Sunbird has been making promises of iMessage support on Android for nearly a year, but recent developments have unveiled unsettling privacy issues. The recently launched Nothing Chats, built on the Sunbird platform, has failed to deliver on its end-to-end encryption promises. Contrary to assurances, user data, including images, is easily accessible in plain text.
The concept behind Sunbird and Nothing Chats involves providing iMessage support for Android users by having them log in to their Apple ID through the app, routing the login through a Mac server farm. Although this method is not unique, Sunbird emphasized maintaining end-to-end encryption throughout the entire process.
However, recent revelations contradict these claims. Twitter user “Wukko” disclosed that Nothing Chats sends all media attachments, including user images, to Sentry, with links visible in plain text. Additionally, all data is sent and stored through Firebase without any encryption.
Independent confirmation by media supports Wukko’s findings. Research by Dylan Roussel revealed that once a user authenticates with insecure JSON Web Tokens (JWT) in transit, they can access Nothing Chat’s Firebase database, exposing messages and files from other users in real-time and plain text. Notably, vCards containing sensitive user information, such as names, phone numbers, and email addresses, are easily accessible.
Sunbird, via Firebase, currently stores over 630,000 media files, including images, videos, PDFs, and audio. While Sunbird doesn’t store user data on its servers, the data is still vulnerable to security breaches.
A blog post highlighted the ease of automating the process to download this information with minimal code. A demonstration revealed an iMessage appearing as “end-to-end encrypted” text in plain text, emphasizing the severity of the vulnerability. A proof of concept was shared on Github to illustrate the exploit.
This privacy nightmare came to light on November 17, prompting immediate notification to Nothing, despite the lack of a dedicated point of contact for security issues. In response, it appears that Nothing and Sunbird may have blocked app downloads on the Play Store, signaling a potential awareness of the issue.
The accessibility of image files is just the tip of the iceberg. The broader concern is the apparent lack of due diligence by Nothing in uncovering this vulnerability during the partnership’s development. The question arises: if this flaw was discovered within 24 hours by multiple users, what other potential security issues remain undiscovered? Users are strongly advised against downloading Nothing Chats or Sunbird in light of these revelations.