It’s pretty clear that iMessage for Android is not going to be an easy task, but one of the apps that tried to do it (before we found out that it was a terrible security nightmare), Sunbird, is giving it another shot.
In a press release, Sunbird has confirmed plans to relaunch its iMessage for Android services starting today.
Sunbird first hit the scene in 2022 with the promise of bringing iMessage to Android. The app launched in a private beta with a waitlist, but never made its way to a whole lot of users. In fact, it wasn’t until Nothing partnered with Sunbird to launch “Nothing Chats” that the service was widely available.
Within days of the launch of Sunbird-powered “Nothing Chats,” we reported on massive security problems with the app that included, among other things, hundreds of thousands of pieces of user-shared media being relatively-easily accessible, as well as messages being visible through the same method as they were sent in real-time. It was… bad.
Days after the incident, Sunbird announced that it would cease operations indefinitely.
Now, somehow, Sunbird has returned.
Sunbird says that invitations to those on the waitlist will roll out in “small phases” starting today, April 5.
In a press release, Sunbird references Apple’s shutdown of Beeper’s “unauthorized access” to iMessage and touts its platform which “provides a bridge between Android and Apple users, enabling secure communication within Apple’s ecosystem.”
The press release itself doesn’t offer any explanation of what Sunbird has changed besides committing “to offering a robust, secure, and unified messaging experience.”
In a further post on its website, Sunbird actually goes into its “unencrypted HTTP protocol” security issues, and also denies that it was ever using the “BlueBubblesApp” as part of its infrastructure following some findings alongside the many security problems. Sunbird says that, following last year’s debacle, it took time to “thoroughly reevaluate both our technical implementations and our organizational processes.”
So, has anything changed?
Sunbird says that its “older architecture” which used Firestore (a part of Firebase) has been replaced. The new “AV2” architecture, Sunbird explains, uses “a MQTTS message broker which is an OASIS standard for secure messaging.” The app will also now integrate with RCS via Google Messages, like Nothing Chats was going to.
The company further makes claims saying:
- Unencrypted messages are never stored anywhere on disk or in a database. When messages are decrypted to be passed to the iMessage and RCS/Google Messages network, they exist in that state only within memory for a limited period of time. In the front-end app, messages are only stored in an encrypted state within the in-app database.
- Static files transmitted through the service are stored in secure cloud storage buckets that are encrypted in transit and at rest. They are protected through permissioned URLs that prevent unauthorized access and are completely expunged from the Sunbird systems no later than 48 hours after sending or receiving them.
- All communication from the Sunbird app to the Sunbird API is protected at the transport layer, either through HTTPS or the MQTTS protocol.
- The MQTTS broker is secured via strict access control lists to ensure that users are only able to access broker topics specifically assigned to them and no others.
- Further, the contents of the message payload itself is encrypted at the application layer using AES encryption with an encryption key controlled completely by the client and only held in memory on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are only decrypted (in memory) at the moment of transfer of messages to the native messaging platform.
Sunbird also adds that it has made organizational changes including an “independent security consultancy,” CIPHER, as well as Jared Jordan, a former Director of Engineering at Google for Gmail, who is now a “formal advisor” to Sunbird (note: Sunbird’s post claims that Jordan is currently working at Google, but his LinkedIn profile, which Sunbird links, says he left Google in March and now works with CapitalOne).
9to5Google’s Take
I, for one, am shocked that Sunbird is actually trying to make a comeback. Following the horrifying issues discovered last year, I was confident the company wouldn’t be able to recover (and I’m still not convinced they’ll earn anyone’s trust).
And while it’s great to see Sunbird putting effort into fixing things up, I’m still pretty wary. A big red flag, as mentioned above, is that the company is claiming that their new advisor works for Google, when he actually left that position (which he only held for six months) earlier this week.
I won’t be signing up for Sunbird’s waitlist, but I do hope that the company has truly fixed its issues.
More on iMessage for Android:
Follow Ben: Twitter/X, Threads, and Instagram
FTC: We use income earning auto affiliate links. More.