Security is paramount. It’s a lesson that Android manufacturer Nothing and app company Sunbird learned the hard way last week. The companies had teamed up to launch Nothing Chats, a chat app that boldly claimed it could hack into Apple’s iMessage protocol and offer Android users the coveted blue bubbles.
However, this audacious claim was met with skepticism from the outset, as Sunbird had a track record of making grandiose promises with little to show for it. Despite concerns about its security, Nothing Chats was launched last Friday. The app was met with immediate criticism and was lambasted for its numerous security flaws. The backlash was so severe that within 24 hours, Nothing had removed the app from the Play Store.
Sunbird’s original app, of which Nothing Chat was a rebrand, was also put on hold. The app’s initial selling point was a cause for concern. It claimed that by providing your Apple username and password, it could log you into iMessage on Android. This proposition raised significant security concerns, as it would require Sunbird to have a highly secure infrastructure to prevent a potential disaster.
Unfortunately, the app proved to be as insecure as anticipated. The extent of the security issues was alarming. Investigations by 9to5Google and Text.com revealed shockingly poor security practices. The app was not end-to-end encrypted as claimed by Nothing and Sunbird. Instead, Sunbird logged and stored messages in plain text on the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP, making them vulnerable to interception and misuse.
Check this out. Basically Sunbird was sending text without encryption:
While Sunbird’s claim that they generate and send the JWT over a secured channel are true, the application immediately turns around and sends the JWT back to another Sunbird service hosted on a load-balanced Express server which does not implement SSL, so requests can be easily intercepted by an attacker.
The endpoint in question can be found at `http://monarch.sunbirdapp.com:8888/register` and accepts two fields in a JSON body. `name` which contains our Apple ID, and `token` which contains our JWT.
Transmitting our JWT over an insecure channel is very dangerous, because it acts as an API token which we can use to access all our data. By nature, JWTs cannot be easily invalidated on the server side. If an attacker gets their hands on it, they have unfettered access to the resource it grants until token expiry. In this case, all our account details, messages, attachments, etc., all in realtime.
By not implementing SSL, we’ve compromised level 7 of our OSI model. If an attacker compromises any point along our network pipeline between the application and the aforementioned Express server, our JWT can become compromised and an attacker will gain access to the information we’ve entrusted to Sunbird / Nothing Chats.
The investigation by Text.com uncovered a plethora of vulnerabilities. The blog detailed that messages and attachments were unencrypted on the server side until the client acknowledged and deleted them from the database. This meant that an attacker subscribed to the Firebase Realtime DB could access the messages before or at the moment they were read by the user.
Further, the company argued vociferously that they were in the clear:
Text.com was able to intercept an authentication token sent over unencrypted HTTP and subscribe to changes occurring in the database. This allowed them to receive live updates of account changes and messages from other users. Text.com went a step further and released a proof-of-concept app that could retrieve supposedly end-to-end encrypted messages from Sunbird’s servers. Batuhan Içöz, a product engineer for Text.com, also released a tool that could delete some of your data from Sunbird’s servers. Içöz advised any Sunbird/Nothing Chat users to change their Apple password immediately, revoke Sunbird’s session, and assume their data had already been compromised. Dylan Roussel from 9to5Google also investigated the app and discovered that all public text data, including documents, images, videos, audio, PDFs, and vCards sent through Nothing Chat and Sunbird were public.
Roussel found that Sunbird currently stored 630,000 media files, some of which he could access. The app even suggested that users transfer vCards—virtual business cards full of contact data—resulting in the personal information of over 2,300 users being accessible. Roussel described the entire situation as “probably the biggest ‘privacy nightmare’ I’ve seen by a phone manufacturer in years.” This incident serves as a stark reminder of the importance of robust security measures in the digital age. As technology continues to evolve and intertwine with our daily lives, the need for secure and reliable digital platforms becomes increasingly critical.