this post was submitted on 18 Nov 2023
173 points (98.9% liked)

[–] Ghostalmedia@lemmy.world 48 points 9 months ago (1 children)

Given Nothing and Sunbird’s small market share, I assumed Apple was probably going to let Sunbird slide. Now I hope they bring the hammer down.

E2EE is one of the main points of iMessage. Security minded iMessage users are not going to feel comfortable if a Sunbird user is on the other end.

Sunbird / Nothing needed to play this very carefully. Users are giving them their iCloud credentials and are technically giving them the ability to view encrypted comms, documents, photos, password wallets, health records, etc.

Shit like this is unacceptable.

[–] KrummsHairyBalls@lemmy.ca 12 points 9 months ago (2 children)

> E2EE is one of the main points of iMessage. Security minded iMessage users are not going to feel comfortable if a Sunbird user is on the other end.

You could say the same about RCS. Apple's implementation of RCS next year will not have e2ee, at least not at first.

Can't wait to lose my RCS e2ee thanks to Apple.

[–] LifeInOregon@lemmy.world 20 points 9 months ago* (last edited 9 months ago)

Google only allows E2EE between its own app, though, because there is no E2EE in RCS yet.

You can’t send a message from Google’s RCS supporting app to another RCS app or platform and utilize E2EE.

What Apple’s asking for is to have a standard encryption for RCS rather than a 3rd party implementation.

[–] Ghostalmedia@lemmy.world 12 points 9 months ago* (last edited 9 months ago)

Yeah, to be fair, the current state of encryption has been one of the major grievances with RCS.

The fact that Apple is pushing for a more universal E2E standard, and having Google onboard for it, is a good thing for everyone.

Also, those unencrypted messages will be called out on their clients. Messages on Android gets the no lock icon, and Messages in Apple’s ecosystem gets green bubbles.

This Sunbird thing is some bullshit because people think it’s encrypted, and it isn’t. Unencrypted comms are getting blue bubbled.

[–] JackGreenEarth@lemm.ee 5 points 9 months ago (3 children)

SMS is also plain text, what's the big deal?

[–] ChaoticEntropy@feddit.uk 43 points 9 months ago

The premise of the app is not sending plain text messages.

[–] Ghostalmedia@lemmy.world 10 points 9 months ago

E2E encryption is one of the main points of iMessage.

Giving your iCloud credentials to someone that isn’t Apple is already kind of shady. They needed the security around this product to be bulletproof. I don’t know why anyone would be quick to trust Sunbird after this.

[–] CameronDev@programming.dev 4 points 9 months ago (3 children)

Probably a privacy policy issue? It's okay to do stuff in plaintext, but the privacy policy must make that clear.

[–] breadsmasher@lemmy.world 17 points 9 months ago

Literally from their FAQ

> Are my messages secure? Yes, Nothing Chats is built on Sunbird’s platform and all Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

And regardless, if they removed this line and added a privacy policy like “we do not encrypt messages and can read them whenever we like”, that should kill their entire platform.

[–] sanpo@sopuli.xyz 8 points 9 months ago

No, read the article. App claimed to be end-to-end encrypted, it was anything but.

[–] Ghostalmedia@lemmy.world 3 points 9 months ago (1 children)

Yeah, but what about the other user who’s texting a sunbird client and thinks everything is E2E encrypted?

[–] Apollo2323@lemmy.dbzer0.com -4 points 9 months ago* (last edited 9 months ago) (1 children)

Security and privacy minded people don't use iMessage and not even an iPhone. The ecosystem is so closed that you don't know what's going on behind just Apple.

[–] Ghostalmedia@lemmy.world 0 points 9 months ago (1 children)

Do you have anything substantive to say around E2EE encryption on iMessage?

The whole point of E2EE is so that a middle man, including Apple, cannot read it. Apple has been very publicly opposed to providing encryption backdoors that could be accessed by Apple, law enforcement, etc. Backdoors usually get sniffed out and become widespread security vulnerabilities.

[–] Apollo2323@lemmy.dbzer0.com 1 points 9 months ago (1 children)

That's their marketing strategy. Selling you a device no one can spy on you except us. ;)

[–] Ghostalmedia@lemmy.world 0 points 9 months ago

That’s not how E2EE works. If they did have a back door, that would eventually get exploited and we’d all learn about it.

[–] autotldr@lemmings.world 5 points 9 months ago

This is the best summary I could come up with:


Nothing has pulled the Nothing Chats beta from the Google Play store, saying it is “delaying the launch until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users text with iMessage, but it required allowing Sunbird, who provides the platform, to log into users’ iCloud accounts on its own Mac Mini servers, which... isn’t great?

The removal came after users widely shared a blog from Texts.com showing that messages sent with Sunbird’s system aren’t actually end-to-end encrypted — and that it’s not hard to compromise it.

The app launched in beta yesterday after being announced earlier this week.

9to5Google pointed to a thread from site author Dylan Roussel, who found that part of Sunbird’s solution involves decrypting and transmitting messages using HTTP to a Firebase cloud-syncing server and storing them there in unencrypted plain text.

Roussel posted that the company itself has access to messages because it logs them as errors using Sentry, a debugging service.

Sunbird claimed yesterday that HTTP is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”


The original article contains 282 words, the summary contains 187 words. Saved 34%. I'm a bot and I'm open source!