Nothing's iMessage-Like Chat App Removed From Google Play Store; Here's Why
With Nothing Chats Beta withdrawn, the tech world awaits answers, emphasising the vital role of transparency and strong encryption in messaging platforms.
technology
Highlights
- Nothing Chats Beta pulled from Google Play amid serious concerns about iMessage integration security
- Texts.com investigation reveals messages lack end-to-end encryption, with HTTP use and plain text storage jeopardising user data
- Contradictions between Sunbird's reassurances and actual vulnerabilities, along with discrepancies in access claims, add fuel to the privacy controversy
In a surprising turn of events, Nothing has decided to pull the beta version of its much-anticipated Nothing Chats app from the Google Play Store, citing the need to address ‘several bugs’ before an official launch.
The app, which promised seamless iMessage integration for Nothing Phone 2 users, is now under scrutiny due to alarming revelations about its security practices.
We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
— Nothing (@nothing) November 18, 2023
We apologise for the delay and will do right by our users.
Privacy concerns unveiled
The removal of Nothing Chats from the Google Play Store came on the heels of the widespread sharing of a blog post from Texts.com, shedding light on a critical flaw in Sunbird's platform, the service provider for Nothing Chats.
The crux of the issue revolves around the app's failure to provide end-to-end encryption for messages, raising concerns about the safety of user data. Texts.com's investigation, outlined in a detailed blog post, exposed that messages transmitted through Sunbird's system are not adequately protected.
Shockingly, the decryption and transmission of messages occur using HTTP, leaving them vulnerable to potential compromise. Additionally, messages are stored in an unencrypted, plain text format on Firebase cloud-syncing servers, a practice deemed highly insecure.
The gravity of the situation escalated when it was revealed that Sunbird, the platform provider, had access to these messages. The company's use of Sentry, a debugging service, to log messages as errors further raised eyebrows.
Sunbird's attempt to downplay the use of HTTP by claiming it's solely for the initial connection to iMessage did little to assuage concerns, especially given the evidence presented by Texts.com.
Contradictions& unanswered questions
Responding to Texts.com's findings, Sunbird insisted that HTTP was only used in the app's initial connection request. However, the blog pointed out that attackers subscribed to the Firebase real-time database could exploit this vulnerability, gaining access to messages before or at the moment they are read by the user.
Moreover, the contradiction between Nothing's FAQ assertion that no one at Sunbird can access messages and Texts.com's revelation about Sentry dashboard access raises serious questions about the veracity of the claims made by the involved parties.
Despite these revelations, Nothing remained silent on the matter as of the press deadline, leaving users and industry observers awaiting further clarification on the privacy issues surrounding the Nothing Chats app.
COMMENTS 0