Android Central
Nickolas Diaz

Nothing CMF Watch app remains a security risk

Nothing Phone (2) with its back Glyph lights illuminated.

What you need to know

  • Nothing's CMF Watch app has a serious vulnerability in how it handles supposedly encrypted user data.
  • Discoveries show that Nothing's encryption of a user's email and password doesn't actually work because the keys aren't hidden well, increasing the risk of exposure.
  • Nothing has only upgraded the encryption strength behind users' passwords, but emails are still at risk.

It appears that Nothing is caught up in another vulnerability that is putting users' information at risk of exposure.

According to Android developer Dylan Roussel, Nothing has yet to correct a critical vulnerability in its CMF Watch app (via Android Authority). The problem is with the app's encryption of a user's email and password, as it doesn't offer total protection.

From what was discovered, the method Nothing used, in partnership with the company Jingxun, makes it easy for anyone to access a person's sensitive information using the decryption data within the app, which "essentially made the encryption useless."

Roussel came across this vulnerability back in September, and their evidence of it showed how "badly" Nothing hid the ever-so-important keys required to decrypt a user's information.

Since its initial discovery in September, Nothing has worked to rectify its odd encryption problem, but only for passwords. Roussel adds that a user's email is still at risk of exposure despite the password encryption receiving an upgrade.

They state, "Nothing replied to my initial report, but stopped replying afterward."

There is another vulnerability, reported back in August, that wasn't disclosed. Allegedly, this has something to do with Nothing's internal data and has yet to be fixed.

Android Central has reached out to Nothing about the encryption problems users are facing in the CMF Watch app.

The company's struggles with the privacy and dependability of its software continue following a recent blunder with the Nothing Chats app. Following a surge of reports, the app was found to not have any encryption for users' media or messages, which went directly against what Nothing claimed.

Moreover, further digging showed that a user's information was readily available to read as it was being stored on a server. Nothing created its "bridge" between Android and iMessage with Sunbird; however, the latter apparently "has access to every message sent and received through the app."

Users who've used the app are advised to take serious measures to safeguard their sensitive Apple ID information.
