Update: Security Incident Remediation and Re-Launch

April 5, 2024

To Our Sunbird Community:

Following reports of security vulnerabilities in the Sunbird platform last November, we're taking this opportunity to update you on our findings, the current status, and our approach to remediating these issues in the upcoming relaunch of the Sunbird app.

What happened?

In November 2023, soon after the beta announcement of the Sunbird app, a group of researchers reverse engineered the app and identified security vulnerabilities in the Sunbird platform. 

At a high level, the vulnerabilities included:

We immediately pulled the Sunbird app from the Play Store, deleted all static files from our Firebase, and began the process of rebuilding our technical architecture to address these vulnerabilities.

Use of an Unencrypted HTTP API Call

At launch, one vulnerability was the use of the unencrypted HTTP protocol for a single call made to our backend API: the /register endpoint, which the app uses to signal the start of an iMessage session. The use of HTTP for this one endpoint was inadvertently left in by our development team. While it did not expose or reveal any end-user or Apple credentials, it did leave unprotected the Firebase-issued JWT token that Sunbird uses to secure access to our API. With the JWT susceptible to interception over unprotected networks, an unauthorized party could potentially receive and send messages on behalf of the user to whom the JWT was issued. Possession of the JWT did not, however, allow anyone to send or receive messages for any other user of the Sunbird app. This vulnerability was swiftly mitigated by immediately disabling the HTTP endpoint and redirecting all calls to HTTPS.
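As an added illustration of the mitigation described above (not Sunbird's code; the host name, the handler interface and the session-start handler are constructed for the example), the guard below refuses to serve an API route over plaintext HTTP. It redirects safe methods, rejects anything that carries a body or bearer token rather than redirecting it, and logs the fact that a token arrived in the clear without logging the token itself:

```python
import logging
from typing import Callable, Dict, List, Tuple

logger = logging.getLogger("https_guard")

# Constructed host for this example; Sunbird's real API host is not given on the page.
API_HOST = "api.example.invalid"

# A response is (status line, headers, body). The handler interface is a
# simplified stand-in for a real WSGI/ASGI app, chosen to keep the example short.
Response = Tuple[str, List[Tuple[str, str]], bytes]
Handler = Callable[[Dict[str, str]], Response]


def request_scheme(environ: Dict[str, str]) -> str:
    """Client-facing scheme. Behind a TLS-terminating load balancer the
    original scheme arrives in X-Forwarded-Proto; this example assumes that
    header is set only by a trusted proxy and stripped from client input."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def enforce_https(environ: Dict[str, str], app: Handler) -> Response:
    """Refuse to serve any API route over plaintext HTTP.

    - Safe methods (GET/HEAD) get a 301 to the https:// equivalent.
    - Anything else (such as the POST a session-start call would use) is
      rejected with 403: a redirect cannot unsend a body or bearer token the
      client already transmitted in the clear, so the client must be fixed.
    - The handler is never invoked for a plaintext request.
    - HTTPS responses carry HSTS so compliant clients keep using TLS.
    """
    path = environ.get("PATH_INFO", "/")
    if request_scheme(environ) != "https":
        if environ.get("HTTP_AUTHORIZATION", "").startswith("Bearer "):
            # Log the fact, never the token: it should now be treated as exposed.
            logger.warning("bearer token received over plaintext on %s", path)
        if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
            location = f"https://{API_HOST}{path}"
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            return ("301 Moved Permanently", [("Location", location)], b"")
        return ("403 Forbidden", [("Content-Type", "text/plain")],
                b"plaintext HTTP is not accepted for this API; use https://")
    status, headers, body = app(environ)
    headers = list(headers) + [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
    return status, headers, body


def register_handler(environ: Dict[str, str]) -> Response:
    """Stand-in for the /register session-start handler (constructed)."""
    return ("200 OK", [("Content-Type", "application/json")], b'{"session": "started"}')


def handle(environ: Dict[str, str]) -> Response:
    """Entry point: every request passes through the HTTPS guard first."""
    return enforce_https(environ, register_handler)
```

The design point is that a server-side redirect only protects future requests: the JWT in the first plaintext request has already crossed the network, so the client build must stop emitting the HTTP call and any token seen over plaintext should be rotated.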

Storage and Visibility of Static Files (vCards)

Another vulnerability discovered was the presence of over 600,000 static media files, including vCards containing contact information for users of the Sunbird system. The root cause was a misconfiguration of the access control rules for the static media hosting bucket. The scope of this vulnerability was that anyone able to intercept a JWT token (as described above) could potentially access any of those files. It is important to note, however, that these files were not publicly accessible to unauthenticated users or to anyone without a valid Firebase-issued JWT. To address this, the Sunbird team has migrated to permissioned URLs that restrict access to any static file sent on the system to its intended recipient only. Further, we implemented cleanup logic to purge all static files from the bucket after a maximum of 48 hours.
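The two controls named above, recipient-bound URLs and an age-based purge, as an added example. This is a generic HMAC-signed URL scheme written for this page, not Firebase Storage's or Google Cloud Storage's own signed-URL mechanism or Sunbird's implementation; the signing key, host, object paths and user ids are all constructed:

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; a real deployment loads the key from a
# secret manager and serves from its own media host.
SIGNING_KEY = b"example-only-signing-key"
BASE_URL = "https://media.example.invalid"
MAX_OBJECT_AGE = 48 * 3600  # seconds; mirrors the 48-hour purge window


def _mac(object_path: str, recipient: str, expires: int) -> str:
    """Bind path, recipient and expiry together so none can be swapped."""
    msg = f"{object_path}\n{recipient}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(object_path: str, recipient: str, ttl_seconds: int = 600,
             now: Optional[int] = None) -> str:
    """Issue a URL usable only by `recipient` and only until it expires."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"to": recipient, "exp": expires,
                       "sig": _mac(object_path, recipient, expires)})
    return f"{BASE_URL}/{object_path}?{query}"


def authorize(url: str, requester: str, now: Optional[int] = None) -> bool:
    """Server-side check at fetch time. True only when the signature is
    intact, the URL is unexpired, and the authenticated requester is the
    recipient the URL was issued to. Possessing the link is not enough."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        recipient = query["to"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    object_path = parts.path.lstrip("/")
    if not hmac.compare_digest(sig, _mac(object_path, recipient, expires)):
        return False  # path, recipient or expiry was tampered with
    if now >= expires:
        return False
    return hmac.compare_digest(requester, recipient)


@dataclass
class StoredObject:
    path: str
    created_at: int  # unix seconds


def select_for_purge(objects: List[StoredObject], now: int,
                     max_age: int = MAX_OBJECT_AGE) -> List[str]:
    """Paths a scheduled cleanup job should delete: anything at or past max_age."""
    return [o.path for o in objects if now - o.created_at >= max_age]
```

The check that matters is the last line of `authorize`: the bucket must know who is asking, so the download endpoint authenticates the caller first and only then compares the caller's identity with the recipient baked into the signature. A signed URL with an expiry but no recipient binding would still be forwardable to anyone within its lifetime.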

Storage of Unencrypted Messages in a Firebase Database

A further vulnerability identified was the temporary storage of received messages in a Firebase real-time data store. Sunbird's iMessage integration previously relied on messages received from iMessage being stored unencrypted in a Firebase database until the front end app could receive and download them, at which point they were deleted. It is important to note that while messages were temporarily stored in the Firebase database, they were deleted either upon download by the front end app or automatically after 24 hours. Further, at no time was any unauthorized user able to access or read any messages sent or received through Sunbird by another user.

Other Issues

Finally, one of the vulnerabilities discovered was the logging of message data to Sentry, a third-party application monitoring and logging platform. Sentry was employed as a debugging tool for Sunbird while under development, which included logging test messages to Sentry. Our intention was to disable this logging upon the app's release; however, this step was unfortunately overlooked. We have since conducted a thorough review of our entire front end and back end code base and removed any logging in the system that could potentially include unencrypted message data or personally identifiable information of our users.
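Removing message and PII logging at the source is the primary fix; a second layer is a scrubber on the error-reporting client so that an overlooked log line cannot leak. The function below is an added example of such a hook, written for this page rather than taken from Sunbird, and it assumes a Sentry-style event dictionary (`message`, `extra`, `user`, `breadcrumbs`, `request`); the field names treated as message content and the sample event are constructed. The real hook points are `sentry_sdk.init(before_send=..., send_default_pii=False)`.

```python
import copy
import re
from typing import Any, Dict, Optional

# Keys whose values are message content or direct identifiers. This list is an
# assumption about one application's event shape; adapt it to your own fields.
SENSITIVE_KEYS = {"body", "message_body", "text", "vcard",
                  "phone", "phone_number", "email", "contacts"}
# Breadcrumb categories that are removed outright, because free-text message
# content cannot be reliably recognised by pattern matching.
DROP_CATEGORIES = {"imessage", "sms", "rcs"}

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact_text(s: str) -> str:
    """Replace e-mail addresses and phone-number-like runs in free text."""
    return PHONE_RE.sub("[phone]", EMAIL_RE.sub("[email]", s))


def _scrub(value: Any) -> Any:
    """Recursively redact sensitive keys and pattern-match remaining strings."""
    if isinstance(value, dict):
        return {k: "[redacted]" if k.lower() in SENSITIVE_KEYS else _scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


def before_send(event: Dict[str, Any], hint: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Sentry-style before_send hook: returns the event to transmit.
    The input is not mutated, so the caller's copy is unaffected."""
    event = copy.deepcopy(event)
    # Request bodies and cookies are removed, not redacted: they can carry
    # bearer tokens and message payloads in arbitrary shapes.
    if isinstance(event.get("request"), dict):
        event["request"].pop("data", None)
        event["request"].pop("cookies", None)
    if isinstance(event.get("breadcrumbs"), dict):
        values = event["breadcrumbs"].get("values", [])
        event["breadcrumbs"]["values"] = [
            b for b in values if b.get("category") not in DROP_CATEGORIES]
    for key in ("message", "logentry", "extra", "contexts", "tags",
                "user", "request", "breadcrumbs"):
        if key in event:
            event[key] = _scrub(event[key])
    return event


# Constructed sample event; the phone number and addresses are fictitious.
SAMPLE_EVENT = {
    "message": "delivered to +1 415 555 0100 from alice@example.invalid",
    "extra": {"message_body": "hi bob, see you at 5", "route": "/messages"},
    "user": {"id": "u123", "email": "alice@example.invalid"},
    "breadcrumbs": {"values": [
        {"category": "imessage", "message": "incoming: lunch tomorrow?"},
        {"category": "http", "message": "POST /register 200"},
    ]},
    "request": {"url": "https://api.example.invalid/register",
                "data": {"token": "placeholder-token"}},
}
```

Two choices worth noting: whole categories of breadcrumbs are dropped rather than filtered, because a regex cannot tell "lunch tomorrow?" from an innocuous log line, and the event's `exception` section is left alone so stack traces stay useful for debugging.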

While all of the vulnerabilities mentioned above were real, it is important to note there were some assertions made about the Sunbird app that are not true, including the perceived use of the “BlueBubblesApp” as part of the Sunbird infrastructure. At no point has the BlueBubbles app been a part of or used in any way by Sunbird’s infrastructure.

Moving Forward:

The discovery of vulnerabilities within the Sunbird apps was a stark reminder of our responsibilities toward user privacy and security. Following the identification of these issues and the consequent suspension of the Sunbird system, we were presented with a choice. We could have opted for a quick fix to patch these vulnerabilities, potentially allowing us to reinstate the Sunbird app on the app store within a few short weeks. However, we recognized that such an approach would not align with our core values or our unwavering commitment to the privacy and security of our users.

We decided to take the opportunity to thoroughly reevaluate both our technical implementations and our organizational processes from the foundation up. This decision was driven by our belief in the paramount importance of trust and safety in our platform. It reflects our dedication to not just resolving the immediate issues at hand but also to ensuring that we uphold the highest standards of security and privacy for our community in the long term.

Technical Changes to Sunbird’s iMessage Architecture

From a technical perspective, at the root of certain vulnerabilities discovered was the fact that the iMessage implementation in Sunbird was released on an older architecture (which we refer to as 'AV1') that leveraged Firestore for temporarily storing messages on our servers until the front end app could retrieve them. This AV1 architecture is a legacy piece of software which we have now replaced with our RCS implementation, built on a newer architecture (called 'AV2') with the maintenance of user privacy as the central tenet of its implementation. For instance, in AV2, message delivery and security are achieved through an MQTTS message broker (MQTT, an OASIS standard, carried over TLS). AV2 was created from the ground up with the following tenets central to its development:

Since November, the Sunbird team has worked to migrate the iMessage implementation off of AV1 to the AV2 architecture. With the adoption of AV2, we believe that we’ve not only resolved the security vulnerabilities previously identified, but also provided a secure and privacy oriented foundation for Sunbird’s iMessage integration moving forward.
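A broker keeps users' message streams apart only if its topic authorization is correct. The code below is an added example, not Sunbird's AV2 code, of MQTT topic-filter matching as the OASIS MQTT specification defines it (`+` matches one level, `#` matches all remaining levels and must be last, and wildcards never match `$`-prefixed system topics) together with a per-user access list in the style of mosquitto's `%u` patterns; the ACL rules and user names are constructed:

```python
from typing import Dict, List, Set

# Constructed per-user access list. "%u" is replaced by the authenticated
# username, so every user is confined to their own subtree; the broadcast
# subtree is read-only for everyone.
ACL: List[Dict[str, object]] = [
    {"pattern": "users/%u/#", "access": {"read", "write"}},
    {"pattern": "broadcast/#", "access": {"read"}},
]

FORBIDDEN_IN_USERNAME = set("/+#")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching per the OASIS MQTT specification."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # Wildcards at the first level must not match $SYS-style topics.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, part in enumerate(f_levels):
        if part == "#":
            # '#' is only valid as the last level and matches zero or more
            # remaining levels (so "a/#" also matches "a").
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if part != "+" and part != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def authorized(user: str, topic: str, action: str,
               acl: List[Dict[str, object]] = ACL) -> bool:
    """Decide whether `user` may `action` ('read' or 'write') on `topic`.

    Usernames containing separator or wildcard characters are refused so a
    crafted name cannot widen a pattern after substitution."""
    if any(c in FORBIDDEN_IN_USERNAME for c in user):
        return False
    for rule in acl:
        access: Set[str] = rule["access"]  # type: ignore[assignment]
        pattern = str(rule["pattern"]).replace("%u", user)
        if action in access and topic_matches(pattern, topic):
            return True
    return False
```

When the broker checks a subscription request, the client supplies a filter rather than a concrete topic; passing that filter string through `authorized` as if it were a topic is conservative (a filter such as `users/+/inbox` is denied because `+` does not equal the user's own name), which is the safe direction for an isolation check.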

Organizational Changes

In addition to the technical changes described above, the Sunbird team has made a number of organizational changes to improve our development processes and strengthen our security posture. Sunbird has brought aboard Bobby Gill of BlueLabel to oversee our development and engineering efforts. Bobby brings over 20 years of hands-on experience building secure enterprise and mobile software across many different platforms and programming languages. In his role, Bobby is leading all engineering efforts and working alongside the engineers on a daily basis.

Further, Sunbird has brought on board an independent security consultancy, CIPHER, to perform a rigorous security analysis and penetration test of the Sunbird app and backend. Our security partner conducted what is known as a 'grey box' penetration test on Sunbird. This approach, leveraging the provided documentation, the API, and the communication from the front end app to the backend, enabled them to simulate potential attack vectors. Their aim was to identify any possible weaknesses that could be exploited by malicious actors. The outcome of the penetration testing was affirming: they reported no critical vulnerabilities within the Sunbird app or its backend API. In addition, they specifically attempted to recreate the architecturally present vulnerabilities identified in November 2023 and were unable to do so on the AV2 platform.

Lastly, we’re very excited to announce that we have brought on Jared Jordan, formerly Director of Engineering within the Gmail team at Google, as a formal advisor to Sunbird. Before joining the Gmail team, Jared was the Director of Engineering at YouTube, Leader of Growth APAC Engineering for Netflix, and Growth Senior Software Engineering Manager at Evernote. His extensive experience in building massively scaled consumer applications will be tremendously valuable as we continue to scale up the Sunbird platform.

Sunbird Re-Launch

The past few months have been very sobering for the Sunbird team. Despite the recent challenges we’ve faced, we all believe in the potential of the Sunbird app to bring a world-class unified messaging platform to every Android device. We are committed to regaining our users' and partners' trust, and the entire Sunbird team is focused on relaunching the Sunbird app in early April. We will continue to share updates on our progress and developments.