Nothing’s iMessage clone pulled from the Play Store over security concerns

Nothing Chats, the iMessage clone that the company launched earlier this week, has been pulled from the Google Play Store. The official reasoning is “several bugs” that the company needs time to fix before launching it again after an indefinite period of time.

However, there is enough evidence to support the idea that the app was pulled not due to “bugs”, as Nothing puts it, but rather due to some glaring security issues.

According to a thorough technical analysis by author Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, Nothing’s service provider Sunbird was caught lying about the end-to-end encrypted nature of the messages being routed through its servers.

As was disclosed before, signing up to use Nothing Chats required singing into Sunbird servers using your Apple ID, which were run on a Mac mini running a virtual machine. Messages sent to the servers are encrypted, as claimed by Sunbird. However, as the aforementioned authors discovered, the JSON Web Tokens or JWT that the service generates are sent again unencrypted over to another Sunbird server without SSL, allowing them to be intercepted by an attacker.

Moreover, the messages are decrypted and then stored on the Sunbird servers, allowing an attacker time to access them before the user does. demonstrated this by sending a few messages between two devices and intercepting the JWT, which give them access to the Firebase realtime database. From that point, all it took was 23 lines of code to download all user information and conversations.

The author also provided a website where a user with sufficient knowledge of the code will be able to intercept their own messages when they send messages between two devices, one of them running the Nothing Chats app.

To be clear, the privacy issue is directly Sunbird’s fault. However, by choosing to work with the company, Nothing has also implicated itself into the matter. Moreover, addressing this rather grave situation as “bugs” was extremely dishonest.

We will have to see in what state the service resurfaces when Nothing decides to put the app back on the store. It goes without saying that you probably shouldn’t be logging into a third-party service’s servers with your Apple ID in the first place, even if it was encrypted. But it especially seems pointless now with Apple announcing RCS support.



Denial of responsibility! Elite News is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.
DMCA compliant image

Leave a comment