other major app stores to pull the app for copyright / trademark infringement on the term "iMessage", then they can sue the developer for the same (he's public with his identity).

Beyond that all they need to do is include some form of digital signing in the login process which he can't duplicate and jobs a good un.

Alternatively they may say that they don't care and leave it alone as it strengthens iMessage as a platform.

But my guess is that this won't end well. Isn't it trademarks that you have to defend or you lose them? If that's the case then Apple at the very least need to have him change the name and so on.

very much agreed this won't end well
Digital signing on the login process? Could you be more specific? I was under the impression that verifying data is coming from an 'approved clients' over a reverse engineered protocol is impossible.
It's not impossible, but it requires either secure hardware or homomorphic encryption.
That's crazy. The protocol for iMessage is so complicated that I gave up very quickly after getting IP banned many, many times, it's an incredibly sensitive service to things like this. At the time I just wanted to be able to check if an email address was iMessage-supported, but it required piles of signatures and other authorisation.

It will get banned on Apple's end so quickly, but not before it's used to send mountains of spam.

(comment deleted)
Haha, same here. Instead I wrote an app that uses the iMessage Mac client to insert a mail address into the to: field and check whether it supports iMessage. And then I use pixelbuffer data to figure out whether the mail address has the correct iMessage supported color in the ui. Works great, but is a bit slow.
Haha, that's a great hack for checking if an email is an iMessage account. Can you gist the code :)
They seem into cloning many of Apple's services to the other side: http://www.huluwa.org/

(eg. iCloud for PC)

iCloud isn't nearly as exciting as iMessage, with the majority of iCloud services just being WebDAV (bookmarks, etc), CardDAV, CalDAV, IMAP, etc.
I'm wondering if they have friends inside of Apple that can tell them the protocol... or even copy code.
> That being said, it does look like the app reports basic analytics but nothing sensitive.

Are you referring to the seemingly-encrypted network connection over port 5332 to a server in China at IP address 222.77.191.206 that has traffic that precisely correlates to me sending and receiving messages using the application? [edit: Which happens to be the value of the resource ServerId in the APK?]

Try sending a picture--surely the size of the Chinese body would scale with the picture
No, pictures sent using iMessage are uploaded directly to Microsoft Azure when using a true iOS device.

http://i.imgur.com/W3QitN6.png

They're encrypted, though, right? Do they need to be sent to this third party to decrypt?
I don't quite remember, but I think the images are just passed over SSL with no other encryption.
Why does Apple use Microsoft Azure though? I would have thought that they have enough server capacity for that.
Storing files in the cloud is a commodity service. Why wouldn't they outsource it? They use AWS too.
That is just looking for embedded URLs: it totally fails to notice the IP address hardcoded into the APK (222.77.191.206) that seems to be used every time you send/receive a message.
Reminder: iMessage's "encryption" is open to the NSA. (What's more, Apple partners with the NSA.) Not sure why you'd want to submit to the surveillance state.
<sarcasm> Because if you connect to an iMessage client that also sends your packets to China, the MSS and the NSA get stuck trying to both look at your packets. We call it Two Stooges Syndrome. Your information is safe. No, it doesn't make you invincible </sarcasm>
And here you are, posting messages in plain text to a public forum...
There is some truth to your statement. For example, we will never know if PG would shut down HN if required to hand over the private logs. So yes, our posts can be cross-referenced with other online profiles, etc.

Now, should the conclusion be "we should stop communicating electronically"? That would be a severe restriction to free speech and thus advancement of our species. So, no.

Maybe the right direction is to migrate the discussion towards encrypted and distributed forums. RetroShare offers such a feature (amongst others): http://retroshare.sourceforge.net/

(comment deleted)
It would definitely seem less shady if the dev didn't copy iOS UI and icons. Still I downloaded it and hope to test it.
Anyone manage to sign into the app? I just get 'Password or Apple ID error' with a Chinese 'OK' button
the app only supports passwords up to 16 characters in length and mine was ... a lot longer.
Is 16 characters exactly the length of a whole block of AES 128 input?
Funny how a small app like that can destroy all the hopes a multi-billion dollar company like Blackberry put in their stay relevant by rolling out BB Messenger to iOS and Android plan.

