Nothing has pulled the Nothing Chats beta from the Google Play store, saying it is “delaying the release until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users send text messages with iMessage, but it required allowing Sunbird, which provides the platform, to log into users’ iCloud accounts on its own Mac Mini servers, which… isn’t it great?
The removal came after users widely shared a Texts.com blog post showing that messages sent with Sunbird’s system are not actually end-to-end encrypted and that it is not difficult to compromise them. The app launched yesterday in beta after being announced earlier this week.
9to5Google pointed to a thread by site author Dylan Roussel, who discovered that part of Sunbird’s solution involves decrypting messages, transmitting them over HTTP to a Firebase cloud sync server, and storing them there in unencrypted plaintext. Roussel wrote that the company itself has access to the messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP “is only used as part of the application’s single initial request that notifies the backend of the upcoming iMessage connection.”
That was in response to someone pointing to the Texts.com blog post examining the vulnerability. Texts.com wrote that “an attacker subscribed to Firebase’s real-time database will always be able to access messages before or at the time the user reads them.” The blog also notes that the company could look at messages on its Sentry dashboard, which directly contradicts the Nothing FAQ claim that no one at Sunbird can access the messages that are sent or received.
We reached out to Nothing for further comment, but the company did not respond by press time.