Sunbird iMessage app shuts down temporarily due to security concerns
Nothing Tech launched and pulled its Nothing Chats app after just one day, when security experts pointed out the security issues in the app. And now, Sunbird, the original app with which Nothing had partnered, has also been shut down, albeit temporarily.
Nothing Chats was hyped as a revolutionary app that added iMessage compatibility to Android devices and would end the Green Bubble vs Blue Bubble argument. Nothing and Sunbird had promised that no user data was stored in the cloud, that it was all saved locally on the user's devices, and that all messages between users were end-to-end encrypted.
While Nothing and its CEO, Carl Pei, called it a victory against Apple's walled garden, it turned out to be a privacy nightmare. Several tech blogs called the use of an Apple ID via the app a huge security risk. So did I, and we were not wrong. Security experts at Texts Blog who analyzed the app's behavior revealed that it sends an unencrypted HTTP request for the user's credentials. The JSON Web Tokens which the app sent to its servers were signed but not encrypted, meaning the data that they contained could be accessed quite easily. This included usernames, phone numbers, email addresses, and other personal data. The researchers said that over 630,000 files were accessible through these vulnerabilities.
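To illustrate the "signed but not encrypted" point, here is an added example (not code from Sunbird, Nothing or the researchers) that builds a constructed HS256-signed token and audits what a party without the key can read from it. The key, claim names and claim values are assumptions made up for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (signed JWT). The payload is only base64url-encoded."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> bool:
    """The signature protects integrity: any change to the payload fails here."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

# Assumed claim names treated as personal data for this audit.
SENSITIVE = {"email", "phone", "phone_number", "name", "username"}

def audit_token(token: str) -> dict:
    """Report what anyone holding the token, but not the key, can read."""
    parts = token.split(".")
    if len(parts) == 5:  # JWE compact form: the payload segment is ciphertext
        return {"format": "JWE", "readable_claims": {}, "sensitive": []}
    if len(parts) != 3:
        raise ValueError("not a compact JWS or JWE")
    claims = json.loads(b64url_decode(parts[1]))
    return {"format": "JWS", "readable_claims": claims,
            "sensitive": sorted(SENSITIVE & set(claims))}

# Constructed sample values, not taken from any real service.
KEY = b"server-side-secret"
TOKEN = sign_hs256(
    {"sub": "u-1001", "email": "user@example.com", "phone": "+15550100"}, KEY)

if __name__ == "__main__":
    print(audit_token(TOKEN))          # claims are readable without KEY
    print(verify_hs256(TOKEN, KEY))    # signature only proves they are unmodified
```

Running the same audit over tokens a service actually issues shows which personal fields should be moved out of the token or carried in an encrypted (JWE) token, and in either case the token should only travel over TLS.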
In the aftermath of this alarming discovery, Nothing Chats was pulled from the Google Play Store. Many people blamed Nothing for its lack of responsibility in checking the app's security measures, and rightfully so. But that was not the main problem; the real culprit was Sunbird. Nothing had partnered with Sunbird to work on its own version of an Android app that adds compatibility with iMessage, and Nothing Chats was essentially a reskinned version of Sunbird. The servers and the infrastructure behind the service belong to Sunbird.
Sunbird iMessage app shuts down temporarily
Sunbird has pulled its app from the Google Play Store. Users of the app are unable to access the service. According to some screenshots shared by users on Reddit, a notification from the Sunbird app says that the service has been paused temporarily, as the company is investigating the security issues that have been raised recently. Prior to this, the app had displayed a notification saying that Sunbird was turning off the sharing of media via its app. But it turns out that the service has been paused entirely. It is worth mentioning that Nothing Chats users had received a similar notification.
It is unclear whether Sunbird will resume its services, and there has been no public announcement from the company. One might assume Sunbird is in damage control, but as 9to5Google points out, the messaging app's website is up and still claims to offer end-to-end encryption, without storing messages.
Sunbird is not open source, and here is the reason given by the developers. They say that "The more visibility there is into the infrastructure and code, the easier it is to penetrate it".
I find this stance to be laughable. If the app had been open source, this whole fiasco could have been avoided, because security experts would have spotted the issues sooner, and the privacy and security of users would not have been exposed to risk.
Like I said before, it is never a good idea to provide your Apple ID to a third-party app, least of all to one that openly admits that your account is being used to sign in to a Mac Mini on a server farm somewhere. No, iMessage isn't worth risking your account and its data. Just use a different app like WhatsApp, Telegram, etc., if you need to communicate with other people.
On a side note, Apple recently announced that it would add support for RCS in iMessage in 2024. So things could change for the better next year as far as interoperability between iOS and Android is concerned.