Doing it this way means that Apple can't just block them by IP address, it avoids them having to distribute their "secret sauce" (understanding the iMessage protocol is clearly very valuable), and it potentially allows them to use actual Apple code on their servers (in case they haven't spent the time to fully break the FairPlay obfuscation that Apple is using for some of their keys).
Here's what I'm seeing: every time I send it a message, I get a packet from Apple, and then immediately the app sends a packet of almost exactly the same size to 22.214.171.124 (which is listed in this application's APK as "ServerIp"). It then gets back two packets from the Chinese server, the first of which I'm presuming is the decoded result and the second packet being a response to send Apple (as immediately a packet is sent back to Apple with about the same size).
Additionally, if you read the reviews of this application, the author is making some very weird responses to people with login issues: he's asking for their Apple ID, as apparently that's enough for him to debug their issue. That shouldn't be possible if the application is just directly talking to Apple the entire time.
[edit: The more I stare at this, the more confident I am in this analysis; specifically, the packets that are "about" and "almost exactly" the same size are very deterministic: the packets to/from Apple are precisely 7 bytes larger than the corresponding packets to/from the Chinese server.]
[edit: It also occurred to me to verify the other direction: in fact, if you go to send a message, first the client sends something to the developer's server, which then returns a packet which, along with again the exactly 7 extra bytes, is sent to Apple's server.]
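The size-correlation check described in the comments above, written out as an added example that is not from the original thread or the app's author. The addresses, sizes and timings are constructed placeholders (RFC 5737 documentation ranges), and the pairing rule (an inbound Apple packet with the next relay-bound packet, an outbound Apple packet with the relay reply just before it) is an assumption drawn from the flow the edits describe.

```python
"""Correlate packet sizes across two peers to spot a pass-through relay.
Added example, not from the original thread or the app's author. All
addresses, sizes and timings are constructed sample values (RFC 5737 ranges)."""
from collections import Counter, namedtuple

APPLE = "192.0.2.10"     # constructed stand-in for Apple's push server
RELAY = "198.51.100.20"  # constructed stand-in for the app's "ServerIp"
PHONE = "10.0.0.5"       # constructed: the handset running the app

# Packet: ts in seconds since capture start, src/dst address, TCP payload bytes
Packet = namedtuple("Packet", "ts src dst size")

# Constructed trace: one inbound message, one outbound message, and an
# unrelated keepalive from Apple that has no relay-side counterpart.
TRACE = [
    Packet(0.00, APPLE, PHONE, 312),  # ciphertext arrives from Apple
    Packet(0.05, PHONE, RELAY, 305),  # forwarded to relay, 7 bytes smaller
    Packet(0.30, RELAY, PHONE, 140),  # relay returns the decoded message
    Packet(0.32, RELAY, PHONE, 88),   # relay returns a reply to send to Apple
    Packet(0.33, PHONE, APPLE, 95),   # phone sends it on, 7 bytes larger
    Packet(5.00, PHONE, RELAY, 210),  # user sends: plaintext goes to relay first
    Packet(5.20, RELAY, PHONE, 433),  # relay returns the encoded packet
    Packet(5.21, PHONE, APPLE, 440),  # forwarded to Apple, 7 bytes larger
    Packet(6.00, APPLE, PHONE, 64),   # keepalive: nothing goes to the relay
]


def size_deltas(packets, apple=APPLE, relay=RELAY, window=0.5):
    """Pair each Apple-side packet with its relay-side twin; return the list of
    apple_size - relay_size deltas and the count of Apple packets left unmatched.
    Inbound pairs with the next phone -> relay packet, outbound with the latest
    relay -> phone packet before it (the relay's last reply is what is forwarded)."""
    deltas, unmatched = [], 0
    for i, p in enumerate(packets):
        if p.src == apple:
            twin = next((q for q in packets[i + 1:]
                         if q.dst == relay and q.ts - p.ts <= window), None)
        elif p.dst == apple:
            twin = next((q for q in reversed(packets[:i])
                         if q.src == relay and p.ts - q.ts <= window), None)
        else:
            continue
        if twin is None:
            unmatched += 1
        else:
            deltas.append(p.size - twin.size)
    return deltas, unmatched


def assess(packets, min_pairs=3, min_share=0.8):
    """Return (is_relay, dominant_delta, share): flag a relay when one delta
    dominates the pairs, as constant framing overhead would; unrelated traffic
    (e.g. an analytics beacon) gives scattered deltas and is not flagged."""
    deltas, _ = size_deltas(packets)
    if len(deltas) < min_pairs:
        return False, None, 0.0
    delta, count = Counter(deltas).most_common(1)[0]
    share = count / len(deltas)
    return share >= min_share, delta, share


if __name__ == "__main__":
    flagged, delta, share = assess(TRACE)
    print(f"relay={flagged} constant_delta={delta} share={share:.0%}")
```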
If you are American, you don't have to fear Chinese espionage, and US agencies already have your data. If you are European, it's more or less the same. If you are from China, well, at least you can prove that you are not doing anything behind the government's back ;)
Neither Apple nor the NSA will, for example, immediately rack up a string of fraudulent charges on every credit card number that it sees come through its system. Some random guy in China? I'd say there's a pretty high chance that's exactly the reason this app is in the app store.
I'd feel more secure with just some guy off the street reading my messages. Fortunately I don't ever send CC#'s through messaging services so there's very little else he could do.
You may be right that there is more risk involved now, but it is nice to get the point out in the open.
I don't know who's running this server in China. But unless it's the NSA, you're much worse off using this app than native iMessage, because now in addition to NSA seeing everything, so does this guy--who has no reputation at risk. Adding more eavesdroppers makes communications additively less secure.
How exactly do I have nothing to fear from the Chinese? At least the NSA is unlikely to have any real interest in communications between Americans in America because it's outside their mission, which is not true for Chinese or Russian intelligence.
I do not think that this statement is accurate. The NSA has specifically targeted the largest players.
Also: "encryption works. Properly implemented strong crypto systems are reliable" - Edward Snowden.
Very true. That's a consequence of the largest players in winner-take-all markets being targeted.
It's sad that the NSA and government have lost the faith of Americans to the point that the word of one man is taken without question.
scary baseling like this
Not. This. Again.
Because one person can read your messages, it doesn't mean that the whole world should be able to. One happening doesn't mean the other is okay.
Clearly most people are going to "trust" Apple Computer more than this app vendor. But the point is that such trust isn't worth anything. The data is hanging out there already.
It is not only one person, it is not only Apple servers reading all your messages. It is in fact the whole world. Apple gives it to the NSA, which hands it over to various other agencies (GCHQ, FRA); your data ends up in Israel. Your data is already a good traded on the international market.
Why not increase the competitiveness of this Chinese actor? You will get better service in the future. More competitive, better service.
Apple and the NSA saw the CC number in your chat log, but Apple, the NSA, GCHQ, FRA or Israeli intelligence won't steal your CC and use it.
However, the Chinese vendor could intercept CC info and sell it on the black market.
The NSA has already sold your CC on the black market. It's just that the buyer hasn't used it, because they can't use it without getting penalties. Penalties which this Chinese vendor would succumb to as well.
Now are you going to say you trust Israel more than the Chinese, they won't misuse your CC, and if they did, it's still better than trusting a Russian vendor?
Citation needed. There are numerous stories (unconfirmed of course, but that's the way these things always are) of Chinese hackers breaking into companies and stealing trade secrets. They aren't just after super spies, you know.
And you don't work in an industry the Chinese would be interested in? Good for you. But do you know anyone that is? This hack might quite possibly allow them to send messages as you to whoever they want.
"The NSA has my information so hey, screw it" isn't really an appropriate reaction.
This guy may well be a perfectly responsible entrepreneur, but the fact is that common Chinese business practices can be pretty shocking. My wife is Chinese, her sister works for a bank over there and her husband is a cop. I could tell you stories that would make your hair stand on end, but I don't want to put anyone off ever going there again. I love China, but doing business over there is not for the faint hearted and it's just good sense to be realistic about it.
Seriously? You're going to complain about his English?
[edit: maybe this is more simple to decrypt https://github.com/huluwateam/icloud/blob/master/DataSyncSDK...]
Not saying that's a good thing, just that it's a likely thing.
If it's just someone acting on their own for fun, the amount of money Apple invest in China might suggest that they have some sway should they choose to use it.
ED: Their obfuscation isn't actually that severe once you get used to it.
I had hoped that I could decompile it, get the special sauce, and make a client for Qt-based OSes and also Windows Phone. Looks like I won't make any progress today.
I'll try BBM too once it's on Android. Trying to get it off my Z10 has proven just as difficult.
1) They are using a workaround like a VM running OS X where a program adds the requested account in Messages.app and then sends back the I/O.
2) Second solution: they got the protocol description and decryption from an insider.
Additionally, I know that recent efforts in the hackintosh community had problems with Messages.app because the latest protocols incorporate being able to access the serial number of your machine (or something along those lines). Apple goes through some extensive hoops verifying that access to OS X-only and iOS-only services really does come from their devices.
Our head of IT switched from iPhone and got a new Android phone. Suddenly he found that none of his Apple-using friends were messaging him anymore.
Actually they were, but Apple re-routed their SMSes through iMessage to a dead Apple-account. Without telling anyone about it.
Until he discovered what happened (due to a very angry and ignored-feeling Apple-using wife), he just assumed SMS was broken on Android.
iMessage really shows Apple at its core: so utterly self-centered that it's unable to comprehend that it even needs an interoperability story with the rest of the world.
On top of that I've had friends switch away from iPhone to Android; iOS switched to using SMS not but a day later (and I know at least some of them didn't turn it off manually because their iPhone was broken).
If you know it needs to be done. If you still have the device.
According to our head of IT, he said if you didn't (as most people don't) it gets a whole lot worse.
Turn the old phone off and problem solved.
iMessage specifically confirms delivery. That's why you occasionally get the "Send as SMS" prompt if it can't go through for whatever reason.
If there's no device actively logged into iMessage, no attempt is made to send through iMessage. You don't have to "deactivate" anything.
That said, when iOS7 came out, and I logged back into my iPad, and my wife on her iPad Mini, and her iPhone 5, iMessage reenabled on all of them with my phone number.
So that was a bit inconvenient.
That obviously wouldn't happen if you had reset and sold the device.
If you sold the device without a reset you have a lot more to worry about than iMessage I think. Though a password change to your Apple ID, or managing the associated phone numbers there should address the issue.
BTW, SMS on Android... wow. That's probably the shittiest thing about switching. It's hard to appreciate how unreliable, low quality and all around bad SMS/MMS is if you've been using iMessage for a few years.
Messages get split up over 140 characters. You can't forward vCards. MMS take forever and you're lucky if you even get half the messages in a timely fashion in-sequence. It's really truly awful.
So... I could go get a GoPhone plan with a new number. Transfer my existing number to Google Voice. When the transfer is complete my old plan will be cancelled, I can swap in the GoPhone SIM, add its number to Google Voice as a forwarding number, and I've got it all done with improved text/group-messaging? Does that sound about right?
Really was one of the most frustrating experiences I've had with customer service.
Better yet, unregister your device through https://supportprofile.apple.com/MySupportProfile.do
Sarcasm aside: there are comments like yours, which take it for granted that everyone should know about these things and how Apple does everything internally.
Ironically enough, they perfectly highlight the self-centeredness of the Apple community and ecosystem. Which was the one thing I was complaining about in the first place.
Worked just fine.
This exact thing happened to me. I switched back to Android and after a week of not receiving messages from my friends and family it took me hours and quite a few calls (sadly) to both AT&T and Apple before it was figured out.
In fact at first Apple had denied that anything should be wrong, thus all the wasted time figuring this out. Left a really poor taste in my mouth from the whole experience.
I write/read my messages mostly from my Mac (usually where I am most of the day -.-) so I'm still using iMessage to chat with the 99% of my friends who own an iPhone/iPad.
Indeed I see what you mean and I agree with you.
I had to call back and forth from Apple/AT&T over the period of two days before they figured out what was happening and disabled it. Missed tons of messages.
I wish there could be some commonly agreed standard that would include all of the smartphone OSes and be implemented similarly.
Except when I forget to check 3G before sending a photo and get charged for an MMS :(
> In some countries that's 10x cheaper than SMS or MMS.
As a Canadian that's the real shocker to me, it's basically the opposite up here.
iMessage also uses your phone number, but can use an email address as well.
This is truly impressive!
Are you referring to the seemingly-encrypted network connection over port 5332 to a server in China at IP address 126.96.36.199 that has traffic that precisely correlates to me sending and receiving messages using the application? [edit: Which happens to be the value of the resource ServerId in the APK?]
It will get banned on Apple's end so quickly, but not before it's used to send mountains of spam.
Only connects to Apple itself, And
Which is 'apparently' a chinese analytics provider.
So I wasn't sure if things had changed in later versions of the app.
(eg. iCloud for PC)
Beyond that all they need to do is include some form of digital signing in the login process which he can't duplicate and jobs a good un.
Alternatively they may say that they don't care and leave it alone as it strengthens iMessage as a platform.
But my guess is that this won't end well. Isn't it trademarks that you have to defend or you lose them? If that's the case then Apple at the very least need to have him change the name and so on.
Now, should the conclusion be "we should stop communicating electronically"? That would be a severe restriction to free speech and thus advancement of our species. So, no.
Maybe the right direction is to migrate the discussion towards encrypted and distributed forums. RetroShare offers such a feature (amongst others): http://retroshare.sourceforge.net/
I saw, to my great disappointment, that the program was not Apple's.
Any phone carrier call center employee can check your inbox, supposedly that's an audited procedure but having worked in a call center I would tell you that I'd believe that nobody's watching anything. Just like email, SMS is a poor protocol/medium that has been contorted to doing way more than anyone ever intended originally.
But there is definitely a need for a commodity, cross-platform secure messaging protocol that can be implemented by anyone. It hardly seems like there's anyone incentivized to do that though -- why would Apple, for example, want to ferry traffic to/from non-Apple phones? And why would they want to step aside and let someone else replace their seamless, secure-ish messaging experience with something else? None of the other messaging apps can achieve the level of integration with the rest of the phone that iMessage can.
The mere facts that iMessage is a) so good (integrated so well into the OS by way of unfair advantage) and b) closed, are probably sufficient to make sure that there won't ever be a common, secure messaging platform. It couldn't penetrate far enough into the iOS user base even if every Android user installed it.
We even have standard messaging protocols (XMPP), so it is not a technical hurdle. Merely there is no business opportunity to commoditize messaging, so it hasn't happened.
I still don't recommend allowing your conversation to be MITM'd, but the assertions that China = steal your password and charge your CC are a bit crazy. Propaganda works I see!
but the assertions that China = steal your password and charge your CC are a bit crazy.
The assertion that sending the password for an account tied to your credit card to a completely unknown recipient is a bad idea... is not crazy in the least. And has nothing to do with it being in China.
With the US' draconian DMCA law in place, it is also now illegal to build any devices that Apple hasn't licensed to use AirPlay on your Apple TV.
If so, if they or someone could put up the source or even a protocol spec, that would be amazing.
Put it this way, just like AirPlay and AirDrop, it keeps the open-source community on the backfoot, always looking to "keep up with the Joneses" when in fact we should let these proprietary protocols wither and die.
The public perception shouldn't be that Apple lead and others follow, it should be that Apple have deliberately isolated themselves from everybody else.
* By backdoor, I mean the protocol isn't actually end to end secure in the way Apple claims (i.e. safe from NSLs) and Apple does actually have access to messages. Not that the protocol looks secure and they picked backdoored primitives or some secret key escrow scheme, though they may have done the latter at least in other cases.
I posted the APKTool output on Github for anyone that wants a quick look - https://github.com/mdp/iMessageChatDecompile
Seriously? Not to mention all the data that can be mined from your associated messages. And for argument's sake, since, again the passwords are in cleartext, let's just say that a small percentage of users also use the same email and password for their Facebook or their Gmail (or whatever else email they have) -- let's just brute force some bank accounts, send a forgot password request, then scour their facebook for the security question. Nightmare scenario, but considering you're passing some random guy in china all this information, not entirely infeasible.
Assuming Apple doesn't kill it of course... There are some good reasons why Apple shouldn't kill it (network effects work both ways) but who knows what they will do.
1) It appears that the iMessage responses received from Apple's servers are forwarded as-is to a remote server for decoding and decryption. Is this correct? If so, why isn't this process performed in the application itself?
2) Now that you've clearly reverse-engineered the iMessage protocol, will you be publishing it so that others can benefit from interoperability? If not, why not?
Why did you use Apple's graphics instead of your own? It will make it easier for Apple to have your app taken down.
Classifying and stereotyping (even in a passive-aggressive sense) is a relic of the past you need to get over.
Good work on reverse engineering the protocol though.
(If there already is one I'd love to be pointed at it, I've done some searching previously trying to get a nice solution for getting scripts at home communicating with me - I eventually settled on using push notifications with Prowl http://www.prowlapp.com/)
Use it with a demo account.
What they can do is to shut off the backend because they probably don't have rights to use it anyway.
Also, it's sure that they are intentionally copying Apple's copyrighted material.
I just tried it out myself, and my boss who uses an iPhone is in total shock.
(adjusts tin-foil lined colander on head)
Everybody is talking about high level conspiracies regarding NSA, overseas intelligence agencies and whatsoever.
But the real concern should be about simply getting scammed! Of course our (end user) data is not safe, it was not designed from the very start to be so. I have no problem with the NSA and Apple reading my messages because I am sure that they won't use the credit card linked to my account without my consent.
This... thing is a bit different. It is run by a third party provider somewhere outside of European and American jurisdictions. My concern is that if this app was created by Europeans or Americans, I would trust it with my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I lose money. There would be a possibility of an investigation, a court and a punishment. This, my friends, is a bit different scenario. If people get their accounts compromised and money gets stolen, Apple is not going to do a thing about it for two simple reasons:
1) Who wants to argue with China? What is the chance of even finding the physical location of the server all the data gets relayed back to?
2) Apple never authorised the use of third party apps.
This is my concern about China, nothing else. I would love to use this app for my every day needs, I would even pay for it! But the chance of my account being stolen with no possible outcome positive for me just rustles my jimmies.
There's also the possibility of an investigation, court case and punishment in China.
And I wager the chances of you getting any money back in either case are about the same.