Yeah, so they didn't reverse engineer anything, they literally take your password and then have you approve them registering a Mac mini they control as a trusted device in iCloud.
At that point they have access to your entire iCloud account: messages (obviously), docs, browser history, browser tabs, iTunes/App Store account if you're using a single account, etc. Oh yeah, and that Mac mini is now a trusted device, so it can approve adding new devices to your account if they're compromised (or malicious, but lets give them the benefit of the doubt).
Now based on the problems presented in this article I don't think I would trust their data management or security practices at all, they clearly don't give a damn about customer privacy (beyond their already overt removal of message privacy/e2ee).
> The app promised to let Nothing Phone 2 users text with iMessage, but it required allowing Sunbird, who provides the platform, log into users’ iCloud accounts on its own Mac Mini servers, which... isn’t great?
Can you register multiple iCloud accounts to a given Apple device and use both simultaneously? I can't otherwise see how this could possibly be cost effective, or feasible, or scalable.
At that point they have access to your entire iCloud account: messages (obviously), docs, browser history, browser tabs, iTunes/App Store account if you're using a single account, etc. Oh yeah, and that Mac mini is now a trusted device, so it can approve adding new devices to your account if they're compromised (or malicious, but lets give them the benefit of the doubt).
Now based on the problems presented in this article I don't think I would trust their data management or security practices at all, they clearly don't give a damn about customer privacy (beyond their already overt removal of message privacy/e2ee).