What you need to know
- Sunbird, a messaging app that aims to bring iMessage to Android users, announced on Friday that it is returning to beta.
- The original app was quickly shut down after users exposed serious security and privacy flaws that left messages open to interception.
- The company added a page to its website detailing the first time the problem occurred and the changes it has made since.
Sunbird, the messaging app that was quickly shut down after partnering with Nothing to bring iMessage to Android, is back. The company announced on Friday, April 5, that it would be relaunching a beta version of its app after making changes to its backend infrastructure. Sunbird said more than 165,000 users have signed up for the app’s waitlist, and invitations will be made available in small phases.
Sunbird first brought iMessage to Android through its own app and the Nothing Chats app. Nothing, the Android phone maker behind the Nothing Phone 2 and Phone 2a, wants to make all of its devices compatible with iMessage through Nothing Chats. However, users quickly discovered that messages and internal processes were not encrypted, leaving user messages and shared files accessible to anyone who reached the backend.
On its website, Sunbird explains technical changes to its iMessage architecture designed to improve security and address privacy concerns with the original app. If you’re curious or skeptical, here they are:
- Unencrypted messages are never stored anywhere on disk or in the database. When messages are decrypted and delivered to the iMessage and RCS/Google Messages networks, they only exist in this state in memory for a limited time. In the front-end application, messages are stored only in an encrypted state in the in-application database.
- Static files transferred through the service are stored in secure cloud storage buckets that are encrypted both in transit and at rest. They are protected from unauthorized access by a signed URL, and are completely deleted from Sunbird systems within 48 hours of being sent or received.
- All communication from the Sunbird application to the Sunbird API is secured at the transport layer via the HTTPS or MQTTS protocols.
- MQTTS brokers are secured with strict access control lists to ensure that users can only access broker topics specifically assigned to them and not other broker topics.
- Additionally, the content of the message payload itself is encrypted at the application layer using AES encryption, with the encryption key fully controlled by the client and held only in memory on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are decrypted (in memory) only when the message is transferred to the native messaging platform.
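The broker ACL point above is the one most easily checked: a client authenticated as one user must not be able to subscribe to another user's topics, nor to a wildcard filter such as `sunbird/users/#` that would sweep up everyone's traffic. The following is an added illustration, not Sunbird's code, modelling a per-user ACL evaluator with MQTT wildcard semantics; the `sunbird/users/<user>/...` topic layout and the `%u` placeholder are assumptions (the `%u` convention mirrors a Mosquitto `pattern` ACL line).

```python
# Added example (not Sunbird's code). Models the rule "users can only access
# broker topics specifically assigned to them" as a per-user MQTT ACL check.
# Topic layout and usernames are hypothetical.

# ACL patterns; %u is replaced by the authenticated username. Equivalent
# Mosquitto acl_file lines would be "pattern read sunbird/users/%u/#" etc.
ACL = {
    "read":  ["sunbird/users/%u/#"],        # subscribe to anything under own prefix
    "write": ["sunbird/users/%u/outbox"],   # publish only to own outbox
}

FORBIDDEN_IN_USERNAME = set("/+#")          # chars that could widen the prefix


def filter_covers(acl: str, filt: str) -> bool:
    """True if every topic matched by `filt` is also matched by `acl`.

    Both may contain MQTT wildcards: '+' matches exactly one level, '#' matches
    the remainder and is only valid as the last level. A concrete topic is just
    a filter without wildcards, so this serves publish checks too.
    """
    a, f = acl.split("/"), filt.split("/")
    for i, part in enumerate(a):
        if part == "#":
            return i == len(a) - 1           # '#' covers everything below
        if i >= len(f):
            return False                     # filter ends before the ACL does
        if f[i] == "#":
            return False                     # filter reaches wider than the ACL
        if part != "+" and part != f[i]:
            return False                     # literal mismatch, or '+' vs literal
    return len(a) == len(f)


def is_allowed(user: str, op: str, topic: str) -> bool:
    """Broker-side decision for a subscribe ('read') or publish ('write')."""
    if not user or FORBIDDEN_IN_USERNAME & set(user):
        return False                         # e.g. "al/ice" would escape its prefix
    return any(filter_covers(p.replace("%u", user), topic) for p in ACL.get(op, []))


if __name__ == "__main__":
    for op, topic in [("read", "sunbird/users/alice/inbox"),
                      ("read", "sunbird/users/bob/inbox"),
                      ("read", "sunbird/users/#")]:
        print(f"alice {op:5} {topic:30} -> {is_allowed('alice', op, topic)}")
```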
In its press release, Sunbird also alluded to Beeper, which stopped supporting its iMessage client, known as Beeper Mini, after Apple repeatedly moved to block it. The company claims that Sunbird is a solution to iMessage compatibility issues and does not take steps to gain unauthorized access to Apple’s iMessage servers. Ironically, Sunbird pointed out “security and privacy concerns” with Beeper Mini because that app provided “unauthorized access to iMessage.”
However, it’s up to the end user to decide whether Sunbird is truly trustworthy. Regardless, the company has once again found itself in a controversy. 9to5Google noted that Sunbird claimed to have hired Google engineering director Jared Jordan as a formal consultant. However, Jordan’s LinkedIn page shows that he left Google several months ago. Sunbird quietly updated its website, changing the wording about Jordan’s past experience, without mentioning or acknowledging the change.
Sunbird said the company’s “strong commitment to user privacy and security” prompted it to pull the app for months. Rather than offering a quick fix, Sunbird opted to completely rebuild its internal architecture.
Still, it remains to be seen whether users will trust Sunbird again. The app still has a long way to go, as it’s starting from scratch in a very limited beta right now.