We’re not armchair quarterbacking here; we called this last Tuesday — Nothings iMessage app was a security catastrophe, taken down in 24 hours Nothing promised end-to-end encryption, then stored texts publicly in plain text.
Ron Amadeo – Nov 20, 2023 11:11 pm UTC Enlarge / The Nothing Phone 2 all lit up. Ron Amadeo reader comments 134 with
It turns out companies that stonewall the media’s security questions actually aren’t good at security. Last Tuesday, Nothing Chatsa chat app from Android manufacturer “Nothing” and upstart app company Sunbirdbrazenly claimed to be able to hack into Apple’s iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that had been making empty promises for almost a year and seemed negligent about security. The app launched Friday anyway and was immediately ripped to shreds by the Internet for many security issues. It didn’t last 24 hours before Nothing pulled the app from the Play Store Saturday morning. The Sunbird app, which Nothing Chat is just a reskin of, has also been put “on pause.”
The initial sales pitch for this appthat it would log you into iMessage on Android if you handed over your Apple username and passwordwas a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as you could possibly be. Here’s Nothing’s statement: Nothing Chat’s shut down post.Twitter
How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentryand in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages. Advertisement
Further ReadingNothing Phone says it will hack into iMessage, bring blue bubbles to AndroidThe Text.com investigation uncovered a pile of vulnerabilities. The blog says, “When a message or an attachment is received by a user, they are unencrypted on the server side until the client sends a request acknowledging, and deleting them from the database. This means that an attacker subscribed to the Firebase Realtime DB will always be able to access the messages before or at the moment they are read by the user.” Text.com was able to intercept an authentication token sent over unencrypted HTTP and subscribe to changes occurring to the database. This meant live updates of “Messages in, out, account changes, etc” not just from themselves, but other users, too.
Text.com released a proof-of-concept app that could fetch your supposedly end-to-end encrypted messages from Sunbird’s servers. Batuhan Iz, a product engineer for Text.com, also released a tool that will delete some of your data from Sunbird’s servers. Iz reccomends that any Sunbird/Nothing Chat users change their Apple IDs now, revoke Sunbird’s session, and “Assume your data is already compromised.”
9to5Google’s Dylan Roussel investigated the app and found that, in addition to all of the public text data, “All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.” Roussel found 630,000 media files are currently stored by Sunbird, and apparently he could access some. Sunbird’s app suggested that users transfer vCardsvirtual business cards full of contact dataand Roussel says the personal information of 2,300-plus users are accessible. Roussel calls the whole fiasco “probably the biggest “privacy nightmare” I’ve seen by a phone manufacturer in years.” Page: 1 2 Next → reader comments 134 with Ron Amadeo Ron is the Reviews Editor at Ars Technica, where he specializes in Android OS and Google products. He is always on the hunt for a new gadget and loves to rip things apart to see how they work. He loves to tinker and always seems to be working on a new project. Advertisement Channel Ars Technica ← Previous story Related Stories Today on Ars