The disgraced iMessage-on-Android app can't take the hint, and it's back for more

Remember the whole Nothing Chats debacle from last year? It was an app built on the Sunbird architecture, which had several security flaws, and Nothing Chats and Sunbird's messaging app were removed from the Google Play Store. Well, Sunbird is back, hoping that users will forget the past and give it a second chance.

Through a press release, Sunbird announced that it plans to relaunch the beta version of the iMessage app for Android. The company says it will send invitations to those on its waiting list in small phases starting today.

Launched in 2022, Sunbird promises to bring iMessage compatibility to Android. It claimed to provide end-to-end encryption and iMessage features while not collecting users' data. However, it was quickly discovered that the software was completely insecure and was not as private as advertised. The company later announced that it would temporarily shut down the service while it investigated the security issues raised.

in Blog post, also published today, Sunbird acknowledges the vulnerabilities for which it has been recalled. However, it claims that some of the allegations were untrue and denies that it ever used “BlueBubblesApp” as part of its infrastructure.

The company adds that it has replaced its old architecture (AV1) that “leveraged Firestore to cache messages” with a new architecture (AV2). This new architecture integrates RCS and user privacy is said to be the central principle.

Sunbird also states that with AV2:

• Unencrypted messages are never stored anywhere on disk or in the database. When messages are decrypted to pass to the iMessage and RCS/Google Messages network, they only exist in memory for a limited period of time. In a front-end application, messages are only stored in an encrypted state within the in-app database.
• Static files transferred via the service are stored in secure cloud storage pools that are encrypted during transmission and at rest. They are protected by permissioned URLs that prevent unauthorized access and are completely deleted from Sunbird's systems no later than 48 hours after they are sent or received.
• All communications from the Sunbird application to the Sunbird API are protected at the transport layer, either through HTTPS or the MQTTS protocol.
• The MQTTS broker is secured with strict access control lists to ensure that users are only able to access broker topics specifically intended for them and not for others.
• Furthermore, the contents of the message payload itself are encrypted at the application layer using AES encryption with an encryption key fully controlled by the client and kept in memory only on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are only decrypted (in memory) at the moment the messages are transferred to the original messaging platform.

The weird thing that stands out here is that towards the end of the blog, the company mentioned that they had hired Jared Jordan as an official consultant. It says Jordan is “currently an engineering manager on the Gmail team at Google.” However, Jordan LinkedIn page He says he left Google in March and currently works at Capital One.

It's good to see that Sunbird has seemingly taken measures to improve privacy and security. But it's still safe to say that you shouldn't trust any iMessage app for Android.