Encryption Privacy

Sunbird is Shutting Down Its iMessage App for Android (theverge.com) 12

Sunbird, the app that brings iMessage to Android, has temporarily shut down the service over "security concerns." From a report: In a notice to users, Sunbird says it has "decided to pause Sunbird usage for now" while it investigates reports that its messages aren't actually end-to-end encrypted. Sunbird launched in 2022 as a messaging app that attempts to put the blue versus green bubble battle to rest. It has only been available to those who sign up for its waitlist, touting numerous privacy features, like end-to-end encryption, no message data collection, and no ads.

Last week, Sunbird partnered with Nothing, the phone brand owned by OnePlus co-founder Carl Pei, on the launch of Nothing Chats. The Sunbird-powered messaging service is supposed to let owners of the Phone 2 send texts via iMessage, but it was pulled from the Google Play Store just one day after its launch. At the time, Nothing said it had to fix "several bugs" within the app. However, its removal from the Play Store came around the same time a post from Texts.blog revealed that messages sent via Sunbird may not be end-to-end encrypted.

  • According to other articles I've read today on this:
    - The app required you to store your Apple credentials in their cloud
    - Everything (tokens and traffic) was both unencrypted and stored in plain text in their databases and logs
    - Whatever security they promised didn't exist, instead they used Google Firebase to store your texts unencrypted

    • This is why you do a security audit, including a 3rd party review from a security audit specialist BEFORE you ship. Qualys and other companies who regularly do this are more than happy to take some money to show you just how completely and utterly you fucked up on security, with a nice list of deficiencies and suggested remediations.

      So congratulations on saving that one-time 5-digit sum of money - now you get to shutter your entire platform until you've spent that 5-digit sum of money anyway, all while the

      • This is why you do a security audit, including a 3rd party review from a security audit specialist BEFORE you ship.

        Problem is, as numerous folks were quick to point out when Nothing announced this feature, it is impossible for a 3rd party to implement iMessage on Android in a secure manner. As Apple will never give such a service their blessing, it's always going to involve using hacky means of gaining access to iMessage (running multiple macOS instances in VMs is how it's typically accomplished). Such an implementation will always require your credentials and will retain unencrypted copies of anything you send/receiv

        • Sure. But there are inherent security issues that can be documented and trust can be built up; and then there's bone-headed dipshittery such as what is on display here - using HTTP instead of HTTPS for credential exchange, storing sensitive data in 3rd party publicly accessible databases (Google Firebase), etc.

          Sometimes you can get away with imperfect security if you have client trust. Sunbird has none and has actively shown they are completely clueless in an incredibly public way, which means they never wi

        • by guruevi ( 827432 )

          The problem here is the communication between the app and the servers: the Android app itself talked over HTTP rather than HTTPS, the Android app itself leaked data like a sieve, and then the promises they made (running super-secure servers in super-secure datacenters) turned out to be untrue (they were just using Google Firebase, which is in the Google Cloud).

          The iMessage -> RCS issue is irrelevant as RCS is closed source itself and Google's encryption layer is closed source itself. If they wanted to, th

  • Funny, they did that yesterday, too. https://it.slashdot.org/story/... [slashdot.org]

    • by aitikin ( 909209 )

      To be fair (cue a Letterkenny gif), yesterday's was specifically about the downstream app, "Nothing Chats," whereas this article is about the Sunbird specific app and service. Guessing that Nothing Chats's launch is what shone a light on the security failures inherent to Sunbird's service, but they are technically different.

      Analogously, the post from your link is like saying Red Hat closed down, and this post is saying Linux closed down.

      • by ratbag ( 65209 )

        Nope, yesterday's story had "the Sunbird app, which Nothing Chat is a clone of, was put 'on pause.'" in the summary.

    • by tlhIngan ( 30335 )

      Actually, yesterday it was about Nothing's app, which was based on the Sunbird app. Nothing is a phone manufacturer.

      Today's story, while nearly identical, is about Sunbird's app. This is considered to be the first sort of response by Sunbird themselves.

      The funny thing is, there's a third app that does the same thing but it's been around a long while already.

  • Carl Pei Nothing Chats

    ( It wasn't supposed to be on a single line, he said, and he never went back to get it fixed. The next batch better be perfect he muttered but it didn't matter

  • Why "may"? Isn't it rather trivial to find out without any doubt?

  • Try https://www.beeper.com/ [beeper.com] Uses a different system, seems legit and secure. Anyone have experience with it?
