18 November 2023

Nothing Chats, the iMessage clone recently launched by Nothing, has been removed from the Google Play Store. Officially, the reason given is “several bugs” that need to be fixed before the app can be relaunched, with no definite timeline provided.





However, there is compelling evidence to suggest that the app was pulled not due to “bugs,” as Nothing claims, but rather because of significant security issues.

According to a comprehensive technical analysis by Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Nothing’s service provider Sunbird was caught lying about the end-to-end encrypted nature of the messages being routed through its servers.





Moreover, the messages are decrypted and stored on the Sunbird servers, leaving them vulnerable to attackers. Texts.com demonstrated this by intercepting the JWT and gaining access to the Firebase Realtime Database, exposing all user information and conversations with just 23 lines of code.

The author also provided a website where users with technical expertise can intercept their own messages by sending them between devices, one of which runs the Nothing Chats app.





It’s important to note that the privacy issue lies directly with Sunbird. However, by choosing to work with the company, Nothing has also become involved in the matter. Describing this serious situation as “bugs” was highly misleading.

When Nothing decides to relaunch the app, it remains to be seen in what state the service will be. It is advisable not to log into a third-party service’s servers with your Apple ID, especially now that Apple has announced RCS support.

