The Nothing Chats app, which was launched earlier this week as an alternative to iMessage, has been pulled from the Google Play Store. While the company initially attributed the removal to “several bugs,” a detailed technical analysis by security researchers suggests that significant security concerns were the real reason behind the app’s removal.
Kishan Bagaria, founder of Texts.com, first raised these concerns on Twitter, and the Texts.com team later published a detailed blog post documenting the app’s vulnerabilities. Their investigation found that Sunbird, the service provider behind Nothing Chats, had misled users about end-to-end encryption: messages routed through Sunbird’s servers were not end-to-end encrypted.
Messages were encrypted in transit to Sunbird’s servers, but the JSON Web Token (JWT) the service issued for authentication was sent over an unencrypted connection to another Sunbird server, so anyone on the network path could intercept it. Once the messages reached Sunbird’s servers they were decrypted and stored there, which is not end-to-end encryption: anyone with access to that storage, or with a captured token, can read them.
Texts.com demonstrated the problem by intercepting the JWTs exchanged between two devices and using one to authenticate to the Firebase Realtime Database that backs the service. A proof of concept of just 23 lines of code was enough to capture the token and read user information and conversations.
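The core failure above is a bearer token travelling over cleartext HTTP: a JWT does not need its signing key to be read or replayed, so whoever sees it on the wire owns the session until it expires. The following is an added example, not code from Texts.com or Sunbird, showing the kind of check a reviewer would run over a traffic capture to find that class of leak. The capture format (absolute-form request lines as a proxy would log them), the hostnames, the tokens and the signing key are all constructed for this example.

```python
"""Find bearer JWTs sent over cleartext HTTP in a captured request log.

Everything here (hostnames, tokens, key, capture format) is constructed for
the example and is not taken from any real service.
"""
import base64
import hashlib
import hmac
import json
import re


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(payload: dict, key: bytes = b"throwaway-example-key") -> str:
    """Build an HS256 JWT. The key is a throwaway used only to produce
    realistic-looking sample tokens for the constructed capture."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


# Fixed "current time" so the example is deterministic.
NOW = 1_700_000_000

# Constructed capture: one request over cleartext HTTP, one over TLS.
# Requests are separated by a blank line; request lines use absolute URLs.
CAPTURE = (
    "GET http://api.chat.example/v1/messages HTTP/1.1\n"
    "Host: api.chat.example\n"
    f"Authorization: Bearer {make_jwt({'sub': 'user-123', 'exp': NOW + 3600})}\n"
    "\n"
    "GET https://api.chat.example/v1/profile HTTP/1.1\n"
    "Host: api.chat.example\n"
    f"Authorization: Bearer {make_jwt({'sub': 'user-456', 'exp': NOW + 3600})}\n"
    "\n"
)

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*) HTTP/1\.[01]$"
)
BEARER = re.compile(
    r"^Authorization:\s*Bearer\s+"
    r"(?P<tok>[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)$",
    re.I,
)


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. An eavesdropper
    needs no key to read the claims or to replay the token as-is."""
    _, body, _ = token.split(".")
    return json.loads(b64url_decode(body))


def find_leaked_tokens(capture: str, now: int = NOW) -> list:
    """Return one record per bearer token that was sent over plain http://.
    Each record notes who the token belongs to and how long it stays
    replayable, which is what an attacker on the path would care about."""
    leaks = []
    for block in capture.strip().split("\n\n"):
        lines = block.split("\n")
        req = REQUEST_LINE.match(lines[0])
        if not req:
            continue
        token = None
        for line in lines[1:]:
            hit = BEARER.match(line)
            if hit:
                token = hit.group("tok")
        if token is None or req.group("scheme") != "http":
            continue  # no token, or it was at least protected by TLS
        claims = decode_claims(token)
        leaks.append({
            "host": req.group("host"),
            "path": req.group("path"),
            "sub": claims.get("sub"),
            "replayable_for_s": max(0, claims.get("exp", 0) - now),
        })
    return leaks


if __name__ == "__main__":
    for leak in find_leaked_tokens(CAPTURE):
        print(f"cleartext bearer token for {leak['sub']} to "
              f"{leak['host']}{leak['path']}, usable for {leak['replayable_for_s']}s")
```

Run over the constructed capture it reports exactly one leak, the `user-123` token, and ignores the identical token shape on the HTTPS request: the finding is about the transport, not the token format. In a real engagement the same check is applied to a proxy export of the app's traffic, and a hit is a complete account takeover for the token's remaining lifetime regardless of how the message bodies are encrypted.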
While the ultimate responsibility for the privacy issues lies with Sunbird, Nothing has faced criticism for choosing to work with the company and for downplaying the severity of the situation as mere “bugs.” Apple’s recent announcement that iOS will support RCS also weakens the app’s main selling point.
Users are advised to be cautious about logging into third-party services with their Apple ID, even when encryption is promised: a relay that signs in with those credentials on the user’s behalf can read whatever passes through it. The future of Nothing Chats remains uncertain; it remains to be seen whether Nothing and Sunbird can address these security problems and return the app to the Play Store.
FAQ
1. Why was the Nothing Chats app removed from the Google Play Store?
Nothing attributed the removal to “several bugs,” but a technical analysis by security researchers at Texts.com indicates that significant security problems were the real reason.
2. What were the security vulnerabilities of the app?
The vulnerabilities included misleading claims about end-to-end encryption, transmission of the JSON Web Token (JWT) between Sunbird servers over an unencrypted connection, and messages stored decrypted on Sunbird’s servers, exposing them to unauthorized access.
3. Who raised concerns about the app’s security?
Kishan Bagaria, the Founder of Texts.com, initially raised concerns on Twitter, and the Texts.com team published a detailed blog outlining the app’s vulnerabilities.
4. How did Texts.com demonstrate the vulnerabilities?
Texts.com intercepted the JWTs exchanged between devices and used one to authenticate to the Firebase Realtime Database, gaining access to user information and conversations with just 23 lines of code.
5. Will the Nothing Chats app be able to address these security concerns?
It is currently uncertain whether the Nothing Chats app will be able to address these security concerns and make a successful return to the Play Store.