C. Scott Brown/Android Authority

TL;DR

  • Nothing’s CMF Watch app encrypts email addresses and passwords weakly; the data can reportedly be decrypted with the same key.
  • The problem was only partially fixed: the encryption of the password was updated, but the encryption of the email was not.

Given how new the phone is and how young the brand’s image still is, the Nothing Phone 2 has not met with great success. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app was in the wild for about a day before it was pulled because of a serious security breach. But it appears there are more skeletons in Nothing’s closet, as two more vulnerabilities have been revealed.

Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities related to Nothing. The first was found in September in the CMF Watch app, which was created in partnership with a company called Jingxun. The CMF Watch app encrypts users’ email addresses (used as usernames) and passwords, but the encryption method reportedly allows the data to be decrypted with the same key, defeating the purpose of encrypting it.

Nothing and Jingxun have fixed this vulnerability, but interestingly, only for passwords. The email address used as a username can reportedly still be decrypted.

The second vulnerability has not been publicly detailed, but it is related to Nothing’s internal data. Nothing was informed of it in August, but it has not been fixed yet.

Nothing has no vulnerability-disclosure program or other formal channel for reporting security issues. Anyone who finds a problem has to contact the company through other means, which is not ideal. Considering how much hot water Nothing has landed in recently, making it easier to report these issues to the company would be a good idea.

We have contacted Nothing for comments. We will update this article once we get a response from them.
