This week brought a series of disasters (and quite some embarrassment) to Android messaging apps that were trying hard to break the infamous green-blue bubble barrier between Android and Apple users. It started with the failure of Nothing Chats and recently extended to the shutdown of Sunbird.
Nothing Chats launched fairly recently (and didn’t even last a full day) with the ambitious goal of being able to chat through the same servers as Apple users. Soon after it launched, it was taken down from the Google Play Store for privacy and security issues. Sunbird, launched in late 2022, was the third-party service that Nothing Chats used as its tech foundation. Hence, security vulnerabilities for Nothing Chats meant that Sunbird had to rethink its privacy structures, too.
Sunbird’s security mess-up was essentially a failure to provide end-to-end encryption for users’ messages. It was found to be using unencrypted HTTP instead of the standard HTTPS. 9to5Google found over 630,000 files accessible through this vulnerability.
One of the most confusing things about this whole episode is how Sunbird dealt with it. For some reason, it didn’t take to X (formerly Twitter) or Facebook to properly inform users about what was going on. Of all places, it started by sending messages on its Discord channel.
The first message on the channel said, “We have temporarily shut down the Sunbird app while we do a detailed security analysis.” It added that it would return as soon as it devised a plan to move forward. Shortly after, it sent another alert saying, “In an abundance of caution and to protect your confidential data, we are shutting down Sunbird temporarily.”
After a series of cryptic messages on Discord and blocking downloads of the app (which users who hadn’t seen the Discord alert reportedly took for a Play Store issue), Sunbird notified users via an in-app message. It said, “Dear Sunbird User. We have decided to pause Sunbird usage for now while we investigate security concerns. We will update you when we are ready to proceed.”
Apparently, Sunbird’s shutdown over questionable security protocols was a ticking time bomb. Ars Technica details that the company had been a big red flag since its inception. It refused to answer basic technical questions in its briefing and went as far as shutting the meeting’s chat to avoid being asked anything. In another instance, a Sunbird Discord community member who dared to express concern over the company’s security protocol in the chat got blocked right away.