Assuming Apple doesn't kill it of course... There are some good reasons why Apple shouldn't kill it (network effect work both ways) but who knows what they will do.

Apple can just pull this off Google Play and then also reject BB Messenger from iTunes App Store. Boom. Victory through lawyering with no technical work whatsoever. Two competitors down.
How could Apple convince Google to pull this from the Play Store?
C&D because of trademark infringement.
Yes. Also because the computer crime laws are vague about unauthorized access and Google isn't interested in subjecting itself to test cases.
As a hackintosh user, I hope the blast radius on Apple's response doesn't kill iMessage here too...
I don't dare to try an app like this!

Good work on reverse engineering the protocol though.

Does this mean someone actually RE'd the entire iMessage cryptographic protocol. I know of several people who have wanted to analyze it.

If so, if they or someone could put up the source or even a protocol spec, that would be amazing.

I'm sure someone will download the APK and decompile it. Hopefully the source hasn't been obfuscated.
It looks a bit obfuscated, but there might be some useful finds. I'm going through it and looking for hardcoded strings that might not be in the resource files.

I posted the APKTool output on Github for anyone that wants a quick look - https://github.com/mdp/iMessageChatDecompile

if someone can reverse-engineered the protocol,then it is not very much difficult to reverse-engineered the obfuscated apk.
Kudos to the folk who reverse-engineered it, but I'm not sure this is a good thing in the long run.

Put it this way, just like AirPlay and AirDrop, it keeps the open-source community on the backfoot, always looking to "keep up with the Joneses" when in fact we should let these proprietary protocols wither and die.

The public perception shouldn't be that Apple lead and others follow, it should be that Apple have deliberately isolated themselves from everybody else.

I agree with you. I also suspect Apple's iMessage system is not nearly as secure as they claim it is. So if someone can post the full crypto protocol, others will find bugs/ backdoors* in it and you will have one more reason not to trust closed source secure communication software.

* By backdoor, I mean the protocol isn't actually end to end secure in the way Apple claims(i.e. safe from NSLs) and Apple does actually have access to messages. Not that the protocol looks secure and they picked backdoored primitives or some secrete key escrow scheme, though they may have done the latee at least in other cases[0]

[0]http://www.nosuchcon.org/talks/D1_02_Alex_Ninjas_and_Harry_P...

This is really awesome. They should release the method, although obviously there is some value in their not doing so. I'm sure Apple will change the iMessage endpoint to kill this, but that's a cat-and-mouse game they'll lose with the dev community in the long run. If this is a true reverse engineering of the iMessage protocol, this will be very hard to shut down.
It is such a shame and pity that it comes from China. It killed all of the buzz for me in an instant. I have nothing against Chinese people, but an app that has done something never done before with Chinglish in it - nope.
Those can be easily fixed with a translator.
It's not the use of the characters per se, it's the fact that this app came from a country with a history of state-sponsored hacking and censorship.
(comment deleted)
(comment deleted)
Heard of NSA? You bias stereotype peeps.
Oh god... Where do you hide a tree? In the woods.

Everybody is talking about high level conspiracies regarding NSA, overseas intelligence agencies and whatsoever.

But the real concern should be about simply getting scammed! Of course our(end user) data is not safe, it was not designed from the very start to be so. I have no problem with NSA and Apple reading my messages because I am sure that they won't use the credit card linked to my account without my consent.

This... thing is a bit different. It is run by a third party provider somewhere outside of European and American jurisdictions. My concern is that if this app was created by Europeans or Americans, I would trust it my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I loose money. There would be a possibility of an investigation, a court and a punishment. This, my friends, is a bit different scenario. If people get their accounts compromised and money gets stolen, Apple is not going to do a thing about it for two simple reasons: 1) Who wants to argue with China? What is the chance of even finding the physical location of the server all the data gets relayed back to? 2) Apple never authorised the use of third party apps.

This is my concern about China, nothing else. I would love to use this app for my every day needs, I would even pay for it! But the chance of my account being stolen with no possible outcome positive for me just rustles my jimmies.

> My concern is that if this app was created by Europeans or Americans, I would trust it my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I loose money. There would be a possibility of an investigation, a court and a punishment

There's also the possibility of an investigation, court case and punishment in China.

