Consumer Threat Notices

iMessage for Android: a Security Risk in Sheep’s Clothing?

0
By on Oct 01, 2013

For some, the communication between iPhone and Android devices can seem like apples to oranges. Among Android users, envy might be the only sufficient word when it comes to Apple’s iMessage program that allows users to send texts, documents, photos, videos, contact information, and group messages without using their text plan to other Apple mobile devices on iOS 5 or later. This service provides an alternative to standard text/picture messaging, and until recently was an exclusive function between Apple device users. However, a new app may have found a way to bridge the gap, bringing iMessage to Android users, and essentially opening up lines for speedier, more convenient communication between devices on the two platforms. But at what cost?

This third-party app, called iMessage Chat, which opened the iMessage network to Android users, received tens of thousands of almost immediate downloads. Unfortunately, the app’s rise to fame was almost as quickly followed by it coming under fire after a number of concerning security flaws were discovered, including numerous complaints of it opening the door for mobile malware.

Last week it was discovered that iMessage Chat routes messages through a third-party server in China and then forwards the data to Apple. The messages sent through iMessage Chat arrive unaltered, but the sender’s personal data was vulnerable to being compromised in the process. In order to sign up for the iMessage Chat app, Android users are asked to create (or use an already existing) Apple ID that will be used to fool the Apple servers into thinking their chat messages originated from an Apple device. Even two Android phones could communicate across the app, but both would still need to first provide an Apple ID, which would in turn expose both users once the data was sent through the server in China.

Many Android users have likely used Apple’s iTunes service at one point or another – and if they’ve purchased music or movies through this virtual store, their credit card may be tied to their Apple ID. Herein lies the risk of handing over this sensitive login information to an unverified third party app. The exposure of one’s Apple ID and associated password could give hackers access to a user’s personal data, credit card information, and perhaps even stored iCloud documents – if the Apple ID had previously been associated with an iPhone or Apple computer. Furthermore, it was found that iMessage Chat could also be manipulated to download and install software on your phone in the background.

The app’s developers, Daniel Zweigart and Luo Wangyi, have responded to the controversy stating that the app did not contain any malware and they would be releasing an updated version requiring stronger permissions. However, the app has since been taken down from the Google Play store by Android. Although it is no longer available for download, and the risk for now removed, this incident raises a number of questions about how apps without malicious intent can still pose a risk to users due to unsuitable (or lax) permissions. Android has been cracking down on all apps in the Google Play store of late with increased regulations and more stringent guidelines to help protect users from risky downloads. And this latest occurrence highlights why such protocols are necessary when even a seemingly innocuous and useful app could still open the door to attacks on your smartphone or tablet.

Mobile device users represent a growing target for hackers. Most users are hooked to their smartphones all day, relying on them for any number of activities from checking email to banking, playing games to calling home, and everything in between. This means they are constantly sharing, downloading, uploading, and browsing—any of which could open the door to a cyber attack under the wrong circumstances. Staying safe on your mobile device does not mean having to cut back on your usage. It’s all about exercising caution and awareness when it comes to the information you access on your smartphone. Here are a few tips to help you get started.

  • Download with extreme prejudice. Just because an app sounds like fun, or a superb convenience doesn’t mean that it is safe. Be cautious when it comes to the permissions of the apps you download on mobile devices, so that you can continue to enjoy all their benefits and convenience.
  • Start at the source. Make sure that your apps come from trusted app stores such as Google Play where programs are vetted by a team who knows what to look for in risky apps. The phone you save could be your own.
  • Don’t give out permission to any old app. If an app is requesting for more access then it should need, it could be taking that data and sending it back to a not-too-honest developer. Most popular apps, including entertainment and game apps, shouldn’t need access to data on your device such as email passwords.
  • Routinely change your passwords. It’s easy to become comfortable with using the same old passwords over and over again. But that simply opens the door to someone getting more access to your valuable data than you would want. Be proactive and help thwart thieves by updating your passwords on a regular basis. Use strong passwords with multiple variants such as capital letters, numbers and special characters to make them harder to crack. Additionally, don’t use pets’ names or birthdays or other items of public record as your password
  • Protect your devices with complete security. Even with the best precautions, and the safest apps, hackers could still get into your phone. Protect your identity and data across all of your devices (PCs, Macs, smartphones and tablets) with McAfee LiveSafe™ service. Safeguard your identity and devices against malware, phishing attacks, viruses, spam and more with this comprehensive service.

As an active smartphone user, it’s important to be aware of widespread trends in cybercrime. Keep up to date with consumer security threats and mobile safety by following us on Twitter @McAfeeConsumer and Facebook.

Gary Davis

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>