Nothing has removed the Nothing Chats beta from the Google Play Store, saying it is “delaying the launch until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users send text messages with iMessage, but it required allowing Sunbird, which provides the platform, to connect to users’ iCloud accounts on its own Mac Mini servers, which… isn’t great.
The removal came after users widely shared a Texts.com blog showing that messages sent with Sunbird’s system aren’t actually end-to-end encrypted — and that it’s not difficult to compromise. The app launched in beta yesterday after being announced earlier this week.
9to5Google pointed out a thread by site author Dylan Roussel, who discovered that part of Sunbird’s solution involves decrypting messages, transmitting them over HTTP to a Firebase cloud sync server, and storing them there in unencrypted plain text. Roussel posted that the company itself has access to the messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP was “only used as part of the application’s one-time initial request informing the backend of the next iMessage connection.”
This was in response to someone pointing to Texts.com’s blog examining the vulnerability. Texts.com wrote that “an attacker subscribed to the Firebase real-time database will still be able to access messages before or as they are read by the user.” The blog also points out that the company could view messages in its Sentry dashboard, directly contradicting Nothing’s FAQ claim that no one at Sunbird can access messages sent or received.
We reached out to Nothing for further comment, but the company had not responded by the time of publication.