Privacy News Nothing Chat app removed from Play Store - Your Apple ID may be at risk as Sunbird forgets to encrypt messages

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,393
Nothing Chat will be powered by Sunbird, an app developer that has claimed to be able to send iMessage chats for about a year now, with no public launch. According to a Washington Post article with quotes from the CEOs of Nothing and Sunbird, Nothing will "start" rolling out "an early version" of Nothing Chats with iMessage compatibility on Friday. The only catch, supposedly, is that you'll need a Nothing Phone 2.

The many red flags of Sunbird​

Sunbird has claimed to be able to send iMessages on Android for a long time, has missed its deadline for launch, and generally doesn't come off as a serious company. The company announced itself to the world with the promise of iMessage on Android during a press briefing in December 2022. I attended this meeting and did not write about it because Sunbird's suspect presentation did not meet my standards for a story. To me, the purpose of a press meeting like this would be to overcome the skepticism about the claim that you could imperviously, permanently hack into iMessage. Being honest with the press would have helped, but Sunbird refused to take open questions in its big debut. Sunbird's PR person approved and asked all the questions, the Zoom chat was turned off, and the company didn't answer a single one of the basic technical questions.

Account security and Open-source alternative
"Beeper" is an open source app that connects to iMessage by forwarding your iMessage through a Mac (there are a few services like this already). Beeper will let you host this yourself on your own Mac or you can do it via a Mac in Beeper's data center. It's fair to raise your security concerns with Beeper's use of an Apple ID, but Beeper is a great example of how to do things in a way that doesn't feel like a phishing scam. There's a clear explanation of how it works: iMessage - Getting Started Guide | Beeper
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,393
Copilot said:
The current web page context is an article from Android Central that discusses the following:
  • Nothing Chats app: A new app that claims to bring iMessage to Android devices by using a bridge service called Sunbird.
  • Privacy issues: The app is found to be insecure and unencrypted, exposing users’ messages and media to Sunbird and anyone who can access its server.
  • App removal: Nothing has pulled the app from the Play Store and delayed its launch until further notice to fix the bugs. Users are advised to delete the app and change their Apple ID passwords.
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,393
Frightening new findings reveal that Sunbird and Nothing Chats are, in fact, not fully end-to-end encrypted, as user data can be accessed in plain text.

“Wukko” on Twitter/X published findings that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, “all” data is sent and stored through Firebase, and it’s also completely unencrypted.

9to5Google can independently confirm Wukko’s findings.

In our Dylan Roussel’s research, we found that once a user authenticates with the JSON Web Tokens (JWT) that are insecure in transit, they can access Nothing Chat’s Firebase database and see messages and files from other users sent in real-time and in plain text. He particularly calls out that vCards are accessible, as these directly include user names, phone numbers, email addresses, and sometimes even more personal data.

He mentions that over 630,000 media files are currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it’s true that Sunbird doesn’t store user data on its own servers, data is very much being stored.
Source: Nothing Chats, the Sunbird-based iMessage app, is a privacy nightmare with unencrypted messages and images
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top