How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages. […]
Despite being the cause of this huge catastrophe, Sunbird has been bizarrely quiet during this whole mess. The app’s X (formerly Twitter) page still doesn’t say anything about the shutdown of Nothing Chats or Sunbird. Maybe that’s for the best because some of Sunbird’s early responses to the security concerns raised on Friday do not seem like they came from a competent developer. […] Nothing has always seemed like an Android manufacturer that was more hype than substance, but we can now add “negligent” to that list. The company latched on to Sunbird, reskinned its app, created a promo website and YouTube video, and coordinated a media release with popular YouTubers, all without doing the slightest bit of due diligence on Sunbird’s apps or its security claims. It’s unbelievable that these two companies made it this far — the launch of Nothing Chats required a systemic security failure across two entire companies.