A new feature to Nothing’s messaging app brings iMessages to Nothing phones. It uses a technique we’ve seen quite a few companies attempt, but a functional one that Apple can’t easily prevent. Basically, you sign in to the Nothing Chat app with your Apple iCloud account, which passes your credentials to Sunbird, a company that makes a unified messaging service. There, a Mac Mini receives the message, then forwards it to your Nothing phone. Not all the features are there, like reactions, and group messages are imperfect, but it’s iMessage on Android.
If you’re even slightly security-conscious, you likely have noticed a problem here.
iMessage is end-to-end encrypted. However, if you send an iMessage through this service, it very likely is not. While they’re not clear on specifics, the message is almost certainly decrypted on a server you have no control over, then re-encrypted and forwarded. Doing iMessage this way completely breaks the security and privacy features of iMessage. Not only that, it’ll break the security of your entire iCloud account.
This is a problem of Apple’s own making. Unless they make an Android version of their iMessage app, you’ll never be sure if your iMessages are actually secure. If some users of iMessage have their security compromised, the entire service itself is compromised. You can’t trust iMessage if you can never verify your messages aren’t being intercepted. If Apple doesn’t make iMessage for Android, they’ll allow a security flaw to undermine everything they’ve built into iMessage.
But maybe they just don’t care?
In This Article:
A Security Nightmare
A “man-in-the-middle” (MITM) attack is a type of hack where an attacker finds a way to intercept data on its path from one device to another. There are many ways to do this, from a fraudulent VPN service, to fake Wi-Fi networks, and more. The goal is to add a step between the victim’s device and wherever the data was supposed to go, then log it, before sending the data on its way. If done right, and if the victim doesn’t suspect anything, it can go completely unnoticed.
So what happens when a user intentionally puts a man in the middle?
Decrypted in Transit
There are two ways a messaging service like this could work, given that they need access to your iCloud account. The first is, somehow, the best solution. If they’re taking the encrypted iMessage, not touching it, and wrapping it and the key to decrypt that iMessage in an encrypted packet to your device which can first decrypt Sunbird’s encryption, then Apple’s using the enclosed key, it would at least be encrypted during transit the entire way. This is unlikely because it would entail unwrapping the iMessage protocol and key storage at Sunbird, something that would amount to reverse-engineering iMessage. This method also means they’d be able to decrypt any iMessage if they wanted to. Anything you send would only be secure if Sunbird feels like it. That also leads to another problem: they can, so they will. If Sunbird can decrypt your messages to read or log them, they will. It’ll either be at the request of a legal entity, the result of a hack, a bug or mistake with logging, or a malicious employee. If there’s a backdoor, it will be exploited.
The second way is worse. It’s that Sunbird is decrypting iMessages using your login information, then wrapping them in their own encryption, and sending them to the Android device. This would mean they do store, whether temporarily or only in memory, your decrypted message to pass along to the next step. The message would be unencrypted at some point, completely breaking end-to-end encryption, from one iPhone to one Android device.
If anyone has the capability to read messages along the line, regardless of the privacy policy, they will do it. The only reason end-to-end encryption works is that the messages cannot be decrypted. However, thanks to you handing over your iCloud account login info, these could be decrypted. It seems like a user-initiated MITM attack. You have their word that they won’t read or store anything… but that falls apart if law enforcement for any nation tells them they need to log those messages.
If they only security you have is a company’s word, you do not have security.
iCloud Logins Shared
Let’s say you were an iPhone user at some point. Maybe you’re going from an iPhone to a Nothing Phone 2 and you want to be able to keep your iMessage access. So, you sign up for Sunbird through Nothing Chat. You just passed your iCloud account login to a third party. They say it’s just for messaging, but they could access your emails, your iCloud storage, your photos, contacts, your Apple Card, passwords, everything that your iCloud is securely storing.
Now, let’s say Sunbird is the world’s most trustworthy company—by a wide margin—and they really don’t want to scrape any of that data. The fact is, they can. That will make them a target of law enforcement, of course, but also every other hacker. They created a way to get tons of iCloud accounts cracked if you just get past their security. Sunbird says they want to connect millions of people. Millions of iCloud accounts, credit cards, payment information, and more. That’s one hell of a data trove for any hacker or nefarious government. So if you trust Sunbird, do you trust everyone else?
No Third Party Audits, Open-Sourced Code, or Certifications… Shady?
Okay, but should you trust Sunbird? Because they’re throwing up enough red flags that I feel like sliding into their DMs (I have unhealthy dating habits). Sunbird does not say exactly how their solution works, they are not open-sourced, and they do not have any certifications. It’s a black box. We have a pretty good idea that they’re likely decrypting messages and sending them along, but we don’t know for sure anything about their technology.
