Nothing Chats: A Privacy Nightmare Unveiled in the Pursuit of iMessage on Android

By Roze

In the ever-evolving landscape of messaging apps, the quest to bring iMessage functionality to Android has taken a disconcerting turn. Sunbird, the company behind this ambitious endeavor, promised not just iMessage support but emphasized end-to-end encryption, touting a safe and secure messaging environment on its platform. However, recent revelations about its offspring, Nothing Chats, have exposed a glaring privacy nightmare.

The Promise: iMessage for Android with End-to-End Encryption

Sunbird’s approach involved having users log into their Apple ID through the app, routing the login through a Mac server farm. This method, while not unique, was presented as groundbreaking for maintaining end-to-end encryption throughout the entire process. On both Sunbird and Nothing Chats’ platforms, explicit claims were made about not storing user data and providing a secure and private messaging experience.

The Harsh Reality: Encryption Claims Shattered

Contrary to these assurances, recent findings have dismantled the illusion of end-to-end encryption. A Twitter user, “Wukko,” exposed the alarming fact that media attachments, including user images, were being sent to Sentry with links visible in plain text. What’s more, all data, including vCards with sensitive information, was being sent and stored through Firebase, completely unencrypted.

Independent confirmation by 9to5Google solidified the validity of these findings. Research unveiled that once a user authenticated with insecure JSON Web Tokens (JWT), accessing Nothing Chats’ Firebase database revealed messages and files from other users in real time and in plain text. Over 630,000 media files were identified in Sunbird’s storage via Firebase, undermining the claim that user data isn’t stored.

The Fallout and Nothing’s Response

Upon the discovery of this egregious privacy lapse, Nothing Chats was promptly removed from the Play Store, and the launch was delayed to address several bugs. Nothing, the parent company, acknowledged the issues and expressed an intention to collaborate with Sunbird to rectify the vulnerabilities. However, the fate of Sunbird’s app remains uncertain, given its identical privacy flaws.

Concerns and Questions: Lack of Due Diligence and Future Vulnerabilities

The gravity of this privacy breach raises questions about Nothing’s due diligence in vetting its partnership with Sunbird. How did such a significant vulnerability elude detection during the months of collaboration? As users grapple with the shock of private data exposure, the worry persists: could more severe vulnerabilities emerge over time?

In the wake of these revelations, a strong advisory stands: refrain from downloading Nothing Chats or Sunbird, as the depth of this privacy violation is nothing short of a nightmare. As the dust settles, the tech community waits to see how Nothing and Sunbird address the aftermath and what steps will be taken to restore faith in the pursuit of secure cross-platform messaging.
