Sunbird’s promise of delivering iMessage support to Android users has finally materialized with the launch of Nothing Chats, which is built on Sunbird’s platform. Despite assurances of end-to-end encryption, serious privacy problems have come to light. Contrary to Sunbird’s claims that user data is stored securely, messages and attachments, including image files, turn out to be stored and readable in the clear.
The method employed by Sunbird and Nothing Chats has the user sign in to their Apple ID inside the app, with the login relayed through a Mac server farm. A design in which a server signs in to iMessage on the user's behalf and relays the conversation cannot be end-to-end encrypted in any meaningful sense: the relay is itself an endpoint and sees every message in the clear. The product was nonetheless advertised as end-to-end encrypted; it is not, and user data, including vCards, is exposed as a result.
Wukko’s findings, posted on Twitter, showed that media attachments, user images, and all data sent to and stored in Firebase are unencrypted and readable in plain text. 9to5Google independently confirmed that user messages and files can be accessed in real time and in plain text, undermining the privacy and security claims made by Sunbird and Nothing Chats.
Sunbird’s role in this privacy failure is underlined by evidence that Sunbird has access to every message sent and received through the app. Moreover, pulling a user's data out of the backend has been automated with a short piece of code, which shows that the exposure is practical rather than theoretical.
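The core of the reports above is that data fetched from the backend is recognisably cleartext rather than ciphertext. The following is an added example, not code from the original article, from Sunbird or from the researchers cited: a small Python triage script that, given an export of stored values (as a script like the one described would produce), flags fields that are obviously unencrypted by checking for known file signatures (JPEG, PNG, GIF, PDF, vCard), readable low-entropy text, and one layer of base64 or hex wrapping around what might be real ciphertext. The record layout, field names and all sample values are constructed for the example and are not real Sunbird data; the thresholds are heuristics for triage, and an "opaque" verdict means "not obviously cleartext", not "proven encrypted".

```python
import base64
import math
import re
from collections import Counter

# Format signatures of typical attachments. A fetched blob that still begins
# with its signature was stored with no encryption applied to it.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"BEGIN:VCARD": "vcard",
}

HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8 for ciphertext, roughly 4 to 5 for prose."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes, depth: int = 0) -> str:
    """Heuristic triage of one stored value.

    Returns 'plaintext:<kind>' when the value is recognisably unencrypted
    (known file signature or readable text) and 'opaque' otherwise.
    """
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return f"plaintext:{kind}"
    # Ciphertext is commonly hex- or base64-wrapped before being stored in a
    # JSON document; unwrap one layer and judge the raw bytes, not the encoding.
    if depth == 0 and len(data) >= 16:
        raw = None
        if HEX_RE.match(data) and len(data) % 2 == 0:
            raw = bytes.fromhex(data.decode("ascii"))
        elif BASE64_RE.match(data):
            try:
                raw = base64.b64decode(data, validate=True)
            except ValueError:
                raw = None
        if raw is not None:
            return classify_blob(raw, depth + 1)
    # Readable text: decodes as UTF-8, almost entirely printable, low entropy.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    if not text:
        return "opaque"
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / len(text)
    if printable > 0.95 and shannon_entropy(data) < 5.5:
        return "plaintext:text"
    return "opaque"


def audit_export(export: dict) -> list:
    """Walk an export shaped {record_id: {field: value}} and report cleartext fields.

    Values are str (as a JSON backend returns them) or bytes (downloaded attachments).
    """
    findings = []
    for rid, fields in export.items():
        for name, value in fields.items():
            blob = value.encode("utf-8") if isinstance(value, str) else value
            verdict = classify_blob(blob)
            if verdict.startswith("plaintext"):
                findings.append((rid, name, verdict))
    return findings


# Constructed sample export (hypothetical layout, not real Sunbird data): a
# readable message body and a vCard, a JPEG attachment fetched as bytes, and a
# base64-wrapped high-entropy value standing in for genuine ciphertext.
SAMPLE_EXPORT = {
    "msg-1": {
        "body": "Are we still on for dinner at 7?",
        "attachment": "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Contact\r\nEND:VCARD\r\n",
    },
    "msg-2": {
        "attachment": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(32),
    },
    "msg-3": {
        "body": base64.b64encode(bytes(range(256))).decode("ascii"),
    },
}

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(*finding)
```

Run against the sample, the script reports the message body, the vCard and the JPEG as cleartext and leaves the base64-wrapped random bytes alone. On a real export the interesting result is the first kind: a backend that claims end-to-end encryption should never hand back a JPEG that still starts with its own header.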
In response to these findings, Nothing and Sunbird appear to have pulled the app from the Play Store: Nothing Chats is no longer available for download, a step that reflects the severity of the situation.
In conclusion, the privacy failures surrounding Sunbird and Nothing Chats are serious. The ease with which user data can be read and the lack of due diligence in securing it are alarming. Users are advised not to install Nothing Chats or Sunbird; anyone who has already signed in through either app should stop using it, treat anything sent through it as exposed, and revoke the Apple ID session it was given.