Can an Android OEM really just hack its way into Apple’s iMessage? That is the hard-to-believe plan from upstart phone manufacturer “Nothing,” which says the new “Nothing Chats” will allow users to use “iMessage on Android” complete with a blue bubble sent to all their iPhone friends.
Nothing Chats will be powered by Sunbird, an app developer that has claimed to be able to send iMessage chats for about a year now, with no public launch. According to a Washington Post article with quotes from the CEOs of Nothing and Sunbird, Nothing will “start” rolling out “an early version” of Nothing Chats with iMessage compatibility on Friday. The only catch, supposedly, is that you’ll need a Nothing Phone 2.
Is this for real or a publicity stunt? Apple is on record saying that iMessage on Android would only serve to weaken Apple, and it doesn’t want to do that. Surely, any Android OEM offering “iMessage” support would immediately have the project shut down by Apple.
The quotes in the Post article from Nothing and Sunbird come across as a dare more than anything else. Nothing CEO Carl Pei told the paper, “There’s nothing illegal about this setup. I think whatever we do is gonna be passed along within Cupertino, but we’re so small that it will look really bad if Apple takes any action.” Sunbird CEO Danny Mizrahi added, “We don’t see a scenario where Apple tries to, or can, block these messages. Apple’s focus has openly been on providing the best experience to their end users and both Nothing Chats and Sunbird help with that.”
It’s hard to believe something like this could be a long-running service, and it seems destined to be immediately shut down.
The many red flags of Sunbird
Sunbird has claimed to be able to send iMessages on Android for a long time, has missed its deadline for launch, and generally doesn’t come off as a serious company. The company announced itself to the world with the promise of iMessage on Android during a press briefing in December 2022. I attended this meeting and did not write about it because Sunbird’s suspect presentation did not meet my standards for a story. To me, the purpose of a press meeting like this would be to overcome the skepticism about the claim that you could imperviously, permanently hack into iMessage. Being honest with the press would have helped, but Sunbird refused to take open questions in its big debut. Sunbird’s PR person approved and asked all the questions, the Zoom chat was turned off, and the company didn’t answer a single one of the basic technical questions.
How does Sunbird work? Why should people trust Sunbird with their ultra-important Apple account credentials, which contain some people’s entire online lives and, in some cases, a literal bank account? How are these credentials secured? Are they stored on Sunbird’s servers somewhere? Doesn’t hacking into iMessage with a third-party client violate Apple’s terms of service, possibly leading to an account ban? Won’t Apple just shut this down the instant you launch? These are all critical and obvious questions that were asked at the meeting, some of them by me, and they all went unanswered. Instead, the Sunbird people focused on how great it would be if the whole world could hold hands and share access to blue-colored chat bubbles. It wasn’t just ridiculous—the company completely failed to convince a skeptical listener that it was for real or acknowledge that there was any skepticism to overcome.
Even today, almost a year later, the company does not answer these questions in its FAQ. Sunbird has a “Privacy & Security” page that doesn’t answer anything about the privacy or security of your Apple credentials. This company just wants to hand-wave away any concerns. To me, without the company offering public, comprehensive explanations around Apple ID security, it seems hard to take it seriously.
The Nothing Chats FAQ at least manages to ask the all-important question of where your Apple ID lives but then quickly changes the subject to messages: “Are any of my messages or Apple ID credentials stored?” “No, Nothing is powered by Sunbird, and Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey. Messages are not stored on Sunbird’s servers and are only live on your device—once a message is delivered, it can only be recovered locally from your personal device.”
When Sunbird announced itself in December 2022, it gave some select members of the press access to the app, and reports said that the app worked. The Washington Post article claims the service works, too, though it doesn’t go into any technical detail about how. One Android Authority article came the closest to giving even the slightest perfunctory explanation of what was going on:
Sunbird has no plans to open-source its technology for bringing iMessage to Android. As such, we didn’t hear a detailed report on how this app works (or at least should work).
However, from what the company did say, it sounds like it has taken the Beeper method—connecting an Android phone to an Apple-based system—and taken a few further steps. First, each individual user doesn’t need their own connected hardware. Sunbird has figured out some way to allow thousands of users to connect to a single machine. Second, the company has also figured out a way to preserve end-to-end encryption through this method, which is something companies like Beeper cannot provide (at least not yet). Once again, Sunbird did not disclose how it does either of these things.
“Beeper” is an open source app that connects to iMessage by forwarding your iMessage through a Mac (there are a few services like this already). Beeper will let you host this yourself on your own Mac or you can do it via a Mac in Beeper’s data center. It’s fair to raise your security concerns with Beeper’s use of an Apple ID, but Beeper is a great example of how to do things in a way that doesn’t feel like a phishing scam. There’s a clear explanation of how it works, especially the line, “We operate a fleet of Mac servers that are used to relay messages between iMessage and Beeper. Each Beeper user is granted a Mac OS user account on a single Mac server.” That sounds like an awful business that isn’t scalable at all, but at least there’s a monetization plan, with “Beeper Plus” eventually going for a $5–$10 monthly fee. So Beeper is a 1:1 data center Mac-to-iMessage forwarding service, while Sunbird, according to Android Authority, has somehow figured out how to set up “thousands” of iMessage accounts on a single Mac.
Sunbird has already missed its launch deadline by quite a bit. In December 2022, Sunbird started taking “waitlist” reservations to get access to the app and promised, “Sunbird will roll out invitations in phases to join the closed beta user group beginning in late 2022,” in other words, later that month. I guess there’s no way of knowing if any beta testers actually got access (I have certainly never heard of a single one), but by April, the company boasted it had 100,000 sign-ups on the waitlist. The company also reported additional daily sign-up rates of “2,500+ per day,” and said that “we’re giving Sunbird to 200 Android app alpha testers at a time.” A lot of this doesn’t add up, like waitlist growth of 2,500 users per day while only adding 200 accounts “at a time,” and the “beta” test now becoming an “alpha” test. There’s also the eyebrow-raising line “Sunbird boasts a 93% success rate for iMessage”—meaning that 7 percent of your messages end up in a black hole?
How the company invites people to its beta (or alpha?) test is its own business, but that April press release also promised a “Summer 2023 launch,” which never happened. Today, the waitlist still exists and still grows. Now, it still isn’t clear if these people will ever get access, with Sunbird’s CEO telling The Washington Post, “for the next few months the only way to get Sunbird is to have a Nothing Phone (2).”
We’ll see on Friday, assuming something happens on that date. Given how poorly Sunbird has explained itself, Apple has a solid argument for shutting the whole project down in the name of security. So don’t give random companies your Apple username and password, especially ones that don’t seem to understand and/or respect the security version of Pandora’s box they are opening.