Nothing Chat, the messaging app by Nothing, encountered a setback: The beta version was removed from the Play Store just one day after its initial release. The official launch has been postponed to allow for further evaluation and improvement.
Nothing Chat was developed in collaboration with Sunbird and promised end-to-end encrypted messaging with blue bubbles, aiming to address communication challenges between Android and iPhones by supporting both RCS and iMessage. Critics expressed concerns about potential security risks associated with these solutions.
9to5Google and Texts.com exposed security risks, revealing that contrary to Nothing and Sunbird’s claims, the app was not actually end-to-end encrypted. Sunbird stored messages in plain text at Sentry and Firebase, where unencrypted authentication tokens could be intercepted, allowing unauthorized parties to access messages.
Among various bugs, 9to5Google found that media files sent via Nothing Chat were publicly accessible, with 630,000 stored by Sunbird. The decision to remove the app followed the publication of a blog post by Texts.com, which revealed the lack of end-to-end encryption in the Sunbird system on which the app is based. Although messages sent to the Sunbird servers were encrypted, they could be intercepted when unencrypted JSON Web Tokens (JWTs) were sent to another server. The messages were decrypted and stored on the Sunbird servers, where they were vulnerable to unauthorized access. Texts.com intercepted JWTs and gained access to the Firebase Realtime Database and user information with minimal code.
In light of the security concerns raised by the Nothing Chat incident, users are reminded of the importance of staying vigilant when adopting new messaging apps. It’s crucial to thoroughly evaluate the claims made by developers and to be cautious when submitting sensitive data until the security of an app has been thoroughly vetted. In addition, this incident should stimulate a broader community dialog about messaging app security. By encouraging collaboration between users, developers, and regulators, joint efforts can be made to establish best practices, share insights, and ensure that messaging apps prioritize privacy and data security in both design and implementation.