A week after Carl Pei announced the Nothing Chats app as the first-ever Android service to support Apple’s iMessage, the app has been pulled from the Google Play Store.
While the company has said there are “several bugs” that it needs to fix before relaunching it, it is being reported that there are actually some serious security issues.
Interestingly, the app was pulled right after Apple announced that it would support the RCS messaging standard within the iPhone messaging app, bringing iMessage-type features to regular SMS.
All of this can’t be a coincidence. Let’s look at it:
According to Texts.com author Rida F’kih and X users @batuhan and @1ConanEdogowa, Nothing’s service provider Sunbird lied about messages routed through its servers being end-to-end encrypted.
Using the Nothing Chats app requires you to sign in to Sunbird’s servers with your Apple ID. Sunbird claimed that messages sent to the servers are encrypted; however, it was discovered that “the JSON Web Tokens or JWT that the service generates are sent again unencrypted over to another Sunbird server without SSL, allowing them to be intercepted by an attacker”, as reported by GSMArena.
It has also come to light that the messages are decrypted and then stored on the Sunbird servers, giving attackers enough time to steal the data.
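The exposure described above can be checked for in captured traffic. The following is an added example, not code from the article, Nothing or Sunbird: it scans request records for JWT-shaped values sent to plain `http://` URLs and decodes their claims, which works without any key because a signed JWT's header and payload are only base64url-encoded. The hostnames, the `Authorization` header, the token and its claims are all constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Constructed sample data: a JWT built here (not a real Sunbird token) and
# two constructed request records, as a proxy or packet capture might show.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"sub": "user@example.com", "exp": 1700600000}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",  # placeholder signature, never verified here
])
CAPTURED = [
    {"url": "https://api.example.test/login", "headers": {"Authorization": "Bearer " + SAMPLE_JWT}},
    {"url": "http://sync.example.test/config", "headers": {"Authorization": "Bearer " + SAMPLE_JWT}},
]

JWT_RE = re.compile(r"([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")

def decode_segment(seg):
    """Base64url-decode one JWT segment; no key is needed to read it."""
    padded = seg + "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def find_cleartext_jwts(records):
    """Return one finding per JWT-shaped header value sent to a non-TLS URL."""
    findings = []
    for rec in records:
        if urlsplit(rec["url"]).scheme.lower() != "http":
            continue  # TLS-protected request, token not readable on the wire
        for name, value in rec["headers"].items():
            for m in JWT_RE.finditer(value):
                try:
                    header, claims = decode_segment(m.group(1)), decode_segment(m.group(2))
                except ValueError:
                    continue  # three dotted words that are not a JWT
                if isinstance(header, dict) and "alg" in header:
                    findings.append({"url": rec["url"], "header": name, "claims": claims})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_jwts(CAPTURED):
        print(f"JWT exposed on {f['url']} via {f['header']}: {f['claims']}")
```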
Even though the responsible party in this fiasco is Sunbird, by choosing to work with it, Nothing has also implicated itself in the matter.
And it does not reflect well on Nothing that it chose to describe the situation as bugs. It’s just dishonest.
Right now there is no word on when Nothing will bring the service back to the store.
Unfortunately for Nothing, Apple’s decision to support RCS messaging will make the Nothing Chats app redundant since all Android users will be able to enjoy iMessage-type features on their phones.