Security Concerns Prompt Removal of Nothing Chats from Google Play Store
Nothing, the tech company behind Nothing Chats, faced a setback this week as the iMessage clone was abruptly pulled from the Google Play Store. While Nothing cited “several bugs” as the reason, emerging evidence suggests underlying security issues may be the real cause for the removal.
Nothing Chats Removed from Google Play Store
We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
We apologise for the delay and will do right by our users.
— Nothing (@nothing) November 18, 2023
A technical analysis by Texts.com author Rida F’kih, along with insights from Twitter users @batuhan and @1ConanEdogowa, raised concerns about Sunbird, Nothing’s service provider, and its claims of end-to-end encryption. The sign-up process for Nothing Chats required users to log in with their Apple ID to Sunbird servers operating on a Mac mini with a virtual machine.
The investigation found that JSON Web Tokens (JWT) generated by the service were sent unencrypted to another Sunbird server without SSL, making interception by potential attackers possible. Additionally, messages were decrypted and stored on Sunbird servers, creating an opportunity for unauthorized access before the messages reached the user.
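A release check for the JWT-over-HTTP problem described above, as an added example that is not code from Texts.com, Sunbird or Nothing: it scans request records captured from your own app's test traffic and reports any JWT carried over a non-HTTPS URL, redacting the token in the report. The record layout, the host name and the function names are assumptions made for illustration.

```python
import base64, json, re
from urllib.parse import urlsplit

# JWT headers are JSON objects, so the first base64url segment normally starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def decode_segment(segment):
    """Decode one base64url JWT segment to a dict, or None if it is not a JSON object."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def find_cleartext_tokens(requests):
    """Return one finding per JWT carried by a request whose URL is not https."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() == "https":
            continue  # transport is encrypted; outside what this check looks for
        fields = dict(req.get("headers", {}), body=req.get("body", ""))
        for name, value in fields.items():
            for match in JWT_RE.finditer(value):
                header = decode_segment(match.group().split(".")[0])
                if header is None or "alg" not in header:
                    continue  # JWT-shaped string that is not a JWT
                findings.append({"host": parts.netloc, "field": name,
                                 "alg": header["alg"],
                                 "token": match.group()[:10] + "...(redacted)"})
    return findings

def make_sample_jwt():
    """Constructed token for the sample data; the signature segment is a dummy value."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc({"sub": "user-1"}) + ".c2lnbmF0dXJl"

# Constructed capture records (hypothetical host), not traffic from any real service.
SAMPLE_REQUESTS = [
    {"url": "http://api.example.test/login",
     "headers": {"Authorization": "Bearer " + make_sample_jwt()}, "body": ""},
    {"url": "https://api.example.test/sync",
     "headers": {"Authorization": "Bearer " + make_sample_jwt()}, "body": ""},
    {"url": "http://api.example.test/ping", "headers": {}, "body": "eyJxxx.yyy.zzz"},
]

if __name__ == "__main__":
    for finding in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(finding)
```

Run against the sample records, only the plaintext login request is reported; the HTTPS request and the JWT-shaped string that does not decode are skipped.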
texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecure
it’s not even using HTTPS, credentials are sent over plaintext HTTP
backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
Texts.com demonstrated the vulnerability by intercepting JWTs and accessing the Firebase realtime database, highlighting the potential risk to user information and conversations. This privacy lapse falls squarely on Sunbird’s shoulders, but Nothing’s association with the service implicates the company in the security concerns. Labeling these issues as mere “bugs” has been criticized as misleading and dishonest.
As Nothing takes the app offline for an indefinite period to address these security issues, users are advised to exercise caution when logging into third-party services with sensitive credentials.
Pokdepinion: The incident raises questions about the integrity of Nothing Chats and the necessity for robust security measures in messaging apps. The upcoming re-release of the app will be closely watched for a resolution to these concerns.