Apple is under pressure to open up its messaging platform. Now, Nothing says it has found a way to let people get iMessage support on its Android-based devices — but there’s a catch that seems to mean users must take a dangerous leap of trust.

The Nothing solution certainly fills a gap.

Apple has consistently refused to make iMessage completely compatible with non-Apple devices, even though it offers business messaging. Most users only notice the difference in the color of the message bubble. Some experience other problems, such as when people in group chats share really low-resolution images due to iMessage’s limited compatibility.

Nothing doing…

Nothing doesn’t want it to stay that way, saying, “Bring on the blue bubbles. We believe in windows, not walls. If messaging services are dividing phone users, then we want to break those barriers down.”

What the company promises is that with its system, Nothing device users will gain iMessage compatibility on their device. That means blue bubbles and support for many ‘Apple-only’ features (eventually). The company promises support for other iMessage features, such as group chats and read receipts “will be coming soon.” Once live, the Nothing system will be available in the US, EU, UK, and Canada.

How it works

• People who want to use iMessage on their Nothing phone will have to sign up to join the beta for a service called Nothing Chat.
• During the sign-up process, they’ll be asked to login with their Apple ID. If they do not have an Apple ID, they will be able to create one during sign-up.
• Once logged-in using the ID, messages sent from their Nothing device using the service will appear as blue bubbles on Apple devices.
• It is possible the system will be made available via other Android devices, as Nothing is working with a third-party service called Sunbird to achieve this.
• What’s unclear is whether Apple will change iMessage or find some other way to prevent the service.

What about security?

The company says it is certain the system is secure.

“Nothing Chats is based on the Sunbird platform and all messages are protected by end-to-end encryption,” it wrote. “This means that neither we nor Sunbird have access to the messages you send and receive.” It claims messages are delivered without being stored at any point, meaning messages can only be recovered locally and are not available to Nothing or to Sunbird.

All the same, I have suspicions. The service means that you get to blue bubble your conversations, but it also means you’re just one hack away from having your entire Apple ID in the wild — including all your data, images, payment details, file, and everything else.

If that sounds crazy, here’s why this is the case:

Nothing’s iMessage support relies on the Sunbird messaging app. That app lets people use any messaging service, even if they don’t have the relevant device. But, in order for this to work, the user must sign in with their Apple ID on Sunbird’s Mac servers. Those servers then intercept messages sent to your account and send them to the chat app you’re using with your Nothing device. The service doesn’t store the Apple ID username or password, but does log your ID, and saves a login token. That token can potentially be used to access anything associated with your Apple ID.

Marques Brownlee took a preview of the service, and says it works by “literally signing in on some Mac mini in a server farm somewhere, and that Mac mini will then do all of the routing for you to make this happen.”

A few concerns

Now, I’m sure that both Sunbird and Nothing mean well here. I’m confident the idea of abusing their access to your Apple ID token is far, far, far from their mind. But it’s not going to be too far from less salubrious characters. To those people, the Apple ID tokens stored on those servers become natural targets, and securing those servers will cost money.

Apple has a lot more money than Sunbird or Nothing, which means the company can employ and equip highly experienced security teams to protect Apple ID information on its servers. I expect Apple’s authentication servers experience frequent probes and attacks, but seem to have remained secure so far.

This raises a lot of questions, including: Can Sunbird’s Mac servers ever offer the same degree of security? How long will the company commit to protecting them? When those Mac servers reach EOL what commitment is there that the data on those servers will be deep wiped? What level of insurance does either company offer users in the event they are hacked? Where does the information sit in terms of GDPR and the various territorial data sharing and storage agreements that exist between nation states? What data protection policy is applied to this information, and to what extent can a user choosing to risk Nothing ensure that any information they share (including Apple ID authorization tokens) is removed from those servers when they quit?

Some questions already have answers (maybe)

We have a few answers. Sunbird has servers in the US and in Europe, which may assure some elements of data retention. And a Nothing representative told The Verge that after two weeks of inactivity, Sunbird will delete the account information.

The messaging provider (which is Sunbird) also has what appears in the context of things a fairly concise privacy policy, which you can explore here. That privacy policy says that any personal information it does choose to retain is kept according to a series of criteria, and it describes your rights under various national and regional privacy policies, such as GDPR. Obviously, any IT admin, security expert, or company that has Apple or Android devices in their fleets will need to explore that policy to figure out whether the service meets with their privacy/security requirements.

For me, while it’s easy to concede that making messaging more compatible between platforms makes sense, I wouldn’t recommend any enterprise user or IT admin permit employees to make use of this service on any managed device — certainly not those using any form of managed Apple ID. While Nothing has certainly shown a relatively easy way through which interoperability could be accomplished, it doesn’t yet seem sufficiently market-tested for anyone using sensitive data.

Time will tell, of course, and it does seem plausible that Apple may take its own steps toward interoperability (albeit in response to regulatory pressure) during the coming months. If nothing else, Nothing has raised the level of conversation. Though I wouldn’t share my Apple ID with anyone in any circumstances.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.