Nothing Chats launched earlier this week to bring iMessage to Android devices. Now the app has been removed from the Google Play Store. The official reason is “several bugs” that the company needs time to fix. However, there is ample evidence that the app was pulled not because of bugs but because of serious security problems.
According to an in-depth technical analysis by texts.com writer Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Nothing’s service provider Sunbird has been caught making false claims about the end-to-end encryption of messages routed through its servers. As already mentioned, Nothing Chats required you to register on Sunbird’s servers with your Apple ID, which Sunbird then signed in to a macOS virtual machine running on one of its Mac minis. Sunbird claims that messages sent through its servers are encrypted end to end. However, the authors discovered that Sunbird sends the JSON Web Tokens (JWTs) it generates to another Sunbird server over plain HTTP rather than HTTPS, with no TLS at all. A JWT is a bearer credential: whoever holds it can act as that user, so anyone on the network path who intercepts the token gets the user’s access with it.
Sunbird stores decrypted messages on its own servers
In addition, Sunbird decrypts the messages on its side and stores them in plaintext on its own servers, where anyone holding a valid token can read them, potentially before the recipient has even seen them. Texts.com sent a few messages between two devices, intercepted the JWT, and used it to reach the Firebase Realtime Database behind the service. From that point on, only 23 lines of code were needed to download all user information and conversations.
The author also provided a website where a user with sufficient technical knowledge can intercept their own messages and verify the finding. The only requirement is a message exchange between two devices, one of which is running the Nothing Chats app.
Sunbird is responsible for the data protection problem. However, by building its product on Sunbird’s service, Nothing shares in that responsibility. Moreover, Nothing rather succinctly described the situation as “bugs” rather than as a serious security issue.
It remains to be seen what state the service will be in when Nothing Chats returns to the Play Store. But you probably shouldn’t hand your Apple ID credentials to a third-party server anyway, encrypted or not. And since Apple announced RCS support for the iPhone only yesterday, the question arises whether Nothing Chats is still needed at all.
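The two findings above, a bearer JWT sent over plain HTTP and a token that then unlocks the message store, are easy to check for in your own app traffic. The following is an added example written for this page, not code from the article, from texts.com or from Sunbird: it reads a constructed proxy-style request log (one request per line, with hypothetical hosts under `.invalid` and a demo token built in the script), flags any bearer JWT carried over `http://`, and decodes the token’s claims without verifying the signature, which is all an eavesdropper needs to do to learn whose token it is and which backend it targets.

```python
"""Spot bearer JWTs that leave a device over cleartext HTTP.

Added example, not code from the article or from Sunbird/Nothing. It assumes a
proxy-style log with one request per line:
    METHOD URL HTTP/x.y [Header: value ...]
The hosts, paths and token contents below are constructed for the demo.
"""
import base64
import json
import re

# A JWT is three base64url segments separated by dots; the signature may be empty.
JWT_RE = re.compile(r"\bBearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)")
REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/\d(?:\.\d)?")


def b64url_decode(part: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWTs strip off."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Build a structurally valid JWT with a fake signature (constructed test data).

    The point it makes: the claims are only base64url-encoded, never encrypted,
    so any observer of the transport can read them.
    """
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature, exactly as an eavesdropper would."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def find_cleartext_tokens(log_text: str) -> list:
    """Return every request that carried a bearer JWT over plain http://."""
    findings = []
    for line in log_text.splitlines():
        req = REQ_RE.match(line)
        tok = JWT_RE.search(line)
        if not req or not tok:
            continue
        url = req.group("url")
        if url.lower().startswith("http://"):
            host = url.split("/", 3)[2]  # "http://host/path" -> "host"
            findings.append({
                "method": req.group("method"),
                "host": host,
                "claims": decode_claims(tok.group(1)),
            })
    return findings


# Constructed sample: one token exchange over cleartext, one over TLS, one without a token.
DEMO_TOKEN = make_demo_jwt({"sub": "user-1234", "aud": "demo-firebase-project", "exp": 1700000000})
SAMPLE_LOG = "\n".join([
    f"POST http://sync.example.invalid/v1/auth HTTP/1.1 Authorization: Bearer {DEMO_TOKEN}",
    f"GET https://db.example.invalid/chats.json HTTP/1.1 Authorization: Bearer {DEMO_TOKEN}",
    "GET https://cdn.example.invalid/logo.png HTTP/1.1",
])

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_LOG):
        c = f["claims"]
        print(f"{f['method']} to {f['host']} over cleartext leaks token for "
              f"sub={c['sub']} aud={c['aud']} exp={c['exp']}")
```

Run it against a log exported from an intercepting proxy (request line and `Authorization` header on one line) to see whether a client ever authenticates over cleartext. The decoded claims show what an attacker on the path gets for free: a signature proves who issued a JWT, not that it is secret, so a token must only ever travel over TLS and should be short-lived, because until it expires it is as good as the user’s login.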