Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Astoundingly unsafe iMessage bridge Sunbird is back, and you still shouldn't use it

Sunbird powering an iMessage clone on Android.

Last updated

Sunbird, the service that claimed to bring iMessage to Android, is back in beta as the firm vows it has fixed its legion of security issues.

Sunbird was briefly popularized by the Nothing company, which announced that its Android phone would support iMessage via this third-party bridge. That announcement was followed in hours by security experts being suspicious of Sunbird.

It was then followed in days by Nothing removing its app, after a series of back-and-forths with Apple killing it, and Nothing working around the block.

Now the developer of Sunbird has announced that its service is back in beta form. Sunbird Messaging has also released what on the surface is an admirably comprehensive list of its previous security issues and why they occurred.

However, the copious list is presented alongside proclamations about the company's "core values [and] unwavering commitment to the privacy and security of our users." The discovery of the problems "was a stark reminder of our responsibilities," and the company is dedicated "to offering a robust, secure, and unified messaging experience that bridges the gap between Android and iOS users."

It just took people outside of the company to notice the astounding plethora of security issues, starting with how apparently no one at Sunbird thought to use end to end encryption. It's been claimed that if a user sent and received messages through Nothing's app powered by Sunbird, then everything sent through it was publicly viewable.

Sunbird makes that sound like a mistake any company could make, even any company that is producing software whose function is to relay the private messages of individuals. It says that part of the problem was that its service used "temporary storage of received messages in a Firebase real-time data store," and explains this means they could be open to attack, but at the same time downplaying that.

"It is important to note that while messages were temporarily stored in the Firebase database, they were deleted either upon download from the front end app, or automatically after 24 hours," it says. "Further, at no time was any unauthorized user ever able to access or read any messages sent or received through Sunbird by another user."

So the company claims says there was a problem with storage, then claims it wasn't a problem, and anyway it has now fixed it.

The company makes a similarly carefully-worded point about how it was possible for an unauthorized user to receive and send messages using someone else's account details. Sunbird broadly says that this was not an issue because that rogue user could only do this to the one user they'd got the credentials for, and there are all these other users who were fine.

Even so, this vulnerability has been fixed, says Sunbird, and we can all move on now, please.

Except what has not changed, what will never change, and what is entirely ignored in Sunbird's announcements, is that it still requires a valid iCloud username and password.

So users are required to provide their Apple ID to this company. It's never a wise move to give a third-party company your Apple ID details, and Sunbird has proven itself to be remarkably unsafe before.

The firm does want users to know that all of these amateurish security failings are behind it, though, and that it has taken personnel as well as technical steps to make sure its service is now safe.

What Sunbird claims has been fixed

First, the predominantly same team who entirely missed that their service was wildly insecure, have undertaken "an exhaustive evaluation." Now they've released a new beta version that fixes all the problems that they finally spotted.

The team is now being overseen by security expert Bobby Gill, and it is using an independent security consultancy called CIPHER.

Sunbird says it has also hired ex-Google executive Jared Jordan, specifically as it aims to scale up its messaging app service.

Sunbird chiefly puts the blame for its security issues on its previous reliance on legacy software. It does not explain or justify that previous use.

It seemingly doesn't believe its development team was at any fault for either using that software, or for failing to spot any of the security concerns.

The company does now say that it has moved from what it called AV1 architecture, the legacy software, and on to an RCS implementation that it calls AV2. Sunbird says that in testing, CIPHER consultants have since proven unable to recreate the previous vulnerabilities.

Android users are invited to join the new Sunbird waitlist. We don't suggest it, though.



8 Comments

9secondkox2 8 Years · 3153 comments

Trusting my communications to a known security risk that is now supposedly fortified by bubble gum and duct tape? Yeah… no. 

I wish there was some kind of warning to know when an android user is communicating with us using this hack. That way we can be more guarded in communications or even refuse to dialog in that format. 

charlesn 11 Years · 1209 comments

Please... can someone walk me through this, because there must be SOMETHING that I'm missing in this insanity. Android users are willing to put their security at genuine risk for the sake of blue bubbles when messaging so they can pretend they have an iPhone?! This is really a THING?! Look: I've always been an iPhone guy, but if you prefer Android, have at it! Makes no difference to me. I don't think less of you because your message bubbles are green. But if you think green bubbles are a problem, that's a YOU problem. And it's pathetic.

Anilu_777 8 Years · 579 comments

Did Sunbird not get the memo about RCS? Why are they still at it? That’s a question that needs answering, actually. 

rexsceleratorum New User · 3 comments

"It is important to note that while messages were temporarily stored in the Firebase database, they were deleted either upon download from the front end app, or automatically after 24 hours," it says. "Further, at no time was any unauthorized user ever able to access or read any messages sent or received through Sunbird by another user."

[...]

Except what has not changed, what will never change, and what is entirely ignored in Sunbird's announcements, is that it still requires a valid iCloud username and password.

A user can create a throwaway Apple ID to use Sunbird, so having to provide credentials is not necessarily a real risk. This is also why this app is not a "hack", it just uses the iMessage protocol with valid credentials. 

The company seems to be admitting that their service previously didn't encrypt end-to-end, ie, the messages were decoded and temporarily stored at a server while waiting for the user to come online, and this presented a potential risk. Not the end of the world. 

charlesn said:
But if you think green bubbles are a problem, that's a YOU problem. And it's pathetic.

Except Apple currently falls back to unencrypted and unsecured SMS to send and receive those green bubbles, and it is not obvious which is less secure, trusting Sunbird with encryption, or trusting unencrypted SMS. 

Apple could've made an app for Android years ago and made chats secure for iPhone users by not sending anything over SMS. But surprise surprise, they don't actually care about users' privacy more than they care about their bottom line by locking in American teenagers who don't want to be outcasts. The latter being a problem which does not exist outside of the US, because everyone uses Whatsapp or similar instead of texting. 

payeco 17 Years · 581 comments

Apple could've made an app for Android years ago and made chats secure for iPhone users by not sending anything over SMS. But surprise surprise, they don't actually care about users' privacy more than they care about their bottom line by locking in American teenagers who don't want to be outcasts. The latter being a problem which does not exist outside of the US, because everyone uses Whatsapp or similar instead of texting. 

I’ll never understand this mindset. Why is it Apple’s responsibility to make messaging better on someone else’s platform? You can dance around it all you want but that is what you’re saying.