Sunbird Halts iMessage for Android Project Over Security Concerns

Sunbird, a venture with the goal of bringing iMessage to Android users, has pressed pause on its development efforts and removed the app from the Play Store due to recent security apprehensions.

In a notification to users earlier this week, Sunbird acknowledged the halt in app development to conduct a thorough security analysis. The company stated on its Discord channel on November 19, "We have temporarily shut down the Sunbird app while we do a detailed security analysis. We will revert back to the community as soon as we are aware of the exact occurrences and our plan to mitigate them going forward."

here's a PoC that will show you your unencrypted messages if you used sunbird/nothing chats: https://t.co/othGKsP3va — Kishan Bagaria (@KishanBagaria) November 18, 2023

Numerous users on the Sunbird subreddit reported receiving notifications about the app's sudden shutdown. The company addressed concerns in an update on Tuesday, noting, "We have been working around the clock on the app to address the concerns that were raised and improve the experience. Navigating the press and our partner obligations kept us from sending a message sooner. Lots going on still, and we’re committed to Sunbird’s success."

Thread time!

Summary:
- Sunbird has access to every message sent and received through the app on your device.

- All of the documents (images, videos, audios, pdfs, vCards...) sent through Nothing Chat AND Sunbird are public.

- Nothing Chats is not end-to-end encrypted. — Dylan Roussel (@evowizz) November 18, 2023

nothing chats app (skinned sunbird) is an absolute privacy nightmare that sends/stores ALL data unencrypted on firebase

and for whatever reason it also sends ALL messages and attachments to sentry (again, in plain text) pic.twitter.com/CxBS7TZwCl — wukko (@uwukko) November 18, 2023

Founded in 2021, Sunbird Messaging secured a total of $2.9 million in funding, according to Crunchbase data. The app was initially released in a closed program last December and gained attention when Nothing, founded by OnePlus co-founder Carl Pei, announced its collaboration with Sunbird to bring iMessage to Android through Nothing Chats.

However, following the announcement, security researchers uncovered flaws within the app, such as messages being sent in plain text, as detailed in a blog post from Texts.com. Researcher Dylan Roussel also pointed out that all messages and media sent through Nothing Chats and Sunbird are public.

In response to these concerns, Nothing removed the Nothing Chats beta from the Play Store and committed to working with Sunbird to address several bugs.

The competition to bridge the blue bubble/green bubble divide has prompted various message aggregator apps to offer iMessage integration. For instance, Texts.com and Eric Migicovsky's Beeper have presented solutions, although questions regarding the privacy and security impact persist.

We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.

We apologise for the delay and will do right by our users. — Nothing (@nothing) November 18, 2023

These developments coincide with Apple's recent announcement that it will adopt Rich Communication Standards (RCS) next year—a potent alternative to SMS that enables multimedia messaging with additional features. While this may not resolve the blue and green bubble divide, Android users will gain the ability to send high-res photos and videos to iPhone users.