Nothing reiterates this on a landing page for Nothing Chats, saying:
…Nothing Chats is built on Sunbird’s platform and all Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.
“Wukko” on Twitter/X published (edit: Nitter link) findings that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, “all” data is sent and stored through Firebase, and it’s also completely unencrypted.
Summary:
– Sunbird has access to every message sent and received through the app on your device.
– All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.
– Nothing Chats is not end-to-end encrypted.
Separate post, to be a bit more serious. From what I’ve heard, the device will ask for your Apple Credentials, and forward them to Mac servers. Meaning, they will likely have access to everything, via that Mac. iMessage, iCloud, browser data, keyring, Home (e.g. cameras), Find My, and so on. No joke, this is a privacy and security nightmare.
I feel like anyone tech savvy enough to be aware of Nothing’s existence won’t even be swayed by this chats feature and the people who want iMessage features won’t even consider this.
If someone wants this kind of janky setup they would be better off hosting it themselves, but even that has its security and practical issues. This is just a PR stunt anyways. What I’ve discovered doing experiments like this is most users wouldn’t be fond of the fact that you’re only routing the iMessages through your email instead of your number.
This is an easily predictable outcome. If you are trusting a third party to route ALL of your Apple data through, of course it’s an absolute security and privacy mess.
As soon as I saw this “feature” announced I expected this outcome. Though the issues being publicly exposed did happen faster than expected.
The real scandal here is the promise of everything being E2EE when that was never true. Sunbird and Nothing flat out lied. I hope someone sues them both.
While disappointing, as I do think services such as Beeper and Sunbird were on track to be good apps to fix the iMessage issue, there would always be the privacy and security concern of signing into a Mac mini server farm. It is even more disappointing to see that they had a security/privacy vulnerability that wasn’t discovered until launch. It shows that Nothing didn’t properly audit Sunbird, which raises questions about their future integrity.
However, I still think that Apple supporting RCS is a step in the right direction and is a win-win for all consumers. I also still like projects like BlueBubbles and will continue to run a BlueBubbles server until RCS is properly integrated and works the same as or better than BlueBubbles.
Well, it looks like Sunbird figured out that security vulnerabilities and unencrypted messages when they say they are encrypted are bad news and have caught up to them. Sunbird announced that they will be temporarily shutting down all of Sunbird’s iMessage services. This PR might mark the end of Sunbird and will probably also negatively affect other iMessage translation services like Beeper.
Sunbird, the app that brings iMessage to Android, has temporarily shut down the service over “security concerns,” as first reported by 9to5Google. In a notice to users, Sunbird says it has “decided to pause Sunbird usage for now” while it investigates reports that its messages aren’t actually end-to-end encrypted.