In big setback, Nothing pulls Chats app from Google Play Store
Nothing Chats, a new messaging app, has been swiftly removed from the Google Play Store amid serious security concerns.
In a swift move, Nothing Chats, the messaging app launched by Nothing earlier this week, has been yanked from the Google Play Store. Officially, the reason cited is "several bugs" that require fixing before a relaunch, an action accompanied by an unspecified waiting period. However, emerging evidence pointed out by 9to5Google and others suggests that the withdrawal may be more about glaring security flaws than mere bugs.
Sunbird's Deceptive Claims
A meticulous technical examination conducted by Rida F'kih from Texts.com, along with Twitter users @batuhan and @1ConanEdogowa, produced unsettling findings about Nothing's service provider, Sunbird. The company allegedly misrepresented the end-to-end encryption of messages transmitted through its servers.
Previously, users signing up for Nothing Chats needed to log in to Sunbird servers using their Apple ID, hosted on a Mac mini running a virtual machine. While Sunbird claimed that messages were encrypted in transit to its servers, the investigative trio discovered a critical lapse. The JSON Web Tokens (JWT) generated by the service were sent unencrypted to another Sunbird server lacking SSL, making them vulnerable to interception by potential attackers.
Adding to the security woes, messages were encrypted and stored on Sunbird servers, providing attackers a window of opportunity to access them before the intended recipient. Texts.com demonstrated this vulnerability by intercepting JWTs and using them to gain access to the Firebase Realtime Database with just 23 lines of code, which allowed the download of all user information and conversations.
Nothing's Response Raises Transparency Questions
The author went a step further, offering a website where users with coding expertise could intercept their own messages when sent between two devices, one of which runs the Nothing Chats app.
While the privacy breach is squarely Sunbird's responsibility, Nothing, by choosing to collaborate with the company, finds itself entangled in the matter. Furthermore, addressing these significant security lapses as mere "bugs" raises questions about transparency.