What was supposed to be an iMessage lifeline for Android smartphone users has quickly collapsed into a mess of security failures and apparent negligence. Merely days after the Nothing Chats app was removed from the Play Store, the technology at its foundation, provided by Sunbird, has also gone offline for an unspecified period, intensifying suspicions that something is seriously wrong.
Sunbird appeared on our radar late last year, promising blue bubbles for Android-to-iPhone messages. It also promised to bundle all messaging apps into a single hub, somewhat like Beeper. Nothing adopted the Sunbird tech, bundled it into its own app for the Nothing Phone 2, and launched it with an ambitious video. “Sorry, Tim.” That’s the message Nothing CEO Carl Pei sent.
Over the weekend, I noticed that the Sunbird app’s Google Play Store listing returned a blank page. I originally thought it was unavailable due to some geographic restrictions. The company made no public announcement regarding the same, except notifying members in the Sunbird Discord channel.
“We have temporarily shut down the Sunbird app while we do a detailed security analysis,” the alert said, adding that the company will offer further details when it identifies the “exact occurrences.”
Interestingly, the revelation was first made in the dev-announcements channel of Sunbird’s Discord network. “In an abundance of caution and to protect your confidential data, we are shutting down Sunbird temporarily,” it said.
What I can’t wrap my head around is why it took a day to drop the same information in the public channel. And above all, why did Sunbird fail to make an announcement on its active Facebook and X (formerly Twitter) handles?
In a message that appeared today in the public Discord channel, Sunbird only said “lots going on” but didn’t provide any further technical details or progress on risk mitigations. “We have decided to pause Sunbird usage for now while we investigate security concerns,” says the message.
Digital Trends has reached out to Sunbird’s technical lead, Garin, for more information and will update this story as soon as they respond.
Sunbird has only now started notifying users via an in-app message. Earlier today, 9to5Google spotted in-app notifications posted on Reddit by Sunbird users, telling them that the app was temporarily put on hold. It’s the same message that was first shared in the Discord community.
Security specialists at Texts found that the messaging app Nothing Chats was not employing HTTPS security protocols for its messages. Instead, it used the less secure HTTP standard, transmitting messages in unencrypted, plain text. If history has taught us anything about digital security, plain text is bad news.
A separate investigation revealed that all types of communication through Nothing Chats — including text, images, and other media — were sent in this unsecured, easily visible format. Additionally, it was uncovered that all messages sent and stored on Nothing Chats were unencrypted and hosted on a readily accessible Firebase platform.
Further findings showed that once users authenticate with a JSON Web Token (JWT), which is itself transmitted without protection, they gain access to Nothing Chats’ Firebase database. That access lets them view other users’ messages and files, which are sent and stored in real time and in plain text.
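As an added illustration, not Sunbird’s or Nothing’s actual configuration (the page does not show their rules), this is what the access pattern described above looks like when it stems from Firebase Realtime Database security rules: the over-broad rule that lets any signed-in user read the whole tree is shown commented out beside a version scoped to the authenticated user’s own data. The `messages/$uid` layout and the `body`/`ts` fields are assumptions; Firebase’s rules editor accepts `//` comments.

```json
{
  "rules": {
    // WEAK (assumed pattern matching the behaviour reported above):
    // any authenticated user, i.e. anyone holding a valid JWT, can read and
    // write every user's messages because the rule sits at the root.
    // ".read": "auth != null",
    // ".write": "auth != null",

    // HARDENED: each user's messages live under their own uid, and only a
    // request authenticated as that uid may read or write them.
    "messages": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "$messageId": {
          // Reject malformed writes even from the owner.
          ".validate": "newData.hasChildren(['body', 'ts']) && newData.child('body').isString() && newData.child('ts').isNumber()"
        }
      }
    }
  }
}
```

Rules like these only govern who may read or write the database; they do nothing about the plain-HTTP transport the investigators described, which has to be fixed separately by moving all app traffic to HTTPS.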
All of this rings giant security alarms about the Sunbird (and the Nothing Chats) app. It’s especially worrying when it asks for your Apple ID credentials, the magic token that links everything from your emails and personal photos to your banking details.
It would be interesting to see where Nothing and Sunbird go from here. But with Apple embracing RCS and filling the feature gulf for Android-iPhone messaging, I don’t think it would be worth risking your privacy and data security for a hack that gives you blue chat bubbles.