I don't know if anyone else has seen this program yet, but as far as I can tell the way it works is that the client does directly connect to Apple, but the data is all processed on the developer's server in China. This not only means that Apple can't just block them by IP address, but also that they get to keep the "secret sauce" on their servers (and potentially just run Apple code: there are some parts of the process in Apple's client code that are highly obfuscated).

Every packet from Apple is forwarded to 222.77.191.206, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what's happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.

Clearly, this is suboptimal from a security perspective. Is this the kind of thing that Google gets involved in? (+Nick Kralevich: I'm legitimately curious about that.) The developer is even responding to reviews about login issues asking only for users' Apple IDs, which makes it sound like even the authentication must be under his direct control (where it can be logged and debugged given only the username). Arguably, though, the app does do what it claims to do ;P.
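A traffic-analysis check for the relay pattern described above, as an added example that is not part of the original post: it scores how often a packet the client receives from one host is followed shortly by a packet to a second host whose length differs by a fixed offset. The endpoint labels, the sample capture, the time window and the fixed-offset model of re-encryption are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample capture: (time_s, src, dst, payload_len).
# "apple" and "relay" are placeholder labels for the two remote endpoints,
# "phone" is the client device. None of these values come from a real trace.
SAMPLE_FLOW = [
    (0.00, "apple", "phone", 212),
    (0.03, "phone", "relay", 228),
    (0.21, "relay", "phone", 341),
    (0.22, "phone", "apple", 325),
    (1.10, "apple", "phone", 97),
    (1.12, "phone", "relay", 113),
    (1.30, "relay", "phone", 64),   # extra status packet, never forwarded
    (1.31, "relay", "phone", 180),
    (1.33, "phone", "apple", 164),
    (2.00, "apple", "phone", 530),
    (2.02, "phone", "relay", 546),
]


def relay_score(packets, client, origin, third_party, window=0.5):
    """Return (score, delta) for the hypothesis that `client` forwards what it
    receives from `origin` on to `third_party`.

    score: fraction of origin->client packets followed within `window`
           seconds by a client->third_party packet at the dominant offset.
    delta: that dominant length offset in bytes (None if nothing matched).
    """
    inbound = [(t, n) for t, s, d, n in packets if s == origin and d == client]
    outbound = [(t, n) for t, s, d, n in packets
                if s == client and d == third_party]
    # For each inbound packet, the set of length offsets to any outbound
    # packet that follows it inside the window.
    candidates = [
        {n_out - n_in for t_out, n_out in outbound
         if 0 <= t_out - t_in <= window}
        for t_in, n_in in inbound
    ]
    counts = Counter(d for offsets in candidates for d in offsets)
    if not counts:
        return 0.0, None
    delta, hits = counts.most_common(1)[0]
    return hits / len(inbound), delta


if __name__ == "__main__":
    print(relay_score(SAMPLE_FLOW, "phone", "apple", "relay"))
    print(relay_score(SAMPLE_FLOW, "phone", "relay", "apple"))
```

A score near 1.0 with a stable offset in both directions is what a client that relays every packet through a second server would produce; the lower score in the reverse direction here comes from the status packet that has no forwarded counterpart.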