The recent removal of Nothing Chats, an iMessage clone, from the Google Play Store has stirred up discussions about the true reason behind its withdrawal. While Nothing claims that the removal was due to “several bugs,” evidence suggests otherwise, pointing to significant security concerns.
Authors Rida F’kih from Texts.com and Twitter users @batuhan and @1ConanEdogawa conducted an in-depth technical analysis that shed light on the security flaws within Nothing’s service provider, Sunbird. It was revealed that Sunbird had made false claims about the end-to-end encryption of the messages transmitted through its servers.
To sign up for Nothing Chats, users were required to log into Sunbird's servers with their Apple ID; that login ran on a Mac mini hosting a virtual machine. While messages sent to these servers were encrypted in transit, the analysis uncovered that the JSON Web Tokens (JWTs) generated by the service were forwarded to another Sunbird server without SSL encryption, allowing anyone positioned on the network path to intercept and reuse these tokens.
Furthermore, the messages were decrypted and stored on Sunbird servers, providing attackers with an opportunity to gain access to them before the intended recipients. A demonstration by Texts.com involved intercepting JWT and extracting all user information and conversations using only 23 lines of code.
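The flaw described above is a bearer token leaving the client over a plaintext connection. As an added example (not the Texts.com demonstration, and not code from Sunbird or Nothing), the following audit check scans a constructed log of outbound requests and flags any JWT-shaped bearer token sent to a non-HTTPS URL; the hostnames, token contents and log format are all assumptions.

```python
import base64
import json
import re
from urllib.parse import urlsplit

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed demo token: a JWT-shaped value with a dummy signature, for the sample log only.
DEMO_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "demo-user", "scope": "messages"}).encode()),
    _b64url(b"demo-signature-not-valid"),
])

# Constructed sample of outbound requests, as an app or egress proxy might log them.
# Only the first one carries the token over plain HTTP, which is the defect in question.
SAMPLE_REQUESTS = [
    {"url": "http://relay.example.invalid/session", "headers": {"Authorization": f"Bearer {DEMO_JWT}"}},
    {"url": "https://api.example.invalid/messages", "headers": {"Authorization": f"Bearer {DEMO_JWT}"}},
    {"url": "http://cdn.example.invalid/icon.png", "headers": {"Accept": "image/png"}},
]

JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def looks_like_jwt(token: str) -> bool:
    """True if the token has three base64url segments and its header decodes to JSON with 'alg'."""
    if not JWT_RE.match(token):
        return False
    head = token.split(".")[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header

def plaintext_jwt_leaks(requests):
    """Return the URLs of requests that send a bearer JWT over a scheme other than https."""
    leaks = []
    for req in requests:
        scheme, _, token = req.get("headers", {}).get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not looks_like_jwt(token.strip()):
            continue
        if urlsplit(req["url"]).scheme.lower() != "https":
            leaks.append(req["url"])
    return leaks

if __name__ == "__main__":
    for url in plaintext_jwt_leaks(SAMPLE_REQUESTS):
        print("bearer JWT sent without TLS to", url)
```

The same check can be wired into a client as a hard refusal (drop the request instead of appending to a list) so that a misconfigured endpoint cannot silently expose a session token.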
It is essential to emphasize that the responsibility for these privacy breaches lies squarely with Sunbird. Nevertheless, Nothing's decision to work with Sunbird implicates it as well, and dismissing the reason for the removal as mere “bugs” displays a lack of transparency.
When Nothing eventually relaunches the app, it remains to be seen how the service will address these security concerns. However, it is crucial for users to exercise caution when logging into third-party service servers with their Apple ID, even if encryption is claimed. With Apple’s recent announcement of RCS support, the need for such third-party alternatives becomes debatable.
Frequently Asked Questions (FAQ)
Q: Why was Nothing Chats pulled from the Google Play Store?
A: Nothing claimed it was due to “several bugs,” but evidence indicates significant security issues in Sunbird.
Q: What were the security flaws discovered?
A: The JSON Web Tokens issued by Sunbird’s servers were transmitted without encryption, making them vulnerable to interception by attackers. Additionally, messages were decrypted and stored on Sunbird’s servers, allowing potential access by attackers.
Q: Who is responsible for the privacy breaches?
A: The privacy breaches are predominantly Sunbird’s fault. However, Nothing’s association with Sunbird implicates them as well.
Q: How should users proceed when the app relaunches?
A: Users should exercise caution when logging into third-party service servers with their Apple ID. It is worth considering the availability of Apple’s RCS support as a potential alternative.