Disgraced iMessage-on-Android app can't take the hint, is back for more

Remember the whole Nothing Chats debacle from last year? It was an app built on top of Sunbird’s architecture, which had so many security flaws Nothing Chats and Sunbird’s own messaging app were taken down from the Google Play Store. Well, Sunbird is back, hoping users will forget the past and will give it a second chance.

Through a press release, Sunbird announced it plans to relaunch its beta iMessage for Android app. The company says it is sending out invitations to those on its waitlist in small phases starting today.

Sunbird was launched in 2022, promising to bring iMessage compatibility to Android. It claimed to provide end-to-end encryption and iMessage features while not collecting users’ data. However, it was quickly discovered that the software was woefully insecure and not as private as advertised. The company subsequently announced it would temporarily shut the service down as it investigates the security issues that were brought up.

In a blog post, also published today, Sunbird acknowledges the security vulnerabilities it was called out for. However, it claims some of the allegations were incorrect and denies that it ever used the “BlueBubblesApp” as part of its infrastructure.

The company adds that it has swapped out its old architecture (AV1) “that leveraged Firestore for temporarily storing messages” with a new architecture (AV2). This new architecture integrates RCS and is said to have “user privacy as the central tenet.”

Sunbird further states that with AV2:

• Unencrypted messages are never stored anywhere on disk or in a database. When messages are decrypted to be passed to the iMessage and RCS/Google Messages network, they exist in that state only within memory for a limited period of time. In the front-end app, messages are only stored in an encrypted state within the in-app database.
• Static files transmitted through the service are stored in secure cloud storage buckets that are encrypted in transit and at rest. They are protected through permissioned URLs that prevent unauthorized access and are completely expunged from the Sunbird systems no later than 48 hours after sending or receiving them.
• All communication from the Sunbird app to the Sunbird API is protected at the transport layer, either through HTTPS or the MQTTS protocol.
• The MQTTS broker is secured via strict access control lists to ensure that users are only able to access broker topics specifically assigned to them and no others.
• Further, the contents of the message payload itself is encrypted at the application layer using AES encryption with an encryption key controlled completely by the client and only held in memory on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are only decrypted (in memory) at the moment of transfer of messages to the native messaging platform.

Something strange that sticks out here is that near the end of blog, the company mentions it has brought Jared Jordan on as a formal advisor. It says that Jordan is “currently Director of Engineering within the Gmail team at Google.” However, Jordan’s LinkedIn page says he left Google in March and is currently working at Capital One.

It’s good to see that Sunbird has seemingly taken measures to improve privacy and security. But it’s still probably safe to say that you shouldn’t trust any iMessage for Android app.