Companies that evade the media’s security inquiries often reveal their own vulnerabilities. Last Tuesday, Nothing Chats, a chat app developed by Android manufacturer “Nothing” in collaboration with Sunbird—an emerging app company—boldly asserted its capability to hack into Apple’s iMessage protocol, allowing Android users to have blue message bubbles. Sunbird’s involvement promptly raised concerns, given its history of making unfulfilled promises and displaying a lack of focus on security. Despite these warnings, the app launched on Friday, only to face immediate and severe criticism on the internet for numerous security flaws. It was swiftly removed from the Play Store by Nothing on Saturday morning. The Sunbird app, of which Nothing Chats is merely a reskinned version, has also been placed “on pause.”
The initial proposition of the app, requiring users to provide their Apple username and password for access to iMessage on Android, raised significant security alarms. This suggested that Sunbird needed an exceptionally secure infrastructure to avert potential disasters. However, the reality turned out to be quite the opposite, as the app demonstrated a level of insecurity that was highly problematic. Nothing responded with a statement, but the app’s failure underscored the critical importance of robust security measures in such endeavors.
How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP, so a token could be intercepted and used to read your messages.
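The two failures described above, message text reaching an error reporter in plain text and tokens travelling over plain HTTP, are both preventable on the client. The following is an added example, not code from Sunbird, Nothing or the researchers: a scrubber shaped like an error reporter's pre-send hook, plus a guard that refuses to attach a credential to a non-HTTPS URL. The field names, the token pattern and the sample event are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical field names; the page does not show the app's payload schema.
SENSITIVE_KEYS = {"authorization", "token", "password", "message", "body", "text"}
# Three dot-separated base64url-style segments, the usual shape of a JWT.
JWT_LIKE = re.compile(r"\b[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}\b")
REDACTED = "[redacted]"


def scrub(value, key=""):
    """Return a copy with sensitive keys and token-shaped strings redacted."""
    if key.lower() in SENSITIVE_KEYS:
        return REDACTED
    if isinstance(value, dict):
        return {k: scrub(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return JWT_LIKE.sub(REDACTED, value)
    return value


def before_send(event, hint=None):
    """Pre-send hook: the reporter uploads whatever this function returns."""
    return scrub(event)


def require_https(url):
    """Raise instead of sending a credential over anything but https://."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"refusing to send token over {parts.scheme or 'no'} scheme")
    return url


# Constructed sample event, not captured from the real app.
SAMPLE_EVENT = {
    "level": "error",
    "extra": {
        "chat_id": "c-123",
        "message": "see you at 6",
        "headers": {"Authorization": "Bearer aaaaaaaaaa.bbbbbbbbbb.cccccccccc"},
        "note": "retry failed with aaaaaaaaaa.bbbbbbbbbb.cccccccccc",
    },
}

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT))
```

Scrubbing is a backstop, not a substitute for end-to-end encryption: it only limits what leaks into telemetry when plaintext is already present on the device.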
