The Carl Pei-led UK tech startup Nothing has withdrawn the beta version of its new messaging app, Nothing Chats, from the Google Play Store, citing the need to address numerous bugs and security concerns. The app, initially launched to bridge the messaging gap between Android and iOS devices, is now under scrutiny for potentially compromising user privacy and security.
The Nothing Chats app, aimed at users of the Nothing Phone 2, was designed to enable texting through iMessage, marking a significant step towards resolving the long-standing texting issues between Android and Apple users. The app supported the RCS (Rich Communication Services) protocol, SMS, and MMS, allowing for a comprehensive messaging experience. Key features touted included end-to-end encryption, group messaging, live typing indications, and high-resolution media sharing.
However, soon after its announcement, security experts and users raised concerns over the app’s safety. Kishan Bagaria, founder of Texts.com, criticized the app for not providing end-to-end encryption and relying on a BlueBubbles-powered backend. Bagaria described the app as “extremely insecure,” highlighting the transmission of Apple ID credentials via HTTP instead of HTTPS.
A detailed investigation by 9to5Google revealed further vulnerabilities. The investigation, led by author Dylan Roussel, found that the app decrypted messages and transmitted them unencrypted via HTTP to a Firebase cloud-syncing server. This left the messages in plain text and exposed to interception.
In response to these findings, Nothing announced the removal of the Nothing Chats beta from the Play Store, stating, “We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.” The company, however, did not specifically address the privacy issues raised.
Sunbird, collaborating with Nothing on this project, claimed that HTTP was used only for the initial request to notify the backend of the iMessage connection. This statement contradicted Nothing’s own FAQ, which assured users that Sunbird staff couldn’t access sent or received messages.
The decision to pull the app highlights the ongoing challenges tech companies face in innovating while ensuring user privacy and security. As of now, Nothing has not provided further comments in response to the security concerns raised, leaving questions about the app’s future and the company’s approach to user data protection.