Carl Pei-led British startup Nothing has decided to temporarily pull the messaging app Nothing Chats from the Google Play Store. According to the manufacturer, this measure was taken following user privacy and security concerns.
Nothing Chats, launched last week in collaboration with Sunbird, was created to facilitate the exchange of messages between Android and iOS devices. Nothing Phone 2 users could send and receive messages via iMessage. The app also supports the RCS protocol for messaging between Android phones, as well as SMS and MMS.
The concerns arose after users criticized the way the app transmitted Apple ID credentials, using the not-always-secure HTTP protocol instead of HTTPS. To use iMessage services, users had to sign in with their Apple ID through the Nothing Chats app, a process involving a Mac located in a remote server farm.
The app has been labeled “extremely insecure”
Kishan Bagaria, the founder of Texts.com, labeled the app as “highly insecure”, claiming that messages sent through Sunbird’s system are not end-to-end encrypted and rely on a server powered by BlueBubbles.
Dylan Roussel (@evowizz) pointed out that Sunbird has access to every message sent and received through the app. All documents (images, videos, audio, PDFs, vCards) sent via Nothing Chats and Sunbird are public. Another user, wukko (@uwukko), discovered that the app sends all messages and media attachments to Sentry, and “all” data is sent and stored through Firebase, completely unencrypted.
Although the Nothing Chats app was designed to support iMessage on Android and includes features such as end-to-end encryption, group messaging, live typing prompts, high-resolution media sharing, read and delivery confirmations, and message reactions , the company decided to delay the release to work on solving the identified problems.