iMessage for Android (play.google.com)
301 points by robbiet480 on Sept 24, 2013 | 221 comments

I believe that this application actually does connect to Apple's servers from the phone, but it doesn't then interpret the protocol on the device. Instead, it ferries the data to the third-party developer's server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple.

Doing it this way means that Apple can't just block them by IP address, it avoids them having to distribute their "secret sauce" (understanding the iMessage protocol is clearly very valuable), and it potentially allows them to use actual Apple code on their servers (in case they haven't spent the time to fully break the FairPlay obfuscation that Apple is using for some of their keys).

Here's what I'm seeing: every time I send it a message, I get a packet from Apple, and then immediately the app sends a packet of almost exactly the same size to (which is listed in this application's APK as "ServerIp"). It then gets back two packets from the Chinese server, the first of which I'm presuming is the decoded result and the second packet being a response to send Apple (as immediately a packet is sent back to Apple with about the same size).

Additionally, if you read the reviews of this application, the author is making some very weird responses to people with login issues: he's asking for their Apple ID, as apparently that's enough for him to debug their issue. That shouldn't be possible if the application is just directly talking to Apple the entire time.

[edit: The more I stare at this, the more confident I am in this analysis; specifically, the packets that are "about" and "almost exactly" the same size are very deterministic: the packets to/from Apple are precisely 7 bytes larger than the corresponding packets to/from the Chinese server.]

[edit: It also occurred to me to verify the other direction: in fact, if you go to send a message, first the client sends something to the developer's server, which then returns a packet which, along with again the exactly 7 extra bytes, is sent to Apple's server.]
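The correlation described in this comment, as an added example (not part of the thread, and not the app's or Apple's code): a Go program that takes per-packet records (time offset, endpoints, size) from a capture, pairs each packet on the Apple leg with the nearest packet on the relay leg in the same direction, and reports whether the size difference is constant. The capture is constructed inline; the endpoint names are labels standing in for the real addresses, which the thread redacts, and the 500 ms window and the 7-byte delta in the sample are assumptions shaped after the description above.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Endpoint labels for the constructed capture; they stand in for the real
// Apple and relay addresses, which are not reproduced here.
const (
	Apple = "apple"
	Relay = "relay"
	Phone = "phone"
)

// Packet is one capture record: time offset, direction and payload size.
type Packet struct {
	T    time.Duration
	Src  string
	Dst  string
	Size int
}

// Match pairs a packet on the Apple leg with its counterpart on the relay leg.
type Match struct {
	AppleSize int
	RelaySize int
	Delta     int           // AppleSize - RelaySize
	Gap       time.Duration // time between the two packets
}

// Correlate looks for the ferrying pattern: a packet from Apple followed within
// window by a phone->relay packet, and a packet to Apple preceded within window
// by a relay->phone packet. It returns the matches, the shared size delta and
// whether that delta was the same for every match.
func Correlate(pkts []Packet, window time.Duration) ([]Match, int, bool) {
	sorted := append([]Packet(nil), pkts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].T < sorted[j].T })

	var matches []Match
	for i, p := range sorted {
		switch {
		case p.Src == Apple && p.Dst == Phone: // inbound: next phone->relay packet
			for _, q := range sorted[i+1:] {
				if q.T-p.T > window {
					break
				}
				if q.Src == Phone && q.Dst == Relay {
					matches = append(matches, Match{p.Size, q.Size, p.Size - q.Size, q.T - p.T})
					break
				}
			}
		case p.Src == Phone && p.Dst == Apple: // outbound: previous relay->phone packet
			for j := i - 1; j >= 0; j-- {
				q := sorted[j]
				if p.T-q.T > window {
					break
				}
				if q.Src == Relay && q.Dst == Phone {
					matches = append(matches, Match{p.Size, q.Size, p.Size - q.Size, p.T - q.T})
					break
				}
			}
		}
	}
	if len(matches) == 0 {
		return nil, 0, false
	}
	delta := matches[0].Delta
	for _, m := range matches[1:] {
		if m.Delta != delta {
			return matches, 0, false
		}
	}
	return matches, delta, true
}

// SampleCapture is constructed data shaped like the description above: one
// inbound message, one keepalive exchange with Apple, one outbound message.
func SampleCapture() []Packet {
	ms := time.Millisecond
	return []Packet{
		{0 * ms, Apple, Phone, 317},    // message arrives from Apple
		{12 * ms, Phone, Relay, 310},   // ferried to the relay, 7 bytes smaller
		{80 * ms, Relay, Phone, 290},   // decoded result for the UI
		{85 * ms, Relay, Phone, 201},   // reply the phone should forward to Apple
		{90 * ms, Phone, Apple, 208},   // forwarded, 7 bytes larger
		{1000 * ms, Apple, Phone, 64},  // keepalive: no relay traffic around it
		{1010 * ms, Phone, Apple, 64},
		{2000 * ms, Phone, Relay, 150}, // user sends: relay asked to build the packet
		{2070 * ms, Relay, Phone, 422},
		{2075 * ms, Phone, Apple, 429}, // sent to Apple, 7 bytes larger
	}
}

func main() {
	matches, delta, constant := Correlate(SampleCapture(), 500*time.Millisecond)
	for _, m := range matches {
		fmt.Printf("apple=%d relay=%d delta=%d gap=%v\n", m.AppleSize, m.RelaySize, m.Delta, m.Gap)
	}
	fmt.Printf("constant delta across %d matches: %v (%d bytes)\n", len(matches), constant, delta)
}
```

A constant delta across every match is what you expect from a fixed-size framing layer being stripped and re-added around otherwise unchanged bytes; a delta that varies from message to message would point to the relay re-encoding the content instead. Keepalives and other traffic on only one leg produce no match and so do not disturb the check.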

Not that this needs pointing out, but this also means the mysterious Chinese server also gets to read all your iMessages. This is some kind of quasi-MITM, and for that alone Apple would be in the right to block this kind of thing from ever working.

Why is it any worse than only Apple's server reading all your messages? You trust one third party with a proven track record of spying on its customers, but somehow you are upset that someone else also has access to your messages, though that someone didn't (yet) do anything wrong with them.

If you are American, you don't have to fear Chinese espionage, and US agencies already have your data. If you are European, it's more or less the same. If you are from China, well, at least you can prove that you are not doing anything behind the government's back ;)

Surely you're joking. I don't doubt you can understand the difference between a government law enforcement agency reading your messages and some guy off the street reading your messages.

Neither Apple nor the NSA will, for example, immediately rack up a string of fraudulent charges on every credit card number that it sees come through its system. Some random guy in China? I'd say there's a pretty high chance that's exactly the reason this app is in the app store.

>> "I don't doubt you can understand the difference between a government law enforcement agency reading your messages and some guy off the street reading your messages."

I'd feel more secure with just some guy off the street reading my messages. Fortunately I don't ever send CC#'s through messaging services so there's very little else he could do.

Where is your proof that the guy off the street in this case isn't the Chinese government?

I didn't mention this case; I was speaking more generally. And I'd personally be more worried about what the US government knows about me than the Chinese. I have many more interactions with American people and businesses and I like to visit there. I don't have much if any interaction with China so it doesn't bother me as much.

That still makes no sense. Your information has been leaked to one party, so you're okay with it leaking to others as well? Also, it's not just what they know, it's what they do with that knowledge. And it seems pretty absurd to make the claim that the US has set worse precedents in this regard than China.

Worry about it when you're important enough for the Chinese government to care what you do? I'm certainly not.

No, it is not a joke. iMessage is not a secure communications channel. With this app in the wild, it is pretty clear it is not a secure communications channel. You should not post CC information along an insecure communications channel.

You may be right that there is more risk involved now, but it is nice to get the point out in the open.

People know who Apple is. Apple has a reputation. Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.

I don't know who's running this server in China. But unless it's the NSA, you're much worse off using this app than native iMessage, because now in addition to NSA seeing everything, so does this guy--who has no reputation at risk. Adding more eavesdroppers makes communications additively less secure.

How exactly do I have nothing to fear from the Chinese? At least the NSA is unlikely to have any real interest in communications between Americans in America because it's outside their mission, which is not true for Chinese or Russian intelligence.

> Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.

I do not think that this statement is accurate. The NSA has specifically targeted the largest players.

Also: "encryption works. Properly implemented strong crypto systems are reliable" - Edward Snowden.

Yes but you do have to sacrifice quite a bit to be outside of the NSA's realm of observability. Is iMessage securely encrypted? Wasn't the DEA caught red-handed with a false memo claiming they couldn't MITM iMessage communication?

> Yes but you do have to sacrifice quite a bit to be outside of the NSA's realm of observability.

Very true. That's a consequence of the largest players in winner-take-all markets being targeted.

By MITM do you mean a guy with a hard drive sitting in the middle of Apple HQ siphoning data directly to the NSA? Yes, I could imagine that.

"In Snowden we trust" - the internet

It's sad that the NSA and government has lost the faith of Americans to the point that the word of one man is taken without question.

Well, Mr "nsashill42334", account under 24 hours old, I don't think that Mr Snowden should be trusted without question. However it seems unlikely that he is setting out to dupe people into using encryption for some reason or other.

> Sure they're compromised by NSA, but every communications medium in the world is compromised by NSA.

Scary baseline like this.

> Why is it any worse than only Apple server reading all you messages?

Not. This. Again.

Because one person can read your messages, it doesn't mean that the whole world should be able to. One happening doesn't mean the other is okay.

Uh... as I read it the point of this app is that the whole world is able to read your messages. This app is just the existence proof that all that is required is access to the raw packet data.

Clearly most people are going to "trust" Apple Computer more than this app vendor. But the point is that such trust isn't worth anything. The data is hanging out there already.

Huh? So, does the existence of an open-source reimplementation of early versions of SSL also imply that if you had access to the raw packets you can read anyone else's SSL stream? How about if we first require the data to be sent in the clear to someone who refuses to tell us how DES works, but is willing to provide a web service that implements it? This app is not by any stretch of imagination proof that the protocol on the wire is not encrypted. Yes, that might be the case, and we might learn some interesting things at pod2g's talk on iMessage at HITB (I'm definitely looking forward to that), but that would be totally unrelated to the existence or possibility of this app.

You seem to misunderstand the OP concerns.

It is not only one person, it is not only Apple servers reading all your messages. It is in fact the whole world. Apple gives it to the NSA, which hands it over to various other agencies (GCHQ, FRA), and your data ends up in Israel. Your data is already a good traded on the international market.

Why not increase the competitiveness of this Chinese actor? You will get better service in the future. More competitive, better service.

Let me give you an example.

Apple and the NSA saw the CC number in your chat log, but Apple, the NSA, GCHQ, FRA or Israeli intelligence won't steal your CC and use it.

However, the Chinese vendor could intercept CC info and sell it to blackmarket.

You seem to be confused.

The NSA has already sold your CC on the black market. It's just that the buyer hasn't used it, because they can't use it without getting penalties. Penalties which this Chinese vendor would succumb to as well.

Now are you going to say you trust Israel more than the Chinese, they won't misuse your CC, and if they did, it's still better than trusting a Russian vendor?

> If you are American, you don't have to fear from Chinese espionage

Citation needed. There are numerous stories (unconfirmed of course, but that's the way these things always are) of Chinese hackers breaking into companies and stealing trade secrets. They aren't just after super spies, you know.

And you don't work in an industry the Chinese would be interested in? Good for you. But do you know anyone that is? This hack might quite possibly allow them to send messages as you to whoever they want.

"The NSA has my information so hey, screw it" isn't really an appropriate reaction.

My server logs suggest I need to fear Chinese espionage. You'd need a hell of a citation to beat that.

Attack surface. When you increase the number of parties capable of decrypting your data, you increase the risk of an exposure.

The Apple server cannot read your messages because it is encrypted client-side. https://www.schneier.com/blog/archives/2013/04/apples_imessa...

If it were a proper "Silicon Valley kid" who did that, you would applaud loudly. Does it occur to you that there are talented geeks and developers in China? For one: http://agentzh.org/

What the hell are you on about? I don't care about the nationality of this anonymous person trying to MITM my iMessages, only that some anonymous person is trying to MITM my iMessages.

I agree. The way a couple folks are throwing around their words shows prejudice.

It shows a grounding in reality.

This guy may well be a perfectly responsible entrepreneur, but the fact is that common Chinese business practices can be pretty shocking. My wife is Chinese, her sister works for a bank over there and her husband is a cop. I could tell you stories that would make your hair stand on end, but I don't want to put anyone off ever going there again. I love China, but doing business over there's not for the faint hearted and it's just good sense to be realistic about it.

The current version needs a server, because Apple has some limits. But in the new version, I will not use a server. Thanks.

Do you know if iMessages are encrypted to more than one key (i.e. not just with the recipient key)?

How the f* did you make this if you can't even speak English decently? No offense.

> did you made this

Seriously? You're going to complain about his English?

Perhaps he's a non-English speaking coder who is expressing admiration and incredulity? What makes you think he's complaining? He goes so far as to explicitly state "no offence".

There's a boundary between playing devil's advocate and taking the piss outright.

When is "no offense" ever attached to a compliment?

Because he is able to not only master his native tongue but also acquire some fluency in English. You people born with English as your native language wouldn't know how hard it is to keep switching between 3-4 languages constantly.

Chances are you're better than him at English... and he's better at programming.

I think you got exactly what they are doing. In fact, if you look at their "icloud sdk", it looks exactly like what you mentioned.

[edit: maybe this is more simple to decrypt https://github.com/huluwateam/icloud/blob/master/DataSyncSDK...]

Ahhh good ol' github. Shows the author email and everything. Finally I can ask the author for his secret ingredients.

And Apple's lawyers can find out how to reach him too.

Not saying that's a good thing, just that it's a likely thing.

In China. Good luck with that.

It's a fair point, though it may depend whether there is any "official support" for his actions.

If it's just someone acting on their own for fun, the amount of money Apple invest in China might suggest that they have some sway should they choose to use it.

The code there makes no mention of the iMessage protocol. Everything there can be done using other publicly available APIs such as the CalDAV/CardDAV APIs.

Really, can you have direct access to things like photostream?

That makes sense with my very limited experience messing with the iMessage protocol. Stands to reason that passwords are being ferried back to them though, there's got to be some financial reason for going to all this trouble.

ED: Their obfuscation isn't actually that severe once you get used to it.

I came to the same conclusion as Saurik, (though didn't go as far as looking up the Server and seeing it was from China).

I had hoped that I could decompile it, get the special sauce, and make a client for Qt-based OSes and also Windows Phone. Looks like I won't make any progress today.

You likely won't be able to do anything at all, as the client is fairly dumb. It just takes requests from Apple's server, encrypts with CTR AES and a static key, then fires them off to the Chinese server for actual processing. Unless you want to use their server in your own application, you're just as snookered as before; you still need the secret sauce.
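What a static key means in practice, as an added example that is not the app's code: Go's standard-library AES-CTR under a key constructed here to stand in for whatever the APK embeds (the real key is not reproduced). Anyone who decompiles the APK can decrypt the phone-to-relay traffic with the same call the client uses. If the counter block is also fixed, which this comment does not state and is assumed here as the worst case, the keystream repeats and one known plaintext exposes every other message without any key at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for a key embedded in the APK; the app's real key is
// not reproduced. Any key shipped inside an APK is recoverable by decompiling.
var staticKey = []byte("0123456789abcdef") // 16 bytes: AES-128

// Assumption (worst case, not stated in the thread): the CTR counter block is
// fixed too, so every message is XORed with the same keystream.
var staticIV = make([]byte, aes.BlockSize)

// ctrXOR runs AES-CTR; one call both encrypts and decrypts.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// EncryptForRelay models what the client does before forwarding a packet.
func EncryptForRelay(pt []byte) ([]byte, error) {
	return ctrXOR(staticKey, staticIV, pt)
}

// DecryptRelayTraffic is what anyone holding the APK's key can do to a
// captured phone<->relay packet: the relay has no advantage over them.
func DecryptRelayTraffic(ct []byte) ([]byte, error) {
	return ctrXOR(staticKey, staticIV, ct)
}

// RecoverWithKeystreamReuse needs no key at all. Under a repeated key and IV,
// ct1 XOR ct2 == pt1 XOR pt2, so one known plaintext (a message you sent to
// yourself through the app) reveals the other message's bytes.
func RecoverWithKeystreamReuse(ct1, pt1, ct2 []byte) []byte {
	n := len(ct2)
	if len(ct1) < n {
		n = len(ct1)
	}
	if len(pt1) < n {
		n = len(pt1)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = ct1[i] ^ pt1[i] ^ ct2[i]
	}
	return out
}

func main() {
	known := []byte("test message to myself")  // constructed
	secret := []byte("CC 4111-1111-1111-1111") // constructed, same length
	ct1, _ := EncryptForRelay(known)
	ct2, _ := EncryptForRelay(secret)
	fmt.Println("relay sees:", hex.EncodeToString(ct2))
	pt, _ := DecryptRelayTraffic(ct2)
	fmt.Println("with the APK key:", string(pt))
	fmt.Println("without any key:", string(RecoverWithKeystreamReuse(ct1, known, ct2)))
}
```

The point of the static key is to hide the relay traffic from casual inspection, not to protect it from anyone willing to open the APK; a per-session key negotiated over TLS would cost the developer nothing more to deploy and would at least close the keystream-reuse path.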

I'm aware of that, hence why I said I won't be making any progress. I've tried using the Mac version and iOS versions, no luck either way.

I'll try BBM too once it's on Android. Trying to get it off my Z10 has proven just as difficult.

However since this protocol is really strong:

1) They are using a workaround like a VM running OS X where a program adds the requested account in Message.app and then sends back the I/O.

2) Second solution: they got the protocol description and decryption from an insider.

I would be surprised if #1 was the case. Given the volume of traffic that this app will generate, the traffic pattern of a Message.app rapidly signing in will be pretty unique and easily blockable by Apple.

Additionally, I know that recent efforts in the hackintosh community had problems with Message.app because the latest protocols incorporate being able to access the serial number of your machine (or something along those lines). Apple goes through some extensive hoops verifying that access to OS X -only and iOS-only services really does come from their devices.

This reminds me what an interoperability fiasco iMessage is. Just because of the interoperability issue many iOS users are slowly switching to Whatsapp: you start using it to message your Android buddies at first, then eventually you want to just use a single app... the limiting factor for iMessage to be dismissed completely by some users is the fact that there is no way to message iPad users from Whatsapp, something they should fix IMHO.

The most humorous thing I've seen about iMessage is how it's automatically opt in, with no opt-out should you lose your device or switch to a new (Android) phone.

Our head of IT switched from iPhone and got a new Android phone. Suddenly he found that none of his Apple-using friends were messaging him anymore.

Actually they were, but Apple re-routed their SMSes through iMessage to a dead Apple-account. Without telling anyone about it.

Until he discovered what happened (due to a very angry and ignored-feeling Apple-using wife), he just assumed SMS was broken on Android.

iMessage really shows Apple at its core: so utterly self-centered that it's unable to comprehend that it even needs an interoperability story with the rest of the world.

You're kidding right? It's trivial to turn off iMessage; it's one toggle switch in the settings.

On top of that I've had friends switch away from iPhone to Android; iOS switched to using SMS not but a day later (and I know at least some of them didn't turn it off manually because their iPhone was broken).

> it's one toggle switch in the settings.

If you know it needs to be done. If you still have the device.

According to our head of IT, he said if you didn't (as most people don't) it gets a whole lot worse.

He's wrong. I just swapped my iPhone 5 for a Moto X a couple weeks ago. iMessage was definitely a pain since I left the (SIM-less) iPhone on at home and my wife's messages went there since it was on the WiFi.

Turn the old phone off and problem solved.

iMessage specifically confirms delivery. That's why you occasionally get the "Send as SMS" prompt if it can't go through for whatever reason.

If there's no device actively logged into iMessage, no attempt is made to send through iMessage. You don't have to "deactivate" anything.

That said, when iOS7 came out, and I logged back into my iPad, and my wife on her iPad Mini, and her iPhone 5, iMessage reenabled on all of them with my phone number.

So that was a bit inconvenient.

That obviously wouldn't happen if you had reset and sold the device.

If you sold the device without a reset you have a lot more to worry about than iMessage I think. Though a password change to your Apple ID, or managing the associated phone numbers there should address the issue.

BTW, SMS on Android... wow. That's probably the shittiest thing about switching. It's hard to appreciate how unreliable, low quality and all around bad SMS/MMS is if you've been using iMessage for a few years.

Messages get split up over 140 characters. You can't forward vCards. MMS take forever and you're lucky if you even get half the messages in a timely fashion in-sequence. It's really truly awful.

I haven't used straight SMS for many years now. I use Google Voice. But before I started using Google Voice, I used to use Handcent SMS which does all of that. Check it out if you are interested - https://play.google.com/store/apps/details?id=com.handcent.n...

Thanks. I really want to keep my (10 year old) number. Transferring it to Google Voice sounds a little scary. Is that unfounded? Is it really pretty seamless? I want to cancel my contract and go to a prepaid plan anyways. Which is apparently too difficult for AT&T to do over the phone without risk of losing my number. :-/

So... I could go get a GoPhone plan with a new number. Transfer my existing number to Google Voice. When the transfer is complete my old plan will be cancelled, I can swap in the GoPhone SIM, add its number to Google Voice as a forwarding number, and I've got it all done with improved text/group-messaging? Does that sound about right?

I can confirm this exact thing happened to me. A year ago I switched back to Android and after a week of not receiving messages from most of my friends and numerous calls to AT&T/Apple I figured this out.

Really was one of the most frustrating experiences I've had with customer service.

Changing your Apple ID password should be enough.

Better yet, unregister your device through https://supportprofile.apple.com/MySupportProfile.do

Yes. You have to alter your Apple ID or go to Apple's website to "unbreak" SMS on your new non-Apple phone. I'm sure that makes sense and is everyone's first guess when they first end up in a situation like this.

Sarcasm aside: there are comments like yours, which take it for granted that everyone should know about these things and how Apple does everything internally.

Ironically enough, they perfectly highlight the self-centeredness of the Apple community and ecosystem. Which was the one thing I was complaining about in the first place.

It's not so trivial when your phone breaks and you're stuck with an old Nokia for two weeks. I managed to disable iMessage through some weird lost/stolen procedure through Apple support but that required human intervention. iMessage was pretty new back then, I hope they've since then improved on this (e.g. an option on icloud.com or something).

It is not trivial for my girlfriend. It took her long enough just to work out SMS. To her that settings icon is a scary place where all kinds of complex life threatening buttons and switches lurk..

Everyone refuting this is missing the point. No one, not even geeks would realize you have to specifically de-activate iMessage before you switch to any other phone.

This exact thing happened to me. I switched back to Android and after a week of not receiving messages from my friends and family it took me hours and quite a few calls (sadly) to both AT&T and Apple before it was figured out.

In fact at first Apple had denied that anything should be wrong, thus all the wasted time figuring this out. Left a really poor taste in my mouth from the whole experience.

Your comment history shows that you tend to lean towards Apple bashing comments, but I was curious about this one and tried it out myself. I was unable to reproduce this. Took girlfriend's SIM card from iPhone and put it back in her old Android phone. Sent a couple text messages. When it couldn't send it as an iMessage, it failed on my end and asked me to send it as a text message.

Worked just fine.

You pay a delivery delay every time somebody with an Apple device tries to send you an SMS... not great.

In fairness (insofar as all three totally deserve the ill will), Google & Microsoft have done the same things with Hangouts & Skype, respectively.

No, actually. Hangouts on Android currently doesn't integrate SMS with their messaging system.

Seconded. I had the exact same problem jumping between devices when iMessage first launched.

To opt out I had to unregister my devices from my Apple account, and at the start this did not work because I had an iMessage client on my MBA, even if it was configured to just receive iMessages targeting my email address. A nightmare.

I think a better way to think of iMessage is as something that seamlessly replaces text messages when some conditions are met. I mean, you can still text your Android user friends, can't you?

The inability to send rich media types makes text messages basically broken with today's smartphones.

Um, I can send both video and photos through MMS all through the same messages app as SMS. I don't think there is an inability at all.

Whatsapp is even worse; AFAIK the protocol is still a Jabber-based one but closed source.

I write/read my messages mostly from my Mac (usually where I am most of the day -.-) so I'm still using iMessage to chat with the 99% of my friends who own an iPhone/iPad.

Indeed I see what you mean and I agree with you.

Security-wise, yes, Whatsapp is terrible, but as a product it is a pretty impressive success. The lack of a desktop client is indeed an issue; I switched to Android recently and when I need to do plain SMS messaging there is AirDroid for that, but for Whatsapp no good solutions so far.

Um, how is it an interoperability fiasco? If I message someone who doesn't have iMessage it just falls back to SMS.

Try being a user of iMessage then switching to another phone without disabling iMessage in advance. Any Apple user who messaged you through iMessage will continue to send messages to a dead iMessage account.

I'm pretty sure I did this recently - it sent as an iMessage and after a minute or two when the message still hadn't been delivered to the destination phone it fell back on SMS (I'm assuming the iMessage registration times out after a while, though?)

I can confirm this happened to me a year ago and it was extremely frustrating.

I had to call back and forth from Apple/AT&T over the period of two days before they figured out what was happening and disabled it. Missed tons of messages.

How is Apple magically supposed to know that you've switched phones?

I think the point is that it shouldn't try taking control of my SMS.

uhhhh.... iMessage is opt-in and isn't enabled until you actively sign up for it in settings. You don't want it taking over your SMS & MMS - don't opt-in to it.

In my opinion the way iMessage works natively on an iphone/pad is awesome[1]. You don't ever have to think about it. No separate apps, just one place for communication.

I wish there could be some commonly agreed standard that would include all of the smartphone OS and be implemented similarly.

[1] except when I forget to check 3g before sending a photo and get charged for an MMS :(

There are such standards, they're called SMS and MMS, it's just unfortunate that some greedy bastards are charging through the nose for them, not unlike printer ink.

Even if SMS/MMS were free, the way it operates targets a single device that must have cell service: it is highly convenient to be able to have someone send me a message and have it arrive both on my phone and on my laptop, and have it arrive at my phone even if I am on a plane with a WiFi connection and have no cellular service.

iPads without a cell connection can't use them, though. iMessage has the advantage of being usable over WiFi.

I've heard a lot about Whatsapp and iMessage... Can someone explain why I would want to use either instead of text messaging? Is this basically just MSN/ICQ style messaging on your phone? Why would I need that when I can just use SMS?

SMS costs money and requires a phone. Some people cannot afford texting plans or might not have a cell phone at all (think a teenager). Even if you are capable of receiving SMS, they are destined for a single device: with these alternatives, you get the notification on all of your devices, including your computer (which has a real keyboard and is more convenient for longer conversations). The benefit of iMessage is then to solve these problems in a seamless fashion (assuming you buy Apple hardware, as that's how Apple makes all of their money: hardware): if someone with an iPhone sends a message to someone else with an iPhone, it just notices "oh, hey, this could have been an iMessage", and the result is cheaper and more convenient (as the message goes everywhere, not just to their phone); if the message cannot be sent via iMessage for any reason, it gracefully degrades to SMS.

Because it uses mobile internet (GPRS, EDGE, 3G, HSDPA, LTE, etc.), you can share photos, you can have chat groups and more stuff, and it's linked to your phone number instead of a device (BBM) or an email account (iMessage). In some countries that's 10x cheaper than SMS or MMS.

> In some countries that's 10x cheaper than SMS or MMS.

As a Canadian that's the real shocker to me, it's basically the opposite up here.

Group chat, photos, and phone number are all part of MMS too.

iMessage also uses your phone number, but can use an email address as well.

There's also no way to message Mac users from Whatsapp. When I'm at my computer, I don't want to have to use my phone to IM people.

Viber, an alternative to whatsapp, has a desktop client.

This is actually talking directly to the iMessage service. It's hitting https://service.ess.apple.com:443 (and https://service2.ess.apple.com:443 when authenticating) and not being proxied through any third-party servers. That being said, it does look like the app reports basic analytics but nothing sensitive.

This is truly impressive!

> That being said, it does look like the app reports basic analytics but nothing sensitive.

Are you referring to the seemingly-encrypted network connection over port 5332 to a server in China at IP address that has traffic that precisely correlates to me sending and receiving messages using the application? [edit: Which happens to be the value of the resource ServerId in the APK?]

Try sending a picture--surely the size of the Chinese body would scale with the picture

No, pictures sent using iMessage are uploaded directly to Microsoft Azure when using a true iOS device.

Why does Apple use Microsoft Azure though? I would have thought that they have enough server capacity for that.

Storing files in the cloud is a commodity service. Why wouldn't they outsource it? They use AWS too.

They're encrypted, though, right? Do they need to be sent to this third party to decrypt?

I don't quite remember, but I think the images are just passed over SSL with no other encryption.

That's crazy. The protocol for iMessage is so complicated that I gave up very quickly after getting IP banned many, many times, it's an incredibly sensitive service to things like this. At the time I just wanted to be able to check if an email address was iMessage-supported, but it required piles of signatures and other authorisation.

It will get banned on Apple's end so quickly, but not before it's used to send mountains of spam.

Haha, same here. Instead I wrote an app that uses the iMessage Mac client to insert a mail address into the to: field and check whether it supports iMessage. And then I use pixelbuffer data to figure out whether the mail address has the correct iMessage supported color in the ui. Works great, but is a bit slow.

Haha, that's a great hack for checking if an email is an iMessage account. Can you gist the code :)

That is just looking for embedded URLs: it totally fails to notice the IP address hardcoded into the APK ( that seems to be used every time you send/receive a message.
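The gap between the two analyses above, as an added example that is not from the thread: checking an APK's decoded string resources for URLs only versus for bare IPv4 literals, in Go. The resource file is constructed inline; the address in it is from the 203.0.113.0/24 documentation range rather than the one the thread redacts, and the resource names follow the "ServerIp" naming quoted earlier. A URL-only scan reports the Apple endpoints and nothing else, which is exactly how the relay address gets overlooked.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
)

// Constructed decoded string resources, not the real app's. The address is
// from the 203.0.113.0/24 documentation range; the resource names follow the
// "ServerIp" naming quoted in the thread.
const sampleResources = `
<string name="ServerIp">203.0.113.45</string>
<string name="ServerPort">5332</string>
<string name="ess">https://service.ess.apple.com:443</string>
<string name="ess2">https://service2.ess.apple.com:443</string>
<string name="app_version">1.2.1</string>
<string name="not_an_ip">999.1.1.1</string>
`

var (
	urlRe  = regexp.MustCompile(`https?://[^\s"'<>]+`)
	ipv4Re = regexp.MustCompile(`\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`)
)

// FindURLs is the URL-only check: it reports the Apple endpoints and nothing else.
func FindURLs(s string) []string {
	return dedupe(urlRe.FindAllString(s, -1))
}

// FindIPv4Literals also catches bare addresses in non-URL resources such as
// ServerIp. net.ParseIP drops regex hits that are not valid addresses.
func FindIPv4Literals(s string) []string {
	var out []string
	for _, m := range ipv4Re.FindAllString(s, -1) {
		if ip := net.ParseIP(m); ip != nil && ip.To4() != nil {
			out = append(out, m)
		}
	}
	return dedupe(out)
}

// MissedByURLScan returns the IPv4 literals that do not appear inside any URL,
// i.e. the endpoints a URL-only review would never see.
func MissedByURLScan(s string) []string {
	inURL := map[string]bool{}
	for _, u := range FindURLs(s) {
		for _, ip := range ipv4Re.FindAllString(u, -1) {
			inURL[ip] = true
		}
	}
	var out []string
	for _, ip := range FindIPv4Literals(s) {
		if !inURL[ip] {
			out = append(out, ip)
		}
	}
	return out
}

func dedupe(in []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("URLs:", FindURLs(sampleResources))
	fmt.Println("IPv4 literals:", FindIPv4Literals(sampleResources))
	fmt.Println("missed by a URL-only scan:", MissedByURLScan(sampleResources))
}
```

Anything reported by MissedByURLScan should be compared against the endpoints actually seen on the wire; a bare address that also shows up as the destination of traffic timed to your own messages, as in the capture analysis earlier in the thread, is the finding.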

Thanks - I also downloaded it directly from the developers site, which appears to be an older version (v1.2.1) http://www.huluwa.org/imessage/

So I wasn't sure if things had changed in later versions of the app.

They seem into cloning many of Apple's services to the other side: http://www.huluwa.org/

(eg. iCloud for PC)

iCloud isn't nearly as exciting as iMessage, with the majority of iCloud services just being WebDAV (bookmarks, etc), CardDAV, CalDAV, IMAP, etc.

Indeed! I wonder if Apple will be able to patch this app out while retaining access for their own devices.

They can start by getting Google and other major app stores to pull the app for copyright / trademark infringement on the term "iMessage", then they can sue the developer for the same (he's public with his identity).

Beyond that all they need to do is include some form of digital signing in the login process which he can't duplicate and jobs a good un.

Alternatively they may say that they don't care and leave it alone as it strengthens iMessage as a platform.

But my guess is that this won't end well. Isn't it trademarks that you have to defend or you lose them? If that's the case then Apple at the very least need to have him change the name and so on.

Digital signing on the login process? Could you be more specific? I was under the impression that verifying data is coming from an 'approved clients' over a reverse engineered protocol is impossible.

It's not impossible, but it requires either secure hardware or homomorphic encryption.

very much agreed this won't end well

Reminder: iMessage's "encryption" is open to the NSA. (What's more, Apple partners with the NSA.) Not sure why you'd want to submit to the surveillance state.

<sarcasm> Because if you connect to an iMessage client that also sends your packets to China, the MSS and the NSA get stuck trying to both look at your packets. We call it Two Stooges Syndrome. Your information is safe. No, it doesn't make you invincible </sarcasm>

And here you are, posting messages in plain text to a public forum...

There is some truth to your statement. For example, we will never know if PG would shut down HN if required to hand over the private logs. So yes, our posts can be cross-referenced with other online profiles, etc.

Now, should the conclusion be "we should stop communicating electronically"? That would be a severe restriction to free speech and thus advancement of our species. So, no.

Maybe the right direction is to migrate the discussion towards encrypted and distributed forums. RetroShare offers such a feature (amongst others): http://retroshare.sourceforge.net/

I'm wondering if they have friends inside of Apple that can tell them the protocol... or even copy code.

At first, when I read the post's title, I thought Apple had created iMessage for Android and put it up on the Play store. Now, that would be a really big deal because that would mean that Apple finally gets that communication is between people and not one family of computers. The current Apple attitude to communication and sharing (like PhotoStream) is akin to a telco saying you can only call other users on their network, or Google saying you can only send and receive emails from other gmail users. Apple finally getting communication would be a really big deal.

I saw, to my great disappointment, that the program was not Apple's.

Somewhat unrelated -- SMS seriously needs to die.

Any phone carrier call center employee can check your inbox. Supposedly that's an audited procedure, but having worked in a call center, I would tell you that I'd believe that nobody's watching anything. Just like email, SMS is a poor protocol/medium that has been contorted into doing way more than anyone ever intended originally.

But there is definitely a need for a commodity, cross-platform secure messaging protocol that can be implemented by anyone. It hardly seems like there's anyone incentivized to do that though -- why would Apple, for example, want to ferry traffic to/from non Apple phones. And why would they want to step aside and let someone else replace their seamless, secure-ish messaging experience with something else? None of the other messaging apps can achieve the level of integration with the rest of the phone that iMessage can.

The mere facts that iMessage is a) so good (integrated so well into the OS by way of unfair advantage) and b) closed, are probably sufficient to make sure that there won't ever be a common, secure messaging platform. It couldn't penetrate far enough into the iOS user base even if every Android user installed it.

I agree. But the carriers love charging for text messaging bundles, so I can't imagine them pushing for something else, unless it's equally as bad, like MMS. So we are left with this crappy state of fragmented and proprietary messaging systems.

We even have standard messaging protocols (XMPP), so it is not a technical hurdle. Merely there is no business opportunity to commoditize messaging, so it hasn't happened.

The prejudice here is amazing. Has no one here ever made a free app? Has anyone heard of Linux? Is it possible that out of all the people in China, at least one talented developer just thought that this would be a fun project that they could contribute?

I still don't recommend allowing your conversation to be MITM'd, but the assertions that China = steal your password and charge your CC are a bit crazy. Propaganda works I see!

> but the assertions that China = steal your password and charge your CC are a bit crazy.

The assertion that sending the password for an account tied to your credit card to a completely unknown recipient is a bad idea... is not crazy in the least. And has nothing to do with it being in China.

Linux wouldn't have quite the uptake it does today if Torvalds was the only coder and the source code was closed.

This is going to get shut down so fast from Apple, which is kind of sad given the amount of work that must have gone into this!

Not necessarily. There are many AirPlay apps that have been working for ages. Maybe they have to rename their app.

AirPlay stuff never talked to Apple's servers though; this does.

If Apple wants it gone they have a legal staff that can make life hell for the app author. My guess is the 'iMessage' name and icon design are enough for a takedown order.

In China? Good luck with that.

I understand that with the latest Apple TV update AirPlay is now proprietary, i.e. wrapped in Apple's FairPlay DRM spec. So, any third-party non-licensed AirPlay services are now dead.

With the US' draconian DMCA law in place, it is also now illegal to build any devices that Apple hasn't licensed to use AirPlay with your Apple TV.

I think it just got shut down.

Does this mean someone actually RE'd the entire iMessage cryptographic protocol? I know of several people who have wanted to analyze it.

If so, if they or someone could put up the source or even a protocol spec, that would be amazing.

Kudos to the folk who reverse-engineered it, but I'm not sure this is a good thing in the long run.

Put it this way: just like AirPlay and AirDrop, it keeps the open-source community on the back foot, always looking to "keep up with the Joneses" when in fact we should let these proprietary protocols wither and die.

The public perception shouldn't be that Apple lead and others follow, it should be that Apple have deliberately isolated themselves from everybody else.

I agree with you. I also suspect Apple's iMessage system is not nearly as secure as they claim it is. So if someone can post the full crypto protocol, others will find bugs/backdoors* in it and you will have one more reason not to trust closed-source secure communication software.

* By backdoor, I mean the protocol isn't actually end-to-end secure in the way Apple claims (i.e. safe from NSLs) and Apple does actually have access to messages. Not that the protocol looks secure and they picked backdoored primitives or some secret key escrow scheme, though they may have done the latter at least in other cases [0].


I'm sure someone will download the APK and decompile it. Hopefully the source hasn't been obfuscated.

It looks a bit obfuscated, but there might be some useful finds. I'm going through it and looking for hardcoded strings that might not be in the resource files.

I posted the APKTool output on Github for anyone that wants a quick look - https://github.com/mdp/iMessageChatDecompile
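The earlier complaint was that a URL-only scan of the APK misses a bare IP address hardcoded as "ServerIp". Below is an added example (not from the thread, the decompile repo or the app's own code) that scans apktool output for both URLs and IPv4 literals and flags which ones point off-device; the sample files and the 203.0.113.7 address are constructed placeholders, since the thread elides the real value.

```python
import re
import ipaddress

# Added example: scan decompiled APK text (res/values/strings.xml, smali
# sources) for network endpoints. A URL-only grep misses a bare IPv4
# literal, which is exactly how a relay "ServerIp" can hide in resources.

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Four dotted 1-3 digit groups, not glued to other word characters or dots,
# so "1.2.1" (a version string) and "10.0.0.1.foo" do not match.
IPV4_RE = re.compile(r'(?<![\w.])((?:\d{1,3}\.){3}\d{1,3})(?![\w.])')

# Ranges that stay on the device or the local network; anything else is
# treated as a remote endpoint worth a second look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def find_endpoints(files):
    """files: mapping of path -> file text (apktool output).

    Returns a list of dicts {path, kind, value, remote} where kind is
    "url" or "ip" and remote says whether the endpoint leaves the device.
    """
    hits = []
    for path, text in files.items():
        for m in URL_RE.finditer(text):
            hits.append({"path": path, "kind": "url",
                         "value": m.group(0), "remote": True})
        for m in IPV4_RE.finditer(text):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # e.g. "999.1.1.1" is not an address
            hits.append({"path": path, "kind": "ip",
                         "value": str(ip), "remote": not is_local(ip)})
    return hits


# Constructed sample of apktool output; 203.0.113.7 is an RFC 5737
# documentation address standing in for the undisclosed relay IP.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="ServerIp">203.0.113.7</string>\n'
        '  <string name="site">http://www.huluwa.org/imessage/</string>\n'
        '</resources>\n'
    ),
    "smali/com/example/Net.smali": (
        '    const-string v0, "127.0.0.1"\n'
        '    const-string v1, "1.2.1"\n'
    ),
}

if __name__ == "__main__":
    for h in find_endpoints(SAMPLE_FILES):
        tag = "REMOTE" if h["remote"] else "local"
        print(f'{tag:6} {h["kind"]:3} {h["value"]:35} {h["path"]}')
```

Run it over a real apktool tree by reading each file under res/ and smali/ into the dict; the REMOTE rows are the ones to compare against the hosts the app actually talks to on the wire.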

If someone can reverse-engineer the protocol, then it is not very difficult to reverse-engineer the obfuscated APK.

Sounds great, but I’m still worried because this App might hijack the Apple ID and password. If I remember it correctly, Apple does not publish their Apple ID API outside of iOS SDK.

They don't even publish the Apple ID API inside the iOS SDK. There is no way to directly use Apple ID as a form of identification. Only second-hand ways, like Game Center and iCloud.

That's what I meant, through Game Center and iCloud.

I absolutely agree. This is really impressive if it works, but there's no way I'm giving this my Apple ID.

Not sure if you're wanting this because you're switching devices, but for full-time Android users it shouldn't be a big deal to set up a new Apple ID to use this app.

As a hackintosh user, I hope the blast radius on Apple's response doesn't kill iMessage here too...

Has anybody else here forgotten you're passing on your Apple ID and password here in cleartext? There's a lot of information you can grab with that, and let's just assume that this guy also puts an app out for iOS -- and buys it with your account.

Seriously? Not to mention all the data that can be mined from your associated messages. And for argument's sake, since, again, the passwords are in cleartext, let's just say that a small percentage of users also use the same email and password for their Facebook or their Gmail (or whatever other email they have) -- let's just brute force some bank accounts, send a forgot-password request, then scour their Facebook for the security question. Nightmare scenario, but considering you're passing some random guy in China all this information, not entirely infeasible.

Funny how a small app like that can destroy all the hopes a multi-billion dollar company like Blackberry put in their "stay relevant by rolling out BB Messenger to iOS and Android" plan.

Assuming Apple doesn't kill it, of course... There are some good reasons why Apple shouldn't kill it (network effects work both ways), but who knows what they will do.

Apple can just pull this off Google Play and then also reject BB Messenger from iTunes App Store. Boom. Victory through lawyering with no technical work whatsoever. Two competitors down.

How could Apple convince Google to pull this from the Play Store?

C&D because of trademark infringement.

Yes. Also because the computer crime laws are vague about unauthorized access and Google isn't interested in subjecting itself to test cases.

Is this actually running on Apple's iMessage protocol or is it just duplicating/imitating it? That is to say, if you 'iMessage' to an Apple device, does it come up as an iMessage on that device?

It did when I tried with my roommate. He even sent me a picture.

I signed up on my phone and was notified by my iPad that another device had been added to my account. Seems to be a working implementation.

Hi everybody, I am the Android message developer.

Hi, thanks for joining! Some questions:

1) It appears that the iMessage responses received from Apple's servers are forwarded as-is to a remote server for decoding and decryption. Is this correct? If so, why isn't this process performed in the application itself?

2) Now that you've clearly reverse-engineered the iMessage protocol, will you be publishing it so that others can benefit from interoperability? If not, why not?

Awesome work so far. I think I speak for everyone here when I say we can't wait to see if you publish the protocol specs; everyone's hands are itching :)

Do you think your app can be blocked by Apple?

Why did you use Apple's graphics instead of your own? It will make it easier for Apple to have your app taken down.

Hi there - I sent you an email a few days ago regarding lengthening the password field for login. Thanks for the prompt reply: I was now able to login. Good to see you on HN!

Fellow Americans, take your snakeskin boots off your redwood desk, adjust the brim of your stetson hat, and shift the piece of grass you are chewing to the other side of your mouth; what I'm about to say is important:

Classifying and stereotyping (even in a passive-aggressive sense) is a relic of the past you need to get over.

I don't dare to try an app like this!

Good work on reverse engineering the protocol though.

Direct link to the APK since it was taken down from play store: http://www.huluwa.org/imessage/download/platfrom/android/iMe...

Any idea why it was taken down?

It would definitely seem less shady if the dev didn't copy the iOS UI and icons. Still, I downloaded it and hope to test it.

Regardless of whether it'll disappear from the Play Store quickly or not, this is kinda cool. Hopefully it means there'll be a FOSS implementation of this at some point and we can get other Linuxy stuff talking to iDevices.

(If there already is one I'd love to be pointed at it; I've done some searching previously trying to get a nice solution for getting scripts at home communicating with me. I eventually settled on using push notifications with Prowl: http://www.prowlapp.com/)

This is really awesome. They should release the method, although obviously there is some value in their not doing so. I'm sure Apple will change the iMessage endpoint to kill this, but that's a cat-and-mouse game they'll lose with the dev community in the long run. If this is a true reverse engineering of the iMessage protocol, this will be very hard to shut down.

I would love to know how they pulled this off.

Presumably it's Java. Disassembly is quite easy and can even produce quite readable source.

Obfuscated code, auto-downloads APKs, presumably to 'self update' but no one is sure.

Use it with a demo account.

Sadly this will probably be shut down by morning since it didn't come from Apple. What Apple should, but won't do, is buy it and release it for free themselves. But then Apple would have to admit that there just might be another AppStore in the universe and their reality distortion field might show a small dent.

Remember, this is the Play Store, not the App Store. Apple cannot pull anything out of the Play Store.

What they can do is to shut off the backend because they probably don't have rights to use it anyway.

They don't need to pull anything, just have their lawyers tell Google's lawyers that their iMessage trademark is being infringed. Gone.

Bruce Sewell's office can always send a letter to the Google Play Store. Most likely Google Play would comply.

You can pull it off for trademark infringement.

Why would Apple buy them? If they wanted to release iMessage for Android, they would. But it's a selling point for them, so it's not likely to happen.

I'm afraid to install this. Does it actually work or is it another common fake app found on the Play store?

It's working for me. Sending and receiving messages and pictures. Receiving them faster than Messages for Mac, even!

Does it actually register as an iMessage? I wonder how they pulled it off.

First of all, use of the trademark iMessage is enough to get a lawsuit from Apple's lawyers.

Also, it's certain that they are intentionally copying Apple's copyrighted material.

Anyone manage to sign into the app? I just get 'Password or Apple ID error' with a Chinese 'OK' button.

The app only supports passwords up to 16 characters in length and mine was ... a lot longer.

Is 16 characters exactly the length of a whole block of AES 128 input?

Having the same problem here...

I'm not familiar enough with Apple products, iOS, iMessage, etc. to understand why this is such an impressive feat. Can someone fill me in on why this is so amazing? It's a closed protocol I guess, but if this guy could pull this together under the radar like this how hasn't it been done before?

Amazing because the iMessage protocol is surprisingly complicated and seemed to be almost unintelligible to anyone outside of Apple:


This is blowing up all over the internet right now.. It is pretty amazing that there is an app like this which works, but it is even more surprising that this has been around for a bit, and it flew relatively under the radar.

I just tried it out myself, and my boss who uses an iPhone is in total shock.

Has Apple already struck? "We're sorry, the requested URL was not found on this server."

Here's a tin-foil-hat-needing random theory of the day: Apple gave the keys (and protocol) to decode iMessages to the PRC Government, in return for being allowed to sell iPhones in China. Somehow they leaked, and now someone in China is offering this service.

(adjusts tin-foil lined colander on head)

Even though the technical achievement is really impressive, the iOS 6 design just looks out of place. It simply does not look right; it's a shame that implementing an iOS service led them to implement an iOS design. I would rather prefer a well-integrated Android experience.

So, the magic that some Chinese companies have been using to send advertisements is finally public. Will there be more iMessage advertisements after this? Maybe it is time for Apple to change their iMessage protocol.

This will surely be pulled very quickly. For a start it's using the name iMessage. Secondly this is a big selling point for iDevices. Apple gets no benefit from it being available on other platforms.

Does this screw up the ordering of messages just like iMessage? Does it make you a part of the same conversation multiple times, so that when you send a message, you get your own reply?

Insane. They even have a way to create an Apple ID in the app!

I hope the protocol specs leak soon... would be nice to write a Windows Phone client that can do iMessage; kik messenger sucks and whatsapp is buggy :-/

Just tested it with my account, and it works! Even sending and receiving images works... very impressive :) Let's see how long it will work :)

This explained all the iMessage spam…

Their dev website is unavailable, which makes me question the stability of this... HA

Looks like someone inside the Blackberry deal, trying to demonstrate how irrelevant BBM is.

I'm on Android and I think the last thing I want to install is an iSomething.

Now all they have to do to get people to use it is create a QR code for it ;)

Noooo, what if the Chinese server is hacked by someone.

Already got pulled.

How has this been up for 10 days?

One less reason to buy an iDevice, at least until Apple issues the inevitable takedown, Cease-and-Desist, iSueYou, etc.

Can confirm that it works here.

Look at them one star ratings.

Can someone post a mirror? Looks like it has already been taken down.

At what point does Apple deploy their lawyers?

First screenshot. Cancel.

It is such a shame and pity that it comes from China. It killed all of the buzz for me in an instant. I have nothing against Chinese people, but an app that has done something never done before with Chinglish in it - nope.

Those can be easily fixed with a translator.

It's not the use of the characters per se, it's the fact that this app came from a country with a history of state-sponsored hacking and censorship.

And USA isn't?

Heard of the NSA? You biased, stereotyping peeps.

Oh god... Where do you hide a tree? In the woods.

Everybody is talking about high level conspiracies regarding NSA, overseas intelligence agencies and whatsoever.

But the real concern should be about simply getting scammed! Of course our (end user) data is not safe; it was not designed from the very start to be so. I have no problem with the NSA and Apple reading my messages because I am sure that they won't use the credit card linked to my account without my consent.

This... thing is a bit different. It is run by a third-party provider somewhere outside of European and American jurisdictions. My concern is that if this app was created by Europeans or Americans, I would trust it with my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I lose money. There would be a possibility of an investigation, a court and a punishment. This, my friends, is a bit of a different scenario. If people get their accounts compromised and money gets stolen, Apple is not going to do a thing about it for two simple reasons: 1) Who wants to argue with China? What is the chance of even finding the physical location of the server all the data gets relayed back to? 2) Apple never authorised the use of third-party apps.

This is my concern about China, nothing else. I would love to use this app for my everyday needs; I would even pay for it! But the chance of my account being stolen with no possible outcome positive for me just rustles my jimmies.

> My concern is that if this app was created by Europeans or Americans, I would trust it with my password and account, because I would have a tiny fraction of luck in case my account gets compromised and I lose money. There would be a possibility of an investigation, a court and a punishment

There's also the possibility of an investigation, court case and punishment in China.

And I wager the chances of you getting any money back in either case are about the same.
