Nothing Chats, the iMessage clone that the company launched earlier this week, has been removed from the Google Play Store. The official reasoning is “multiple bugs” that the company needs time to fix before relaunching it after an unspecified period of time.
We have removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
We apologize for the delay and will do the right thing for our users.
– Nothing nothing) November 18, 2023
However, there is enough evidence to support the idea that the app was removed not because of “bugs,” as Nothing puts it, but rather because of glaring security issues.
According to an in-depth technical analysis carried out by Textes.com author Rida F’kih and Twitter users @batuhan And @1ConanEdogowaSunbird, Nothing’s service provider, was caught lying about the end-to-end encrypted nature of messages routed through its servers.
As previously noted, signing up for Nothing Chats required logging into the Sunbird servers using your Apple ID, which were running on a Mac mini running a virtual machine. Messages sent to servers are encrypted, as Sunbird claims. However, as the aforementioned authors discovered, JSON or JWT web tokens generated by the service are sent back in the clear to another Sunbird server without SSL, allowing them to be intercepted by an attacker.
The SMS team took a quick look at the technology behind Nothing Chats and discovered that it was extremely insecure.
it doesn’t even use HTTPS, credentials are sent over plaintext HTTP
the backend runs an instance of BlueBubbles, which does not yet support end-to-end encryption pic.twitter.com/IcWyIbKE86
– Kishan Bagaria (@KishanBagaria) November 17, 2023
Additionally, messages are decrypted and then stored on Sunbird servers, allowing an attacker to access them before the user. Texts.com demonstrated this by sending a few messages between two devices and intercepting the JWT, which gives them access to the Firebase real-time database. From there, it only took 23 lines of code to download all user information and conversations.
The author also provided a website where a user with sufficient knowledge of the code will be able to intercept their own messages when sending messages between two devices, one of them running the Nothing Chats application.
@ridafkih @batuhan @1ConanEdogawa I dug a little deeper and discovered that not only is all incoming text/media stored in plain text, but all outgoing text is also leaked to a sentinel server in plain text. pic.twitter.com/GOqiatPNaE
– Kishan Bagaria (@KishanBagaria) November 18, 2023
To be clear, the privacy issue is directly Sunbird’s fault. However, by choosing to work with the company, Nothing also became involved in the matter. Additionally, calling this rather serious situation “bugs” was extremely disingenuous.
We will have to see in what state the service resurfaces when Nothing decides to put the application back on the store. It goes without saying that you probably shouldn’t log into a third-party service’s servers with your Apple ID, even if it was encrypted. But it seems particularly unnecessary now that Apple is announcing RCS support.
Source • Via