What you need to know
- Less than 24 hours after launching its new Chats app, Nothing has pulled the app from the Play Store.
- This comes following reports that any sent media or messages are unencrypted, counter to the company’s claims.
- Making matters worse, it seems that the data is accessible and stored on a server.
The week started off on a pretty wild foot as Nothing Chats was announced as a way to build “a blue bubble bridge” to bring iMessage to Nothing Phone (2) owners. Then, Apple essentially rendered the app useless as it announced RCS support would be coming to iPhones next year. Now, Nothing might be in a bit of hot water as some disastrous privacy issues were unearthed by several individuals, including Dylan Roussel and 9to5Google.
For some background, Nothing didn’t just create a bridge out of thin air, bringing iMessage to Android. Instead, the company partnered with Sunbird, which was announced in 2022 as an app akin to Beeper.
In order to use iMessage, you’ll need either a phone number or Apple ID, with the former being the de-facto option for iPhone users. So, in order to take advantage of either Sunbird or Beeper, you’ll need to sign in with an Apple ID before being able to use the app.
This might not sound like much of an issue, but in order to “bridge the gap,” these companies rely on rooms full of either physical Mac computers or macOS servers. The only control that you, the user, have over these is that you can sign into your Apple ID from a browser and remove your account from whatever Mac you are “signed into.”
A lot of the appeal of iMessage, at least in the way that Apple explains it, is that your messages are end-to-end encrypted. But, when trying to use something like Sunbird, we’re kind of just expected to take the company at its word. On paper, it sounds pretty enticing, especially when you see Sunbird stating it “has its ISO27001 certification” to combat security threats and protect your privacy.
It didn’t take long for some damning evidence to surface revealing that Sunbird, and by extension Nothing Chats, aren’t as secure as the company claimed. Not only are your messages not end-to-end encrypted, but as Roussel points out, Sunbird actually “has access to every message sent and received through the app.”
Thread time!Summary:- Sunbird has access to every message sent and received through the app on your device.- All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.- Nothing Chats is not end-to-end encrypted.November 18, 2023
When pressed on the matter, higher-ups at Nothing and the Sunbird team both denied any potential security concerns. Kishan Bagaria, founder of Texts.com, discovered that “it’s not even using HTTPS,” and “backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet.”
texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecureit’s not even using HTTPS, credentials are sent over plaintext HTTPbackend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86November 17, 2023
For reference, BlueBubbles is an app that allows you to essentially build your own bridge for iMessage using a Mac that you own or macOS in a Virtual Machine. However, it seems that something else could be afoot if you opt for that route, as the BlueBubbles website states that “all connections are done over HTTPS/WSS and utilizes TLS encryption by default.”
That notwithstanding, the larger problem is that Nothing launched its Chats app, seemingly without doing its due diligence. The company recently announced that it surpassed two million devices sold but didn’t provide firm figures about how many of those devices were phones.
We aren’t exactly sure when the move was made, but at the time of this writing, the Nothing Chats app is no longer available to download from the Play Store. Instead, if you manage to access the Play Store listing, you’ll be greeted with a message that says “This item is not available in your country.”
For those who already managed to download and install the Nothing Chats app, we highly recommend deleting it immediately from your phone. Additionally, even if you created an Apple ID solely for being able to use iMessage, change the account password. Lastly, you can remove any devices signed in with your Apple ID by following these steps:
1. From your browser, navigate to appleid.apple.com.
2. Click the Sign In button and sign into the Apple ID that you used with Nothing Chats.
3. On the left side, click Devices.
4. Scroll through the list of devices, then locate and click any that you don’t own. More than likely, it will be a Mac.
5. Click the Remove from account button.
6. To confirm, click the Remove button.
Then, shortly after the reports surfaced this morning, the official Nothing X account posted the following, confirming that it’s working with Sunbird to address “several bugs” in the Nothing Chats beta:
We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologise for the delay and will do right by our users.November 18, 2023
Judging by the post, it seems that Nothing is only “delaying the launch,” and not committing to canceling the project altogether. It will be interesting to see how everything plays out in the coming days. But if we were to wager, we’d guess that Nothing Chats is eventually canned entirely, unless Carl Pei has another Ace hidden up his sleeve.