Nothing Chats app has already been pulled from Google Play due to serious privacy issue
Nothing he withdrew Nothing Chats beta version from Google Play Store “until further notice”, after reports that “Sunbird sends messages in plain text format”.
Nothing decided on this move stating that “is delaying the launch until further notice until they fix a few bugs“.
The application promised users Nothing Phone 2 to be able to send messages via iMessage, but it required permission for Sunbird, which provides the platform, to access users' iCloud accounts on their Mac Mini servers, which is… not very desirable?
Nothing Chats messages arrive without end-to-end encryption
The takedown came after users widely shared a blog from Texts.com showing that messages sent through Sunbird's system aren't actually end-to-end encrypted and aren't difficult to compromise. The app launched in beta yesterday after being announced earlier this week.
Twitter / X9to5Google pointed out to a discussion by site author Dylan Roussel, who revealed that part of the Sunbird solution involves decrypting and transmitting messages via HTTP to a Firebase server for cloud synchronization and storing those messages in an unencrypted, plain text format. Roussel said the company itself has access to the messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP “used only as part of a one-time initial request from the application that notifies the backend of an incoming iMessage message.” That was their response to someone who pointed out a blog from Texts.com that pointed out the vulnerability.
Texts.com wrote that “willan attacker who subscribes to the Firebase database can always access messages in real time before or at the moment the user reads them.” The blog also indicates that the company can review messages on its Sentry panel, directly refuting the Nothing FAQ's claim that no one at Sunbird can access messages that have been sent or received.
What will happen in the end, whether they will solve this problem or maybe someone will file a lawsuit, remains to be seen.