Play Store Removes Nothing iMessage Clone Due to Security Issues

Nothing
Nothing

Nothing Chats, the company’s recent iMessage clone, has been removed from the Google Play Store. Officially, the reason given is that “several bugs” must be fixed before the app can be relaunched, with no timetable provided.

However, there is compelling evidence to suggest that the app was removed due to significant security issues rather than “bugs,” as Nothing claims.

According to a comprehensive technical analysis by Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Nothing’s service provider, Sunbird, was caught lying about the end-to-end encrypted nature of the messages being routed through its servers.

As previously stated, signing up for Nothing Chats required signing into Sunbird servers using your Apple ID, which was run on a virtualized Mac mini. Sunbird claims that messages sent to servers are encrypted. However, as the aforementioned authors discovered, the JSON Web Tokens (JWT) generated by the service are sent unencrypted to another Sunbird server without SSL, allowing an attacker to intercept them.

Moreover, the messages are decrypted and stored on the Sunbird servers, leaving them vulnerable to attackers. Texts.com demonstrated this by intercepting the JWT and gaining access to the Firebase real-time database, exposing all user information and conversations with just 23 lines of code.

The author also provided a website where users with technical expertise can intercept their own messages by sending them between devices, one with the Nothing Chats app.

It’s important to note that the privacy issue lies directly with Sunbird. However, by choosing to work with the company, nothing has also become involved in the matter. Addressing this serious situation as “bugs” was highly misleading.

When Nothing decides to relaunch the app, it remains to be seen in what state the service will be in. It is advisable not to log into a third-party service’s servers with your Apple ID, especially now that Apple has announced RCS support.

Also Read: Google will delete millions of Gmail accounts starting in December; here’s how to protect yours

Also Read: Samsung Galaxy Z Fold 5

Leave a Reply

Your email address will not be published. Required fields are marked *