Last week Nothing announced a brand new chat app, Nothing Chats, which effectively brings a version of Apple’s iMessage to Android. That way you’re not sending messages and files by the old, insecure SMS and MMS systems. Unfortunately, Nothing has now pulled the app from Google Play, and it’s apparently all due to serious security concerns.
Nothing Chats is built on a third-party service called Sunbird, and the process requires you to let Sunbird log into your iCloud account from its servers — allegedly powered by a Mac Mini. Which is sketchy enough already, but it gets worse than that. According to a report from Texts.com, it turns out Sunbird messages aren’t end-to-end encrypted. Apparently, it’s not that difficult to compromise the system either.
9to5Google spotted that the site’s owner, Dylan Roussel, went into much greater detail on a Twitter/X thread.
Thread time!
Summary:
- Sunbird has access to every message sent and received through the app on your device.
- All of the documents (images, videos, audios, pdfs, vCards...) sent through Nothing Chat AND Sunbird are public.
- Nothing Chats is not end-to-end encrypted.
November 18, 2023
Roussel claims that Sunbird works by decrypting and transmitting messages via HTTP to a Firebase cloud-syncing server and storing them in unencrypted plain text. He noted that Sunbird also has access to these messages, since they’re logged as errors by debugging service Sentry.
Sunbird is said to have claimed that transmitting via HTTP is fine, because it’s only used as part of the initial request. Roussel notes that this still leaks users’ email addresses, and it doesn’t change the fact that Sunbird messages are publicly visible via the Firebase Realtime Database, and not encrypted.
Nothing’s FAQ claims that the Sunbird system is secure and end-to-end encrypted, while also stating that messages and Apple credentials are not stored at any point in its journey. According to Roussel, the exact opposite appears to be true.
One of the biggest benefits of iMessage is that it’s end-to-end encrypted by default. Apple also cited additional security as one of the reasons why it will be adopting the RCS messaging standard next year. In both cases your messages are secure, and inaccessible by third parties — Apple included.
So if you’re going to be left to communicate in a hilariously insecure manner, you may as well stick with the traditional SMS option. At least that doesn’t ask you to log into a third-party server with your Apple credentials.
The official Nothing Chats page confirms that the beta app has now been pulled from the Play Store, with launch being delayed until Nothing and Sunbird can fix “several bugs.” Which is putting it lightly.
When asked for comment, a Nothing spokesperson said “We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.”
In the meantime, your dream of hiding as a blue-bubbled Apple user without buying an iPhone is not going to come true anytime soon. And given everything that’s come to light, it’s probably something you should try and avoid going forward.