Nothing's iMessage clone pulled from the Play Store over security concerns
Nothing Chats, the iMessage clone that the company launched earlier this week, has been pulled from the Google Play Store. The official reasoning is "several bugs" that the company needs time to fix before launching it again after an indefinite period of time.
However, there is enough evidence to support the idea that the app was pulled not due to "bugs", as Nothing puts it, but rather due to some glaring security issues.
According to a thorough technical analysis by Texts.com author Rida F'kih and Twitter users @batuhan and @1ConanEdogowa, Nothing's service provider Sunbird was caught lying about the end-to-end encrypted nature of the messages being routed through its servers.
As was disclosed before, signing up to use Nothing Chats required singing into Sunbird servers using your Apple ID, which were run on a Mac mini running a virtual machine. Messages sent to the servers are encrypted, as claimed by Sunbird. However, as the aforementioned authors discovered, the JSON Web Tokens or JWT that the service generates are sent again unencrypted over to another Sunbird server without SSL, allowing them to be intercepted by an attacker.
Moreover, the messages are decrypted and then stored on the Sunbird servers, allowing an attacker time to access them before the user does. Texts.com demonstrated this by sending a few messages between two devices and intercepting the JWT, which give them access to the Firebase realtime database. From that point, all it took was 23 lines of code to download all user information and conversations.
The author also provided a website where a user with sufficient knowledge of the code will be able to intercept their own messages when they send messages between two devices, one of them running the Nothing Chats app.
To be clear, the privacy issue is directly Sunbird's fault. However, by choosing to work with the company, Nothing has also implicated itself into the matter. Moreover, addressing this rather grave situation as "bugs" was extremely dishonest.
We will have to see in what state the service resurfaces when Nothing decides to put the app back on the store. It goes without saying that you probably shouldn't be logging into a third-party service's servers with your Apple ID in the first place, even if it was encrypted. But it especially seems pointless now with Apple announcing RCS support.
Reader comments
You don't need to be patronizing. Regardless I learned more info about it before you posted this: https://appleinsider.com/articles/23/11/16/apples-flavor-of-rcs-wont-support-googles-end-to-end-encryption-extension That's very good n...
- 22 Nov 2023
- qbk
I love X's new features where users can add context. Means that no public figure can lie easily anymore.
- 22 Nov 2023
- v{u
uh huh .... is that the RCS standard profile, Mr Big Brain? Or is that Google's proprietary profile they whack over the top?
- 22 Nov 2023
- K6X