Nothing’s iMessage App Was a Security Catastrophe
Ron Amadeo (via Hacker News, MacRumors):
Last Tuesday, Nothing Chats—a chat app from Android manufacturer “Nothing” and upstart app company Sunbird—brazenly claimed to be able to hack into Apple’s iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that had been making empty promises for almost a year and seemed negligent about security. The app launched Friday anyway and was immediately ripped to shreds by the Internet for many security issues. It didn’t last 24 hours; Nothing pulled the app from the Play Store Saturday morning. The Sunbird app, which Nothing Chat is just a reskin of, has also been put “on pause.”
[…]
How bad are the security issues? Both 9to5Google and Texts.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages.
Previously:
- Apple to Add RCS Messaging in iOS 17 Update
- iMessage on Windows via Microsoft’s Phone Link
- Beeper Brings iMessage to Android and Windows
- Zoom Meetings Aren’t End-to-End Encrypted
3 Comments RSS · Twitter · Mastodon
Nothing ends up looking really silly after this.
Shame, because I've liked what they've done so far.
Yeah, I have a Nothing Phone 1, which I really like. Both the software and hardware are well designed and thoughtful.
However, this has really hit my confidence in Nothing's competence. They really failed to do due diligence here at the cost of their user's security. Very bad.
Apple ID credentials were also being passed in cleartext over HTTP, which to me is worse than anything else.