iMessage: the secrets of how it works discovered

Yesterday we told you about Beeper Mini, an application that brings iMessage to Android devices, allowing messages to be exchanged with iOS users as if they came, for example, from an Apple iPhone. The one who uncovered the secrets of Apple's messaging app is a high school student who managed to send messages to iOS from Android terminals, making iMessage put them in a "blue bubble" without a hitch.

How Apple iMessage works behind the scenes

It now turns out that the young man capable of achieving what until recently seemed impossible has published the fruit of his work in a GitHub repository, previously shared with the Beeper developers as well. The pypush project is a demonstration (PoC, proof-of-concept) built on the reverse engineering of iMessage. It is in fact a "re-implementation".

Using the code behind the application, anyone can register a new device with Apple's servers, set up encryption keys, and send/receive iMessages. And that regardless of the platform: neither a Mac nor any other Apple device is required. The pypush software lets you send and receive messages via iMessage using a previously registered Apple ID.

APN, Apple Push Notification Service

For sending and receiving iMessage messages, Apple developed and uses the APN service (Apple Push Notification Service): it routes messages through Apple's servers and sends push notifications to Apple devices when a new message arrives. Messages are stored on Apple's servers and can be delivered to offline devices as soon as they connect to the network.

After connecting to the APN service, the device receives a "push token": it acts as a key for routing notifications directed specifically to that device. An interesting aspect is the concept of "topic", used to filter messages.

The identity service (IDS) of iMessage is a keyserver, involved in the secure exchange of participants' public keys, which is essential for end-to-end (E2E) encryption. Registering with the IDS requires obtaining an authentication token via your Apple ID credentials. Once the authorization token has been obtained, a long-lived authentication certificate is exchanged and used for subsequent operations, which simplifies them.

After registration, every Apple user receives an "identity keypair" that allows them to look up the public keys of other users. These lookups return crucial information about the other devices, including their push token and session token. The latter is required to send messages and expires after a certain period, securing the sending process.

How pypush, an open source application that reimplements Apple iMessage, works

pypush makes use of Unicorn, a CPU emulator, and a custom Mach-O loader during the initial registration. The goal is to call some functions that Apple has obfuscated.

The developer emphasizes that these "dependencies" are in any case limited to the initialization: it is therefore possible to register a device and then copy the config.json file produced by that operation to another device that does not support the Unicorn emulator. The repository also contains a data.plist file with information taken from a real Mac, useful if rate-limiting or message-delivery problems arise.

By cloning the GitHub repository, entering its directory, installing the dependencies and running the Python demonstration script, you can see how iMessage works on non-Apple devices:

git clone https://github.com/JJTech0130/pypush
cd pypush
pip3 install -r requirements.txt
python3 ./demo.py

For further information, we suggest consulting this post, published by the author of pypush, who is also a valued Beeper consultant.

Opening image credit: iStock.com/picturejohn
