- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
Given Nothing and Sunbird’s small marketshare, I assumed Apple was probably going to let Sunbird slide. Now I hope they bring the hammer down.
E2EE is one of the main points of iMessage. Security minded iMessage users are not going to feel comfortable if a Sunbird user is on the other end.
Sunbird / Nothing needed to play this very carefully. Users are giving them their iCloud credentials and are technically giving them the ability to view encrypted comms, documents, photos, password wallets, health records, etc.
Shit like this is unacceptable.
E2EE is one of the main points of iMessage. Security minded iMessage users are not going to feel comfortable if a Sunbird user is on the other end.
You could say the same about RCS. Apple’s implementation of RCS next year will not have e2ee, at least not at first.
Can’t wait to lose my RCS e2ee thanks to Apple.
Google only allows E2EE between its own app, though, because there is no E2EE in RCS yet.
You can’t send a message from Google’s RCS supporting app to another RCS app or platform and utilize E2EE.
What Apple’s asking for is to have a standard encryption for RCS rather than a 3rd party implementation.
Yeah, to be fair, the current state of encryption has been one of the major grievances with RCS.
The fact that Apple is pushing for a more universal E2E standard, and having Google onboard for it, is a good thing for everyone.
Also, those unencrypted messages will be called on their clients. Messages on Android gets the no lock icon, and Messages in Apple’s ecosystem gets green bubbles.
This Sunbird thing is some bullshit because people think it’s encrypted, and it isn’t. Unencrypted comms are getting blue bubbled.
SMS is also plain text, what’s the big deal?
The premise of the app is not sending plain text messages.
E2E encryption is one of the main points of iMessage.
Giving your iCloud credentials to someone that isn’t Apple is already kind of shady. They needed the security around this product to be bullet proof. I don’t know why anyone would be quick to trust Sunbird after this.
Probably a privacy policy issue? Its okay to do stuff in plaintext, but the privacy policy must make that clear.
Literally from their FAQ
Are my messages secure? Yes, Nothing Chats is built on Sunbird’s platform and all Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.
And regardless, if they removed this line and added privacy policy like “we do not encrypt messages and can read them whenever we like” should kill their entire platform.
Yeah, but what about the other user who’s texting a sunbird client and thinks everything is E2E encrypted?
This is the best summary I could come up with:
Nothing has pulled the Nothing Chats beta from the Google Play store, saying it is “delaying the launch until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users text with iMessage, but it required allowing Sunbird, who provides the platform, log into users’ iCloud accounts on its own Mac Mini servers, which… isn’t great?
The removal came after users widely shared a blog from Texts.com showing that messages sent with Sunbird’s system aren’t actually end-to-end encrypted — and that it’s not hard to compromise it.
The app launched in beta yesterday after being announced earlier this week.
9to5Google pointed to a thread from site author Dylan Roussel, who found that part of Sunbird’s solution involves decrypting and transmitting messages using HTTP to a Firebase cloud-syncing server and storing them there in unencrypted plain text.
Roussel posted that the company itself has access to messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”
The original article contains 282 words, the summary contains 187 words. Saved 34%. I’m a bot and I’m open source!