Privacy News Nothing Chat app removed from Play Store - Your Apple ID may be at risk as Sunbird forgets to encrypt messages

Ink

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Content source
https://arstechnica.com/gadgets/2023/11/nothing-phone-says-it-will-hack-into-imessage-bring-blue-bubbles-to-android/
Nothing Chat will be powered by Sunbird, an app developer that has claimed to be able to send iMessage chats for about a year now, with no public launch. According to a Washington Post article with quotes from the CEOs of Nothing and Sunbird, Nothing will "start" rolling out "an early version" of Nothing Chats with iMessage compatibility on Friday. The only catch, supposedly, is that you'll need a Nothing Phone 2.
Click to expand...

The many red flags of Sunbird​

Sunbird has claimed to be able to send iMessages on Android for a long time, has missed its deadline for launch, and generally doesn't come off as a serious company. The company announced itself to the world with the promise of iMessage on Android during a press briefing in December 2022. I attended this meeting and did not write about it because Sunbird's suspect presentation did not meet my standards for a story. To me, the purpose of a press meeting like this would be to overcome the skepticism about the claim that you could imperviously, permanently hack into iMessage. Being honest with the press would have helped, but Sunbird refused to take open questions in its big debut. Sunbird's PR person approved and asked all the questions, the Zoom chat was turned off, and the company didn't answer a single one of the basic technical questions.
Click to expand...

Account security and Open-source alternative
"Beeper" is an open source app that connects to iMessage by forwarding your iMessage through a Mac (there are a few services like this already). Beeper will let you host this yourself on your own Mac or you can do it via a Mac in Beeper's data center. It's fair to raise your security concerns with Beeper's use of an Apple ID, but Beeper is a great example of how to do things in a way that doesn't feel like a phishing scam. There's a clear explanation of how it works: iMessage - Getting Started Guide | Beeper
Click to expand...
arstechnica.com

Nothing Phone says it will hack into iMessage, bring blue bubbles to Android

Upstart Android OEM hopes Apple won't immediately shut the project down.
arstechnica.com arstechnica.com
 
  • Like
  • Wow
Reactions: Nevi, CyberTech, silversurfer and 2 others
Ink

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Copilot said:
The current web page context is an article from Android Central that discusses the following:
  • Nothing Chats app: A new app that claims to bring iMessage to Android devices by using a bridge service called Sunbird.
  • Privacy issues: The app is found to be insecure and unencrypted, exposing users’ messages and media to Sunbird and anyone who can access its server.
  • App removal: Nothing has pulled the app from the Play Store and delayed its launch until further notice to fix the bugs. Users are advised to delete the app and change their Apple ID passwords.
Click to expand...
www.androidcentral.com

Nothing Chats pulled from Play Store amidst privacy blunder

Seriously, avoid Nothing Chats and check your Apple ID.
www.androidcentral.com www.androidcentral.com
 
  • Like
  • +Reputation
Reactions: Nevi, Gandalf_The_Grey, ZeroDay and 1 other person
Ink

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Frightening new findings reveal that Sunbird and Nothing Chats are, in fact, not fully end-to-end encrypted, as user data can be accessed in plain text.

“Wukko” on Twitter/X published findings that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, “all” data is sent and stored through Firebase, and it’s also completely unencrypted.

9to5Google can independently confirm Wukko’s findings.

In our Dylan Roussel’s research, we found that once a user authenticates with the JSON Web Tokens (JWT) that are insecure in transit, they can access Nothing Chat’s Firebase database and see messages and files from other users sent in real-time and in plain text. He particularly calls out that vCards are accessible, as these directly include user names, phone numbers, email addresses, and sometimes even more personal data.

He mentions that over 630,000 media files are currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it’s true that Sunbird doesn’t store user data on its own servers, data is very much being stored.
Click to expand...
Source: Nothing Chats, the Sunbird-based iMessage app, is a privacy nightmare with unencrypted messages and images
 
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, ZeroDay and CyberTech

Similar threads

CyberTech
    • Like
Technology Sunbird shutdown after security and privacy concerns
Replies
0
Views
430
Technology News
CyberTech
CyberTech
upnorth
    • +Reputation
    • Like
Security News Fake LastPass lookalike made it into Apple App Store
Replies
1
Views
900
Security News
Ink
Ink
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Apple threatens to pull iMessage and FaceTime from UK
Replies
6
Views
746
News Archive
nicolaasjan
nicolaasjan

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top