The Sunbird Situation

The past few days have been quite the rough ride for Sunbird, a competitor of Beeper among security concerns raised by the community. When it comes to unified messaging apps, Sunbird has always been the runt of them all, being closed-source (and no sign of change), very buggy, slow development, and a plethora of other reasons. However recently, Nothing made a partnership with Sunbird, which made the app more mainstream with Nothing Phone 2 users now getting access to “Nothing Chats”, a divergent of Sunbird. However, this partnership has gone very south recently.

Rising Concerns

Community members have raised concerns about the app’s privacy for quite a long time, pointing out trackers found in the decompiled app’s code. Sunbird later banned this member and did not allow discussion of this incident. However three days ago, November 18 2023, multiple members found a fatal vulnerability. The initial request to the Firebase DB is made using HTTP, rather than HTTPS – the secure version. Many of us wonder how in the world a mistake like this was made – many people pointed out that a simple 14 year old could identify and fix this issue with some tech knowledge, and implementing HTTPS is an extremely easy task to do. A proof-of-concept showing how this could be exploited can be found [here], and shows the true impact of user’s privacy. Every user that has ever used Sunbird now has some amount of information leaked online.

Sunbird’s Response

Days later, Sunbird shut down their service due to these security concerns, and their app has been pulled both from the Apple App Store and the Google Play Store. Nothing’s relationship with Sunbird seems to be dwindling in light of this situation, as Nothing probably had no idea who they were dealing with. Amid these leaks, Sunbird still holds their stance on having their app closed-source – a foolish decision since they have the least transparency and user trust than any other unified messaging platform to begin with!

Current Sentiment

Many users have since left, but few are still foolishly siding with Sunbird, not knowing the benefits of using generally better apps such as Beeper. After communicating with some of the Sunbird community members about the truth of what is happening, many others (including those who made the proof-of-concept demonstration, those who raised concerns about trackers, and even those who said anything positive about Beeper) have been banned – I myself have gotten a lengthy timeout. The only thing that surprised everyone is how long it is taking Sunbird to correct this issue…we were all generally aware about security concerns and failing user trust, but this entire situation has been enlightening for everyone, and will continue to be once this gets resolved.

The Future of Sunbird

Sunbird’s future is ultimately unsure. However this has left a astonishing mark on their reputation and will never fully recover from this, after a lot of time, work, and consideration it will be added back to app stores. I believe Sunbird unfortunately will live on, but I also believe that Beeper will reign supreme in the long run, and that Sunbird’s tarnished trust with its users will only slightly heal, especially when we find more vulnerabilities. But for now, Sunbird’s reputation is very much dwindling, and we are unsure if Nothing will continue their partnership.