Nothing Chats, a highly anticipated messaging app that was set to be released for the Nothing Phone 2, has been pulled from the Google Play store. The company announced that it is delaying the launch of the beta version of the app until further notice due to the presence of several bugs that need to be fixed. This decision comes after the app promised to allow users to text with iMessage, a feature that generated a lot of excitement among Android users.
However, the excitement quickly turned to concern when it was revealed that the app relies on Sunbird, a platform provider, which logs into users’ iCloud accounts on its own Mac Mini servers. This raised red flags about the security and privacy implications of allowing a third-party service to access sensitive user data.
The decision to pull the app from the Google Play store came after a blog post from Texts.com was widely shared, revealing that messages sent through Sunbird’s system are not end-to-end encrypted, and that the security of the platform is easily compromised. This revelation called into question the integrity of the app’s security features and raised concerns about the protection of user data.
9to5Google pointed to a thread from site author Dylan Roussel, who discovered that part of Sunbird’s solution involves decrypting and transmitting messages using HTTP to a Firebase cloud-syncing server, and storing them there in unencrypted plain text. Roussel also uncovered that the company itself has access to messages because it logs them as errors using Sentry, a debugging service.
In response to these concerns, Sunbird claimed that HTTP is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.” However, this explanation did little to assuage the concerns raised by the vulnerabilities in the platform’s security.
Texts.com’s blog highlighted that “an attacker subscribed to the Firebase realtime database will always be able to access the messages before or at the moment they are read by the user.” Additionally, the blog pointed out that the company could look at messages in its Sentry dashboard, directly contradicting the claim from Nothing’s FAQ that nobody at Sunbird can access messages sent or received.
The revelations about the security vulnerabilities in the Nothing Chats app have raised serious concerns about user privacy and data protection. Nothing, the company behind the app, has not yet responded to these concerns, despite having been contacted for further comment. This lack of transparency from the company has led to further skepticism about the integrity of the app and the commitment of its developers to addressing the security issues.
In conclusion, the delayed launch of Nothing Chats has raised concerns about the security and privacy of the app, as well as the integrity of the platform provider, Sunbird. The revelations about the vulnerabilities in the app’s security features have led to a loss of trust among potential users, and it remains to be seen how Nothing will address these concerns and rebuild confidence in the security of its messaging app.