The Nothing Chats beta was pulled from the Google Play Store over privacy concerns. The app, built on the Sunbird messaging platform, let Nothing Phone users message iMessage users, and it arrived shortly after Apple announced that it would add RCS support.
Reports indicate that the launch is delayed while bugs are fixed. To exchange texts with iMessage, the app required access to users’ iCloud accounts. Texts.blog called Nothing Chats a reskinned, insecure version of the Sunbird app.
Texts.com’s reverse-engineering team investigated and found that both Sunbird and Nothing Chats required users’ Apple ID credentials to be sent to the service’s servers. Their preliminary findings revealed vulnerabilities affecting Nothing’s version.
The team found that critical credentials were sent over an unencrypted channel (plain HTTP). Sunbird claims ISO 27001 certification, but the investigation found its statements about end-to-end encryption to be misleading; a management-system certification says nothing about whether a specific data path is actually encrypted.
Messages sent to Sunbird’s servers were encrypted on the way there, but the JSON Web Tokens (JWTs) used to authenticate were sent unencrypted to another Sunbird server, where anyone on the network path could intercept them.
On arrival, messages were decrypted and stored on Sunbird’s servers, where they were exposed to unauthorized access. A JWT is a bearer credential, so whoever holds it is treated as the user: with intercepted JWTs, Texts.com reached the Firebase Realtime Database and user information in just 23 lines of code.
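The two transport problems described above, password fields and a bearer JWT sent over plain HTTP, are exactly what a proxy capture of an app's traffic shows. The following Python script is an added example, not code from Texts.com, Sunbird or Nothing: it audits a constructed capture of HTTP requests (placeholder hostnames under the reserved .invalid domain, a sample token with a dummy signature) for credentials and JWTs sent without TLS, and decodes the intercepted token's claims to show what a passive observer learns without ever needing the signing key.

```python
"""Audit a plaintext HTTP capture for credentials and bearer tokens sent without TLS.

Added example, not code from Texts.com, Sunbird or Nothing. The requests, hostnames
and token below are constructed for illustration.
"""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Compact-serialised JWTs always start with base64url('{"') == "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
PASSWORD_FIELDS = {"password", "passwd", "pwd", "app_specific_password"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's claims WITHOUT verifying it.

    Anyone who intercepts the token can do this: the payload is only
    base64url-encoded, not encrypted, and replaying the token needs no key at all.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    return json.loads(_b64url_decode(parts[1]))


def make_demo_jwt(claims: dict) -> str:
    """Constructed sample token with a dummy signature (never verified here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'dummy-signature')}"


DEMO_JWT = make_demo_jwt({"sub": "user-123", "aud": "realtime-db", "exp": 1700000000})

# Constructed capture, one entry per request as a proxy such as mitmproxy would log it.
# Hostnames are placeholders (.invalid), not real endpoints of any product.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://api.bridge.invalid/login",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"apple_id": "alice@example.com", "password": "hunter2"})},
    {"method": "POST", "url": "http://telemetry.bridge.invalid/events",
     "headers": {"Authorization": f"Bearer {DEMO_JWT}"},
     "body": json.dumps({"event": "app_open"})},
    {"method": "GET", "url": "https://db.bridge.invalid/messages.json",
     "headers": {"Authorization": f"Bearer {DEMO_JWT}"}, "body": ""},
    {"method": "POST", "url": "http://legacy.bridge.invalid/auth",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice%40example.com&password=hunter2"},
]


def _password_fields(body: str) -> list:
    """Names of password-like fields in a JSON object or form-encoded body."""
    try:
        data = json.loads(body)
        return [k for k in data if k.lower() in PASSWORD_FIELDS] if isinstance(data, dict) else []
    except ValueError:  # not JSON (or empty): treat as application/x-www-form-urlencoded
        return [k for k in parse_qs(body) if k.lower() in PASSWORD_FIELDS]


def audit(capture: list) -> list:
    """Return one finding per secret that crossed the wire over plain HTTP."""
    findings = []
    for req in capture:
        if urlsplit(req["url"]).scheme != "http":
            continue  # encrypted in transit; what the server does afterwards is a separate question
        body = req.get("body", "")
        fields = _password_fields(body)
        if fields:
            findings.append({"kind": "plaintext_credentials", "url": req["url"], "fields": fields})
        auth = req["headers"].get("Authorization", "")
        for token in JWT_RE.findall(auth + " " + body):
            claims = decode_jwt_payload(token)
            findings.append({"kind": "plaintext_bearer_token", "url": req["url"],
                             "claims": {k: claims[k] for k in ("sub", "aud", "exp") if k in claims}})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

The HTTPS login request produces no transport finding even though it hands an Apple ID and password to a third party; that risk is about where the credential goes, not how it travels, and no traffic audit will catch it. The two findings it does raise, a password form and a bearer token over HTTP, are the ones a network observer can turn into account access directly.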
While Sunbird is directly responsible for the privacy issues, Nothing has been criticized for partnering with it and for downplaying the findings as “bugs.” It remains uncertain whether Nothing Chats can address these security concerns and return to the Play Store.
Outlining the security risks in the Nothing Chats app, Texts.com posted:
Sending your credentials to external services poses a substantial risk. It’s crucial to remain vigilant about your information and carefully evaluate the security consequences of sharing any. When we send our Apple ID to an external service, we not only entrust them with our messages but also risk compromising our photos, videos, contacts, notes, keychain, and more if the third-party faces a security breach.