Nothing Chats seems even less secure than we thought
- Concerns about security arose shortly after Nothing Chats was announced.
- Nothing clarified how Nothing Chats works to reassure users that it is safe to use.
- New findings show that the app may be less secure than previously thought.
When Nothing announced Nothing Chats, the company claimed its new Phone 2 messaging platform was end-to-end encrypted. Although Nothing insists that its app is private and secure, new findings suggest it is less secure than we initially thought.
Nothing Chats is built on the Sunbird app’s architecture but is designed by Nothing. It is meant to give the Phone 2 compatibility with the iPhone’s iMessage app. To do this, users are required to sign in to the app with an Apple ID, which then assigns their account to a virtual instance of one of Sunbird’s Mac Minis. This tricks an iPhone into thinking it is communicating with another Apple device (we tested the Nothing Chats service for ourselves).
This brought up concerns that users would need to place their trust in a third party to keep their Apple ID data and password safe. However, a spokesperson for Nothing clarified that after you log into the app the first time, “credentials are tokenized in an encrypted database” and “cannot be accessed by Sunbird or anyone else even if they had access to the physical server itself.”
Now that the app is publicly available for download, users are discovering other security issues. Kishan Bagaria, founder of Texts.com, had his team investigate the app and found that it is sending information over hypertext transfer protocol (HTTP) instead of hypertext transfer protocol secure (HTTPS).
texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecure

it’s not even using HTTPS, credentials are sent over plaintext HTTP

backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86

— Kishan Bagaria (@KishanBagaria) November 17, 2023
The Texts team also discovered the term “bluebubbles,” suggesting Sunbird is piggybacking its app on the technology developed by BlueBubbles, a rival service that also allows for iMessage access through Android.
However, after this discovery was made, Nothing issued this statement to 9to5Google:
While the protocol is HTTP, all data is encrypted and the key used to encrypt that data is provided via HTTPS so Apple credentials or messages sent via that HTTP request are secure and not open to the public. All sensitive user data such as Apple ID credentials and messages are encrypted at all times. The HTTP is only used as part of the one-off initial request from the app notifying the back-end of the upcoming iMessage connection iteration that will follow via a standalone communication channel.

Regarding the other part of his tweet, years ago when the servers were being built Sunbird’s co-founder named them Blue Bubbles. Sunbird/Chats is not using an instance of anyone else’s technology – the naming is strictly coincidence.

Additionally, I want to add that, from the start, Sunbird has been focused on security and its ISO27001 certification (Certificate Number: IA-2023-09-21-01), an internationally recognized specification for an information security management system, is a reflection of its commitment to user privacy.
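The dispute above comes down to a check anyone reviewing an app's traffic can run: does a request go out over plain HTTP, and if so, does its body carry readable credential fields or only an opaque encrypted blob? The script below is an added example written for this article, not code from Texts, Nothing or Sunbird; the captured requests in it are constructed samples, and the field names it flags are an assumption to tune for the app under review.

```python
"""Flag captured HTTP requests that carry credentials in the clear.

Added example, not code from Android Authority, Texts, Nothing or Sunbird.
Sample captures are constructed; no real Nothing Chats traffic is used.
"""
import json
import math
from urllib.parse import parse_qs, urlsplit

# Field names that usually hold secrets (assumption: adjust for the app reviewed).
CREDENTIAL_KEYS = {"password", "passwd", "apple_id", "appleid", "username", "token", "secret"}


def shannon_entropy(text: str) -> float:
    """Bits per character: readable text sits near 4, base64 ciphertext nearer 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def parse_body(content_type: str, body: str) -> dict:
    """Decode a JSON or form-encoded body to {key: value}; {} if it is not readable."""
    try:
        if "json" in content_type:
            data = json.loads(body)
            return data if isinstance(data, dict) else {}
        if "x-www-form-urlencoded" in content_type:
            return {k: v[0] for k, v in parse_qs(body).items()}
    except (ValueError, TypeError):
        pass
    return {}


def audit_request(url: str, content_type: str, body: str) -> list:
    """Return findings for one captured request; an empty list means nothing flagged."""
    scheme = urlsplit(url).scheme.lower()
    fields = parse_body(content_type, body)
    findings = []
    for key in fields:
        if key.lower() in CREDENTIAL_KEYS and scheme != "https":
            findings.append(f"credential field '{key}' readable over {scheme}")
    # A body that does not parse and looks like base64 ciphertext matches the
    # "encrypted payload over HTTP" design; note it so the key delivery gets reviewed.
    if not fields and scheme != "https" and shannon_entropy(body) > 5.0:
        findings.append("opaque high-entropy payload over http: check how its key is delivered")
    return findings


# Constructed captures: a plaintext login form and an opaque blob, both over HTTP.
PLAINTEXT_LOGIN = ("http://api.example.invalid/login", "application/x-www-form-urlencoded",
                   "apple_id=user%40example.com&password=hunter2")
OPAQUE_INIT = ("http://api.example.invalid/init", "application/octet-stream",
               "q7Rz2LpX9vB4mK0sYtW6cJ3nH8dF1gA5eU+iOxTZbQ")
```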
At the end of the day, you’ll need to decide for yourself if you trust Sunbird and Nothing in light of these revelations. Besides, now that Apple has announced it will support RCS in 2024, these apps are on borrowed time anyway.