Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,460
30,674


Sunbird, an app that is designed to deliver iMessages to Android devices, has been temporarily shut down due to security concerns. Sunbird this week sent out a notification to users letting them know about the shutdown (via 9to5Google).

sunbird-app.jpg

Sunbird said that it was investigating security issues that had been raised by the Nothing Chats iMessage app, and shortly after, told users that Sunbird usage had been paused. "We will update you when we are ready to proceed," read the notification.

The Sunbird app was first introduced in late 2022, and it has been limited to customers that signed up for the waitlist. The Sunbird website describes the app as unifying "the world's most popular messaging apps" into a single app, with support for iMessage, SMS/MMS, Facebook Messenger, and WhatsApp.

Using Sunbird on an Android device allowed Android users to send messages to iPhone users that were delivered as iMessage "blue bubbles" rather than green text messages. The app claimed to have end-to-end encryption and confidential messaging for these Android to iPhone conversations, but those claims have been in question, leading to the pause in service.

Last week, Sunbird teamed up with smartphone manufacturer Nothing to launch "Nothing Chats," a messaging app that promised iMessage compatibility. The high-profile announcement led to a deep dive into how Nothing Chats worked and how Sunbird, as the backbone for the feature, functioned.

The Nothing Chats app required users to log in with their Apple ID, one of many red flags raised over Sunbird's security. Text.com looked into how Sunbird works, and found that it is sending a user's Apple ID credentials to a Sunbird server, where those credentials are authenticated using a virtual machine running macOS. Apple ID credentials were being sent over HTTP, which is unencrypted.

Nothing ended up pulling the Nothing Chats app from the Google Play Store less than 24 hours after it was announced, but Sunbird insisted that its service was secure and that Apple ID credentials and messages were "encrypted at all times." This turned out to be inaccurate, and there are vulnerabilities that could allow an attacker to intercept all Sunbird messages and media attachments. Sunbird employees also had direct access to a platform that stored message contents, contact information, and attachment URLs. 9to5Google discovered that Sunbird is storing more than 630,000 media files like images, videos, and PDFs from its users.

Texts.com ended up releasing a proof-of-concept app demonstrating how easy it was for iMessage conversations sent through Sunbird and Nothing Chats to be intercepted and viewed because the content was being sent in plain text.

Nothing said that the Nothing Chats app has been pulled "until further notice" as it works with Sunbird to "fix several bugs," but Sunbird has been quiet about the situation aside from the notification sent out to users. As Ars Technica points out, Sunbird's initial response to the security concerns does not seem to have come from "a competent developer," raising questions about Sunbird's ability to address the security problems.

Existing Sunbird and Nothing Chats users are advised to change their Apple ID passwords, remove the apps, and follow additional steps to remove their data. If the apps are reinstated, it is recommended that users do not download them.

Article Link: Sunbird Shuts Down iMessage App for Android Over Security Concerns
 

Vega20

macrumors member
Apr 11, 2022
38
55
This is their statement on Open Source and security from the website,

"Some of the messaging community believes that software that is open source is more secure. It is our view that it is not. The more visibility there is into the infrastructure and code, the easier it is to penetrate it. By design, open source software is distributed in nature. There is no central authority to ensure quality and maintenance and by putting that responsibility on Sunbird, development would not be feasible. Open source vulnerabilities typically stem from poorly written code that leave gaps, which attackers can use to carryout malicious activities. To help satisfy our own ambitious goals of providing total privacy and security, we are currently undergoing a third party audit that will validate our security, encryption and data policies and plan on receiving ISO 27001 certification after launch."

Aged like fine wine that did...
 

CookItOff

macrumors member
Jun 11, 2023
58
240
Curious if this is the new future for side loading? A bunch of unvetted apps promising security but failing. And when used with those who don’t side load both systems get compromised. As noted: iMessage users who received messages from One Phone user became compromised.
 

CarAnalogy

macrumors 601
Jun 9, 2021
4,191
7,719
Apple ID credentials were being sent over HTTP, which is unencrypted.

Uh what? This whole idea is risky but theoretically possible to do securely if you trust the provider. But that’s security 101 for anyone attempting to do it publicly like this.

I forget the name of the software but it is possible to proxy iMessage from your own Mac, but pretty much defeats the point of the security of iMessage unless you write it all yourself and are certain that the whole chain is secure.

All you technically need to do is securely send the text and destination to your Mac which is then fully and legitimately logged in to iMessage to send it to where you want it.
 
  • Like
Reactions: EmotionalSnow
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.