Nothing Chats, the iMessage clone launched by the company earlier this week, has been pulled from the Google Play Store. The official reason is “several bugs” that the company says it needs time to fix; the relaunch has been delayed indefinitely.
We have removed the Nothing Chats beta from the Play Store and will delay the launch until further notice to work with Sunbird to fix several bugs.
We apologize for the delay and will do good for our users.
— Nothing (@nothing) November 18, 2023
However, there’s enough evidence to support the idea that the app was retired not because of “bugs,” as Nothing says, but rather due to some glaring security issues.
According to an in-depth technical analysis by Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogawa, Nothing’s service provider, Sunbird, was caught lying about the end-to-end encrypted nature of messages routed through its servers.
As explained above, signing up to use Nothing Chats required you to log in with your Apple ID to Sunbird’s servers, which ran on a Mac mini with a virtual machine. Sunbird states that messages sent to its servers are encrypted. However, as the authors named above discovered, the JSON Web Tokens (JWTs) generated by the service are then sent unencrypted to another Sunbird server, without SSL, which allows an attacker to intercept them.
The messaging team took a quick look at the technology behind Nothing Chats and found that it is extremely insecure
it doesn’t even use HTTPS, credentials are sent via HTTP in plain text
the backend runs an instance of BlueBubbles, which doesn’t yet support end-to-end encryption pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
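One way to audit a client for the cleartext-JWT problem described above, as an added example that is not code from Texts.com, Sunbird or Nothing: it scans captured requests for strings that actually decode as JWTs and reports any that were sent to a non-HTTPS URL. The request-record shape, the host names and the sample token are constructed for illustration.

```python
import base64, json, re
from urllib.parse import urlsplit

# JWT compact form: three dot-separated base64url segments (signature may be empty).
JWT_RE = re.compile(r"\b([A-Za-z0-9_-]{8,})\.([A-Za-z0-9_-]{8,})\.([A-Za-z0-9_-]*)")

def _b64url_json(segment):
    """Decode one unpadded base64url segment to a dict, or return None."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
        return obj if isinstance(obj, dict) else None
    except ValueError:  # bad padding, bad UTF-8 and bad JSON all derive from it
        return None

def find_jwts(text):
    """Yield (header, claims) for substrings whose first two parts decode as a JWT."""
    for m in JWT_RE.finditer(text):
        header, claims = _b64url_json(m.group(1)), _b64url_json(m.group(2))
        if header and "alg" in header and claims is not None:
            yield header, claims

def audit(requests):
    """Return one finding per JWT carried by a request that does not use TLS."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() == "https":
            continue
        haystacks = {"url": req["url"], "body": req.get("body", "")}
        haystacks.update({f"header:{k}": v for k, v in req.get("headers", {}).items()})
        for where, text in haystacks.items():
            for header, claims in find_jwts(text):
                # Record where the token was seen, never the token itself.
                findings.append({"url": req["url"], "where": where,
                                 "alg": header["alg"], "claims": sorted(claims)})
    return findings

def _make_sample_jwt():
    """Build a constructed, unsigned-in-practice token for the demo data."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc({"sub": "user-1", "exp": 1700000000})}.c2lnbmF0dXJl'

SAMPLE = _make_sample_jwt()
CAPTURED = [  # constructed proxy-log entries; hosts are placeholders
    {"url": "http://api.example.test/v2/session", "headers": {"Authorization": f"Bearer {SAMPLE}"}},
    {"url": "https://api.example.test/v2/session", "headers": {"Authorization": f"Bearer {SAMPLE}"}},
    {"url": "http://api.example.test/health", "headers": {"Accept": "*/*"}, "body": "ok"},
]

if __name__ == "__main__":
    print(json.dumps(audit(CAPTURED), indent=2))
```

Only the first constructed request is reported: the second carries the same token but over HTTPS, and the third is cleartext but carries no token.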
Additionally, messages are decrypted and then stored on Sunbird servers, where an attacker can access them before the user does. Texts.com demonstrated this by sending some messages between two devices and intercepting the JWT, which gave them access to the Firebase Realtime Database. From that point on, 23 lines of code were enough to download all the users’ information and conversations.
The author has also provided a website where a user with sufficient knowledge of the code can intercept their messages when sending messages between two devices, one of which is running the Nothing Chats app.
@ridafkih @batuhan @1ConanEdogawa I dug a little deeper and found that all incoming text/media is not only stored in plain text, but all outgoing text is also leaked in plain text to a sentinel server pic.twitter.com/GOqiatPNaE
— Kishan Bagaria (@KishanBagaria) November 18, 2023
To be clear, the privacy issue is directly Sunbird’s fault. However, by choosing to collaborate with the company, Nothing also implicated itself in the matter. Furthermore, addressing this rather serious situation as a “bug” was extremely dishonest.
We will have to see what state the service is in when Nothing decides to put the app back on the store. It goes without saying that you probably shouldn’t log in to a third-party service’s servers with your Apple ID, even if it were encrypted. But it seems especially useless now that Apple has announced RCS support.