Nothing Chats, the Sunbird-based iMessage app, is a privacy nightmare with unencrypted messages and images

Nothing reiterates this on a landing page for Nothing Chats, saying:

…Nothing Chats is built on Sunbird’s platform and all Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

“Wukko” on Twitter/X published (edit: Nitter link) findings that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, “all” data is sent and stored through Firebase, and it’s also completely unencrypted.

Summary:
– Sunbird has access to every message sent and received through the app on your device.
– All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.
– Nothing Chats is not end-to-end encrypted.

2 Likes

Well, Nothing Chat is Nothing you should use™

1 Like

This is a disaster waiting to happen… I’ll grab the popcorn.

3 Likes

Separate post, to be a bit more serious. From what I’ve heard, the device will ask for your Apple credentials, and forward them to Mac servers. Meaning, they will likely have access to everything, via that Mac. iMessage, iCloud, browser data, keyring, Home (e.g. cameras), Find My, and so on. No joke, this is a privacy and security nightmare.

5 Likes

And also an anonymity nightmare as well. No one should use this app because it’s nothing to be caring for.

2 Likes

I feel like anyone tech savvy enough to be aware of Nothing’s existence won’t even be swayed by this chats feature and the people who want iMessage features won’t even consider this.
If someone wants this kind of janky setup they would be better off hosting it themselves, but even that has its security and practical issues. This is just a PR stunt anyways. What I’ve discovered doing experiments like this is that most users wouldn’t be fond of the fact that you’re only routing the iMessages through your email instead of your number.

1 Like

This is an easily predictable outcome. If you are trusting a third party to route ALL of your Apple data through, of course it’s an absolute security and privacy mess.

As soon as I saw this “feature” announced I expected this outcome. Though the issues being publicly exposed did happen faster than expected.

The real scandal here is the promise of everything being E2EE when that was never true. Sunbird and Nothing flat out lied. I hope someone sues them both.

1 Like

While disappointing, as I do think services such as Beeper and Sunbird were on track to be good apps to fix the iMessage issue, there would always be the privacy and security concern of signing into a Mac mini server farm. It is even more disappointing to see that they had a security/privacy vulnerability that wasn’t discovered until launch. It shows that Nothing didn’t properly audit Sunbird, which raises questions about their future integrity.

However, I still think that Apple supporting RCS is a step in the right direction and is a win-win for all consumers. I also still like projects like BlueBubbles and will continue to run a BlueBubbles server until RCS is properly integrated and works the same as or better than BlueBubbles.

1 Like

Well, it looks like Sunbird figured out that security vulnerabilities and unencrypted messages when they say they are encrypted are bad news and have caught up to them. Sunbird announced that they will be temporarily shutting down all of Sunbird’s iMessage services. This PR might mark the end of Sunbird and will probably also negatively affect other iMessage translation services like Beeper.

Sunbird, the app that brings iMessage to Android, has temporarily shut down the service over “security concerns,” as first reported by 9to5Google. In a notice to users, Sunbird says it has “decided to pause Sunbird usage for now” while it investigates reports that its messages aren’t actually end-to-end encrypted.