Nothing has temporarily removed its Nothing Chats beta app from Google Play. The company announced it's postponing the launch to address various bugs. The app, designed for Nothing Phone 2 users, allowed texting via iMessage. However, it required users to let Sunbird, the platform provider, access their iCloud accounts through its Mac Mini servers, raising significant privacy concerns.
The decision to pull the app follows widespread criticism after a Texts.com blog revealed that messages sent via Sunbird's system weren't fully secure. The blog highlighted that these messages were susceptible to external compromise instead of being end-to-end encrypted. The app had only recently launched in beta, following its announcement earlier in the week.
Sunbird has access to every message sent and received through the app. They do this by abusing @getsentry, which is used to monitor errors.
— Dylan Roussel (@evowizz) November 18, 2023
But Sunbird logs messages, pretending they are errors.
Here are part of the requests (img 1, 3) and their entire "message" (img 2, 4) pic.twitter.com/pzwwQVWfOb
Security flaws exposed
An investigation by 9to5Google, through a thread by site author Dylan Roussel, uncovered Sunbird's method involved decrypting messages and transmitting them via HTTP to a Firebase cloud-syncing server. This process left the messages unencrypted and stored in plain text. Roussel also noted that Sunbird logged these messages as errors using Sentry, a debugging service, implying that the company had access to them.
In response to security concerns, Sunbird claimed that HTTP was used only for the initial request from the app to notify the back-end of the impending iMessage connection. This statement was in reply to the vulnerabilities highlighted in the Texts.com blog. The blog had warned that attackers with access to the Firebase database could intercept messages before or as users read them. It also contradicted Nothing's FAQ, which asserted that Sunbird staff couldn't access sent or received messages.
Company's silence on privacy issues
Despite these revelations, Nothing has yet to respond to requests for comments. The company's silence raises further questions about the app's privacy and security measures. The decision to withdraw the app from the Google Play store underscores tech companies' challenges in balancing innovative features with user privacy and security.
