Security Vulnerabilities Force ‘Nothing Chats’ App Out of Play Store
The iMessage alternative software Nothing Chats, which was released earlier this week, has been taken down from the Google Play Store. At first, Nothing, the business behind the program, blamed the removal on "several bugs" that needed to be fixed.
We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologise for the delay and will do right by our users.
— Nothing (@nothing) November 18, 2023
However, according to a thorough technical study by security experts, serious security issues probably led to the app's withdrawal.
The founder of Texts.com, Kishan Bagaria, first brought up these issues on X/Twitter. Subsequently, the Texts.com team also released a thorough blog post detailing the vulnerabilities in the program.
texts team took a quick look at the tech behind nothing chats and found out it's extremely insecureit's not even using HTTPS, credentials are sent over plaintext HTTPbackend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
After investigating, they discovered that Sunbird, Nothing's service provider, had been deceiving customers regarding the end-to-end encryption of messages sent over its servers. While messages sent to Sunbird's servers were encrypted, the JSON Web tokens (JWT) provided by the service were sent to another Sunbird server unencrypted, leaving them open to interception.
The messages were also decrypted and stored on Sunbird servers, making them vulnerable to unauthorized access.
Texts.com demonstrated this by accessing the Firebase real-time database by intercepting the JWTs that were switched between two devices. Then, using only 23 lines of code, researchers were able to intercept JWT tokens and access user data and conversations.
Although Sunbird bears direct responsibility for the privacy concerns, Nothing has come under fire for partnering with the firm and downplaying the severity of the matter by referring to it as "bugs."
The Nothing Chats app's appeal decreased even more when Apple announced the addition of RCS compatibility. Users should proceed with caution when utilizing their App IDs to log into third-party services, even if encryption is promised.
Whether Nothing Chats will be able to address these security concerns and successfully return to the Play Store is still to be seen.