The Nothing Chats beta app has been removed from the Google Play store due to “several bugs,” causing a delay in its launch. This app was supposed to allow Nothing Phone 2 users to text with iMessage, but it required Sunbird, the platform provider, to access users’ iCloud accounts on its own Mac Mini servers. This raised concerns about security.
The removal of the app came after a blog post from Texts.com revealed that messages sent with Sunbird’s system are not end-to-end encrypted and are vulnerable to compromise. The app was announced earlier this week, and its removal followed quickly after the beta launch.
9to5Google highlighted findings from site author Dylan Roussel, indicating that Sunbird’s solution decrypts messages, transmits them using HTTP to a Firebase cloud-syncing server, and stores them in unencrypted plain text. This raised concerns about data privacy and security.
Sunbird responded by claiming that HTTP is only used as part of the initial request from the app to notify the back-end of the upcoming iMessage connection, attempting to alleviate concerns about data privacy.
The Texts.com blog post examined the vulnerability and pointed out that an attacker subscribed to the Firebase realtime database could access messages before or at the moment they are read by the user, contradicting claims made in Nothing’s FAQ. This raised further concerns about privacy and security.
Efforts to obtain further comment from Nothing were unsuccessful, as the company did not respond by press time, adding to the mystery surrounding the situation.