Nothing pulls its iMessage app from the Play Store following privacy disaster

Summary

  • Nothing Chats, a rival to apps like Beeper and AirMessage, advertised itself as a secure platform for sending messages to iMessage users.
  • However, less than 24 hours after its launch, investigations into the app revealed that Nothing Chats logged every message in plain text and stored unencrypted data, including text messages, images, videos, and more, making it a significant privacy and security risk.
  • The company removed the app from the Play Store following these complaints, citing “several bugs” that need fixing.


Even when it was initially announced, Nothing Chats seemed like a sketchy idea at best. You’ll find plenty of methods for bringing iMessage to Android — either by routing messages through your own Mac or through a remote server farm — but a phone manufacturer throwing its weight behind one of these solutions certainly raises the stakes. It only took a few hours following the launch of Nothing Chats for the earliest security concerns to pop up online. Now, just a day after the app hit the Play Store, it seems like the dream of Nothing Chats might be turning into a nightmare.

From the jump, Nothing has been advertising their product — a rival to similar apps like Beeper or AirMessage — as a way to send end-to-end encrypted messages to iMessage users. Yesterday, following the app’s launch on the Play Store, Kishan Bagaria (who founded Texts, another competing service) tweeted the platform was sending credentials over plain text HTTP rather than HTTPS, something you don’t necessarily want to see from a platform claiming to be privacy-focused. In a statement, Nothing downplayed these findings, effectively claiming the whole thing was blown out of proportion because its encryption keys are using HTTPS.

Not so fast. The folks at 9to5Google published a scathing article this morning, combining their own findings with those of Twitter user Wukko to prove that things are much worse than you might’ve thought. It’s a one-two privacy punch: the app uses a developer troubleshooting application called Sentry to log every single message in plain text while also storing that data unencrypted in Firebase for virtually anyone to find. It’s not just your text messages — it’s images, videos, usernames, phone numbers, and anything else sent directly through the app. And considering Nothing Chats specifically requests its users send their data to contacts through a vCard, that’s a very big problem.

9to5Google’s Dylan Roussel broke down his findings in more depth in a Twitter thread, highlighting that more than 600,000 pieces of media were, effectively, publicly available. This number includes 2,300 vCards, all of which are downloadable from Nothing’s Firebase server, alongside images, PDFs, and more. As this report lays out, all of this data is available and accessible in real time to any user that authenticates with the app’s insecure JSON Web Tokens. Texts also expanded on its own initial findings, demoing these vulnerabilities in an expansive blog post.

According to 9to5Google, the publication alerted Nothing to these security flaws after discovering them Friday night. Though the company did not initially announce any specific actions taken towards its app, based on reports across Reddit, users that should have had access to Nothing Chats based on their location could not download the app from the Play Store. Sure enough, shortly before the publication of this story, Nothing confirmed on Twitter in a statement that the launch was “delayed” to fix “several bugs,” which, uh, sure is putting it lightly.

If you’re a Nothing Phone 2 user feeling bummed out about this turn of events, it’s worth noting that Nothing Chats in general appeared fairly broken when trying to send messages on Friday. My colleague Taylor Kerns and I were testing the service for a hands-on that, frankly, probably will never happen at this point, with nearly every message sent either delayed or missing entirely. Thankfully, we used a fresh, burner Apple ID with this service — it’s obvious you should not be handing your data over to Nothing or Sunbird.

It’s going to be difficult for Nothing to overcome the massive breach in trust that its messaging platform has stirred up here. As a smaller brand in the larger Android ecosystem, Nothing effectively depends on tech-savvy users and reviewers recommending its hardware to regular buyers, and a rollout as botched as this one makes that a whole lot harder. Trusting Sunbird to handle an iMessage workaround seems to have been a massive misstep in its overall direction; even worse, though, is how quickly users around the web found these holes in its security. Either Nothing lied about its messaging application being encrypted, or it didn’t take the time to test these protocols for itself. Either way, it’s a very, very bad look.

Oh, and to be completely clear, you should not use Nothing Chats or Sunbird, whether or not it’s accessible on the Play Store. Stay far away.
