Nothing Chats, the iMessage clone that the company launched earlier this week, has been pulled from the Google Play Store. The official reasoning is “several bugs” that the company needs time to fix before launching it again after an indefinite period of time.
We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
We apologise for the delay and will do right by our users.
— Nothing (@nothing) November 18, 2023
However, there is enough evidence to support the idea that the app was pulled not due to “bugs”, as Nothing puts it, but rather due to some glaring security issues.
According to a thorough technical analysis by Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Nothing’s service provider Sunbird was caught lying about the end-to-end encrypted nature of the messages being routed through its servers.
As was disclosed before, signing up to use Nothing Chats required singing into Sunbird servers using your Apple ID, which were run on a Mac mini running a virtual machine. Messages sent to the servers are encrypted, as claimed by Sunbird. However, as the aforementioned authors discovered, the JSON Web Tokens or JWT that the service generates are sent again unencrypted over to another Sunbird server without SSL, allowing them to be intercepted by an attacker.
texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecure
it’s not even using HTTPS, credentials are sent over plaintext HTTP
backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
Moreover, the messages are decrypted and then stored on the Sunbird servers, allowing an attacker time to access them before the user does. Texts.com demonstrated this by sending a few messages between two devices and intercepting the JWT, which give them access to the Firebase realtime database. From that point, all it took was 23 lines of code to download all user information and conversations.
The author also provided a website where a user with sufficient knowledge of the code will be able to intercept their own messages when they send messages between two devices, one of them running the Nothing Chats app.
@ridafkih @batuhan @1ConanEdogawa dug a bit further and found out all incoming texts/media are not only stored unencrypted but also all outgoing texts are being leaked to a sentry server in plaintext pic.twitter.com/GOqiatPNaE
— Kishan Bagaria (@KishanBagaria) November 18, 2023
To be clear, the privacy issue is directly Sunbird’s fault. However, by choosing to work with the company, Nothing has also implicated itself into the matter. Moreover, addressing this rather grave situation as “bugs” was extremely dishonest.
We will have to see in what state the service resurfaces when Nothing decides to put the app back on the store. It goes without saying that you probably shouldn’t be logging into a third-party service’s servers with your Apple ID in the first place, even if it was encrypted. But it especially seems pointless now with Apple announcing RCS support.