Earlier this week, Nothing did the unexpected and launched the “Nothing Chats” app for the Nothing Phone 2. Base? Let anyone with a Nothing Phone 2 send and receive texts via iMessage. Nothing partnered with Sunbird to implement Nothing Chats, Nothing essentially used Sunbird’s own messaging technology to bring iMessage to Android.
It was a bold idea…but it was short-lived. That’s because Nothing Chats has already been shut down (for the time being) due to the shocking number of security vulnerabilities discovered almost immediately. And by security vulnerabilities, we don’t mean small mistakes that could have been easy to overlook. We’re talking about major, game-breaking design flaws that massively compromise the personal information of anyone who uses Nothing Chats.
Nothing Chats launched into beta access on November 17, and within hours of people getting their hands on the app, worrisome security concerns began to surface. The first report came from Kishan Bagaria, founder of Texts.com. Bagaria and his team found that messages sent through Nothing Chats were not using HTTPS security credentials. Instead, messages were being sent over the much less secure HTTP standard. plain text.
But it was not just Bagaria who discovered these vulnerabilities. Vukko at No matter where to look for him, he is clearly visible.
Additionally, and even more disturbingly, Vukko discovered that all messaging data sent and stored by Nothing Chats was carried through the Firebase platform unencrypted and easily accessible.
These reports were bad enough, but additional reporting from 9to5Google reiterated how serious these vulnerabilities really were. Per 9to5’s own findings:
“In our Dylan Roussel research, we found that once a user authenticates with JSON Web Tokens (JWT) that are vulnerable in transit, they can access Nothing Chat’s Firebase database and other messages sent Can view users’ messages and files in real time And in plain text.”
The report noted how vCards (aka contact cards) were also completely accessible – containing people’s names, numbers, email addresses and other personally identifiable information. And as if that weren’t enough, 9to5Google also discovered more than 630,000 media files stored in Sunbird’s Firebase servers — the company that powers the Nothing Chats app.
In short, this is what we are looking for:
- Nothing Chats is not end-to-end encrypted
- Messages in Nothing Chats are sent in plain text
- Media and other attachments are publicly accessible
- Sunbird has access to messages and attachments sent from Nothing Chats
In other words, this is all very, very bad. This is especially worse considering how quick Nothing was to dismiss these initial security concerns, further claiming that messages were end-to-end encrypted, when – in fact – they were not at all. .
On November 18, just a day after launching Nothing Chats, Nothing announced on X that it was officially removing the Nothing Chats app from the Play Store and “delaying the launch until further notice” so that the company can “We were able to work with Sunbird to fix several bugs.”
Pulling the app and delaying the launch is the right call to end nothing, but it’s impossible to tell how much damage has already been done by this whole debacle.
After all, these safety issues are Sunbird’s fault. Nothing Chats was built on Sunbird’s backend, and it is up to Sunbird to address these concerns. However, Nothing still decided to partner with Sunbird to create and launch Nothing Chats, and the fact that the company never discovered these vulnerabilities when it created Nothing Chats is troubling.
If you still have the Nothing Chats app on your phone, we strongly advise you to stop using it immediately. The same recommendation applies if you’re using the regular Sunbird app. Having iMessage on an Android phone is a fun feature, but it doesn’t have to come with the risk of putting too much of your personal information at risk. You’d be better off waiting for Apple to add RCS to the iPhone in 2024.
As far as the future of Nothing Chats is concerned, it’s hard to say what will happen next. There’s nothing to say that the launch is being “delayed”, but in order to fix all the issues we just talked about here, Sunbird would have to dramatically change its entire backend process. Will Nothing want to wait for that to happen, or will it just decide to cut its losses and shut down Nothing Chats forever? At this point, it seems like the latter might be the better option.