Alright, I’ll save you all the techy crap. We have an app that carries messages from an Android phone with this route: Take your Apple ID credentials ➡ Macs in the cloud ➡ Trick Apple systems into believing that the message comes from an iPhone ➡ Recipient's iPhone, posing as a legitimate iMessage exchange from another iPhone. Interestingly, it's a patented process.
The app in question is Nothing Chats. It comes from the same company that makes those fancy transparent back Android phones with blinking lights. Back to the app, shall we?
We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
— Nothing (@nothing) November 18, 2023
We apologise for the delay and will do right by our users.
Within a matter of days since its widely-covered launch, the Nothing Chats app has been pulled from the Play Store to address “bugs.” The Sunbird app – which was the foundation of Nothing’s app – has mysteriously gone missing from the Play Store.
But hey, let’s focus on the Nothing-iMessage revolution that never was.
“Sorry Tim.” Great way to generate some hype, posing as if you’re some godsend pro-consumer anarchist challenging the unabashedly pro-money monster that is Apple. In a video, Nothing CEO Carl Pei announced a new app that essentially brings iMessage to Android. Essentially, mind you!
As the news broke out, the tech world went bananas. A puff piece went out in The Washington Post. “We have a messiah.” After all, Apple has locked iMessage to iPhones, and if a poor Android guy texts you on the pricey fruit iPhone, the text bubble will be green.
And as you jump across the operating system walls, security is gone. Hello, to the Neanderthal era SMS/MMS system in the age of ChatGPT. Most importantly, no cool features such as read receipts, typing indicators, emoji reactions, or high-res file exchange are also allowed for the Android-iPhone message pipeline.
Enter Nothing Chats, an app built atop the tech developed by a company called Sunbird. “Blue Bubbles for Everybody: They said it couldn't be done. They were wrong,” says the app’s Play Store listing. The app has since gone AWOL.
I am not going to get into the experience of using the Nothing Chats, which appears to be a mix of smooth-sailing and mind-bendingly lacking. On November 17, the tech world was graced with the beta launch of Nothing Chats.
Almost immediately, it turned into a comedy of errors with security concerns. It's like they were practically begging for attention.
texts team took a quick look at the tech behind nothing chats and found out it's extremely insecure
— Kishan Bagaria (@KishanBagaria) November 17, 2023
it's not even using HTTPS, credentials are sent over plaintext HTTP
backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
Enter Kishan Bagaria from Texts.com, playing the role of the party pooper, who shockingly found out that Nothing Chats, in its infinite wisdom, decided to skip HTTPS security. Why bother with that pesky encryption, right? It's not technically Nothing's fault, since Sunbird built it.
But hey, due diligence, especially when your Apple ID (and the whole goddamn digital footprint is at stake). So, they went old school with the super vintage HTTP standard, transmitting messages in the trendiest fashion: plain text.
nothing chats app (skinned sunbird) is an absolute privacy nightmare that sends/stores ALL data unencrypted on firebase
— wukko (@uwukko) November 18, 2023
and for whatever reason it also sends ALL messages and attachments to sentry (again, in plain text) pic.twitter.com/CxBS7TZwCl
Then there’s Wukko, confirming the jaw-dropping revelation that Nothing Chats was basically a public broadcast system. Standard texts, images, media attachments – you name it, all in the clear, just there for the taking for anyone with a bit of know-how.
And let's not forget, all this top-notch communication was happening on the ultra-secure, easily hackable Firebase platform. So retro! Adding to the fun, 9to5Google jumped into the fray with their own little nuggets of wisdom.
I’ve been banned from @sunbirdapp’s Discord, probably because I made a tool that deletes some of the data they keep.
— batuhan içöz (@batuhan) November 18, 2023
If you are a Sunbird/Nothing Chats user, here’s my recommendation, in order:
- Change your Apple ID password *now* and revoke their session
- Remove the app
-…
Dylan Roussel, their in-house detective, found that once you're in with these laughably insecure JSON Web Tokens (JWT), the Firebase database becomes your oyster. Real-time messages and files from other users, served up on a silver platter, in plain text, no less.
And the icing on the cake? Those vCards, which is basically the digital invite that an iMessage user (on Android) sends to another iMessage user (on iPhone). You could practically start your own phone book with the names, numbers, emails, and other goodies lying around.
Plus, a treasure trove of over 630,000 media files was just hanging out on Sunbird's Firebase server – the puppet master behind the entire shitshow. Now, let me tell you something about how Sunbird was actually able to pull off the impossible.
“Your credentials are encrypted and become associated with one of Sunbird’s North America or Europe-based Mac Minis,” says a Nothing spokesperson about how the Sunbird — and Nothing Chats — apps allow an Apple-ID linked messaging system to work on an iPhone.
For the lack of a better word, this is nothing but a brazen hack that tricks Apple’s systems into believing that a message is coming from an Apple device. In this case, a Mac Mini handling multiple Apple accounts in the cloud.
I talked to at least three cybersecurity experts, and they made it clear it would be unwise to rule out that Sunbird can’t create a technical pathway to go around the so-called privacy measures and allow snooping, willingly or otherwise.
In the meanwhile, I highly recommend that you read this security-focused takedown of Nothing Chats and the underlying Sunbird tech.
What next?
If you signed up for the Nothing Chats app, sign out. Then delete it. Change your Apple ID password, just to be sure. Look, depending on your love for Apple, that account is linked to everything from your computer to your mobile wallet and bank account.
Don’t be so desperate to see your messages appear blue on an iPhone. There’s always apps like WhatsApp and Telegram that offer more than what iMessage serves you in terms of features. Heck, just wait a bit.
Apple has already announced that it is embracing RCS. In a nutshell, most of the fancy iMessage features. In a nutshell, texting between Android and iPhones won’t absolutely suck. That shift will materialize at some point early next year.
Just take the L, gracefully 'n' responsibly!
As for Nothing, well, it’s a brand that aims to challenge the status quo. It’s brash, bold, and not afraid to challenge everyone from Apple to Samsung. After all, when was the last time you saw a brand’s CEO reviewing a rival brand’s top-tier phone?
Given it’s position as an upstart and what’s at stake, it would be best if the brand admit that it fucked up, and move on, instead of trying a cover-up that has been brazenly ripped apart by security experts. As far as Sunbird — or any app of its ilk goes — stay the hell away from such hacks.