What you need to know
- Sunbird, the messaging app that aimed to bring iMessage to Android users, announced Friday that it is relaunching in beta.
- The original app was quickly shut down after users exposed critical security and privacy flaws that left users’ messages vulnerable to interception.
- The company added a page to its website detailing what went wrong the first time and what has changed since then.
Sunbird, the messaging app that infamously partnered with Nothing to bring iMessage to Android before it was quickly shut down, is now back. The company announced on Friday, April 5, that it will relaunch the beta version of its app after making changes to its backend infrastructure. Sunbird says more than 165,000 users have registered for the app’s waiting list and that invitations will be available in small phases.
Sunbird first brought iMessage to Android through its own app and the Nothing Chats app. Nothing, the Android phone maker behind the Nothing Phone 2 and Phone 2a, wanted to make all its devices compatible with iMessage via Nothing Chats. However, users quickly discovered that messages and internal processes were unencrypted, leaving users’ messages and shared files available to anyone who could access them.
On its website, Sunbird explained the technical changes to its iMessage architecture, intended to increase security and address privacy concerns of the original app. If you’re curious or skeptical, here they are:
- Unencrypted messages are never stored anywhere on disk or in the database. When messages are decrypted to be forwarded over the iMessage and RCS/Google Messages network, they only exist in that state in memory for a limited period of time. In the front-end application, messages are only stored in an encrypted state within the in-app database.
- Static files transmitted through the Service are stored in secure cloud storage bins that are encrypted in transit and at rest. They are protected by permitted URLs that prevent unauthorized access and are completely deleted from the Sunbird system no later than 48 hours after being sent or received.
- All communication from the Sunbird application to the Sunbird API is secured at the transport layer, either via HTTPS or the MQTTS protocol.
- The MQTTS broker is secured through strict access control lists to ensure that users can only access broker topics specifically assigned to them and not others.
- Furthermore, the payload content itself is encrypted at the application layer using AES encryption with an encryption key that is fully managed by the client and stored only in memory on the Sunbird side. Messages pass through the Sunbird system in an encrypted state and are decrypted (in memory) only when the messages are transferred to the original messaging platform.
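The broker ACL claim in the list above comes down to a containment check on topic filters, sketched here as an added example that is not Sunbird's code. The `users/<user_id>/...` topic layout and all function names are assumptions; the point is that a subscribe filter containing `+` or `#` must be rejected unless it stays inside the caller's own subtree.

```python
import re

# Assumption for this sketch: each user's traffic lives under users/<user_id>/...
# The id pattern excludes '/', '+', '#' so an id can never widen the ACL filter.
USER_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

def valid_filter(f: str) -> bool:
    """MQTT rules: '+' and '#' occupy a whole level, '#' only as the last level."""
    if not f or "\x00" in f:
        return False
    levels = f.split("/")
    for i, lv in enumerate(levels):
        if lv == "#" and i != len(levels) - 1:
            return False
        if lv not in ("+", "#") and ("+" in lv or "#" in lv):
            return False
    return True

def covered_by(allowed: str, requested: str) -> bool:
    """True if every topic the requested filter can match is matched by allowed."""
    a, r = allowed.split("/"), requested.split("/")
    for i, seg in enumerate(a):
        if seg == "#":
            return True            # allowed covers this level and everything below
        if i >= len(r) or r[i] == "#":
            return False           # requested is shorter or broader than allowed
        if seg != "+" and r[i] != seg:
            return False           # literal mismatch, including requested '+'
    return len(r) == len(a)

def authorize(user_id: str, requested: str) -> bool:
    """Allow a publish topic or subscribe filter only inside the caller's subtree."""
    if not USER_ID.fullmatch(user_id) or not valid_filter(requested):
        return False
    return covered_by(f"users/{user_id}/#", requested)

# Constructed requests from a client authenticated as "alice"
SAMPLES = ["users/alice/inbox", "users/alice/#", "users/bob/inbox",
           "users/+/inbox", "#", "users/alice#"]

if __name__ == "__main__":
    for topic in SAMPLES:
        print(f"{topic:20} -> {'allow' if authorize('alice', topic) else 'deny'}")
```
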
In its press release, Sunbird also indirectly mentions Beeper, which ended support for its iMessage client, called Beeper Mini, after repeated moves by Apple to shut it down. The company claims that Sunbird is a solution to the iMessage compatibility problem that does not take steps to provide unauthorized access to Apple’s iMessage servers. Ironically, Sunbird highlights “security and privacy concerns” with Beeper Mini due to “unauthorized app access to iMessage.”
However, it is up to end users to decide whether Sunbird is truly trustworthy. For what it’s worth, the company is already caught in the middle of a disagreement again. 9to5Google noted that Sunbird claimed to have brought in Jared Jordan, Google’s director of engineering, as a formal advisor. However, Jordan’s LinkedIn page reveals that he left the company a few months ago. Sunbird quietly updated its website to change the text about Jordan’s past experience, without mentioning or acknowledging the change.
Sunbird says it pulled the app for months because of its “unwavering commitment to the privacy and security of our users.” Instead of delivering a quick fix, Sunbird decided to completely revamp its internal architecture.
However, it remains to be seen whether users will trust Sunbird again. The app still has a long way to go as it is now starting from scratch in a very limited beta version.