
Chat App Removed from Google Play Store Due to Privacy Concerns

The beta version of Nothing Chats has been taken down from the Google Play Store owing to concerns surrounding user privacy. This messaging app, utilizing the Sunbird messaging platform, allowed Nothing Phone users to communicate with iMessage users following Apple’s recent announcement of RCS support.

The delay in the app’s launch is attributed to ongoing efforts to eliminate bugs. To enable texting with iMessage, Nothing Chats required access to users’ iCloud accounts. However, reports from Texts.blog criticized the app, labeling it as a less secure, rebranded version of the Sunbird app.

Texts.com’s reverse engineering team conducted an investigation and found that both Sunbird and Nothing Chats required sending Apple ID credentials to their servers. Initial findings exposed vulnerabilities specific to Nothing’s iteration.

Security flaws included the transmission of essential credentials over an unencrypted channel (HTTP). Despite Sunbird’s claim of ISO27001 certification, the investigation found that the information given about end-to-end encryption was deceptive.

While messages sent to Sunbird’s servers were encrypted, JSON Web Tokens (JWTs) were sent without encryption to another Sunbird server, leaving them exposed to interception. Further, messages were decrypted and stored on Sunbird servers, creating susceptibility to unauthorized access.

Texts.com managed to intercept JWTs, gaining entry to the Firebase real-time database and user information with just 23 lines of code. Though Sunbird bears direct responsibility for the privacy lapses, Nothing faced criticism for its collaboration with Sunbird and for downplaying the situation as mere “bugs.” Whether Nothing Chats returns to the Play Store hinges on its ability to address and rectify these security concerns.
