Updated on November 23, 2023
Nothing Chats, an iMessage clone recently launched by Nothing, has been swiftly removed from the Google Play Store, with “bugs” officially cited as the reason. However, an in-depth analysis reveals deeper security concerns that may have prompted its sudden disappearance.
Unveiling Security Issues
Investigations by Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa exposed critical security flaws at Nothing’s service provider, Sunbird. Contrary to claims of end-to-end encryption, Sunbird was found sending unencrypted JSON Web Tokens (JWT) to another server, jeopardizing user data.
Breach Details
Users signing up for Nothing Chats via Sunbird servers using their Apple ID faced potential privacy breaches. The JWT, initially encrypted, was transmitted without SSL, allowing it to be intercepted in transit. Worse still, messages were decrypted and stored on Sunbird servers, granting attackers an opportunity to access sensitive data before users. A simple demonstration by Texts.com revealed how a mere 23 lines of code could compromise user information and conversations.
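A defender-side check for the failure described above, added here as an example that is not code from the article, Texts.com or Sunbird: it scans captured request records for JWT-shaped tokens sent to non-TLS URLs and reports only the signing algorithm and claim names, never the token. The record layout, hosts and sample token are constructed for illustration.

```python
import base64, json, re
from urllib.parse import urlsplit

# Three base64url segments joined by dots: the compact JWT shape.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")

def decode_segment(seg):
    """Base64url-decode one JWT segment into a dict; None if it is not JSON."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # bad padding, invalid UTF-8 or invalid JSON
        return None
    return obj if isinstance(obj, dict) else None

def find_cleartext_jwts(requests):
    """Return one finding per JWT carried in a request to a non-TLS URL."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() in ("https", "wss"):
            continue  # token is protected in transit
        fields = dict(req.get("headers", {}), query=parts.query, body=req.get("body", ""))
        for name, value in fields.items():
            for m in JWT_RE.finditer(value):
                header, payload, _sig = m.group(0).split(".")
                hdr = decode_segment(header)
                if hdr is None or "alg" not in hdr:
                    continue  # dotted string, but not a JWT
                claims = decode_segment(payload) or {}
                # Record claim names only, never the token or claim values.
                findings.append({"host": parts.hostname, "field": name,
                                 "alg": hdr["alg"], "claims": sorted(claims)})
    return findings

def b64url_json(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token and traffic; hosts, claims and signature are made up.
SAMPLE_JWT = ".".join([b64url_json({"alg": "HS256", "typ": "JWT"}),
                       b64url_json({"sub": "user-1", "exp": 1700000000}), "c2lnbmF0dXJl"])
AUTH = {"Authorization": "Bearer " + SAMPLE_JWT}
SAMPLE_REQUESTS = [
    {"url": "http://relay.example.test/v1/session", "headers": AUTH},   # flagged
    {"url": "https://api.example.test/v1/session", "headers": AUTH},    # TLS, skipped
    {"url": "http://relay.example.test/health",
     "headers": {"X-Build": "buildtag.candidate.20231123"}},            # not a JWT
]
```

Calling `find_cleartext_jwts(SAMPLE_REQUESTS)` yields a single finding for the plain-HTTP request that carries the bearer token.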
Accountability and Implications
While Sunbird bears direct responsibility for the privacy lapse, Nothing’s association implicates the company. Addressing the situation as mere “bugs” appears disingenuous, especially when user privacy is at stake.
Future of Nothing Chats
The app’s return to the Play Store remains uncertain. Users are advised to exercise caution, especially since the availability of Apple’s RCS support renders third-party logins unnecessary. Nothing must address the security concerns transparently before relaunching the app.