Astoundingly unsafe iMessage bridge Sunbird is back, and you still shouldn't use it

By William Gallagher and Mike Wuerthele

Sunbird, the service that claimed to bring iMessage to Android, is back in beta as the firm vows it has fixed its legion of security issues.

Sunbird powering an iMessage clone on Android.

Sunbird was briefly popularized by the Nothing company, which announced that its Android phone would support iMessage via this third-party bridge. Within hours of that announcement, security experts were voicing suspicions about Sunbird.

Within days, Nothing removed its app, after a series of back-and-forths in which Apple blocked the service and Nothing worked around the block.

Now the developer of Sunbird has announced that its service is back in beta form. Sunbird Messaging has also released what on the surface is an admirably comprehensive list of its previous security issues and why they occurred.

However, the copious list is presented alongside proclamations about the company's "core values [and] unwavering commitment to the privacy and security of our users." The discovery of the problems "was a stark reminder of our responsibilities," and the company is dedicated "to offering a robust, secure, and unified messaging experience that bridges the gap between Android and iOS users."

It just took people outside of the company to notice the astounding plethora of security issues, starting with how apparently no one at Sunbird thought to use end-to-end encryption. It's been claimed that if a user sent and received messages through Nothing's app powered by Sunbird, then everything sent through it was publicly viewable.

Sunbird makes that sound like a mistake any company could make, even a company producing software whose entire function is to relay the private messages of individuals. It says that part of the problem was that its service used "temporary storage of received messages in a Firebase real-time data store," and explains that this meant they could be open to attack, while at the same time downplaying that.

"It is important to note that while messages were temporarily stored in the Firebase database, they were deleted either upon download from the front end app, or automatically after 24 hours," it says. "Further, at no time was any unauthorized user ever able to access or read any messages sent or received through Sunbird by another user."

So the company says there was a problem with storage, then claims it wasn't a problem, and in any case says it has now fixed it.

The company makes a similarly carefully-worded point about how it was possible for an unauthorized user to receive and send messages using someone else's account details. Sunbird broadly says that this was not an issue because that rogue user could only do this to the one user they'd got the credentials for, and there are all these other users who were fine.

Even so, this vulnerability has been fixed, says Sunbird, and we can all move on now, please.

Except what has not changed, what will never change, and what is entirely ignored in Sunbird's announcements, is that it still requires a valid iCloud username and password.

So users are required to provide their Apple ID to this company. It's never a wise move to give a third-party company your Apple ID details, and Sunbird has proven itself to be remarkably unsafe before.

The firm does want users to know that all of these amateurish security failings are behind it, though, and that it has taken personnel as well as technical steps to make sure its service is now safe.

What Sunbird claims has been fixed

First, the largely unchanged team that entirely missed that its service was wildly insecure has undertaken "an exhaustive evaluation." Now they've released a new beta version that fixes all the problems they finally spotted.

The team is now being overseen by security expert Bobby Gill, and it is using an independent security consultancy called CIPHER.

Sunbird says it has also hired ex-Google executive Jared Jordan, specifically as it aims to scale up its messaging app service.

Sunbird chiefly puts the blame for its security issues on its previous reliance on legacy software. It does not explain or justify that previous use.

It seemingly doesn't believe its development team was at any fault for either using that software, or for failing to spot any of the security concerns.

The company does now say that it has moved from what it calls its AV1 architecture, the legacy software, to an RCS implementation that it calls AV2. Sunbird says that in testing, CIPHER consultants have since been unable to recreate the previous vulnerabilities.

Android users are invited to join the new Sunbird waitlist. We don't suggest it, though.