Sunbird Security Isn’t Nothing

This might get lost in the OpenAI earthquake happening, but it’s important so I wanted to post about it. (And gosh! A Starship launch, which is amazing. We live in interesting times.) On Tuesday, Nothing, who makes the cleanest and most interesting Android phones (and whose earbuds sound great), announced via my favorite tech video channel, MKBHD, that the phones would support iMessage on Android, so you can be a blue bubble with your friends. This got a lot of pickup!

It got a little buried, though, because on Thursday Apple said it was going to support the RCS standard, which Google and others had been lobbying hard for. However, it’s doing the bare minimum: RCS isn’t actually encrypted, and Apple’s not doing the Google proprietary thing to encrypt it, and so non-Apple people still get green bubbles. (More on that later.)

iMessage on Android (and Windows!) is on the roadmap for Texts, the all-in-one messaging platform Automattic acquired last month. The Texts team is obsessed with security, and that’s part of why the platform is desktop-only right now—to keep everything 100% client-side and fully encrypted in a way that could never be accessed by the team, or have any compromise in the middle, they’ve been taking their time to get the engineering right on the mobile versions. So they poked around the Sunbird app that Nothing partnered with, and it wasn’t pretty. Here’s Texts founder Kishan Bagaria:

The BlueBubbles thing might be a mistake, but seeing the unencrypted data on the wire definitely wasn’t. Sunbird replied and doubled down on Twitter, citing some ISO standard and claiming it was “encrypted.”

Okay! Now you’re caught up to Friday. Texts says Sunbird isn’t secure, Sunbird says it is. He said, she said, right? Not quite—there are receipts. This blog post lays out even more than Kishan tweeted originally and shares code so you can confirm this yourself. tl;dr: Sunbird puts all your iMessages and attachments into Firebase.

What should you take away from this?

Nothing (the company) still makes amazing hardware that you should absolutely check out and use. It’s my favorite Android experience. I think the company got bamboozled by Sunbird, and unfortunately this went mainstream on MKBHD.

Sunbird appears either not to understand security or to lie about it, and probably misled Nothing. I would recommend double-checking what that team claims in the future.

Who should we actually be upset with?

Apple.

You shouldn’t need to jump through all these hoops to have a blue bubble on iMessage. Design can create great things; it can also harm. Apple’s design decisions to “magically” upgrade SMS or texts or RCS into iMessage, which is better and more secure, create a green-bubble ghetto that’s also a terrible user experience for anyone not on an Apple-made device.

I’ve heard stories of teenagers being ostracized because they couldn’t afford an iPhone, of group chats rejecting people who turn the chat from blue to green. I know that sounds petty, but do you remember middle school? It’s about status, and Apple knows that. Everything they make bleeds status and signaling. They’re the best in the world at it, and I should know—I’m typing this post from an M3 Max black MacBook with 128GB of RAM. But while status signaling with amazing hardware and design touches is harmless, in software and social settings it can be harmful.

Regardless of how it started, today the green bubble indicates cheaper, lower-status, less secure. Apple’s half-hearted support of RCS just continues this. Sunbird (and others) shouldn’t need to jump through so many hoops around this stuff by reverse engineering. Apple should open up iMessage APIs so it can be natively supported just like every other 100M+ messaging platform is: Telegram, Signal, WhatsApp, et al. Teens who can’t afford or don’t want an iPhone should be able to have an app that lets them connect with their friends as peers, securely and with all the features that are easy to support in messaging.

Tim Cook, Apple, we love you. Trillion-dollar company, and lots of room still to grow. Allowing iMessage/FaceTime to interoperate (like it used to!) might take .01% off your growth rate, but it’s the right thing for humanity. Yes, I know Google is shady too, and they’re locked in this smartphone death match with you. But take person-to-person communication out of the struggle, make it a DMZ, and be content to compete in all the other areas you’re currently crushing: design, silicon, Continuity, security, privacy, customer experience, retail stores, spatial audio, the list goes on.

I have no idea how to get in touch with YouTubers, but Marques, if you see this, I’m happy to chat about the future of technology, open source, freedom, and privacy.

Update: As I was writing this, the Nothing Chats app has been pulled from the Play store.

Update 2: From my colleague Batuhan:

One thought on “Sunbird Security Isn’t Nothing”

  1. It baffles me. In Europe anyone uses WhatsApp (and Telegram is rising fast). Nobody would ever consider sending an iMessage / SMS first. This is a very strange thing we cannot even fathom. Why don’t you simply use Telegram/WhatsApp?
