Even when it was initially announced, Nothing Chats seemed like a sketchy idea at best. You’ll find plenty of methods for bringing iMessage to Android — either by routing messages through your own Mac or through a remote server farm — but a phone manufacturer throwing its weight behind one of these solutions certainly raises the stakes. It only took a few hours following the launch of Nothing Chats for the earliest security concerns to pop up online. Now, just a day after the app hit the Play Store, it seems like the dream of Nothing Chats might be turning into a nightmare.
From the jump, Nothing has been advertising its product — a rival to similar apps like Beeper or AirMessage — as a way to send end-to-end encrypted messages to iMessage users. Yesterday, following the app’s launch on the Play Store, Kishan Bagaria (who founded Texts, another competing service) tweeted that the platform was sending credentials over plaintext HTTP rather than HTTPS, something you don’t necessarily want to see from a platform claiming to be privacy-focused. In a statement, Nothing downplayed these findings, effectively claiming the whole thing was blown out of proportion because its encryption keys are transmitted over HTTPS.

Not so fast. The folks at 9to5Google published a scathing article this morning, tying their own findings with Twitter user Wukko to prove that things are much worse than you might’ve thought. It’s a one-two privacy punchout: the app uses a developer troubleshooting service called Sentry to log every single message in plain text, while also storing that data unencrypted in Firebase for virtually anyone to find. It’s not just your text messages — it’s images, videos, usernames, phone numbers, and anything else sent directly through the app. And considering Nothing Chats specifically requests that its users send their data to contacts through a vCard, that’s a very big problem.
9to5Google’s Dylan Roussel broke down his findings further in a Twitter thread, highlighting that more than 600,000 pieces of media were, effectively, publicly available. This number includes 2,300 vCards, all of which are downloadable from Nothing’s Firebase server, alongside images, PDFs, and more. As this report lays out, all of this data is available and accessible in real time to any user that authenticates with the app’s insecure JSON Web Tokens. Texts also expanded on its own initial findings, demoing these vulnerabilities in an expansive blog post.
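The Sentry finding above is the kind of leak a messaging client avoids by scrubbing events before they leave the device. The following is an added example, not code from Nothing, Sunbird, or the reports cited here: a callback in the shape of Sentry’s `before_send` hook that redacts message bodies, attachments, and phone numbers from a constructed sample event (the event layout and field names are assumptions made for illustration).

```python
import re

# Field names that carry chat content or identity data and must never reach a
# crash/telemetry backend. These names are assumptions for this example.
SENSITIVE_KEYS = {"text", "body", "content", "attachments", "vcard",
                  "phone", "phone_number", "username", "password"}
# Deliberately aggressive: anything that looks like a phone number is redacted,
# even at the cost of occasionally hitting a timestamp-like string.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
REDACTED = "[redacted]"


def scrub(value):
    """Recursively redact sensitive keys and phone-number-like strings."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return PHONE_RE.sub(REDACTED, value)
    return value


def before_send(event, hint):
    """Same signature as the Sentry SDK hook: sentry_sdk.init(before_send=before_send).

    Returns the scrubbed event. Breadcrumbs are dropped outright because in a
    chat client they routinely capture typed message text.
    """
    event.pop("breadcrumbs", None)
    return scrub(event)


# Constructed sample event modelled on what a chat client might attach on an
# error. Not real data.
SAMPLE_EVENT = {
    "message": "send failed",
    "extra": {"chat": {"to": "+1 555 010 0199", "text": "see you at 5",
                       "attachments": [{"name": "contact.vcf",
                                        "vcard": "BEGIN:VCARD..."}]}},
    "user": {"username": "alice", "id": "u-123"},
    "breadcrumbs": {"values": [{"message": "typed: hello"}]},
}

if __name__ == "__main__":
    print(before_send(dict(SAMPLE_EVENT), None))
```

The hook leaves the diagnostic fields (error message, opaque user id) intact, so the report is still useful to developers without carrying the conversation itself.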

According to 9to5Google, the publication alerted Nothing to these security flaws after discovering them Friday night. Though the company did not initially announce any specific actions taken towards its app, based on reports across Reddit, users who should have had access to Nothing Chats based on their location could not download the app from the Play Store. Sure enough, shortly before the publication of this story, Nothing confirmed on Twitter in a statement that the launch was “delayed” to fix “several bugs,” which, uh, sure is putting it lightly.
If you’re a Nothing Phone 2 user feeling bummed out about this turn of events, it’s worth noting that Nothing Chats in general appeared fairly broken when trying to send messages on Friday. My colleague Taylor Kerns and I were testing the service for a hands-on that, frankly, probably will never happen at this point, with nearly every message sent either delayed or missing entirely. Thankfully, we used a fresh, burner Apple ID with this service — it’s obvious you should not be handing your data over to Nothing or Sunbird.
It’s going to be difficult for Nothing to overcome the massive breach in trust that its messaging platform has stirred up here. As a smaller brand in the larger Android ecosystem, Nothing effectively depends on tech-savvy users and reviewers recommending its hardware to regular buyers, and a rollout as botched as this one makes that a whole lot harder. Trusting Sunbird to handle an iMessage workaround seems to have been a massive misstep in its overall direction; even worse, though, is how quickly users around the web found these holes in its security. Either Nothing lied about its messaging application being encrypted, or it didn’t take the time to test these protocols for itself. Either way, it’s a very, very bad look.
Oh, and to be completely clear, you should not use Nothing Chats or Sunbird, whether or not it’s accessible on the Play Store. Stay far away.