Nothing has removed the beta version of its new messaging app, Nothing Chats, from the Play Store, just one day after its release, and says it is delaying the launch “until further notice”. We explain why.
A few days ago, Nothing presented with great fanfare its Chats application, which allowed Android smartphone users to send messages via iMessage. This application aimed to fix one of the biggest interoperability problems between iPhones and other smartphonesbut Apple finally announced that it would adopt RCS from 2024.
After Apple’s announcements, many Internet users quickly questioned the usefulness of Nothing’s new application. This did not prevent the company from launching its service on its latest generation Phone (2) smartphones, but it did not remain available for long on the Google Play Store.
Nothing Chats is not as secure as the company promised
A Texts.com blog post widely shared on social media showed that messages sent with Sunbird’s system are not truly end-to-end encrypted, and it is not difficult to compromise it. The Texts.com team therefore claims that Sunbird has access to all messages sent and received via the application.
A tweet from Android app developer Dylan Roussel explains that Sunbird does this by “abusing @getsentry, which is used to monitor errors.” But Sunbird “logs messages pretending they are errors”. That therefore contradicts information taken directly from the Nothing website, which claimed that your messages were end-to-end encrypted.
In the Nothing FAQ, we could notably read “ Are my messages secure? ”, with the response “ Yes, Nothing Chats is built on the Sunbird platform and all Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you send and receive “.
Worse still, Kishan Bagaria, founder of Texts.com, discovered that the application was sending information via hypertext transfer protocol (HTTP) instead of Hypertext Transfer Protocol Secure (HTTPS).
As soon as the application was presented, several serious security problems had already been identified. Nothing Chats users are notably forced to log into their Apple accounts on Mac minis located in Sunbird servers, therefore on computers to which they do not have physical access.
Nothing is already removing the Chats app from the Play Store
Following these discoveries, Nothing quickly removed its application from the Google Play Store. However, British manufacturer says decision follows discovery of “bugs”, and that this is not related to these security issues. “ We have removed the Nothing Chats beta from the Play Store and are delaying its launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and we will do what is right for our users “.
Yet, at the same time, Nothing refuted the accusations of the various developers who analyzed the source code in a press release. “ Although the protocol is HTTP, all data is encrypted and the key used to encrypt this data is provided over HTTPS, so Apple credentials or messages sent through this HTTP request are secure and are not accessible to the audience. All sensitive user data, such as Apple IDs and messages, is encrypted at all times. HTTP is only used as part of the application’s single initial request notifying the backend of the next iteration of iMessage connection that will follow via a self-contained communication channel », Explains the company.
It is sad to see that the launch of Nothing Chats was a disasterbecause a survey has already shown that the majority of users would switch to iMessage if there was a cell phone, so such an application was highly anticipated.