Nothing Chats App Removed from Google Play Store
The Nothing Chats app, an iMessage alternative that was launched earlier this week, has been removed from the Google Play Store. The company behind the app, Nothing, initially attributed the removal to "several bugs" that needed to be fixed. However, a comprehensive technical analysis by security researchers suggests that the app's removal was likely due to significant security concerns.
Security Concerns Raised
Kishan Bagaria, Founder of Texts.com, initially raised these concerns on X/Twitter. Later, the Texts.com team also published a detailed blog outlining the app's vulnerabilities.
Their investigation revealed that Sunbird, Nothing's service provider, had been misleading users about the end-to-end encryption of messages routed through its servers. While messages sent to Sunbird's servers were encrypted, the JSON Web Tokens (JWT) generated by the service were sent without any encryption to another Sunbird server, making them vulnerable to interception.
Additionally, the messages were decrypted and stored on Sunbird servers, leaving them susceptible to unauthorized access.
Demonstrating Vulnerabilities
Texts.com demonstrated this by intercepting the JWTs exchanged between two devices, gaining access to the Firebase real-time database. Researchers then were able to intercept JWT tokens and access user information and conversations with just 23 lines of code.
While the privacy issues are directly attributable to Sunbird, Nothing has drawn criticism for choosing to work with the company and for downplaying the severity of the situation by labeling it as "bugs.
Diminishing Appeal
With Apple's recent announcement of RCS support, the Nothing Chats app's appeal has diminished further. Users should exercise caution when logging into third-party services using their Apple IDs, even if encryption is promised.
It remains to be seen whether Nothing Chats will be able to address these security concerns and make a successful return to the Play Store.
