Nothing Chats, developed by Nothing and Sunbird, made headlines by promising to bring the iMessage experience to the world of Android, but after a few days it closed its doors over security issues. Carl Pei’s company said it will work with its technology partner to fix the bugs. Adding to the security problems is Apple’s announcement that it will support the RCS standard by next year, which arrived shortly after the launch of Nothing’s app.
Nothing Chats closes its doors due to security issues
Last Tuesday, Nothing Chats caused a stir by promising to bring Apple’s iMessage to Android users. The app would make it possible to send high-resolution images and emojis and, above all, to display your messages in blue bubbles, usually only available to those writing from an Apple device. Especially in the United States, where a very high percentage of users have an iPhone and iMessage is one of the most used messaging apps, this promise seemed really interesting to those who had purchased the Nothing Phone (2).
The app is the result of a collaboration with Sunbird, a service that allows you to use iMessage from other devices too. But after the announcement, Sunbird’s handling of account security came under scrutiny. And it didn’t pass the test.
Less than a week after launch, Nothing withdrew the app from the Play Store, marking a first and significant step backwards. Furthermore, as Ars Technica reports, the original Sunbird app, of which Nothing Chats was a revised version, was put on “pause”.
Nothing released a statement apologizing for the issues, temporarily withdrawing Nothing Chats and promising to work closely with Sunbird to solve a series of bugs. However, readers of the tweet added that these bugs were in reality serious security problems, as the app saved all messages in unencrypted text format, including texts, images, and videos.
The app’s initial promise of iMessage access on Android, which required users’ Apple credentials, was already a red flag in itself in terms of security. Such a request would have called for a robust and secure infrastructure to ensure the protection of user data. But it seems this was not the case.
The extent of the security issues was highlighted by discoveries made by both 9to5Google and Text.com, owned by Automattic, WordPress’ parent company. According to their analyses, the app in question was not end-to-end encrypted.
Sunbird not only lacked end-to-end encryption, but saved and archived messages in unencrypted text format either on the Sentry error reporting system or in a Firebase repository. This involved sending authentication tokens via unencrypted HTTP, making messages vulnerable to interception and fraudulent use.
The investigation conducted by Text.com revealed a number of worrying vulnerabilities. Analysts were able to intercept an authentication token sent via unencrypted HTTP and make changes in the database. As a result, they could monitor in real time “incoming messages, outgoing messages, account changes, etc.” relating both to their own account and to those of other users. The analysts retrieved messages and were also able to see information regarding Apple IDs, which they recommend changing from Apple’s website.
Dylan Roussel of 9to5Google verified that “all documents (images, videos, audio, pdfs, vCards…) sent via Nothing Chat and Sunbird are public.” Roussel found that Sunbird currently retains approximately 630,000 media files and appears to be able to access them. Roussel called the whole situation “probably the biggest privacy incident that I have seen in the phone manufacturing industry for years.”
Can Nothing Chats solve security problems?
Transferring messages and personal information over the unencrypted HTTP protocol is a particularly serious security problem. Most browsers block and warn users who want to connect to an HTTP site, now that the HTTPS standard is available and more secure for everyone. The damage to the image of Sunbird and, consequently, of Nothing could jeopardize the continuation of the project. Privacy and security are key for messaging apps: should Nothing Chats return to the Play Store, there is a risk that many users will not trust it, even if the companies have solved the problems.
Adding to the security concerns is the fact that Apple has promised that it will support the RCS standard in 2024. This means that Android Messages apps will be able to communicate with Apple’s using a protocol that supports emojis, stickers, GIFs and high-resolution multimedia messages. The “green bubble” problem for those writing from Android will remain, but many of the problems in communicating with iPhones will be solved, reducing the impact of apps like Sunbird and Nothing Chats.
Given the security concerns, it’s hard to imagine that many users will turn to alternative apps only to see their messages in a blue bubble. Nothing has promised that Chats will return after fixing the security issues. But if it were to quietly set the app aside, we wouldn’t be too surprised. We still like the Nothing Phone (2), but perhaps it’s better to use Telegram or WhatsApp to communicate with your friends who have an iPhone.