Nothing’s latest product, the Nothing Phone 2, is all lit up in the newest images. However, it seems that companies that refuse to answer the media’s security concerns are actually vulnerable to security breaches themselves. Last week, Nothing Chats—an app from Android manufacturer “Nothing” and app company Sunbird—declared it could hack into Apple’s iMessage protocol and give Android users blue bubbles. However, Sunbird, a company with a history of empty promises and security neglect, drew attention for all the wrong reasons upon launch. The app faced immediate criticism and was swiftly removed from the Play Store by Nothing, with Sunbird’s app also being put on hold. This was hardly surprising since the app had raised huge red flags with its initial sales pitch that required users to provide their Apple login credentials to access iMessage on Android, a move that demanded an ultra-secure infrastructure to avoid potential disaster.
Several reports emerged from 9to5Google and Text.com, revealing significant security flaws. Both platforms discovered that the app did not encrypt messages as advertised and stored messages in plain text on error reporting software and in a Firebase store, making it susceptible to theft. Further investigations by Text.com showed that messages were unencrypted until acknowledged and deleted, leaving them accessible to attackers. Text.com also uncovered an alarming number of privacy vulnerabilities, allowing them to access supposedly end-to-end encrypted messages and public media files.
The situation is made worse by Sunbird’s response, or lack thereof, to the crisis, further damaging their credibility. They initially defended their use of unencrypted HTTP, claiming it was part of a secure communication channel, which was contradicted by Text.com’s findings. Sunbird’s failure to comply with basic security best practices, particularly with regard to HTTPS protocols, raises serious concerns about their competence.
This fiasco has exposed the negligence of Nothing, a company that seemed to prioritize hype over substance, and their partnership with Sunbird has revealed a systemic security failure. Despite asserting that they will fix the bugs and reintroduce the app, it’s doubtful whether users will trust the app and its developer enough to input their credentials. The entire episode has significantly undermined Nothing’s credibility as an Android manufacturer. Fixing a fundamentally flawed security framework cannot be solved hastily, and the app’s future remains uncertain at best.
