Four days after cult-favorite smartphone startup Nothing announced Nothing Chats, a first-of-its-kind app for iMessage on an Android phone, powered by another startup named Sunbird, the company pulled the app from the Google Play store. This followed independent research which argued that, though Sunbird and Nothing claimed that Nothing Chats was end-to-end encrypted and secure, these promises couldn’t have been further from the truth.
Nothing Chats was an app that sent iMessages exclusively through the Android-based Nothing Phone 2, circumventing the distinctive green bubble that Android messages have when sent to iPhones. Android SMS and MMS messages also currently face lower media quality, limited group chat compatibility and an unencrypted format when communicating with iPhones, though that may change soon as Apple switches to RCS messages for texts coming from Android.
“Wukko” on X (formerly Twitter) first posted screenshots on Friday revealing that Nothing Chats sends and stores all data, including texts, attachments and user images, on Google’s mobile and web cloud computing service Firebase. This contradicts what Nothing told users: that neither it nor Sunbird could access any iMessages sent or received through Nothing Chats.
Wukko also pointed out that the data appeared completely unencrypted, meaning it lacked protection from unauthorized access, modification, or theft by other parties.
Soon after Wukko and other users sounded the alarm, the Texts.com reverse engineering team took a deep dive into Nothing Chats and discovered that a request for important user credentials was made over HTTP, an unencrypted channel, instead of HTTPS. Sunbird denied security issues and said that the HTTP request was only a one-off to notify users of an iMessage connection. The connection itself, according to Sunbird, happened on a secure channel.
However, the Texts.com reverse engineering team was still easily able to access information regarding a Nothing Phone 2 user and all of their conversations through the Sunbird-powered Nothing Chats app with just 23 lines of code.
The Texts.com team confirmed what X user Wukko pointed out: when users send messages using Sunbird or Nothing Chats, every piece of information related to that message, including user contact information and attachments, is sent to Sunbird’s Sentry debugging platform. This allows authorized parties within Sunbird to view messages, leading to possible insider threats.
Nothing initially said that Sunbird wouldn’t store any messages or Apple ID credentials in external servers and that messages could only be recovered locally.
Nothing removed the Chats app from the Play Store on November 18, stating that it would delay the launch as it worked with Sunbird to “fix several bugs.”