41 comments

[ 2.6 ms ] story [ 79.6 ms ] thread
so erm... they should remove all cloud services that require a 3rd party login (theres quite a few well known ones) and all chinese apps sounds rational!

if youre chinese youre a terrorist anyway - right?

and then there is no mention of which policy it violates. so much for the benefit of the doubt - this all sound very arbitrary at least in tfa

Especially those annoying apps and websites that require you to login with facebook credentials.
"iMessage" is a registered trademark of Apple Inc. in the United States and other countries. "iMessage Chat" violates this trademark. Infringement of intellectual property, such as trademarks, is prohibited by the Google Play Developer Terms Of Service. There is nothing arbitrary about this.
The app also used the iMessage icon from Apple.
Also every emoji from the app.
Other apps (e.g. Whatsapp) use the same emojis.
How do they not get hit with C&Ds?
No. Sending credentials for one service to be used by another service is a bad idea, full stop.
On the first page it's mentioned the fact that the app can download other APKs in the background. This very thing is disallowed. IIRC that's how Facebook got chastised a while back too.
And here was have a prime example of why, despite all the opinion to the contrary[1], there is a clear need for a more stringent review process for Android apps. This is exactly the kind of thing which could have been caught by some kind of run-time analysis, either by hand or through some automated process that's part of the "approval" needed to be on the Play Store. Given Google's technical chops, I doubt they would have a hard time checking for this automatically at submission time, so they wouldn't have to hire a staff of human reviewers like Apple does. It might slow down the process of posting things to the store just slightly, but in the end it would benefit users.

[1] https://news.ycombinator.com/item?id=6329490

No, there should be a more stringent review of the permissions apps request. The dangerous ones should be marked in red and you should approve each one individually.
On the first page it's mentioned the fact that the app can download other APKs in the background. This very thing is disallowed. IIRC that's how Facebook got chastised a while back too.
It was only a matter of time. I think everyone saw this coming from a mile away.
There's an interesting part in the linked article, including a reference to HN:

He found that iMessage Chat for Android essentially inserted itself into the middle of the normal back-and-forth between a user and Apple's iMessage servers. In a thread on Hacker News [https://news.ycombinator.com/item?id=6435902], Freeman spelled out his findings.

At least on iOS, the man-in-the-middle part would not seem unusual:

As far as I know, messaging apps that want to be available to the user all the time, need the user credentials in order to keep the users online since there is no way on iOS for an app to reliably run all the time. And such messaging apps use the user credentials on their own server(s) to keep the users online and reachable. If the app is no longer running and a new message arrives, the server sends a notification to iOS and the user can open the app if he wants to read the new message.

A major difference is of course that the iMessage user credentials are (cannot be?) used only for messaging.

You seem to have everything backwards, which makes me question whether you read the actual comment as opposed to just attempting to guess at things from the snippet :(.

What you said would make some sense if the client connected to someone in the middle who then connected to the server. Instead, the client connects to the server, but when data comes back it is forwarded to someone in the "middle" (really, off to the side) who then processes it and returns results to forward back to the server.

In essence, the device is in the middle of a connection from the developer to the service, as opposed to the developer being in the middle of a connection from the device to the service. In such a configuration you are not getting any of the benefits you are talking about, as if the device isn't online it won't be able to maintain the connection on behalf of the developer's server.

(Also, I must point out the normal situation with such messaging apps on iOS is that you get them from the service itself. In addition to being less common on Android, it is thereby interesting to point out to people who might not realize the app is implemented in this weird way--some people who even analyzed it assumed this was a side-channel for analytics--so they can make the right call for themselves.)

Thats how jabber works afaik having a network of domains and each domain can have a set of transports to connect to various non-jabber networks, this might as well be a proprietary implementation of transport and private service.

Anytime something might smell like a certain lawsuit you bet you will be on the short end of the stick - with corporations.1

This is very standard with web scraping implementations. Honestly, if you are reversing someone's protocol or scraping their web site, you are stupid if you put the implementation on the client because it will break all the time. Instead you put it on a server where you can fix breaks instantly. The server usually delays/shows stale data while things are broken as well, then does what it can to replay once fixed.
On the other hand putting things on the server means that you can get cut (by IP) and also brings the need of dealing with scaling problems.
You can always scale easier on the server platform, as well as spin up new instances with new IPs on any VM platform.

Handling it on the server allows you some control over the chaos. Not so much when all the logic is on your mobile app.

You aren't suggesting that it scales easier on the server than on the mobile client, are you? Nothing would scale better for this app than putting the logic on the client -- it's a customer's phone communication with an Apple server. This leaves nothing for him to scale, anywhere, except for engineering to push out updates.
I wouldn't say you're scaling properly if you have millions of mobile clients failing to make the proper calls to a service because the protocol has been changed. I'd say its damn near irresponsible to do that. It's not scaling if you're just throwing packets against the wall when the protocol or service unexpectedly changes.
The impression I got was that actual requests and responses are still made by the client.
>stupid if you put the implementation on the client because it will break all the time

Makes some sense to do Apk downloads for this unusual implementation of it allows a fix push

AFAIK there is still no way for a messaging app on iOS to reliably run 24/7. As a result, most messaging apps use their own server for new message notifications. If the app is not running, you get a notification and you can open the app to read the new messages. That of course means a MITM-like server …
There isn't any API for iMessage as far as I know, collecting username and password was the only way to do it. It's a lot like many Twitter apps nowadays just ask for username and password since the Twitter API, which is needed for oauth/xauth, is pretty locked down and useless nowadays.
Correct me if I'm wrong but I was under the impression Twitter only supported oauth nowadays with password auth being phased out a few years ago.
I guess that you can always make your own wrapper and act like you were a browser.
The Twitter API only supports OAuth now. There is an API method developers can use to jumpstart the OAuth flow with a password but this is restricted to apps that Twitter allows to use it.
I was not aware of this, thank you for informing me. Do you know if this is like Facebook+Spotify (and only a couple other FB apps that can use password) or is it much wider-spread in the Twitter ecosystem?
Twitter REST Api and oauth login facilities seems to be feature complete and many 3rd party client apps use that. (Tweetbot, at the top of my head)
I'm getting an error in the app now too, "Cant connect to server"
(comment deleted)
For those of you who are unaware, it got pulled the same day it was put on the play store. It did not exist long enough to do any serious damage.
Still waiting for the promise Apple made about opening the Facetime protocol during a Keynote in the Jobs era to be fulfilled.
What was the exact quote? I remember it as him saying that it's using open technology which it is. I think people misunderstood this.
Steve Jobs at the 2010 Worldwide Developer Conference in San Francisco: "We're going to the standards bodies, starting tomorrow, and we're going to make FaceTime an open industry standard."

People seem to forget how frequently Steve Jobs broke his promises to developers over the years.

(comment deleted)