As it turns out, Nothing Chat’s partnership with Sunbird isn’t exactly what they claimed. Within a day of the feature being announced, researchers found severe issues with how Sunbird was handling user data, messages, and encryption. They found user data stored unencrypted, including photos, videos, and plaintext text messages.
Nothing brought iMessage to Android. They’ve already abandoned it because they realized what a bad idea it was. With RCS coming to iMessage, maybe that’s okay? But if you took Nothing up on their offer, you’ll have to take some big steps to try to get some of your privacy back.
Sunbird’s Privacy Issues
When I first heard the rather scant details about how Sunbird worked, I thought the worst of their issues might be that they were storing Apple ID credentials and decrypting iMessages in transit. It was effectively a man-in-the-middle attack people signed up for themselves. But Sunbird at least claimed they weren’t storing messages or files, right?
Well, turns out that may have been an outright lie.
Not only is Sunbird decrypting messages, they’re also using some unsafe practices for communicating between their services. On top of that, they absolutely are storing your information. This includes contact information from the vCards they require you to send to every iPhone user in order to use iMessage, as well as all files sent between devices. Photos, videos, the messages themselves, contact information, all sent and stored unencrypted. It’s an absolute worst-case scenario.
Sunbird is sending JSON Web Tokens (JWT) without encryption over plain HTTP. These aren’t just login tokens: a JWT is signed but not encrypted, so the payload it carries is readable by anyone who can observe the request, and Sunbird’s payloads contain unencrypted user information. The information is sent between Firebase, used for storage and app performance metrics, and Sentry, a service for logging errors and issues. Sunbird is logging all messages through Sentry. The service is supposed to be for error tracking; instead, Sunbird is misusing it to store messages. On top of that, there are reportedly over 630,000 publicly available files stored in Firebase that people have already sent each other using Sunbird’s service. This could include files sent from iPhone users to Android users who couldn’t consent to having their data stored like this. In other words, it was literally a man-in-the-middle attack. Employees at Sunbird have access to every one of these messages and files, unencrypted.
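To make the point about JWTs concrete, here is an added example (my own code, not Sunbird’s or Nothing’s) that builds an HS256-signed JWT from constructed demo claims, then shows that the claims can be read back by anyone holding the token, without knowing the signing secret. The signature only proves the token wasn’t tampered with; it does nothing to hide the payload. The secret, the claim names, and the vCard and message text are all made up for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values for this example; not Sunbird's real secret or data.
DEMO_SECRET = b"demo-signing-secret"
DEMO_CLAIMS = {
    "sub": "user-123",
    "contact_vcard": "BEGIN:VCARD\nFN:Alice Example\nTEL:+15555550100\nEND:VCARD",
    "last_message": "see you at 8",
}


def _b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a standard three-part JWT: header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def read_claims_without_key(token: str) -> dict:
    """Decode the payload with no secret at all.

    This is exactly what an observer on an unencrypted HTTP link can do:
    the payload is only base64url-encoded JSON, not ciphertext.
    """
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Check integrity: recompute the HMAC over header.payload and compare."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # reject anything but the algorithm we expect
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def sensitive_claims(claims: dict, sensitive_keys=("contact_vcard", "last_message")) -> list:
    """List claim names that should never ride in a token sent over the network."""
    return [key for key in sensitive_keys if key in claims]


if __name__ == "__main__":
    token = make_hs256_jwt(DEMO_CLAIMS, DEMO_SECRET)
    leaked = read_claims_without_key(token)
    print("Claims readable with no secret:", leaked)
    print("Signature valid with the right secret:", verify_hs256(token, DEMO_SECRET))
    print("Signature valid with the wrong secret:", verify_hs256(token, b"wrong"))
    print("Claims that do not belong in a token:", sensitive_claims(leaked))
```

The takeaway for anyone building on JWTs: treat the payload as public, keep user content and contact data out of it entirely, and only ever send tokens over TLS. Confidentiality would require an encrypted JWT (JWE) or, better, not putting the data in the token at all.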
This is so much worse than I could have imagined. This is almost maliciously bad. You would have had to work hard to make something worse than this.
Sunbird hasn’t denied claims that they’re storing files and messages between Firebase and Sentry. They did claim that their backend does not use the unencrypted “BlueBubbles” service, saying they named their servers that before the other company started using the name and that it’s a coincidence. They do admit to sending tokens over HTTP, though.
Sunbird is clearly going against their own claims. They’re storing messages, they’re not protecting encryption, and they also have full access to your Apple ID. They also, oddly enough, don’t have a monetization strategy yet. Interesting!
If you used their service, either directly through Sunbird or through Nothing’s chat app, you should be concerned.
Nothing Backs Out
Nothing Chat apparently didn’t work very well. Users reported headaches getting the phone to associate with their number, promised features that didn’t work, user interface issues, and even RCS setup issues. That’s the part that should have been easy! However, it was in an early state. Users expected a few bugs. They didn’t expect privacy issues like this.
“We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.”
– Nothing spokesperson
Nothing hasn’t mentioned the security issues, which are so bad they’re actually easier to attribute to malice than to incompetence. These security flaws would take some effort to enact. I’ve used Sentry before; it would be incredibly difficult not to know this was happening. Worst of all, users were able to simply track the data being sent and received by the app to prove that Sunbird’s claims were false. It was incredibly easy to find these security flaws. As far as due diligence is concerned, Nothing did… nothing. A cursory security review at any reputable company would have uncovered these problems early on. The simplest investigation would have found issues. Did Nothing really do nothing to protect their users?
Nothing was a fun little brand trying something new with their phones. Now it’s hard to see them as anything but the kind of company that lets gaping security flaws through their apps just to make headlines for a few days. Nothing pulled their chat app from Google Play, but nothing is going to fix their image.
How to Protect Your Account If You Bought the Hype
Nothing is a hype company. It seems that’s all they’ll ever be. They even got Marques Brownlee, MKBHD, in on the announcement. Now I suppose his credibility could come into question. None of Sunbird’s or Nothing’s claims were all that reassuring; I certainly wouldn’t have helped them build hype. But maybe everyone just got wrapped up in the frenzy. iMessage on Android is exciting, right? It happens all the time with sneakers, new ice cream shops, pop-up shops selling some weird food, you get it. People will line up for anything for the hype. You can be forgiven for falling for Nothing’s privacy-violating marketing gimmick. Nothing, on the other hand, should have known better.
To protect your Apple ID from any further misuse, you’re going to want to log out of your account on Sunbird’s machines, as well as any others you don’t recognize, change your password, and turn on two-factor authentication.
Obviously, the first step is to delete the Nothing Chat app or the Sunbird app, if you’ve been using it.
Next, you’ll want to revoke their access to your account. Do this by logging in to your Apple ID at appleid.apple.com.
- On the sidebar, click “Devices.”
- Select the devices that aren’t yours.
- Click the “Remove from account” button.
Now we’re going to manage your password and two-factor authentication.
- Click “Sign-In and Security” on the left sidebar.
- Click “Password.”
- Add a new password. Make it a nice strong one.
- Then click the “Account Security” button.
- Add at least your phone number if you don’t have any Apple devices you can use as a trusted device for authentication.
Finally, rethink who you give access to your accounts. If they’re a shady company with no explanation of how they’re protecting your messages and they tell you to just trust them, maybe you shouldn’t trust them. That also goes for any phone company CEOs thinking of partnering with such a company. Try doing some research next time.
iMessage Safe Once Again
With that, iMessage is safe for another day. People certainly won’t want to risk their security and privacy by using apps like this in the future, even if they are well-established and private. Other phone manufacturers will likely think twice before partnering with a service that promises both privacy and iMessage on Android. Plus, now that Apple has pledged to support RCS messaging next year, the demand for iMessage on Android will drop slightly.
Nothing is a small brand that relies on hype and good press; that’s really all they have right now. A decision this bad could hurt Nothing’s brand for some time. As for those 630,000+ files and chats that hackers could get their hands on? Maybe Sunbird will delete them before any other hackers gain access. Maybe they’ll actually do what they said they were doing all along? Hopefully none of that is your info. But if you have a friend on Android who sent you an iMessage in the past year, maybe rethink messaging that person for a while.
Sources:
- C. Scott Brown, Android Authority
- Wes Davis, The Verge
- Rida F’kih, Batuhan İçöz, and 1Conan, Texts.com
- Sheyenne MacDonald, Engadget
- Andrew Myrick, Android Central
- Ben Schoon, 9to5Google