Affiliate links on Android Authority may earn us a commission. Learn more.
It's important we not forget the Nothing Chats shitshow
Last week was a whirlwind for Nothing. In the span of five days, the company announced, launched, and subsequently removed access to a chat app called Nothing Chats. This app — built in collaboration with a company called Sunbird — promised to bring iMessage support to the Nothing Phone 2.
As soon as Nothing announced the app’s launch, many press outlets (including Android Authority) called out the obvious and scary security risks present with the app. We also pointed out that the tech behind Sunbird isn’t long for this world. Undeterred, Nothing pushed out multiple statements defending Sunbird’s pedigree before finally launching it. Less than 36 hours later, the app was partially disabled because — surprise, surprise — it’s a security and privacy nightmare.
Whether or not you’re a Nothing fan, own a Nothing product, or even respect the company, one thing is abundantly clear: We can forgive the company for this epic blunder, but we should not forget it.
Nothing Chats: The complete timeline
A lot was happening simultaneously with the launch of Nothing Chats. We also saw several Sunbird activities the year before the app’s announcement. If you weren’t following along or need to catch up, here’s how it all went down.
Early beginnings of Sunbird
- December 1, 2022: Sunbird holds a virtual press event announcing its eponymous app. The company claims the Sunbird app brings certain iMessage features to Android phones. I attended and thought it was intriguing. However, the press event felt incredibly sketchy because there were no explanations of how the app worked and no questions taken from press attendees. In other words, the event could be summarized as Sunbird saying, “We made this app; it works great, and you should just trust us that it’s on the level, so please give us press.” After the event, I emailed Sunbird a few questions to inquire about how the app works and its security protocols. Danny Mizrahi, Sunbird’s CEO, enthusiastically gave me access to the early version of Sunbird in response to my questions.
- December 2, 2022: I had numerous emails back and forth with Sunbird trying to get the app running on my Android phone. There were a lot of problems: my Apple ID didn’t work at first, messages wouldn’t send, and the app overall didn’t do most of what Sunbird said it should. I was told at one point that the app works great for most people using it, but my issues were an anomaly. Eventually, after getting Sunbird to partially work, I published an article about my Sunbird experience. In the article, I showed that Sunbird works as a proof-of-concept, but there was no way it was ready for a proper rollout. I also expressed skepticism over the company’s claims but gave it the benefit of the doubt until proven otherwise.
- Rest of December 2022: Over the next few weeks, I worked with Sunbird to try and get more of the promised features working. It was clear Sunbird wanted me to update my article or write a new one to talk about the success. However, not much changed with all the troubleshooting we did, so I said I would create new content if/when Sunbird rolled out a public beta of Sunbird or had a new version that worked better than this one.
- First half of 2023: From January 2023 until June, I received over a dozen emails from Sunbird. Most would tout how many signups there were for Sunbird’s waitlist. Each message would encourage me to refer Sunbird to friends. Doing so would move me up the waitlist by 1,000 slots. Of course, I already had access to Sunbird, so these emails were canned and sent to everyone on the company’s mailing list. A few touted a Summer 2023 launch, which never happened. Elsewhere, users and news outlets were discovering incredibly concerning security problems with Sunbird, including data suggesting all chats are unencrypted and that Sunbird is scraping data from conversations for ad delivery. I kept these revelations in the back of my mind, knowing I would write about them if and when Sunbird ever became publicly available.
- June 14, 2023: Danny Mizrahi and a Sunbird PR team member contacted me directly. They wanted to know if I could publish an article updating Android Authority readers on what’s happened with Sunbird since December. They provided a Google Doc and a video recorded by Mizrahi as support. However, I examined the material and saw that not much had changed. One thing that did change, though, was its promise of a stable rollout by Summer 2023. This promise had been altered to a beta rollout in late Summer 2023. I told the team I wouldn’t write any new coverage because there was nothing new to report, but I would gladly publish an article when the beta rollout started. Interestingly, I didn’t get any response from Sunbird after this email, and all communication from Sunbird stopped: no more email blasts, no more troubleshooting, and no more direct PR pitches.
Nothing Chats, built on Sunbird
- November 14, 2023: Nothing announces Nothing Chats to the public for the first time. In its announcement, it acknowledged the app is built on Sunbird with tweaks made by the Nothing team to make it aesthetically match Nothing OS. Essentially, Nothing Chats is a skinned version of Sunbird. It’s interesting to note that, in most cases with Nothing announcements, we receive advance notice with a promise to keep the information private before a specific date. However, that didn’t happen with Chats — we learned about it at the same time as everyone else. Nothing said Chats would be available on November 17. Since this was big news, we wrote an article about the announcement, with the headline referencing the security problems we had found with Sunbird over the past year. We also noted that the list of features Nothing said Chats provided was nearly identical to the features Sunbird supplied in December 2022, suggesting little progress had been made. Articles from other tech sites had similar concerns. A Nothing PR rep contacted me on the phone shortly after the article went live to express frustration with our focus on the app’s expected privacy risks, saying the claims were not factual. We did not change the article’s content but altered the headline to be less definitive about the privacy risks because we hadn’t used the app and couldn’t say anything for sure. Later that day, at our request during that phone conversation, Nothing and Sunbird formally stated that Chats is fully encrypted and safe to use. It explained how the system works (a virtual Mac Mini acts as a relay between the Android phone and iPhones) but did not explain the methodology used to keep the chats encrypted at each step. The Nothing PR rep I spoke to said this information was proprietary and would not be disclosed.
