Last week we saw Nothing, the Android phone maker founded by Carl Pei of OnePlus fame, announce that it was bringing iMessage support to its latest phone via a collaboration with Sunbird. At the time Sunbird might have gone under the radar a little bit, but it was already offering an invitation-only service for all Android phones that allowed them to send and receive iMessages.
That all seemed like a very bad idea, not least because the prospect of handing over the keys to your Apple ID felt like the kind of thing that people probably shouldn't be doing. There was little reason to suspect that Nothing was up to no good, and the same likely went for Sunbird — although that was less clear last week — but I did wonder how secure the whole system was.
Now, it turns out that the system wasn't that secure after all. In fact, it was very insecure across the board and things are so bad that Sunbird has now taken the decision to take its service offline. For how long, nobody knows. But it doesn't look great for the company or its collaboration with Nothing. In fact, things don't look great for the phone maker, either. After a self-congratulatory mock interview with a member of the press was shared on YouTube, Nothing's Carl Pei is left with egg on his face. Maybe someone should have looked into Sunbird a bit more before we got this far.
'We have decided to pause Sunbird usage'
Things started to go awry last week when it became clear that perhaps Sunbird's security systems weren't all they were cracked up to be. Not only were messages not protected by end-to-end encryption as was promised, but 9to5Google was able to find more than 630,000 files that had been sent via Nothing Chats — the app powered by Sunbird.
Those files were accessible via a vulnerability which was compounded by the fact that all of the data was stored on servers controlled by Sunbird which was something we'd been told wasn't the case.
Nothing later decided to block downloads of Nothing Chats with a notification sent to users to tell them that the availability of the app had been "paused." That was followed by messages being sent to users of the standalone Sunbird app saying much the same.
"Good afternoon everyone," the notification began. "We are investigating the security issues raised in the last 24 hours. In an abundance of caution and to protect your confidential data, we are shutting down Sunbird media temporarily. We will keep you posted." The message ended by thanking users and offering "sincere apologies for the inconvenience."
So what happens next?
The next steps are very much up to Sunbird right now. Nothing can't do all that much because it needs Sunbird to run the whole system on the back end, so the fate of Nothing Chats is up in the air. Even if all of the security issues that were found last week are fixed, I'm still not comfortable with handing access to my Apple ID to anyone, let alone a company accused of fundamental security flaws and lying about encryption that doesn't seem to be there.
Will Nothing Chats ever be available again and will Sunbird survive this storm? Time will tell, but it might not matter in the long term. With Apple announcing RCS support for next year, the need to bring iMessage support to Android via hacks like Sunbird will go away soon enough anyway. And that might ultimately be the biggest problem for the company to deal with.