Nothing's iMessage App For Android Is A Privacy Nightmare, Gets Yanked From Play Store
The Nothing Chats beta app is no longer available in the Play Store after a surprising number of security and privacy concerns came to light. Nothing released the messaging application as a way to better connect Android and iPhone users, because at the moment cross-platform chats offer a somewhat limited experience.
Unfortunately, Nothing and its partner Sunbird appear to have cut a few corners. Text.com’s reverse engineering team published a blog post with a complete rundown of the app’s security and privacy failings, after the team noticed conflicting statements following the messaging app’s official announcement.
An attacker can access all of a user’s details because of a data-in-transit vulnerability: Sunbird uses a server that does not implement SSL. There is also a data-at-rest vulnerability, because Sunbird saves data on an unencrypted server. Lastly, someone working at Sunbird may be able to access user data, because all messages are routed through the Sunbird Sentry debugging platform.
Sunbird’s response to this situation has been less than ideal. When presented with the information found by the reverse engineering team, Sunbird denied the findings and insisted that Nothing Chats, along with all of its other services, is completely secure. It’s disappointing to see this response considering the nature of the data they are entrusted with.
Thankfully, there are security pros who take the time to investigate situations such as this one. Time will tell how damaging this saga will be for Nothing.