Nothing Chats app pulled from the Play Store due to privacy issues
The Nothing Chats app has come under fire from security researchers over privacy risks. The app, which promised iMessage compatibility for Android devices, is no longer available for download, just a day after it was released on Google's Play Store.
Remember when I said it sounded like a huge security risk to sign in to a third-party service with your Apple ID credentials? Well, it is. MKBHD pointed out in his video that the login process requires your Apple ID, and that these credentials are sent to Sunbird's servers, which are essentially Mac Minis in a server farm. He called it a massive privacy risk, and if that was not a red flag, what could be? The video caught the attention of security researchers who wanted to test the app. Nothing Chats is a reskinned version of the Sunbird app with a few changes.
Researchers at the Texts blog discovered that Nothing Chats made a request containing the user's credentials, and that it was sent over an unencrypted channel (plain HTTP). The request appeared to be handled by a BlueBubbles backend (an open-source iMessage bridge), but Sunbird quickly denied this, saying that its own servers are called Blue Bubbles and that it is not running an instance of another technology.
Sunbird also said that it sends the key used to encrypt the data over HTTPS, so that messages or credentials subsequently sent over HTTP remain protected, and that all data are encrypted at all times. It claimed the HTTP request was a one-off initial request from the app notifying the backend of the upcoming iMessage connection. Delivering a key over HTTPS only helps, of course, if everything that later travels over plain HTTP is actually encrypted under that key; anything sent in the clear on that leg is readable to anyone on the path.
The security experts were not convinced, and pointed out that one of the main technologies Sunbird relies on is JSON Web Tokens (JWTs). JWTs are signed, but not encrypted: their payload is readable by anyone who obtains the token, and the token itself functions as an access token. One of these tokens is sent back to another Sunbird service, hosted on a load-balanced Express server that does not use SSL/TLS, i.e. it can be intercepted by an attacker on the network and replayed.
The JWTs are used to authenticate users to a Firebase Realtime Database (a cloud-hosted database) that gives access to account details, messages, attachments and more. Even vCards (contact cards) are visible in plain text, which means usernames, phone numbers, email addresses and other personal data are easily accessible. The researchers have published a proof-of-concept to show that Sunbird stores messages in plain text.
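To make concrete what "signed but not encrypted" means for the token described in the two paragraphs above, here is an added Python example; it is not Sunbird's code and not the researchers' proof-of-concept. It issues an HS256 JWT under a constructed secret with constructed claims, then shows what an attacker on the plain-HTTP leg gets: the claims are readable without any key, and the captured token is a valid bearer credential that can be replayed, while the signature only stops the attacker from altering the claims.

```python
"""Constructed example: a signed-but-unencrypted JWT observed on a plain-HTTP hop."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that the JWT encoding strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT the way a backend would; only the backend holds `secret`."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_payload_without_key(token: str) -> dict:
    """What an on-path observer sees: the claims are base64url text, not ciphertext."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_jwt(token: str, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC over header.payload and compare in constant time."""
    header, payload, signature = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


def forge_payload(token: str, new_payload: dict) -> str:
    """Attacker swaps the claims but keeps the old signature; cannot re-sign without the secret."""
    header, _payload, signature = token.split(".")
    new_claims = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return header + "." + new_claims + "." + signature


def demo() -> dict:
    secret = b"server-side-secret-never-leaves-the-backend"  # constructed, not a real key
    # constructed claims standing in for whatever a real service would put in the token
    token = make_jwt({"sub": "alice@example.com", "uid": "u-1001", "scope": "messages:read"}, secret)

    # 1. Reading the claims needs no key at all
    leaked = read_payload_without_key(token)

    # 2. Replay: a captured token is accepted as a valid bearer credential as-is
    replay_accepted = verify_jwt(token, secret)

    # 3. Tampering is detected: the signature still protects integrity
    forged = forge_payload(token, {"sub": "mallory@example.com", "uid": "u-1001", "scope": "messages:read"})
    forgery_accepted = verify_jwt(forged, secret)

    return {
        "leaked_subject": leaked["sub"],
        "replay_accepted": replay_accepted,
        "forgery_accepted": forgery_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The point matches the researchers' objection: a JWT gives you integrity, nothing more. Confidentiality of the claims and protection against replay have to come from TLS on every hop the token traverses (and a short expiry), not from the token format.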
It is worth noting that both Sunbird and Nothing Tech had claimed that they do not store any of the user's messages on their servers, and that all data sent between users are end-to-end encrypted locally on their phones.
Android app developer Dylan Roussel says that Sunbird has access to all user messages. How is this possible? Sunbird uses an error-monitoring service, Sentry, and misuses it to log messages as errors; those messages can then be viewed by anyone at Sunbird. All documents, including images, videos, audio files, PDFs and vCards sent via Sunbird / Nothing Chats, are accessible publicly.
Nothing has confirmed in a statement sent to 9to5Google, that it has pulled Nothing Chats from the Play Store. The company will delay the launch of the app, to work with Sunbird to fix several bugs in it.
While Sunbird may be the main party to blame for this privacy nightmare, Nothing should also be held responsible for the fiasco. The company should have checked how Sunbird works, whether it actually encrypts the data, whether it keeps logs, and so on. It should have ensured that privacy and security standards were in place before releasing the app publicly.
In related news, Apple has officially announced that it will add support for RCS to the Messages app next year, via an iOS update. It won't replace iMessage, but it will replace SMS / MMS as the default standard for communication, including modern features such as typing indicators, read receipts, high-resolution media sharing, and more.