Nothing has unveiled its latest project, Nothing Chats, an app that aims to make iMessage accessible to Android users. But behind this attractive promise there are major security problems with the application.
Update from November 19th:
Nothing has removed the beta version of Nothing Chats from the Google Play Store “until further notice” following reports that Sunbird was sending unencrypted messages.
Original article from November 17th:
Nothing has just announced its newest app: Nothing Chats. This app aims to bridge a long-standing gap in communication between Android and iPhone users by making messages sent to an iPhone compatible with iMessage.
Nothing Chats is available for free, but with one notable restriction: it runs only on the Nothing Phone (2).
A major security risk has been confirmed
The application has been published online (APK). As expected, to use Nothing Chats, users must enter their Apple IDs into a system remotely managed by Sunbird, specifically via a Mac mini located on a server farm. Through this intermediary, the application promises access to iMessage functions on an Android smartphone.
However, since the launch of Nothing Chats, users have uncovered a serious security flaw: the request that transmits Apple ID credentials is sent without proper encryption, over plain HTTP rather than a TLS-protected channel (HTTPS).
We can confirm something independently @KishanBagaria shared earlier. Signing in with your Apple ID is done via HTTP.
Do not use Nothing Chat. https://t.co/YrkTvEXis4
— Dylan Roussel (@evowizz) November 17, 2023
Although Sunbird and Nothing claim that the data is end-to-end encrypted, that claim appears to be contradicted by the observations reported above. Given the resulting risk to user security and privacy, the use of this application is strongly discouraged.
Update: Nothing claims that although the protocol uses HTTP, the data sent is encrypted. That’s a lie. Here is a screenshot with SSL proxy disabled. The email used is as clear as possible. No encryption. https://t.co/FC7kiEdW7C pic.twitter.com/GmTNHG65hx
— Dylan Roussel (@evowizz) November 17, 2023
At the same time, Apple announced its intention to support the RCS standard in 2024. Although this initiative is late, it is a step towards better interoperability between operating systems. RCS will allow Android users to benefit from some features previously only available to iPhone users, such as enhanced group chats.