And I wager the chances of you getting any money back in either case is about the same.

Looks like someone inside the Blackberry deal, trying to demonstrate how irrelevant BBM is.
I believe that this application actually does connect to Apple's servers from the phone, but it doesn't then interpret the protocol on the device. Instead, it ferries the data to the third-party developer's server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple.

Doing it this way means that Apple can't just block them by IP address, it avoids them having to distribute their "secret sauce" (understanding the iMessage protocol is clearly very valuable), and it potentially allows them to use actual Apple code on their servers (in case they haven't spent the time to fully break the fairplay obfuscation that Apple is using for some of their keys).

Here's what I'm seeing: every time I send it a message, I get a packet from Apple, and then immediately the app sends a packet of almost exactly the same size to 222.77.191.206 (which is listed in this application's APK as "ServerIp"). It then gets back two packets from the Chinese server, the first of which I'm presuming is the decoded result and the second packet being a response to send Apple (as immediately a packet is sent back to Apple with about the same size).

Additionally, if you read the reviews of this application, the author is making some very weird responses to people with login issues: he's asking for their Apple ID, as apparently that's enough for him to debug their issue. That shouldn't be possible if the application is just directly talking to Apple the entire time.

[edit: The more I stare at this, the more confident I am in this analysis; specifically, the packets that are "about" and "almost exactly" the same size are very deterministic: the packets to/from Apple are precisely 7 bytes larger than the corresponding packets to/from the Chinese server.]

[edit: It also occurred to me to verify the other direction: in fact, if you go to send a message, first the client sends something to the developer's server, which then returns a packet which, along with again the exactly 7 extra bytes, is sent to Apple's server.]

That makes sense with my very limited experience messing with the iMessage protocol. Stands to reason that passwords are being ferried back to them though, there's got to be some financial reason for going to all this trouble.

ED: Their obfuscation isn't actually that severe once you get used to it.

Not that this needs pointing out, but this also means the mysterious Chinese server also gets to read all your iMessages. This is some kind of quasi-MITM, and for that alone Apple would be in the right to block this kind of thing from ever working.
Why is it any worse than only Apple server reading all you messages? You trust one third party with proven track record of spying on its customers, but somehow you are upset that someone else also has access to you messages, thought that someone didn't (yet) do anything wrong with them.

If you are American, you don't have to fear from Chinese espionage, and US agencies already have your data. If you are European, it's more or less the same. If you are from China, well, at least you can prove that you are not doing anything behind the government back ;)

> Why is it any worse than only Apple server reading all you messages?

Not. This. Again.

Because one person can read your messages, it doesn't mean that the whole world should be able to. One happening doesn't mean the other is okay.

You seem to misunderstand the OP concerns.

It is not only one person, it is not only Apple servers reading all your messages. It is in fact the whole world. Through Apple gives it to NSA which hands it over to various other agencies, GHCQ, FRA, your data ends up in Israel. Your data is already a goods traded with on the international market.

Why not increase the competitiveness of this Chinese actor, you will get better service in the future? More competitive - better service.

Let me give you an example.

Apple, NSA saw CC number in your chat log, but Apple, NSA, GHCQ, FRA or Israeli Intelligence won't steal your CC and use it.

However, the Chinese vendor could intercept CC info and sell it to blackmarket.

You seem to be confused.

The NSA has already sold your CC on the black market. Its just that the buyer hasnt used it, because they cant use it without getting penalties. Penalties which this Chinese vendor would succumb to as well.

Now are you going to say you trust Israel more than the Chinese, they wont misuse your CC, and if they did, its still better than trusting a Russian vendor?

Uh... as I read it the point of this app is the the whole world is able to read your messages. This app is just the existence proof that all that is required is access to the raw packet data.

Clearly most people are going to "trust" Apple Computer more than this app vendor. But the point is that such trust isn't worth anything. The data is hanging out there already.

Huh? So, does the existence of an open-source reimplementation of early versions of SSL also imply that if you had access to the raw packets you can read anyone else's SSL stream? How about if we first require the data to be sent in the clear to someone who refuses to tell us how DES works, but is willing to provide a web service that implements it? This app is not by any stretch of imagination proof that the protocol on the wire is not encrypted. Yes, that might be the case, and we might learn some interesting things at pod2g's talk on iMessage at HITB (I'm definitely looking forward to that), but that would be totally unrelated to the existence or possibility of this app.
People know who Apple is. Apple has a reputation. Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.

