Companies that stonewall security questions from the media, it turns out, really are bad at security. On Tuesday, Nothing Chats, a chat app from Android manufacturer "Nothing" and upstart app company Sunbird, brazenly claimed to be able to hack into Apple's iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that has been making empty promises for almost a year and seems to be neglecting security. The app launched on Friday but was immediately cut off from the Internet over several security issues. It didn't last 24 hours: Nothing pulled the app from the Play Store on Saturday morning. The Sunbird app, of which Nothing Chats is just a reskin, has also been put on "pause."
The initial sales pitch for this app, that it would log you into iMessage on Android if you handed over your Apple ID username and password, was a huge security red flag: holding users' Apple credentials meant Sunbird would need ultra-secure infrastructure to avoid disaster. Instead, the app turns out to be about as insecure as an app can get. Here is Nothing's statement:
How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) found shockingly bad security practices. Not only is the app not end-to-end encrypted, as Nothing and Sunbird have repeatedly claimed, but Sunbird actually logs and stores messages in plain text, both in its error-reporting software, Sentry, and in a Firebase store. Authentication tokens are sent over unencrypted HTTP, so anyone on the network path can intercept a token and use it to read your messages.
Text.com's investigation uncovered a host of vulnerabilities. The blog says, "When a message or an attachment is received by a user, they are not encrypted on the server side until the client sends a request to identify, and delete them from the database. This means that an attacker subscribed to Firebase Realtime DB can always access messages before or at the moment they are read by the user." Text.com was able to intercept an authentication token sent over unencrypted HTTP and subscribe to the changes occurring in the database. That meant live updates of "Inward, outward messages, account changes, etc." not only for its own test account but for other users, too.
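The first link in the chain above is a token travelling over plain HTTP. The script below is an added example written for this article, not code from Sunbird, Nothing or Text.com: it parses raw HTTP/1.x requests of the kind you get by following a TCP stream in a packet capture or exporting from an intercepting proxy, and flags any credential-bearing header or query parameter that was sent without TLS. The header and parameter names it looks for, the JWT shape heuristic, and the sample captures (which use `.invalid` hostnames) are all constructed assumptions, not observations about the Sunbird app.

```python
"""Scan captured HTTP requests for credentials sent in cleartext.

Added example for this article; it is not Sunbird's or Text.com's code.
Input is a constructed list of (raw_request, was_tls) pairs, the shape you
get when following a TCP stream in a packet capture or exporting from an
intercepting proxy. The header and query-parameter names below are a
heuristic list (an assumption), not anything taken from the Sunbird app.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Headers that normally carry a bearer credential (assumed heuristic list).
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-auth-token", "x-api-key"}
# Query parameters that commonly carry tokens (assumed heuristic list).
CREDENTIAL_PARAMS = {"token", "access_token", "id_token", "auth", "api_key", "key"}
# Anything shaped like a JWT: three base64url segments, header segment starts "eyJ".
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


@dataclass(frozen=True)
class Finding:
    url: str        # full URL reconstructed from Host header and request target
    location: str   # "header:<name>" or "query:<name>"
    preview: str    # first characters of the secret, so logs don't re-leak it


def parse_request(raw: str, was_tls: bool):
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns (url, headers) with header names lower-cased. The scheme comes
    from whether the capture was TLS, because the request itself does not say.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme = "https" if was_tls else "http"
    return f"{scheme}://{headers.get('host', '')}{target}", headers


def redact(secret: str) -> str:
    """Keep only a short prefix so the report itself is safe to share."""
    return secret[:8] + "..."


def find_cleartext_credentials(captures):
    """Return a Finding for every credential that travelled without TLS.

    TLS captures are skipped: the question is what an on-path observer could read.
    """
    findings = []
    for raw, was_tls in captures:
        if was_tls:
            continue
        url, headers = parse_request(raw, was_tls)
        for name, value in headers.items():
            if name in CREDENTIAL_HEADERS:
                findings.append(Finding(url, f"header:{name}", redact(value)))
        for param, values in parse_qs(urlsplit(url).query).items():
            for value in values:
                if param.lower() in CREDENTIAL_PARAMS or JWT_RE.match(value):
                    findings.append(Finding(url, f"query:{param}", redact(value)))
    return findings


# Constructed sample captures (not real Sunbird traffic); hostnames use .invalid.
SAMPLE_CAPTURES = [
    # 1: bearer token over plain HTTP, the failure mode described in the article
    ("GET /v1/messages HTTP/1.1\r\nHost: api.example.invalid\r\n"
     "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123\r\n\r\n", False),
    # 2: token carried in the query string over plain HTTP
    ("GET /sync?token=eyJhbGciOiJIUzI1NiJ9.e30.def456 HTTP/1.1\r\n"
     "Host: api.example.invalid\r\n\r\n", False),
    # 3: same header, but inside TLS: not visible on the wire, so not reported
    ("GET /v1/messages HTTP/1.1\r\nHost: api.example.invalid\r\n"
     "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.ghi789\r\n\r\n", True),
    # 4: plain HTTP but carrying no credential
    ("GET /health HTTP/1.1\r\nHost: api.example.invalid\r\n\r\n", False),
]


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURES):
        print(f"CLEARTEXT CREDENTIAL {f.location} in {f.url} ({f.preview})")
```

Run against the constructed captures, it reports the two plaintext requests (the `Authorization` header in the first and the `token` parameter in the second) and stays silent on the TLS request and the credential-free health check. A finding here is exactly the condition Text.com exploited: a token that an on-path observer can copy and replay. The capture-side check only tells you the token is exposed; the fix is for the client to refuse anything but HTTPS for the API host, with short-lived tokens so a captured one is worth little.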
Text.com has released a proof-of-concept app that can pull what you believed to be end-to-end encrypted messages from Sunbird's servers. Stone Içöz, a product engineer at Text.com, also released a tool that will remove some of your data from Sunbird's servers. Içöz recommends that any Sunbird/Nothing Chats user change their Apple ID password now, revoke the Sunbird session, and "Assume your data has been compromised."
9to5Google's Dylan Roussel investigated the app and found that, in addition to all text data being public, "All documents (images, videos, audio, pdf, vCards …) sent via Nothing Chat AND Sunbird public." Roussel found that 630,000 media files are currently stored by Sunbird, and he was apparently able to access some of them. Sunbird's app encourages users to exchange vCards (virtual business cards filled with contact data), and Roussel says the personal information of 2,300-plus users is accessible. Roussel called the whole fiasco "probably the biggest 'privacy nightmare' I've seen for a phone manufacturer in years."