Nothing Chats pulled from Google Play

Sometimes it’s all in the name. The Nothing Chats beta has been pulled from the Google Play Store after reports that the company behind it has access to your (unencrypted) messages.

Nothing Phone 2 owners were promised a first-of-its-kind app developed in partnership with Sunbird, which allowed them to message other iMessage users via blue bubbles on their Nothing Phone.

And, as promised, the beta version was made available for download in the Play Store on Friday November 17, 2023. But today the Nothing Chats page says:

We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.

Now, it’s pretty normal for beta releases to have some bugs that need ironing out. That’s what they are in beta for. But these weren’t some mildly annoying bugs.

Basically, Nothing Chats is just a reskinned version of the existing Sunbird application, which is currently available on the Google Play Store. In essence the Nothing Chats app routes your messages through a macOS virtual machine that sends them on as iMessages. But to do this the Nothing Chats application is required to send your Apple ID credentials to its servers, so it can authenticate on your behalf.

According to Nothing, Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey. But only one day after the release of the beta, published a blog titled Sunbird / ‘Nothing Chats’ is Not Secure.

Members of the reverse engineering team took it upon themselves to take a look into the Sunbird application and its security practices, and found a few vulnerabilities and implementation issues.

While Sunbird tries to implement end-to-end-encryption (E2EE), its implementation is overshadowed by decrypting, and then storing the unencrypted payloads in its database.

The apps route all data relating to a message sent by Sunbird, and Nothing Chat, including the contact information, message contents, and attachment URLs to the Sunbird’s Sentry. This Sentry acts as a debugging platform, which allows access to the data in plaintext by authorized parties within the company.

Which is not what Nothing promised:

All Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

Other investigators found that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text.

Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, researchers found all data was sent and stored through Firebase. They found over 630,000 media files currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it may be true that Sunbird doesn’t store user data on its own servers, the data does get stored.

This isn’t a major problem for everyone, but the authentication is. By sending our Apple ID to a third-party service, we are not only trusting the third-party with our texts, but should they become compromised, our photos, videos, contacts, notes, keychain, and more are at risk.

Users worried about a spill of sensitive data should read our guide: Involved in a data breach? Here’s what you need to know.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.