Nothing Chats, the iMessage alternative recently launched by Nothing, has been removed from the Google Play Store. Officially, Nothing cites “bugs” as the reason for the removal and promises to fix them before a future relaunch. However, there are indications that the real issue might be serious security concerns. Below, we look at why Nothing Chats was removed and at the security flaw behind it.
Nothing Chats Security Flaw:
Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa conducted a detailed technical analysis. They discovered that Nothing’s service provider, Sunbird, misled users about the end-to-end encryption of messages passing through its servers.
When signing up for Nothing Chats, users had to log in with their Apple ID on Sunbird's servers, which ran on a Mac mini through a virtual machine. Sunbird claimed that messages sent to the servers were encrypted. However, the analysis revealed that the JSON Web Tokens (JWTs) generated by the service were sent without encryption to another Sunbird server, making them vulnerable to interception by attackers.
Additionally, the messages were decrypted and stored on Sunbird servers, giving attackers the opportunity to access them before the intended recipient. Texts.com demonstrated this vulnerability by intercepting a JWT and gaining access to the Firebase Realtime Database. With just 23 lines of code, they could download all user information and conversations.
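To illustrate the first finding above (JWTs sent to a server without encryption), here is an added example, not code from the Texts.com analysis or from Sunbird: a Python check that scans captured request records for JWTs travelling over a non-TLS scheme and lists which claims an eavesdropper could read. The record shape, host names and token contents are constructed assumptions.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# A JWT is three base64url segments; its JSON header encodes to a string starting with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    """Decode one base64url JWT segment to a dict, or None if it is not a JSON object."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded))
        return value if isinstance(value, dict) else None
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None

def find_cleartext_jwts(requests):
    """Return findings for requests that carry a JWT over a non-TLS scheme.
    `requests` holds dicts with "url", "headers", "body" (assumed record shape,
    e.g. an export from an intercepting proxy used during a review)."""
    findings = []
    for req in requests:
        scheme = urlsplit(req["url"]).scheme.lower()
        if scheme in ("https", "wss"):
            continue  # token is protected in transit by TLS
        haystack = " ".join([req["url"], req.get("body", ""), *req.get("headers", {}).values()])
        for match in JWT_RE.finditer(haystack):
            header_seg, payload_seg, _sig = match.group(0).split(".")
            header, claims = _b64url_json(header_seg), _b64url_json(payload_seg)
            if header is None or claims is None:
                continue  # JWT-shaped string that does not decode; skip it
            findings.append({"url": req["url"], "alg": header.get("alg"),
                             "claims_exposed": sorted(claims)})
    return findings

def _sample_jwt(claims):
    """Build a constructed sample token; the signature part is a dummy value."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc(claims)}.c2lnbmF0dXJl'

_TOK = _sample_jwt({"sub": "user-123", "exp": 1700000000})  # constructed claims
SAMPLE_REQUESTS = [  # constructed records; hosts are placeholders
    {"url": "http://api.example.test/v1/session", "headers": {"Authorization": "Bearer " + _TOK}, "body": ""},
    {"url": "https://api.example.test/v1/session", "headers": {"Authorization": "Bearer " + _TOK}, "body": ""},
    {"url": "http://api.example.test/health", "headers": {}, "body": "ok"},
]
```

A JWT's header and payload are only base64url-encoded, not encrypted, so any finding here means the listed claims and the token itself were readable on the wire.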
The privacy issue primarily lies with Sunbird, but Nothing is implicated in choosing to partner with them. Describing the situation as “bugs” was seen as dishonest. Users should be cautious about logging in to third-party servers with sensitive information like an Apple ID, even if encrypted. This warning is especially relevant given Apple’s recent announcement of RCS support. It remains to be seen what state the service will be in when Nothing decides to relaunch the app, and the episode underlines the importance of user privacy in such ventures.
Moreover, it is important to note that Nothing Chats was announced just a couple of days ago. On November 17, Nothing Chats became accessible on the Google Play Store exclusively for users of the Nothing Phone (2). The messaging platform employed Sunbird’s patented process, requiring users to create and validate an Apple ID on an Apple device, which was then used to log in to the Nothing Chats app.
Was Nothing too reckless in launching the feature, given the Nothing Chats security flaw? What do you think?