Sunbird, the messaging app that promises to deliver iMessage to Android, is once again in beta and expanding access to those on its waitlist.
Sunbird had a disastrous debut in late 2023 when Nothing partnered with the app to provide messaging to its new Nothing 2 phone. Almost immediately, keen-eyed users and security experts noticed major issues with Sunbird’s security…or lack thereof. In fact, the security issues were so bad that Nothing dropped the app and Sunbird paused its beta to completely revamp its service and infrastructure.
On the heels of that revamp, Sunbird is once again launching a beta of its app and expanding access to the individuals who joined the waitlist. Sunbird emphasizes that its approach is different than other apps—such as the ill-fated Beeper—by serving as a bridge between the Apple and Google messaging ecosystem.
Sunbird’s approach to bridging the messaging gap between Android and Apple users is rooted in security and innovation. Unlike third-party attempts that involved unauthorized access to iMessage, Sunbird’s platform provides a secure bridge for communication within Apple’s ecosystem. Since the app’s initial public announcement in November 2022, Sunbird received extensive media coverage and tens of thousands of users have communicated through iMessage via Sunbird. This media coverage and usage did not lead to third-party interference, and the company remains confident about its method of securely connecting Android and iPhone users.
What About Security?
One of the biggest concerns many users will have is whether the company has addressed the security issues that plagued its initial launch. In a blog post, the company does an in-depth postmortem and describes the issues that were discovered:
- The use of the unencrypted HTTP protocol for an API call.
- The storing of messages in an unencrypted state in a Firebase real-time store.
- The possible accessibility of over 600,000 files, some of which were vCards, within the Firebase static file host.
- The logging of messages by the front-end into a Sentry log.
The company says it made major changes following the revelations.
The discovery of vulnerabilities within the Sunbird apps was a stark reminder of our responsibilities toward user privacy and security. Following the identification of these issues and the consequent suspension of the Sunbird system, we were presented with a choice. We could have opted for a quick fix to patch these vulnerabilities, potentially allowing us to reinstate the Sunbird app on the app store within a few short weeks. However, we recognized that such an approach would not align with our core values or our unwavering commitment to the privacy and security of our users.
We decided to take the opportunity to thoroughly reevaluate both our technical implementations and our organizational processes from the foundation up. This decision was driven by our belief in the paramount importance of trust and safety in our platform. It reflects our dedication to not just resolving the immediate issues at hand but also to ensuring that we uphold the highest standards of security and privacy for our community in the long term.
Sunbird outlines both technical changes and organizational changes to ensure it provides the level of security its customers expect. On a technical note, the company says:
- Unencrypted messages are never stored anywhere on disk or in a database. When messages are decrypted to be passed to the iMessage and RCS/Google Messages network, they exist in that state only within memory for a limited period of time. In the front-end app, messages are only stored in an encrypted state within the in-app database.
- Static files transmitted through the service are stored in secure cloud storage buckets that are encrypted in transit and at rest. They are protected through permissioned URLs that prevent unauthorized access and are completely expunged from the Sunbird systems no later than 48 hours after sending or receiving them.
- All communication from the Sunbird app to the Sunbird API is protected at the transport layer, either through HTTPS or the MQTTS protocol.
- The MQTTS broker is secured via strict access control lists to ensure that users are only able to access broker topics specifically assigned to them and no others.
- Further, the contents of the message payload itself is encrypted at the application layer using AES encryption with an encryption key controlled completely by the client and only held in memory on the Sunbird side. Messages flow through the Sunbird system in an encrypted state and are only decrypted (in memory) at the moment of transfer of messages to the native messaging platform.
On an organization level, Sunbird brought Bobby Gill of BlueLabel onboard to oversee development. Gill brings more than 20 years of hands-on development of secure enterprise and mobile software.
Even more importantly, the company has tapped “independent security consultancy, CIPHER, to perform a rigorous security analysis penetration test of the Sunbird app and backend.”
The outcome of the penetration testing was affirming; they reported no critical vulnerabilities within the Sunbird app or its backend API. In addition, they specifically attempted to recreate the architecturally present vulnerabilities previously identified in November 2023 and were unable to do so on the AV2 platform.
Is Sunbird Still Needed In View of Apple’s RCS Plans
Apple surprised the industry when it announced it would finally support RCS for iOS > Android texting, replacing the archaic SMS as a fallback option. RCS is slated to debut in iOS 18, and will bring a host of improvements, including file sharing, read receipts, group admin, and more.
Despite the good news, there is no reason to believe that RCS will be the magic bullet that solves the green vs blue bubble debate. RCS has its own problems, including an over-reliance on Google. What’s more, custom Android ROMs—such as GrapheneOS and CalyxOS—cannot use RCS. In addition, there is no reason to believe that Apple will implement RCS with same feature parity as iMessage—the company’s own solution will always provide a superior experience.
In that context, bringing iMessage to Android still stands to provide a better experience than RCS on iOS.
Should You Use Sunbird?
The million dollar question is: Should you use Sunbird? Unfortunately, there is no easy answer to that question.
On the one hand, Sunbird has implemented significant changes to its platform in an effort to fully address the issues it experienced in its first preview launch. The company has also made organizational changes, not the least of which is leveraging independent testing to ensure its platform is safe.
On the other hand, the critical part of Sunbird’s description of how its service works pertains to when the message is moving from one ecosystem to the other:
Unencrypted messages are never stored anywhere on disk or in a database. When messages are decrypted to be passed to the iMessage and RCS/Google Messages network, they exist in that state only within memory for a limited period of time. In the front-end app, messages are only stored in an encrypted state within the in-app database.
As this describes, messages are briefly decrypted as they cross over, before being re-encrypted and sent on their way.
To be fair, it’s likely that Apple’s implementation of RCS won’t support end-to-end encryption (E2EE) for some time. While Google’s implementation of RCS does support E2EE, Apple obviously doesn’t want to be beholden to its main rival and rely on it for encryption. As a result, Apple has said it plans to work with the GSMA to add E2EE to the main RCS standard, but that will not be completed by the time iOS 18 is released.
As a result, Apple’s implementation of RCS on iOS will offer no better security than Sunbird’s implementation of iMessage on Android.
When deciding whether to give Sunbird a try, the dilemma boils down to one simple question: Do you trust Sunbird? If so, then give the app a try.