
Google yanks sketchy iMessage clone for Android from app store - dotmanish
http://www.computerworld.com/s/article/9242634/Google_yanks_sketchy_iMessage_clone_for_Android_from_app_store
======
stedaniels
On the first page it's mentioned the fact that the app can download other APKs
in the background. This very thing is disallowed. IIRC that's how Facebook got
chastised a while back too.

~~~
wakkalakka
And here we have a prime example of why, despite all the opinion to the
contrary[1], there is a clear need for a more stringent review process for
Android apps. This is exactly the kind of thing which could have been caught
by some kind of run-time analysis, either by hand or through some automated
process that's part of the "approval" needed to be on the Play Store. Given
Google's technical chops, I doubt they would have a hard time checking for
this automatically at submission time, so they wouldn't have to hire a staff
of human reviewers like Apple does. It might slow down the process of posting
things to the store just slightly, but in the end it would benefit users.

[1]
[https://news.ycombinator.com/item?id=6329490](https://news.ycombinator.com/item?id=6329490)

~~~
BitMastro
There is an automated process, even though it's very very far from perfect,
called Google Bouncer
[http://googlemobile.blogspot.com/2012/02/android-and-security.html](http://googlemobile.blogspot.com/2012/02/android-and-security.html)
but I doubt this kind of case could be automated.

------
chmars
There's an interesting part in the linked article, including a reference to
HN:

_He found that iMessage Chat for Android essentially inserted itself into the
middle of the normal back-and-forth between a user and Apple's iMessage
servers. In a thread on Hacker News
[[https://news.ycombinator.com/item?id=6435902](https://news.ycombinator.com/item?id=6435902)],
Freeman spelled out his findings._

At least on iOS, the man-in-the-middle part would not seem unusual:

As far as I know, messaging apps that want to be available to the user all the
time, need the user credentials in order to keep the users online since there
is no way on iOS for an app to reliably run all the time. And such messaging
apps use the user credentials on their own server(s) to keep the users online
and reachable. If the app is no longer running and a new message arrives, the
server sends a notification to iOS and the user can open the app if he wants
to read the new message.

A major difference is of course that the iMessage user credentials are (cannot
be?) used only for messaging.

~~~
saurik
You seem to have everything backwards, which makes me question whether you
read the actual comment as opposed to just attempting to guess at things from
the snippet :(.

What you said would make some sense if the client connected to someone in the
middle who then connected to the server. Instead, the client connects to the
server, but when data comes back it is forwarded to someone in the "middle"
(really, off to the side) who then processes it and returns results to forward
back to the server.

In essence, the device is in the middle of a connection from the developer to
the service, as opposed to the developer being in the middle of a connection
from the device to the service. In such a configuration you are not getting
any of the benefits you are talking about, as if the device isn't online it
won't be able to maintain the connection on behalf of the developer's server.

(Also, I must point out the normal situation with such messaging apps on iOS
is that you get them from the service itself. In addition to being less common
on Android, it is thereby interesting to point out to people who might not
realize the app is implemented in this weird way--some people who even
analyzed it assumed this was a side-channel for analytics--so they can make
the right call for themselves.)

~~~
lnanek2
This is very standard with web scraping implementations. Honestly, if you are
reversing someone's protocol or scraping their web site, you are stupid if you
put the implementation on the client because it will break all the time.
Instead you put it on a server where you can fix breaks instantly. The server
usually delays/shows stale data while things are broken as well, then does
what it can to replay once fixed.

~~~
elyase
On the other hand putting things on the server means that you can get cut (by
IP) and also brings the need of dealing with scaling problems.

~~~
toomuchtodo
You can always scale easier on the server platform, as well as spin up new
instances with new IPs on any VM platform.

Handling it on the server allows you some control over the chaos. Not so much
when all the logic is on your mobile app.

~~~
marcc
You aren't suggesting that it scales easier on the server than on the mobile
client, are you? Nothing would scale better for this app than putting the
logic on the client -- it's a customer's phone communication with an Apple
server. This leaves nothing for him to scale, anywhere, except for engineering
to push out updates.

~~~
toomuchtodo
I wouldn't say you're scaling properly if you have millions of mobile clients
failing to make the proper calls to a service because the protocol has been
changed. I'd say it's damn near irresponsible to do that. It's not scaling if
you're just throwing packets against the wall when the protocol or service
unexpectedly changes.

------
pavanky
For those of you who are unaware, it got pulled the same day it was put on the
play store. It did not exist long enough to do any serious damage.

------
lnanek2
There isn't any API for iMessage as far as I know, collecting username and
password was the only way to do it. It's a lot like many Twitter apps nowadays
just ask for username and password since the Twitter API, which is needed for
oauth/xauth, is pretty locked down and useless nowadays.

~~~
joshstrange
Correct me if I'm wrong but I was under the impression Twitter only supported
oauth nowadays with password auth being phased out a few years ago.

~~~
abraham
The Twitter API only supports OAuth now. There is an API method developers can
use to jumpstart the OAuth flow with a password but this is restricted to apps
that Twitter allows to use it.

~~~
joshstrange
I was not aware of this, thank you for informing me. Do you know if this is
like Facebook+Spotify (and only a couple other FB apps that can use password)
or is it much wider-spread in the Twitter ecosystem?

------
chanux
Pardon my ignorance but doesn't Apple own rights to the term 'app store'?

Update: apparently I'm wrong
[http://www.mobilemarketer.com/cms/news/legal-privacy/15714.html](http://www.mobilemarketer.com/cms/news/legal-privacy/15714.html)

~~~
codeka
Google calls theirs the Play Store. Of course, that's not going to stop
everybody else calling it an "app store".

------
DigitalSea
It was only a matter of time. I think everyone saw this coming from a mile
away.

------
tmzt
Still waiting for the promise Apple made about opening the FaceTime protocol
during a Keynote in the Jobs era to be fulfilled.

~~~
xal
What was the exact quote? I remember it as him saying that it's using open
technology which it is. I think people misunderstood this.

~~~
tbenst
Steve Jobs at the 2010 Worldwide Developer Conference in San Francisco: "We're
going to the standards bodies, starting tomorrow, and we're going to make
FaceTime an open industry standard."

People seem to forget how frequently Steve Jobs broke his promises to
developers over the years.

------
gagabity
I'm getting an error in the app now too, "Cant connect to server"

------
zobzu
so erm... they should remove all cloud services that require a 3rd party login
(there's quite a few well known ones) and all Chinese apps sounds rational!

if you're Chinese you're a terrorist anyway - right?

and then there is no mention of which policy it violates. so much for the
benefit of the doubt - this all sounds very arbitrary at least in tfa

~~~
DrJokepu
"iMessage" is a registered trademark of Apple Inc. in the United States and
other countries. "iMessage Chat" violates this trademark. Infringement of
intellectual property, such as trademarks, is prohibited by the Google Play
Developer Terms Of Service. There is nothing arbitrary about this.

~~~
saurik
The app also used the iMessage icon from Apple.

~~~
nwh
Also every emoji from the app.

~~~
seabee
Other apps (e.g. WhatsApp) use the same emojis.

~~~
jevinskie
How do they not get hit with C&Ds?

