Security Vulnerabilities Force ‘Nothing Chats’ App Out of Play Store


The iMessage alternative Nothing Chats, which was released earlier this week, has been taken down from the Google Play Store. At first, Nothing, the company behind the app, blamed the removal on "several bugs" that needed to be fixed.

However, according to a thorough technical study by security experts, serious security issues probably led to the app's withdrawal.

The founder of, Kishan Bagaria, first brought up these issues on X/Twitter. Subsequently, the team also released a thorough blog post detailing the vulnerabilities in the program.

After investigating, they discovered that Sunbird, Nothing's service provider, had been deceiving customers regarding the end-to-end encryption of messages sent over its servers. While messages sent to Sunbird's servers were encrypted, the JSON Web Tokens (JWTs) provided by the service were sent to another Sunbird server unencrypted, leaving them open to interception.

The messages were also decrypted and stored on Sunbird servers, making them vulnerable to unauthorized access. demonstrated this by accessing the Firebase Realtime Database by intercepting the JWTs that were exchanged between two devices. Then, using only 23 lines of code, researchers were able to intercept JWTs and access user data and conversations.
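The core failure described above, a JWT leaving the device over an unencrypted connection, is something an app team can check for in its own captured test traffic. The following is an added example, not the researchers' code or anything from Nothing or Sunbird; the request-record format, the `example.test` hosts and the sample token are all constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qsl

def looks_like_jwt(value):
    """True if value has three dot-separated segments and a JSON header with 'alg'."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        return False
    try:
        pad = "=" * (-len(parts[0]) % 4)  # base64url in JWTs is unpadded
        header = json.loads(base64.urlsafe_b64decode(parts[0] + pad))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

def find_cleartext_tokens(requests):
    """Return (url, location) for every JWT carried by a non-TLS request."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        if url.scheme.lower() not in ("http", "ws"):
            continue  # https/wss: the token is encrypted in transit
        candidates = [("header:" + k, v.split()[-1])  # drop a "Bearer " prefix
                      for k, v in req.get("headers", {}).items() if v.strip()]
        candidates += [("query:" + k, v) for k, v in parse_qsl(url.query)]
        body = req.get("body")
        if isinstance(body, dict):
            candidates += [("body:" + k, v) for k, v in body.items()
                           if isinstance(v, str)]
        findings += [(req["url"], where) for where, v in candidates
                     if looks_like_jwt(v)]
    return findings

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: a dummy token and four made-up request records.
SAMPLE_JWT = ".".join([_b64({"alg": "HS256", "typ": "JWT"}),
                       _b64({"sub": "user-123"}), "c2lnbmF0dXJl"])
AUTH = {"Authorization": "Bearer " + SAMPLE_JWT}
SAMPLE_REQUESTS = [
    {"url": "https://api.example.test/v1/login",
     "headers": {"Content-Type": "application/json"}, "body": {"user": "a"}},
    {"url": "http://relay.example.test/v1/register", "headers": AUTH},
    {"url": "http://relay.example.test/v1/sync?token=" + SAMPLE_JWT, "headers": {}},
    {"url": "https://api.example.test/v1/messages", "headers": AUTH},
]

if __name__ == "__main__":
    for url, where in find_cleartext_tokens(SAMPLE_REQUESTS):
        print("JWT sent without TLS:", where, "->", url.split("?")[0])
```

Only the two `http://` requests are reported; the same token sent over `https://` is not, which is the distinction the researchers' finding turns on.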

Although Sunbird bears direct responsibility for the privacy concerns, Nothing has come under fire for partnering with the firm and downplaying the severity of the matter by referring to it as "bugs."


The Nothing Chats app's appeal decreased even more when Apple announced the addition of RCS compatibility. Users should proceed with caution when using their Apple IDs to log into third-party services, even if encryption is promised.

Whether Nothing Chats will be able to address these security concerns and successfully return to the Play Store is still to be seen.

