Nothing Chats has already been pulled from Google Play over privacy issues

Nothing Chats shown in a promotional image. | Image: Nothing

Nothing has pulled the Nothing Chats beta from the Google Play store, saying it is “delaying the launch until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users text with iMessage, but it required allowing Sunbird, which provides the platform, to log into users’ iCloud accounts on its own Mac Mini servers, which… isn’t great?

The removal came after users widely shared a blog from Texts.com showing that messages sent with Sunbird’s system aren’t actually end-to-end encrypted — and that it’s not hard to compromise it. The app launched in beta yesterday after being announced earlier this week.

Sunbird has access to every message sent and received through the app. They do this by abusing @getsentry, which is used to monitor errors.

But Sunbird logs messages, pretending they are errors.

Here are part of the requests (img 1, 3) and their entire “message” (img 2, 4) pic.twitter.com/pzwwQVWfOb

— Dylan Roussel (@evowizz) November 18, 2023

9to5Google pointed to a thread from site author Dylan Roussel, who found that part of Sunbird’s solution involves decrypting and transmitting messages using HTTP to a Firebase cloud-syncing server and storing them there in unencrypted plain text. Roussel posted that the company itself has access to messages because it logs them as errors using Sentry, a debugging service.

Sunbird claimed yesterday that HTTP is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”

That was in response to someone pointing to Texts.com’s blog examining the vulnerability. Texts.com wrote that “an attacker subscribed to the Firebase realtime database will always be able to access the messages before or at the moment they are read by the user.” The blog also points out that the company could look at messages in its Sentry dashboard, directly contradicting the claim from Nothing’s FAQ that nobody at Sunbird can access messages that are sent or received.

We’ve reached out to Nothing for further comment, but the company did not respond by press time.