I don't know who's running this server in China. But unless it's the NSA, you're much worse off using this app than native iMessage, because now in addition to NSA seeing everything, so does this guy--who has no reputation at risk. Adding more eavesdroppers makes communications additively less secure.

How exactly do I have nothing to fear from the Chinese? At least the NSA is unlikely to have any real interest in communications between Americans in America because it's outside their mission, which is not true for Chinese or Russian intelligence.

(comment deleted)
> Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.

I do not think that this statement is accurate. The NSA has specifically targeted the largest players.

Also: "encryption works. Properly implemented strong crypto systems are reliable" - Edward Snowden.

Yes but you do have to sacrifice quite a bit to be outside of the NSA's realm of observability. Is iMessage securely encrypted? Wasn't the DEA caught red-handed with a false memo claiming they couldn't MITM iMessage communication?
By MITM you think a guy with a hard drive sitting in the middle of the Apple HQ siphoning data directly to NSA? Yes, I could imagine that.
> Yes but you do have to sacrifice quite a bit to be outside of the NSA's realm of observability.

Very true. That's a consequence of the largest players in winner-take-all markets being targeted.

"In Snowden we trust" - the internet

It's sad that the NSA and government has lost the faith of Americans to the point that the word of one man is taken without question.

Well, Mr "nsashill42334", account under 24 hours old, I don't think that Mr Snowden should be trusted without question. However it seems unlikely that he is setting out to dupe people into using encryption for some reason or other.
Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.

scary baseling like this

(comment deleted)
Attack surface. When you increase the number of parties capable of decrypting your data, you increase the risk of an exposure.
Surely you're joking. I don't doubt you can understand the difference between a government law enforcement agency reading your messages and some guy off the street reading your messages.

Neither Apple nor the NSA will, for example, immediately rack up a string of fraudulent charges on every credit card number that it sees come through its system. Some random guy in China? I'd say there's a pretty high chance that's exactly the reason this app is in the app store.

No, it is not a joke. iMessage is not a secure communications channel. With this app in the wild, it is pretty clear it is not a secure communications channel. You should not post CC information along an insecure communications channel.

You may be right that there is more risk involved now, but it is nice to get the point out in the open.

>> "I don't doubt you can understand the difference between a government law enforcement agency reading your messages and some guy off the street reading your messages."

I'd feel more secure with just some guy off the street reading my messages. Fortunately I don't ever send CC#'s through messaging services so there's very little else he could do.

where is your proof that the guy off the street in this case isn't the chinese government?
I didn't mention this case I was speaking more generally. And I'd personally be more worried with what the US government knows about me than the Chinese. I have many more interactions with American people and businesses and I like to visit there. I don't have much if any interaction with China so it doesn't bother me as much.
That still makes no sense. Your information has been leaked to one party, so you're okay with it leaking to others as well? Also, it's not just what they know, it's what they do with that knowledge. And it seems pretty absurd to make the claim that the US has had worse precedence in this regard than China.
Worry about it when you're important enough for the Chinese government to care what you do? I'm certainly not.
If you are American, you don't have to fear from Chinese espionage

Citation needed. There are numerous stories (unconfirmed of course, but that's the way these things always are) of Chinese hackers breaking into companies and stealing trade secrets. They aren't just after super spies, you know.

And you don't work in an industry the Chinese would be interested in? Good for you. But do you know anyone that is? This hack might quite possibly allow them to send messages as you to whoever they want.

"The NSA has my information so hey, screw it" isn't really an appropriate reaction.

My server logs suggest I need to fear Chinese espionage. You'd need a hell of a citation to beat that.
If it were a proper "Silicon Valley kid" who did that, you would applause loudly. Does it happen to you that there are talented geeks and developers in China. For one: http://agentzh.org/
I agree. The way a couple folks are throwing around their words shows prejudice.
It shows a grounding in reality.

This guy may well be a perfectly responsible entrepreneur, but the fact is that common Chinese business practices can be pretty shocking. My wife in Chinese, her sister works for a bank over there and her husband is a cop. I could tell your stories that would make your hair stand on end, but I don't want to put anyone off ever going there again. I love China, but doing business over there's not for the faint hearted and it's just good sense to be realistic about it.

