Apple’s iMessage has such a deathgrip on the messaging situation in the United States that companies like Nothing feel they need to take drastic measures to assuage green bubble concerns from potential customers. Earlier this week, the tech world collectively gasped when the design-focused smartphone brand announced it would be bringing iMessage to its Android devices using a service called Sunbird, which relays messages from Apple’s servers to a client app called Nothing Chats. We had seen similar third-party hacks before, but an OEM offering this functionality for free almost sounded too good to be true. Now it seems there may be a serious security problem with Nothing’s iMessage implementation.

The company just today announced that Nothing Chats was available on the Play Store, and the developers at Texts, a competing service that offers similar functionality to Sunbird, wasted no time digging into the code. Texts founder Kishan Bagaria claims that Sunbird’s iMessage forwarding backend on Nothing phones is running on an instance of BlueBubbles, an open-source project primarily aimed at end users who want to forward iMessages from their own Mac to a non-Apple phone.

But the most damning claim, if true, is that Nothing’s iMessage implementation was not using any encryption at all when sending your Apple login credentials: Bagaria says this extremely sensitive data is being sent in plain text over HTTP, not even HTTPS.

Bagaria goes on to explain that the BlueBubbles backend supposedly being used by Sunbird doesn’t support end-to-end encryption. However, the BlueBubbles FAQ does state that “all connections are done over HTTPS/WSS and utilizes TLS encryption by default,” so there would likely be some form of encryption in transit, perhaps just not at every hop. Those are two different properties, though: TLS hides a connection from a network eavesdropper, but the server at either end of it can still read every message, which is exactly what end-to-end encryption is meant to prevent.

These claims seem to directly contradict statements Nothing made in the lead-up to the release of Chats. Previously, the company had stated “all Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.” Of message handling in particular, it says “Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey.” Nothing co-founder Akis Evangelidis has even said that “Messages are end-to-end encrypted.”

To be fair, neither the Nothing Chats FAQ nor the co-founder’s tweet addresses the encryption of credentials specifically, which is the focus of Bagaria’s tweet. And in a statement to 9to5Google, Nothing explained that the plain text Bagaria saw is a tokenized version of the Apple ID credentials rather than the actual password:

Once the Apple ID is provided, whether existing or newly created, it’s then tokenized in an encrypted database and the Apple ID data is destroyed. The token is of no use to bad actors as it does not contain any sensitive information like your Apple ID, and the data you initially provided is automatically deleted, ensuring your Apple ID is secure and at no point vulnerable to bad actors.

A Nothing spokesperson also provided context on the use of HTTP and on BlueBubbles. Regarding the latter, the company claims the appearance of that name in the code is merely a coincidence:

While the protocol is HTTP, all data is encrypted and the key used to encrypt that data is provided via HTTPS so Apple credentials or messages sent via that HTTP request are secure and not open to the public. All sensitive user data such as Apple ID credentials and messages are encrypted at all times. The HTTP is only used as part of the one-off initial request from the app notifying the back-end of the upcoming iMessage connection iteration that will follow via a stand alone communication channel.

Regarding the other part of his tweet, years ago when the servers were being built Sunbird’s co-founder named them Blue Bubbles. Sunbird/Chats is not using an instance of anyone else’s technology – the naming is strictly coincidence.
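To make the difference between the two accounts concrete, here is an added example that is not code from Nothing, Sunbird, Texts or BlueBubbles. It builds the two requests the article is arguing about, credentials POSTed in plain text over HTTP as Bagaria describes, and an encrypted blob sent over HTTP under a key that was delivered over HTTPS as Nothing describes, and then runs the one check a network capture allows: do the secrets appear verbatim in the bytes on the wire? The hostname, path and credentials are constructed, the 32-byte key simply stands in for whatever the HTTPS step hands out, and the HMAC-SHA256 counter-mode stream with encrypt-then-MAC is an assumption chosen so the script runs on the standard library alone; in practice you would use an AEAD such as AES-GCM, and nothing here claims to describe Sunbird’s actual cipher.

```python
"""Added example: what a passive observer sees for the two request designs
in the Nothing Chats story. Not the code of any company named in the article.
Hostnames, paths, credentials and the cipher construction are assumptions.
"""
import hashlib
import hmac
import json
import os

HEADER_END = b"\r\n\r\n"


def http_post(host, path, content_type, body):
    """Serialize a minimal HTTP/1.1 POST exactly as it would appear on the wire."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
    ).encode()
    return head + b"\r\n" + body


def http_post_plaintext(host, path, fields):
    """Design (a): JSON credentials are the HTTP body, readable by anyone on path."""
    return http_post(host, path, "application/json", json.dumps(fields).encode())


def _subkeys(key):
    """Derive independent encryption and MAC keys from the shared key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stand-in for AES)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: blob was modified in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def http_post_encrypted(host, path, key, fields):
    """Design (b): the body is an encrypted blob; `key` models the key fetched over HTTPS."""
    blob = encrypt(key, json.dumps(fields).encode())
    return http_post(host, path, "application/octet-stream", blob)


def body_of(wire):
    """Split a captured request and return only its body."""
    return wire.split(HEADER_END, 1)[1]


def observer_sees(wire, secrets):
    """Return which of `secrets` appear verbatim in a captured request.

    This is the whole of what a packet capture of plain HTTP can tell you:
    readable secrets are a definite problem, but an unreadable body could be
    ciphertext, an opaque token, or anything else.
    """
    return [s for s in secrets if s.encode() in wire]


if __name__ == "__main__":
    creds = {"apple_id": "alice@example.com", "password": "correct horse battery staple"}  # constructed
    key = os.urandom(32)  # stands in for the key Nothing says is delivered over HTTPS
    plain = http_post_plaintext("relay.example.invalid", "/imessage/login", creds)
    enc = http_post_encrypted("relay.example.invalid", "/imessage/login", key, creds)
    print("plain HTTP      ->", observer_sees(plain, creds.values()))
    print("encrypted, HTTP ->", observer_sees(enc, creds.values()))
    print("recovered with key:", json.loads(decrypt(key, body_of(enc))))
```

Two caveats fall straight out of running it. First, the observer check is one-directional: a capture that shows no readable secret cannot tell an encrypted password apart from the opaque token Nothing describes, so the “tokenized” claim is not something a wire capture alone can confirm or refute. Second, even when the body is encrypted, a plain HTTP request carries no server authentication, so anyone on path can still read the request metadata, replay it, or redirect it; the straightforward hardening, and the one Bagaria’s objection really points at, is to carry the whole exchange over HTTPS rather than just the key.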

Meanwhile, Apple announced that it will add RCS support to Messages in 2024. Its implementation will follow the Universal Profile, and Apple says it will work with the GSMA to add end-to-end encryption to the standard, which the Universal Profile does not currently provide. So even taking Nothing’s explanations at face value, and considering how long we’ve been waiting for a decent messaging experience between Android and iOS, it might behoove Nothing Phone users to wait a few more months and simply chat with their iPhone counterparts over RCS.