
Nothing’s iMessage clone removed from Play Store over security concerns

Nothing Chats, the iMessage clone that the company launched earlier this week, has been removed from the Google Play Store. The official reasoning is “multiple bugs” that the company needs time to fix before relaunching it after an unspecified period of time.

However, there is enough evidence to support the idea that the app was removed not because of “bugs,” as Nothing puts it, but rather because of glaring security issues.

According to an in-depth technical analysis carried out by Texts.com author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Sunbird, Nothing’s service provider, was caught lying about the end-to-end encrypted nature of messages routed through its servers.

As previously noted, signing up for Nothing Chats required logging in with your Apple ID to Sunbird’s servers, which were running on a Mac mini running a virtual machine. Messages sent to the servers are encrypted, as Sunbird claims. However, as the aforementioned authors discovered, the JSON Web Tokens (JWTs) generated by the service are sent back in the clear to another Sunbird server without SSL, allowing them to be intercepted by an attacker.

Additionally, messages are decrypted and then stored on Sunbird servers, allowing an attacker to access them before the user. Texts.com demonstrated this by sending a few messages between two devices and intercepting the JWT, which gives them access to the Firebase real-time database. From there, it only took 23 lines of code to download all user information and conversations.
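The cleartext token transfer described above is something you can check for in traffic from your own app. The following is an added example, not code from the Texts.com analysis or from Sunbird: it scans a constructed proxy capture for JWTs carried by non-HTTPS requests and decodes their claims, which are only base64url-encoded, not encrypted. The hostnames, the request record format and all function names are assumptions made for illustration.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Three dot-separated base64url segments; a JWT header always starts "eyJ" ('{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def find_cleartext_jwts(requests):
    """Return one finding per JWT carried by a request that is not HTTPS."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() == "https":
            continue  # protected in transit, not what this check looks for
        haystack = " ".join([req["url"], *req["headers"].values(), req.get("body", "")])
        for token in JWT_RE.findall(haystack):
            try:
                claims = _b64url_json(token.split(".")[1])
            except ValueError:
                continue  # JWT-shaped string whose payload is not valid JSON
            findings.append({"url": req["url"], "claims": claims})
    return findings


def _make_jwt(claims):
    """Build a sample token with a dummy signature for the constructed capture."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sample_sig"


# Constructed sample capture: hosts, paths and claims are invented.
SAMPLE_TOKEN = _make_jwt({"sub": "user-123", "exp": 1700600000})
SAMPLE_CAPTURE = [
    {"url": "https://api.example.test/login",
     "headers": {"Authorization": f"Bearer {SAMPLE_TOKEN}"}, "body": ""},
    {"url": "http://relay.example.test/register",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"token": SAMPLE_TOKEN})},
]

if __name__ == "__main__":
    for finding in find_cleartext_jwts(SAMPLE_CAPTURE):
        print("JWT sent without TLS:", finding["url"], finding["claims"])
```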

The author also provided a website where a user with sufficient knowledge of the code will be able to intercept their own messages when sending messages between two devices, one of them running the Nothing Chats application.

To be clear, the privacy issue is directly Sunbird’s fault. However, by choosing to work with the company, Nothing also became involved in the matter. Additionally, calling this rather serious situation “bugs” was extremely disingenuous.

We will have to see in what state the service resurfaces when Nothing decides to put the application back on the store. It goes without saying that you probably shouldn’t log into a third-party service’s servers with your Apple ID, even if it was encrypted. But it seems particularly unnecessary now that Apple is announcing RCS support.