What the hell are you on about? I don't care about the nationality of this anonymous person trying to MITM my iMessages, only that some anonymous person is trying to MITM my iMessages.
I came to the same conclusion as Saurik, (though didn't go as far as looking up the Server and seeing it was from China).

I had hoped that I could decompile it, get the special sauce, and make a client for Qt-based OSes and also Windows Phone. Looks like I won't make any progress today

You likely won't be able to do anything at all, as the client is fairly dumb. It just takes requests from Apple's server, encrypts with CTR AES and a static key, then fires them off to the Chinese server for actual processing. Unless you want to use their server in your own application, you're just as snookered as before; you still need the secret sauce.
I'm aware of that, hence why I said I won't be making any progress. I've tried using the Mac version and iOS versions, no luck either way.

I'll try BBM too once its on Android. Trying to get it off my Z10 has proven just as difficult

I think you got exactly what they are doing. In fact if you see their "icloud sdk" looks also exactly what you mentioned.

https://github.com/huluwateam/icloud

[edit: maybe this is more simple to decrypt https://github.com/huluwateam/icloud/blob/master/DataSyncSDK...]

Ahhh good ol' github. Shows the author email and everything. Finally I can ask the author for his secret ingredients.
And Apple's lawyers can find out how to reach him too.

Not saying that's a good thing, just that it's a likely thing.

In China. Good luck with that.
It's a fair point, though it may depend whether there is any "official support" for his actions.

If it's just someone acting on their own for fun, the amount of money Apple invest in China might suggest that they have some sway should they choose to use it.

the code there makes no mention of the iMessage protocol. everything there can be done using other publicly avaiable API's such as the CalDAV/CardDAV api.
Really, can you have direct access to things like photostream?
However since this protocol is really strong:

1) They are using a workaround like a vm running osx where a program add the requested account on Message.app and then send back the I/O.

2) Second solution they got from an insider the protocol description and decryption.

I would be surprised if #1 was the case. Given the amount of volume of traffic that this app will generate, the traffic for identifying a rapidly signing in Message.app will be pretty unique and easily blockable by Apple.

Additionally, I know that recent efforts in the hackintosh community had problems with Message.app because the latest protocols incorporate being able to access the serial number of your machine (or something along those lines). Apple goes through some extensive hoops verifying that access to OS X -only and iOS-only services really does come from their devices.

Current version need server,because Apple have same limits. but in new version , i will not use server. Thanks.
Do you know if iMessages are encrypted to more than one key (i.e. not just with the recipient key)?
How the f* did you made this if you can't even speak English decently? No offense.
> did you made this

Seriously? You're going to complain about his English?

Perhaps he's a non-English speaking coder who is expressing admiration and incredulity? What makes you think he's complaining? He goes so far as to explicitly state "no offence".
There's a boundary between playing devil's advocate and taking the piss outright.
When is "no offense" ever attached to a compliment?
OMG! I'm so embarrassed! Yes I'm a non-English speaker and I can see my mistake now but I didn't last night when I was falling asleep. And yes, I'm showing admiration and curiosity because I feel stupid reading programming books and so when I don't know how this guy went that far without reading that much English books/sources. Because I'm almost sure that the most of information is available in English only.
I was thinking as I was writing the comment that it would be embarrassing to judge his English and make a mistake myself since I'm a non-English speaker but still I didn't double-check the comment because I was falling asleep. Ups! :P
Because he is able to not only master his native tongue but also acquire some fluency in English. You people born with English as native language wouldn't know how hard it is to keep switching between 3-4 languages constantly.
Chances are you're better than him at English... and he's better at programming.
just tested it with my account, and it works! even sending and receiving images works... very impressive :) let's see how long will it work :)
This explained all the iMessage spam…
Can confirm that it works here.
First screenshot. Cancle.
This is blowing up all over the internet right now.. It is pretty amazing that there is an app like this which works, but it is even more surprising that this has been around for a bit, and it flew relatively under the radar.

I just tried it out myself, and my boss who uses an iPhone is in total shock.

Insane. They even have a way to create an Apple ID in the app!