C. Scott Brown / Android Authority
TL;DR
- Sunbird, the iMessage app for Android, is back.
- Invitations will be rolled out in “small steps” starting today.
- The company claims to have replaced the old architecture with a new one that focuses on privacy.
Remember last year’s Nothing Chats fiasco? The app was built on Sunbird’s architecture and had so many security flaws that both Nothing Chats and Sunbird’s own messaging app were removed from the Google Play Store. Well, Sunbird is back, hoping that users will forget the past and give it a second chance.
Through a press release, Sunbird announced plans to relaunch its beta iMessage Android app. The company announced that it will begin sending out invitations gradually to people on the waiting list starting today.
Sunbird launched in 2022 and promised to bring iMessage compatibility to Android. It claimed to offer end-to-end encryption and iMessage functionality without collecting user data. However, this software quickly turned out to be highly insecure and not as private as advertised. The company later announced that it would temporarily suspend its services while it investigated the security issues raised.
In a blog post also published today, Sunbird acknowledged the security vulnerabilities. However, the company says some of the claims made about it are false and denies ever using BlueBubblesApp as part of its infrastructure.
The company added that the new architecture (AV2) has replaced the old architecture (AV1) that “leveraged Firestore for message temporary storage.” This new architecture integrates RCS and is said to have “user privacy as its core tenet.”
Sunbird further states the following about AV2:
- Unencrypted messages are not stored anywhere on disk or in the database. When a message is decrypted and passed to iMessage and the RCS/Google Messages network, it remains in memory for only a limited period of time. In front-end apps, messages are only stored encrypted within the in-app database.
- Static files sent through the Service are stored in secure cloud storage buckets that are encrypted both in transit and at rest. These are protected by permissioned URLs to prevent unauthorized access and are permanently deleted from Sunbird systems within 48 hours of being sent or received.
- All communication from Sunbird apps to the Sunbird API is secured at the transport layer through HTTPS or MQTTS protocols.
- MQTTS brokers are protected by strict access control lists that ensure that users can only access the broker topics assigned to them and no other topics.
- Additionally, the content of the message payload itself is fully controlled by the client and is encrypted at the application layer using AES encryption with an encryption key held only in memory on the Sunbird side. Messages pass through the Sunbird system in an encrypted state and are decrypted (in memory) only upon transfer of the message to the native messaging platform.
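The broker ACL claim above is easy to get wrong when subscriptions contain wildcards, so here is a sketch of the check a reviewer would want to see. It is an added example, not Sunbird's code: the `users/<id>/...` topic layout and the function names are assumptions made for illustration.

```python
# Added example: per-user MQTT topic ACL check.
# The topic layout users/<id>/... is hypothetical, not taken from Sunbird.

def filter_within(grant: str, requested: str) -> bool:
    """True only if every topic the requested filter can match is also
    matched by the granted filter (filter containment, not string equality)."""
    g, r = grant.split("/"), requested.split("/")
    for i, granted_level in enumerate(g):
        if granted_level == "#":
            return True            # '#' covers the parent level and all below
        if i >= len(r):
            return False           # request is shorter than the grant
        if granted_level == "+":
            if r[i] == "#":
                return False       # '#' is broader than a single level
            continue               # '+' covers any one level, even '+'
        if r[i] != granted_level:
            return False           # a wildcard here would widen the grant
    return len(r) == len(g)


def acl_for(user_id: str) -> list[str]:
    """Each user is granted only their own subtree."""
    return [f"users/{user_id}/#"]


def authorize(user_id: str, topic_or_filter: str) -> bool:
    """Decide a publish topic or subscribe filter against the user's ACL."""
    # An identifier containing '/', '+' or '#' would turn the grant itself
    # into a wildcard, so reject it before building the pattern.
    if not user_id or any(c in user_id for c in "/+#"):
        return False
    return any(filter_within(g, topic_or_filter) for g in acl_for(user_id))


if __name__ == "__main__":
    for who, what in [("alice", "users/alice/inbox"),
                      ("alice", "users/+/inbox"),
                      ("alice", "#"),
                      ("+", "users/bob/inbox")]:
        print(who, what, "ALLOW" if authorize(who, what) else "DENY")
```

The check compares filters rather than concrete topics, which is why a wildcard subscription is denied even though it overlaps the user's own subtree.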
What’s oddly striking here is that near the end of the blog, the company mentions that it has hired Jared Jordan as an official advisor. It says that Jordan “currently serves as Director of Engineering for the Gmail team at Google.” However, according to Jordan’s LinkedIn page, he left Google in March and is now working at Capital One.
It looks like Sunbird is taking steps to improve privacy and security, and that’s a good thing. However, it’s probably safe to say that you shouldn’t trust all iMessage apps for Android.