Many secure messaging apps open source their protocols and describe how they keep you secure. This is so anyone can audit them by going through the code. They’ll also receive certifications. Sunbird says they’re trying to get ISO 27001/27701 certification, but they don’t have it yet. They say they’ll have it sometime after release. Not before. Not now when you can sign up for their service and give them all of your iCloud information, but sometime.
🚩 🚩 🚩
I’m just saying, the most toxic girl I dated also insisted that she have my laptop password.
Sunbird is a free app with no revenue model… yet. I mean, they are collecting a large number of email addresses for a waiting list, and I suppose they could sell those to data miners, but otherwise, they haven’t disclosed any way of making money. They’ve also insisted that they want the app to remain free to connect “millions of users” before they’d introduce a pricing model.
They won’t tell you how they’re sending messages or how they’re keeping them secure. They don’t have certifications yet. Sunbird can’t tell you how they plan to fiscally support all the Mac Minis they use to intercept iMessages and send them your way. Pay no attention to the chat app behind the curtain!
Meanwhile, they say they don’t store messages, but they must be. Unless they’re not decrypting the iMessage at all, they must be storing it, albeit temporarily, before sending it along. Of course, we don’t know what they’re doing, because they’re really shy about what their actual methods are. Just trust them though, okay?
Beeper, a similar app, will at least let you use your own Mac as the bridge between messages, allowing you complete control over your security. Sunbird does not. Instead, it essentially adds additional terms of service and privacy policies that iOS user in the messaging chain will never have read or agreed to, because they’ll never know they’re not talking directly to their friend, but instead a server in between them.
Now Nothing’s adding Sunbird’s features to the chat app on their Phone 2.
Nothing’s a Problem
Now, if this was just a few users here and there, it’s not really a large problem for Apple. Yes, it’s a way to get intercept iMessages. Sure. But it’s not a widespread problem yet, right? Then comes Nothing. They’re adding this capability to every single Nothing Phone 2. Nothing might be a bit of a niche brand, but it doesn’t mean they can’t be a trendsetter. They have some of the most unique devices on the market, and helped bring back the clear trend in electronics. Nothing can shape the industry, and they just showed other smartphone manufacturers how to undermine Apple’s stranglehold on teenagers and group chats.
Other smartphone manufacturers will likely follow suit with their own deals, their own technologies, their own iMessage interceptors. In doing so, they may not all have the same privacy standards of Sunbird. Maybe they will unapologetically scrape the data for data mining purposes. Maybe Sunbird isn’t as secure as it claims to begin with? Maybe it could be far worse. If people start moving to a Nothing Phone 2 to get Apple’s iMessage, it’ll certainly become an industry-wide trend, and their solutions might be worse.
Apple’s the Solution
So many Android users, especially outside of the United States, will just say “Why not just use WhatsApp?” Oh, Meta’s WhatsApp? The WhatsApp that has in its privacy policy the fact that they’ll collect identifying information on their users, potentially including location? That WhatsApp? The WhatsApp owned by one of the biggest privacy violators on the internet, Meta (Facebook)? That WhatsApp?
Yeah, pass.
The real third party solution is still Signal. Signal is end-to-end encrypted and takes extra measures to ensure you always know who you’re talking to and you’re who you claim to be. It’s the most secure widespread messaging platform on the planet. It’s what you should be using, regardless of the platform you’re on.
But, getting everyone over to Signal is tough. And it’s really not a solution Apple will want either.
Instead, Apple has to make an iMessage app for Android. It’s the only way for iMessage to be secure. It would instantly become the most popular Android app. Hell, I’d say Apple could even charge Android users $9.99 as a one-time fee to download iMessage, and they’d still jump at the opportunity. No more ruining group chats? Count everyone in!
Of course, it does mean fewer people will buy iPhones just to be in with the cool kids. They’ll just use iMessage on Android. Just like you can use Apple Music on Android. It’ll work great. We’ll just have to convince Apple to get rid of their most popular exclusive feature.
Okay, it’s not likely to happen without legal intervention.
However, if iMessage security is compromised, Apple may have little choice. If a large number of people are routing messages through third party servers, Apple will have to take action to protect users. The best course of action to protect security of their messaging protocol is to release an Android client. We just have to convince Apple that security is more important than profits.
I know, we’re doomed.
Sources:
- Ron Amadeo, Ars Technica
- Beeper
- Igor Bonifacic, Engadget
- Marques Brownlee, MKBHD — YouTube
- Jason Cross, Macworld
- Wes Davis, The Verge
- Oscar Gonzalez, Gizmodo
- Michael Kan, PCMag
- Ryan McNeal, Android Authority
- Michael Simon, Macworld
- Sunbird, [2]
- Chris Velazco, Washington Post