The disgraced iMessage-on-Android app can’t take the hint, it’s back for more

Sunbird iMessage on Android example

C. Scott Brown / Android Authority

TL;DR

  • Sunbird, the iMessage for Android app, is back.
  • Invitations are being released in “small stages” starting today.
  • The company claims to have replaced its old architecture with a new privacy-focused architecture.

Remember the whole Nothing Chats debacle from last year? It was an application built on top of Sunbird’s architecture, which turned out to have numerous security vulnerabilities. Nothing Chats and Sunbird’s own messaging app have not been removed from the Google Play Store. Well, Sunbird is back, hoping users will forget the past and give it a second chance.

Through a press release, Sunbird announced that it plans to relaunch its beta iMessage for Android app. The company says it’s sending invitations to those on the waiting list in small phases starting today.

Sunbird launched in 2022, promising to bring iMessage compatibility to Android. It claimed to provide end-to-end encryption and iMessage features and not collect user data. However, it was quickly discovered that the software was terribly insecure and not as private as advertised. The company subsequently announced that it would temporarily shut down the service while it investigates the security issues that were raised.

In a blog post, also published today, Sunbird acknowledges the security flaws that got it called out. However, it claims some of the allegations were false and denies ever using “BlueBubblesApp” as part of its infrastructure.

The company adds that it has replaced its old architecture (AV1) “which used Firestore to temporarily store messages” with the new architecture (AV2). This new architecture integrates RCS and is said to have “user privacy as a central principle.”

Sunbird further states that with the AV2:

  • Unencrypted messages are never stored anywhere on disk or in the database. When messages are decrypted to be forwarded over the iMessage and RCS/Google Messages network, they only exist in that state in memory for a limited period of time. In the front-end application, messages are only stored in an encrypted state within the in-app database.
  • Static files transmitted through the Service are stored in secure cloud storage bins that are encrypted in transit and at rest. They are protected by permitted URLs that prevent unauthorized access and are completely deleted from the Sunbird system no later than 48 hours after being sent or received.
  • All communication from the Sunbird application to the Sunbird API is secured at the transport layer, either via HTTPS or the MQTTS protocol.
  • The MQTTS broker is secured through strict access control lists to ensure that users can only access broker topics specifically assigned to them and not others.
  • Furthermore, the payload content itself is encrypted at the application layer using AES encryption with an encryption key that is fully managed by the client and stored only in memory on the Sunbird side. Messages pass through the Sunbird system in an encrypted state and are decrypted (in memory) only when the messages are transferred to the original messaging platform.
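As an added illustration of what the “strict access control lists” on the MQTTS broker have to enforce, here is a small Python model of per-user topic authorization. It is not Sunbird’s code, and the topic layout `users/<user_id>/...` is an assumption made for the example. The point it makes is that the subscribe path must check that a requested filter is fully covered by the user’s grant; checking only whether a filter “matches” would let a wildcard subscription such as `users/+/inbox` or `#` read other users’ message topics.

```python
"""Per-user MQTT topic ACL model (added example, not Sunbird's code).

Assumed (hypothetical) topic layout: users/<user_id>/...  Each user may only
publish to and subscribe from their own subtree.
"""
from typing import Dict, List, Tuple


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' matches one level, '#' the remainder.

    Filters starting with a wildcard never match '$'-prefixed system topics.
    """
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covered(allowed: str, requested: str) -> bool:
    """True if every topic the requested filter could match is also matched
    by the allowed filter (i.e. the subscription does not widen the grant)."""
    a = allowed.split("/")
    r = requested.split("/")
    for i, al in enumerate(a):
        if al == "#":
            return True  # allowed subtree covers whatever follows
        if i >= len(r):
            return False
        if r[i] == "#":
            return False  # requested is wider than the allowed filter
        if al == "+":
            continue  # any single level (literal or '+') is fine here
        if r[i] != al:
            return False  # literal mismatch, or '+' where a literal is required
    return len(a) == len(r)


class Acl:
    """Maps user_id -> list of topic filters that user is granted."""

    def __init__(self, rules: Dict[str, List[str]]):
        self.rules = rules

    def check(self, user_id: str, action: str, target: str) -> bool:
        grants = self.rules.get(user_id, [])
        if action == "publish":
            # Publish targets are concrete topics: plain matching is enough.
            return any(topic_matches(g, target) for g in grants)
        if action == "subscribe":
            # Subscribe targets are filters: require full coverage by a grant.
            return any(filter_covered(g, target) for g in grants)
        return False


def per_user_acl(user_ids: List[str]) -> Acl:
    """Build the assumed per-user grant: each user owns users/<id>/# only."""
    return Acl({u: [f"users/{u}/#"] for u in user_ids})


def audit(acl: Acl, attempts: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the attempts the ACL denies; useful as a regression check."""
    return [a for a in attempts if not acl.check(*a)]


# Constructed sample requests (user, action, target), not real traffic.
SAMPLE_ATTEMPTS = [
    ("alice", "publish", "users/alice/outbox"),
    ("alice", "subscribe", "users/alice/inbox"),
    ("alice", "publish", "users/bob/inbox"),       # cross-user write
    ("alice", "subscribe", "users/+/inbox"),       # wildcard across users
    ("alice", "subscribe", "#"),                   # everything
    ("mallory", "subscribe", "users/alice/#"),     # unknown user
]

if __name__ == "__main__":
    acl = per_user_acl(["alice", "bob"])
    for req in SAMPLE_ATTEMPTS:
        print(("ALLOW" if acl.check(*req) else "DENY "), *req)
```

In a real deployment the same two distinctions apply to the broker’s own ACL syntax (for example Mosquitto’s `topic read`/`topic write` rules with `%u` substitution): a publish ACL is checked against a concrete topic, while a subscribe ACL must reject any filter that is broader than the grant, not merely one that fails to match.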

Something strange that stands out here is that towards the end of the blog the company mentions that it has brought on Jared Jordan as an official consultant. It says that Jordan is “currently the director of engineering within the Gmail team at Google.” However, Jordan’s LinkedIn page says he left Google in March and currently works at Capital One.

It’s good to see that Sunbird has seemingly taken measures to improve privacy and security. But it’s still probably safe to say that you shouldn’t trust any iMessage app for Android.