- November 16, 2023: In what could be the most surprising announcement of 2023, Apple says it will bring RCS support to iPhones in 2024. While this won’t be the same as full iMessage support on Android, it will solve several pain points, such as sharing full-resolution media between the two operating systems. Notably, Apple’s RCS support will render Nothing Chats (and Sunbird, Beeper, and other similar services) irrelevant as it will provide in an official capacity all the features these apps provide through workarounds, other than faking out iPhones to show blue bubbles in a chat when an Android phone joins. Nothing CEO Carl Pei said this news does not change the green bubble problem, and therefore, Chats is still a worthwhile product.
- November 17, 2023: Nothing rolls out Nothing Chats to the Phone 2. People who own the Phone 2 could visit the app’s listing on the Google Play Store and install it. The app was (and still is) listed as a beta product, signifying the first time an iteration of Sunbird has entered this phase. We installed the app on a Nothing Phone 2 and tried it out, finding that numerous features didn’t work as advertised. We also saw many undisclosed problems, such as read receipts coming through with dates from 1992 and simple things like sharing a YouTube URL not working. We were also unable to link Nothing Chats with Google Messages, another advertised capability. Elsewhere, with the app finally available to the public, security researchers were tearing it apart and finding incredibly concerning privacy and security risks. One pointed out that Chats was using HTTP instead of HTTPS, which Sunbird tried to explain by saying this was a “handshake” style connection and no private data was actually being transmitted.
- November 18, 2023: A new report on X (formerly Twitter) pointed out even more security problems with Nothing Chats. The report showed proof that Sunbird has unencrypted access to every message sent using Nothing Chats; all media sent through the app is easily accessible by the public in an unencrypted database; and Nothing Chats is not even close to being end-to-end encrypted, despite claims to the contrary. Two hours later, Nothing announced on X that it disabled the ability to install Nothing Chats from the Play Store and it would be “delaying the launch until further notice to work with Sunbird to fix several bugs.” By early evening, Sunbird had pushed a notification to all active users of Nothing Chats to say that media transfer using the app would be temporarily disabled. All in all, Nothing Chats was active for less than 36 hours.
Why didn’t Nothing pull the plug earlier?
Since Nothing pulled access to Chats, the company has been notably silent. The only activity we’ve seen on the company’s official X account — its most active announcement outlet — is a repost about Carl Pei attending the Las Vegas GP.
Before the November 17 launch of Chats, Nothing had multiple opportunities to abandon the app and its partnership with Sunbird. Sunbird had undeniable problems from the moment it arrived, including throwing shady events, making false claims about its product, missing deadlines, and more. Even after Nothing announced Chats and saw backlash from news outlets like Android Authority and independent researchers, it didn’t stop or even slow down. Not even Apple’s announcement of RCS support dissuaded Carl Pei from pulling the plug.
Either Nothing didn't see all the red flags here or it saw them and ignored them. Either way, it is very concerning.
It’s confusing and concerning that Nothing actually thought Chats was a good idea. Our hands-on showed the app didn’t work as advertised. The security risks were blatant and dangerous. Sunbird’s history is suspect. Pei is not stupid, and the team at Nothing is undoubtedly competent enough to have seen Sunbird’s myriad issues. What did the company have to gain by pushing forward anyway?
The only possible explanation for this is to assume Carl Pei thought the positive PR of Nothing making it into major news publications as a disruptor would outweigh the backlash if the app failed. If that’s true, then the company is likely readying damage control to sweep this under the rug and move forward. However, we as a press outlet, and you as consumers can’t let the company do that. We must hold Nothing accountable for this.
We can forgive Nothing, but we can’t forget
One can’t help but wonder: if Nothing couldn’t see (or chose to ignore) all the problems present with Nothing Chats, what else could the company irresponsibly push to launch? Will Nothing OS get a feature in the future that promises significant gains but is unsafe to use? What will happen to Nothing Phone owners in that situation? Nothing Chats is just an app, and its issues are causing people to need to change Apple ID credentials and hope that their private info didn’t get into the wrong hands during the time it was publicly accessible. An OS update is not so easy to fix. If Nothing pushed something directly to Nothing OS of a similar scale in danger to Nothing Chats, users would need to stop using their phones until a new update arrived, which is incredibly problematic.
The only adequate response to this fiasco is for Carl Pei to apologize for the blunder formally. He needs to completely end the Nothing Chats program and sever its ties to Sunbird. Furthermore, he needs to promise future developments and partnerships will be much more scrutinized to ensure they do not put users at risk.
Any response that’s not that — including moving on as if nothing happened (sorry for the pun) — would put the company in a terrible position. Nothing’s user base is not made up of “normal” consumers: they are young, tech-savvy, and tapped into what’s happening within the company thanks to Pei’s unique openness with that information. Users of this type will understand what happened here and not forget about it, or at least they shouldn’t.
If Nothing works hard for forgiveness on this matter, it can rebuild the trust of its fans. But even if it does earn forgiveness — which is a big “if” — we certainly won’t forget it, and we hope you don’t, either.