Four days after favorite smartphone startup Nothing announced the first-of-its-kind iMessage on an Android phone app run by another startup called Sunbird, the company pulled Nothing Chats from the Google Play store. This followed independent research which argued that, although Sunbird and Nothing claimed that Nothing chats were end-to-end encrypted and secure, these promises could not have been further from the truth.
Nothing Chats was an app that sent iMessages through the Android-based Nothing Phone 2, bypassing the distinctive green bubble Android messages sent specifically to iPhones. Android SMS and MMS messages also currently suffer from low media quality, limited group chat compatibility, and an unencrypted format when communicating with an iPhone, although this may soon change as Apple changes the RCS for texts coming from Android. Switch to messages.
“Wukko” on This contradicts what Nothing tells users – that neither it nor Sunbird can access any iMessages sent or received through Nothing chat.
Vukko also pointed out that the data appears completely unencrypted, meaning it lacks protection from unauthorized access, modification or theft by other parties.
immediately after Vukko and other users Upon sounding the alarm, the Texts.com reverse engineering team dug deeper into the Nothing chats and discovered that requests for critical user credentials occurred via HTTP, an unencrypted channel, rather than HTTPS. sunbird Denied security issues And said that the HTTP request was a one-time request only to notify users of the iMessage connection. According to Sunbird, the connection itself took place over a secure channel.
However, the Texts.com reverse engineering team was still able to easily obtain information about a Nothing Phone 2 user and all of their conversations through the Sunbird-powered Nothing Chat app with just 23 lines of code.
The Texts.com team confirmed what Is sent to. This allows authorized parties within Sunbird to view messages, leading to potential insider threats.
Nothing was initially said other than that Sunbird would not store any messages or Apple ID credentials in an external server and that messages could only be retrieved locally.
Nothing Chats app removed from the Play Store on November 18, stating that it would delay the launch as it worked with Sunbird to “fix several bugs”.