What was supposed to be the iMessage redeemer for Android smartphone users has quickly been consumed by chaos and gross negligence on security. Just days after the Nothing Chats app was removed from the Play Store, the technology underpinning it, provided by Sunbird, is also taking an unspecified leave, deepening suspicions that something is seriously wrong.
Sunbird appeared on our radar late last year, promising blue bubbles for Android-to-iPhone messages. It also promised to bundle all the messaging apps into one cluster, somewhat like Beeper. Nothing took the Sunbird technology, bundled it into its own app for the Nothing Phone 2, and launched it with an ambitious video. “Sorry, Tim.” That’s the message Nothing CEO Carl Pei sent.
Over the weekend, I noticed that the Google Play Store listing of the Sunbird app returned a blank page. I originally thought it was unavailable due to some geographic restrictions. The company did not make any public announcement in this regard, other than informing members in the Sunbird Discord channel.
“We have temporarily shut down the Sunbird app while we conduct a detailed security analysis,” the alert said, adding that the company will provide further information once the “exact incidents” are identified.
Interestingly, the revelation was first made in the Dave-Announcement channel of Sunbird’s Discord network. “Out of an abundance of caution and to protect your confidential data, we are temporarily closing Sunbird,” it says.
I am unable to understand why it took a day for the same information to be posted on a public channel. And most of all, why did Sunbird fail to announce it on its active Facebook and X (formerly Twitter) handles?
In a message that appeared today on a public Discord channel, Sunbird said only that “a lot is going on” but provided no further technical details or progress on mitigating the risk. “We have decided to pause the use of Sunbird for the time being while we investigate safety concerns,” the message said.
has reached out to Garin, Sunbird’s technology lead, for more information and will update this story as soon as he responds.
Sunbird began notifying users via in-app message only. Earlier today, 9to5Google saw Sunbird users’ in-app notifications posted on Reddit, informing them that the app was temporarily placed on hold. This is the same message that was first shared in the Discord community.
Security experts at Texts found that messaging app Nothing Chats was not using the HTTPS security protocol for its messages. Instead, it used the less secure HTTP standard, transmitting messages in unencrypted, plain text. If history has taught us anything about digital security, plain text is bad news.
A separate investigation revealed that all types of communications through Nothing Chats – including text, images and other media – were sent in this insecure, easily visible format. Additionally, it was discovered that all messages sent and stored on Nothing Chats were unencrypted and hosted on the easily accessible Firebase platform.
Further findings revealed that after users authenticate using JSON Web Tokens (JWT), which are themselves transmitted insecurely, they gain access to Nothing Chats’ Firebase database. This access allows them to view other users’ messages and files, which are sent and stored in real time and in plain text.
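As an added illustration (not Sunbird’s or Nothing’s own configuration, which the page does not show), here is the class of Firebase Realtime Database rule that lets any signed-in user read everyone’s messages, beside an owner-scoped version, with a small evaluator that models Firebase’s cascading read rules so the two can be compared offline. The rule text, paths and user ids are constructed.

```javascript
// Constructed illustration, not Sunbird's or Nothing's real Firebase rules.

// Weak: any signed-in user can read and write every user's messages. This is
// the class of misconfiguration that lets one authenticated user view
// another's data.
const permissiveRules = {
  rules: {
    messages: { ".read": "auth != null", ".write": "auth != null" },
  },
};

// Owner-scoped: a user can only reach the subtree keyed by their own uid.
const ownerScopedRules = {
  rules: {
    messages: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
  },
};

// Models the subset of Firebase semantics that matters here: a ".read" rule is
// evaluated at each level along the path with `auth` and any $wildcard
// bindings in scope, and permission granted at a parent cascades to children.
// Rule strings are plain JS expressions, so Function can evaluate them.
function canRead(ruleSet, authUid, path) {
  const auth = authUid === null ? null : { uid: authUid };
  const bindings = {};
  const segments = path.split("/").filter(Boolean);
  let node = ruleSet.rules;
  for (let i = 0; ; i++) {
    if (typeof node[".read"] === "string") {
      const names = Object.keys(bindings);
      const fn = new Function("auth", ...names, `return (${node[".read"]});`);
      if (fn(auth, ...names.map((n) => bindings[n]))) return true;
    }
    if (i >= segments.length) return false; // reached the target, never granted
    const seg = segments[i];
    if (node[seg] !== undefined && !seg.startsWith("$")) {
      node = node[seg]; // literal child, e.g. "messages"
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wild) return false; // no rule covers this level
      bindings[wild] = seg; // bind e.g. $uid = "bob"
      node = node[wild];
    }
  }
}

console.log(canRead(permissiveRules, "alice", "messages/bob")); // true
console.log(canRead(ownerScopedRules, "alice", "messages/bob")); // false
```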
All of this sounds a huge security alarm about Sunbird (and Nothing Chats). This is especially worrisome given that the app asks for your Apple ID credentials, the magical token that links everything from your emails and personal photos to your banking details.
It will be interesting to see where Nothing and Sunbird go from here. But with Apple adopting RCS and the lack of a feature for Android-iPhone messaging, I don’t think it would be worth risking your privacy and data security for a hack that gives you blue chat bubbles.