Nobody asked for it, but the Sunbird privacy disaster returns

What do you want to know

  • Sunbird, the messaging app that aimed to bring iMessage to Android users, announced its relaunch in beta on Friday.
  • The original app quickly shut down after users exposed critical security and privacy flaws that made user messages susceptible to interception.
  • The company added a page to its website detailing what went wrong the first time and what’s changed since.

Sunbird, the messaging app that partnered with Nothing to bring iMessage to Android before quickly being shut down, is now back. The company announced on Friday, April 5, that it would relaunch the beta version of its application after making changes to its backend infrastructure. Sunbird says more than 165,000 users have signed up to the app’s waitlist and that invites will be sent out in small phases.

The first time around, Sunbird brought iMessage to Android through its own app and the Nothing Chats app. Nothing, the Android phone maker behind the Nothing Phone 2 and Phone 2a, wanted to make all of its devices compatible with iMessage through Nothing Chats. However, users quickly discovered that internal messages and processes were not encrypted, leaving user messages and shared files accessible to everyone.

Sunbird explained the technical changes to its iMessage architecture on its website, changes it says are intended to increase security and address the privacy issues with the original app. If you are curious or skeptical, here they are:

  • Unencrypted messages are never stored on disk or in a database. When messages are decrypted for transmission to the iMessage and RCS/Google Messages network, they only exist in this state in memory for a limited period of time. In the front-end application, messages are only stored in an encrypted state in the in-app database.
  • Static files transmitted through the Service are stored in secure cloud storage buckets that are encrypted in transit and at rest. They are protected by authorized URLs which prevent unauthorized access and are completely deleted from Sunbird systems no later than 48 hours after they are sent or received.
  • All communications from the Sunbird application to the Sunbird API are protected at the transport layer, either via HTTPS or the MQTTS protocol.
  • The MQTTS broker is secured via strict access control lists to ensure that users can only access the broker topics specifically assigned to them and no others.
  • Additionally, the content of the message payload itself is encrypted at the application layer using AES encryption with an encryption key that is completely controlled by the client and held in memory only on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are only decrypted (in memory) when the messages are transferred to the native messaging platform.
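The list above describes an application-layer model: a client-controlled AES key, a relay that only ever stores the encrypted envelope, and a transient in-memory decrypt just before hand-off to the native platform. As an added illustration that is not Sunbird's code (its implementation is not shown on this page), here is that model in Go; AES-GCM, the envelope layout and binding the MQTT topic as associated data are my assumptions, since the page says only "AES encryption". Because `Open` needs the key, the example also makes plain that this protects messages in transit and at rest on the relay, not end to end.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the only form a message takes in the relay's database: nonce plus ciphertext.
type Envelope struct {
	Nonce, Ciphertext []byte
}

// newGCM builds AES-GCM for a client-controlled key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the client; the MQTT topic is bound as associated data (an assumption
// here) so an envelope replayed onto another user's topic will not open.
func Seal(key, plaintext, topic []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, topic)}, nil
}

// Open is the transient in-memory decrypt the relay does just before handing the
// message to the native platform. It needs the key, so this is not end-to-end.
func Open(key []byte, env Envelope, topic []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, topic)
}
```

A stored `Envelope` can be checked directly for the at-rest property the list claims: its bytes must never contain the message itself.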

Sunbird’s press release also indirectly mentions Beeper, which discontinued support for its iMessage client, called Beeper Mini, after repeated attempts by Apple to shut it down. The company claims that Sunbird is a solution to the iMessage compatibility issue that does not take steps to gain unauthorized access to Apple’s iMessage servers. Ironically, Sunbird points to “security and privacy issues” with Beeper Mini due to the app’s “unauthorized access to iMessage.”

(Image credit: Andrew Myrick / Android Central)

However, it’s up to end users to decide whether Sunbird actually deserves their trust. For what it’s worth, the company has already been caught in a discrepancy. 9to5Google noted that Sunbird claimed to have brought in Jared Jordan, Google’s director of engineering, as a formal advisor. However, Jordan’s LinkedIn page reveals that he left Google months ago. Sunbird quietly updated its website to change the wording around Jordan’s past experience, without any mention or acknowledgment of the change.

Sunbird claims that the reason the company pulled the app for months was due to its “unwavering commitment to the privacy and security of our users.” Instead of offering a quick fix, Sunbird chose to completely rebuild its internal architecture.

It remains to be seen whether users will trust Sunbird again. The app still has a long way to go, as it is now starting from scratch in a very limited beta.

Teknory