
Nothing Chats offline after security concerns

Nothing Chats, the iMessage clone that launched earlier this week, has been removed from the Google Play Store again.

Nothing Chats launched earlier this week to bring iMessage to Android devices. Now the app has been removed from the Google Play Store. The official reason is “several bugs” that the company needs time to fix. However, there is considerable evidence that the app was withdrawn not because of ordinary bugs, but because of serious security issues.

According to an in-depth technical analysis by writer Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Nothing’s service provider Sunbird has been caught making false claims about the end-to-end encryption of messages routed through its servers. As already mentioned, Nothing Chats required you to register with your Apple ID on the Sunbird servers, where that Apple ID was signed in on a virtual machine running on a Mac mini. Sunbird claims that messages sent to its servers are encrypted. However, as the authors above discovered, Sunbird sends the JSON Web Tokens (JWT) it generates in clear text to another Sunbird server over plain HTTP, without TLS/SSL. Anyone on the network path can therefore intercept the token and use it as if they were the user.
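To make the point concrete, here is an added example (not code from Sunbird, Nothing, or the researchers cited above) that scans a small, constructed traffic capture for bearer tokens sent over plain HTTP and decodes the JWT claims without checking the signature, exactly as a passive observer could. The hostnames, claims and token are all made up for the illustration.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_capture() -> list:
    """Constructed sample traffic. The token, claims and hosts are hypothetical.

    A JWT's signature only stops tampering; it does nothing to hide the contents,
    so a token is as sensitive as a password while it is valid.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": "user-123", "aud": "example-realtime-db", "exp": 1700000000}
    ).encode())
    signature = _b64url(b"\x00" * 32)  # placeholder, never verified here
    token = f"{header}.{payload}.{signature}"
    return [
        # Plain HTTP: token readable by anyone on the path
        {"url": "http://api.example.invalid/v1/session",
         "headers": {"Authorization": f"Bearer {token}"}},
        # Same token over HTTPS: protected in transit
        {"url": "https://api.example.invalid/v1/messages",
         "headers": {"Authorization": f"Bearer {token}"}},
        # Plain HTTP but no credential at all
        {"url": "http://cdn.example.invalid/logo.png", "headers": {}},
    ]


def decode_jwt_unverified(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature.

    This is what an eavesdropper does: no key is needed to read the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")

    def decode_segment(segment: str) -> dict:
        segment += "=" * (-len(segment) % 4)  # restore padding
        return json.loads(base64.urlsafe_b64decode(segment))

    return {"header": decode_segment(parts[0]), "payload": decode_segment(parts[1])}


def find_cleartext_tokens(requests: list) -> list:
    """Report every bearer JWT that travelled over http:// rather than https://."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() != "http":
            continue
        auth = req["headers"].get("Authorization", "")
        if not auth.lower().startswith("bearer "):
            continue
        token = auth.split(None, 1)[1].strip()
        try:
            decoded = decode_jwt_unverified(token)
        except (ValueError, json.JSONDecodeError):
            continue  # opaque token; still leaked, but not a JWT we can read
        findings.append({
            "url": req["url"],
            "sub": decoded["payload"].get("sub"),
            "aud": decoded["payload"].get("aud"),
            "alg": decoded["header"].get("alg"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_tokens(make_sample_capture()):
        print("cleartext bearer token:", finding)
```

Run against a real capture, the same check is what a proxy such as mitmproxy would surface: the HTTPS request carrying the identical token is not flagged, because in transit the token is what the TLS layer protects. The fix on the server side is simply to refuse plain HTTP for any endpoint that accepts or issues credentials.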

Sunbird stores decrypted messages on its own servers

In addition, Sunbird decrypts the messages and then stores them in plaintext on its own servers, so an attacker with access to that store can read them, potentially before the recipient does. The researchers sent some messages between two devices and intercepted the JWT, which gave them access to the Firebase real-time database. From that point on, only 23 lines of code were required to download all user information and conversations.

The author also provided a website where a user with sufficient technical knowledge can intercept their own messages. The only requirement is an exchange of messages between two devices, one of which is running the Nothing Chats app.

Sunbird is to blame for the data protection problem. However, through its collaboration with the company, Nothing is also involved in the matter. Furthermore, Nothing rather tersely described the situation as “bugs” rather than as a serious security issue.

It remains to be seen what state the service will be in when Nothing Chats returns to the Play Store. But you probably shouldn’t log in to a third-party server with your Apple ID anyway, even if the connection is encrypted. Since Apple only announced RCS support for its iPhones yesterday, the question arises whether Nothing Chats is still needed at all.


Achim Maier