No one asked for it, but the privacy disaster Sunbird is coming back


What you need to know

  • Sunbird, the messaging app that aimed to bring iMessage to Android users, announced Friday that it is relaunching in beta.
  • The original app quickly shut down after users exposed critical security and privacy flaws that left user messages susceptible to being intercepted.
  • The company added a page to its website detailing what went wrong the first time around and what has been changed since.

Sunbird, the messaging app that infamously partnered with Nothing to bring iMessage to Android before being swiftly shut down, is now returning. The company announced Friday, April 5, that it would relaunch the beta version of its app after making changes to its backend infrastructure. Sunbird says that over 165,000 users have registered for the app's waitlist and that invitations will become available in small phases.

The first time around, Sunbird brought iMessage to Android through its own app and the Nothing Chats app. Nothing, the Android phone manufacturer behind the Nothing Phone 2 and Phone 2a, wanted to make all of its devices compatible with iMessage through Nothing Chats. However, users quickly discovered that the messages and internal processes were unencrypted, leaving user messages and shared files available for anyone to access. 

Sunbird explained the technical changes to its iMessage architecture, intended to increase security and fix the original app's privacy woes, on its website. If you're curious or skeptical, here they are: 

  • Unencrypted messages are never stored anywhere on disk or in a database. When messages are decrypted to be passed to the iMessage and RCS/Google Messages network, they exist in that state only within memory for a limited period of time. In the front-end app, messages are only stored in an encrypted state within the in-app database.
  • Static files transmitted through the service are stored in secure cloud storage buckets that are encrypted in transit and at rest. They are protected through permissioned URLs that prevent unauthorized access and are completely expunged from the Sunbird systems no later than 48 hours after sending or receiving them.
  • All communication from the Sunbird app to the Sunbird API is protected at the transport layer, either through HTTPS or the MQTTS protocol.
  • The MQTTS broker is secured via strict access control lists to ensure that users are only able to access broker topics specifically assigned to them and no others.
  • Further, the contents of the message payload itself are encrypted at the application layer using AES encryption with an encryption key controlled completely by the client and only held in memory on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are only decrypted (in memory) at the moment of transfer of messages to the native messaging platform.
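
The broker ACL claim in the list above (each user reaches only their own topics) comes down to a deny-by-default check that also handles MQTT wildcard filters. The sketch below is an added example, not Sunbird's code or configuration; the `clients/<client_id>/<channel>` topic layout and the `authorize` function are hypothetical.

```python
# Added illustration, not Sunbird's code. The topic layout
# "clients/<client_id>/<channel>/..." is an assumed, hypothetical scheme.
ALLOWED = {"inbox": {"subscribe"}, "outbox": {"publish"}}


def valid_levels(levels, allow_wildcards):
    """Enforce MQTT topic syntax: wildcards fill a whole level, '#' is last."""
    for i, level in enumerate(levels):
        if level in ("+", "#"):
            if not allow_wildcards or (level == "#" and i != len(levels) - 1):
                return False
        elif "+" in level or "#" in level or "\x00" in level:
            return False
    return True


def authorize(client_id, action, topic):
    """Deny by default; allow only topics inside the caller's own subtree."""
    # A client id containing topic metacharacters could equal a wildcard level.
    if not client_id or any(c in client_id for c in "/+#"):
        return False
    if action not in ("publish", "subscribe") or not topic:
        return False
    levels = topic.split("/")
    # Wildcards are legal only in subscription filters, never in publishes.
    if not valid_levels(levels, allow_wildcards=(action == "subscribe")):
        return False
    # The prefix must match literally, so '+' or '#' can never stand in for
    # another client's id, and broker-internal trees such as $SYS are refused.
    if len(levels) < 3 or levels[0] != "clients" or levels[1] != client_id:
        return False
    # The channel must be a known literal; wildcards may appear only below it.
    return action in ALLOWED.get(levels[2], set())


# Constructed sample requests: (client_id, action, topic or filter).
SAMPLES = [
    ("alice", "subscribe", "clients/alice/inbox/#"),
    ("alice", "subscribe", "clients/+/inbox"),
    ("alice", "subscribe", "#"),
    ("alice", "publish", "clients/bob/outbox"),
    ("alice", "publish", "clients/alice/outbox/msg"),
]

if __name__ == "__main__":
    for client, action, topic in SAMPLES:
        verdict = "ALLOW" if authorize(client, action, topic) else "DENY"
        print(f"{verdict:5} {client} {action:9} {topic}")
```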

In its press release, Sunbird also indirectly mentions Beeper, which discontinued support for its iMessage client, called Beeper Mini, after repeated moves by Apple to shut it down. The company claims that Sunbird is a solution to the iMessage compatibility problem that doesn't take steps to provide unauthorized access to Apple's iMessage servers. Ironically, Sunbird points out the "security and privacy concerns" related to Beeper Mini due to the app's "unauthorized access to iMessage."


However, it's up to end users to decide whether Sunbird is actually worth trusting. For what it's worth, the company has already been caught in the middle of a discrepancy again. 9to5Google noticed that Sunbird claimed that it brought on Jared Jordan, a Google engineering director, as a formal advisor. However, Jordan's LinkedIn page reveals that he left the company months ago. Sunbird quietly updated its website to change the wording around Jordan's past experience, with no mention or acknowledgment of the change.

Sunbird says that it pulled the app for months because of its "unwavering commitment to the privacy and security of our users." Instead of shipping a quick fix, Sunbird opted to rebuild its internal architecture entirely.

Still, it remains to be seen whether users trust Sunbird again. The app still has a long way to go, as it is now starting over from scratch in a very limited beta.

Brady Snyder
Contributor