In big setback, Nothing pulls Chats app from Google Play Store

Nothing Chats, a new messaging app has been swiftly removed from Google Play Store amid serious security concerns, exposing vulnerabilities.

| Updated on: Nov 19 2023, 16:40 IST
Nothing chats app has been removed from Google Play Store amidst security concerns and reports about encryption flaws. (Amritanshu / HT Tech)
Nothing chats app has been removed from Google Play Store amidst security concerns and reports about encryption flaws. (Amritanshu / HT Tech)

In a swift move, Nothing Chats, the messaging app launched by Nothing earlier this week, has been yanked from the Google Play Store. Officially, the reason cited is "several bugs" that require fixing before a relaunch- an action accompanied by an unspecified waiting period. However, emerging evidence pointed put by 9to5Google and others suggests that the withdrawal may be more about glaring security flaws than mere bugs.

Sunbird's Deceptive Claims

A meticulous technical examination conducted by Rida F'kih from, along with Twitter users @batuhan and @1ConanEdogowa, revealed unsettling revelations about Nothing's service provider, Sunbird. The company allegedly misrepresented the end-to-end encryption of messages transmitted through its servers.

Previously, users signing up for Nothing Chats needed to log in to Sunbird servers using their Apple ID, hosted on a Mac mini running a virtual machine. While Sunbird claimed message encryption during transit to the servers, the investigative trio discovered a critical lapse. The JSON Web Tokens (JWT) generated by the service were sent unencrypted to another Sunbird server lacking SSL, making them vulnerable to interception by potential attackers.

Adding to the security woes, messages were encrypted and stored on Sunbird servers, providing attackers a window of opportunity to access them before the intended recipient. demonstrated this vulnerability by intercepting JWTs, gaining access to the Firebase realtime database with just 23 lines of code, resulting in the download of all user information and conversations.

Nothing's Response Raises Transparency Questions

The author went a step further, offering a website where users with coding expertise could intercept their own messages when sent between two devices, one of which runs the Nothing Chats app.

While the privacy breach is squarely Sunbird's responsibility, Nothing, by choosing to collaborate with the company, finds itself entangled in the matter. Furthermore, addressing these significant security lapses as mere "bugs" raises questions about transparency.

Follow HT Tech for the latest tech news and reviews , also keep up with us on Whatsapp channel,Twitter, Facebook, Google News, and Instagram. For our latest videos, subscribe to our YouTube channel.

First Published Date: 19 Nov, 16:40 IST