Nothing worked out with Nothing Chats

The Nothing Chats app from Nothing Phone promised to be the iMessage for Android, but in less than 24 hours it was removed from Google Play due to a shocking lack of security.

Why Nothing Chats is unsafe

The Nothing Chats app is a messenger created by the developer of the quite popular smartphone Nothing Phone — yet another “iPhone killer”. The main selling point of Nothing Chats is was the promise of giving Android users the ability to fully communicate using iMessage — a messaging system previously available only to iPhone owners.

However, Nothing Chats was almost immediately found to have a whole host of security and privacy issues. These problems were so serious that less than 24 hours after its release in the Google Play Store, the application had to be removed. Let’s delve into this in more detail.

Nothing Chats, Sunbird, and iMessage for Android

The Nothing Chats messenger was announced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). He talked about how the new messenger from Nothing had plans to allow owners of a Nothing Phone (which is Android-based) to communicate with iOS users through iMessage.

By the way, I recommend watching the video by MKBHD, at least to see how the messenger worked.

The video also briefly outlines how the messenger operates from a technical point of view. To begin, users have to provide Nothing Chats with the login and password to their Apple ID account (and if they don’t have one yet, they need to create one). After this, to indirectly quote the video, “on some Mac mini somewhere on a server farm”, this Apple account is logged in to, after which this remote computer serves as a relay transmitting messages from the user’s smartphone to the iMessage system, and vice versa.

To give credit where credit is due, at the end of the sixth minute, the author of the video makes a point of emphasizing that this approach carries some serious risks. Indeed, logging in with your Apple ID on some unknown device that doesn’t belong to you, located who knows where, is a very, very bad idea for a number of reasons.

Nothing Chats messenger teaser

The coveted blue message clouds of iMessage — the main promise of Nothing Chats

The Nothing company made no secret of the fact that “iMessage for Android” was not their own development. The company partnered with another company, Sunbird, so the Nothing Chats messenger was a clone of the Sunbird: iMessage for Android application, with some cosmetic interface changes. By the way, the Sunbird app was announced to the press back in December 2022, but its full launch for a wide audience was constantly postponed.

Nothing Chats and security issues

After the announcement, suspicions immediately arose that Nothing and Sunbird would face serious privacy and security issues. As mentioned earlier, the idea of logging in with your Apple ID on someone else’s device is highly risky because this account gives full control over a significant amount of user information and over the devices themselves through the Apple feature Find My…

To reassure users, both Sunbird and Nothing asserted on their websites that logins and passwords aren’t stored anywhere, all messages are protected by end-to-end encryption, and everything is absolutely secure.

Security assurances on the Sunbird website

Sunbird’s website confirming the security and privacy of iMessage for Android, as well as the use of end-to-end encryption (spoiler: this isn’t true)

However, the reality was way off even the most skeptical predictions. Once the application became available, it quickly became clear that it totally failed to deliver on its promises regarding end-to-end encryption. Worse still, all messages and files sent or received by the user were delivered by Nothing Chats in unencrypted form to two services simultaneously — the Google Firebase database and the Sentry error monitoring service, where Sunbird employees could access these messages.

Security assurances on the Nothing website

The FAQ section on the official Nothing Chats page also explicitly mentions end-to-end encryption

And if that still wasn’t enough, not only Sunbird employees but anyone interested could read the messages. The issue was that the token required for authentication in Firebase was transmitted by the application over an unprotected connection (HTTP) and could, therefore, be intercepted. Subsequently, this token provided access to all messages and files of all users of the messenger — as mentioned earlier, all this data was sent to Firebase in plain text.

Once again: despite assurances of using end-to-end encryption, any message from any user on Nothing Chats and all files sent by them — photos, videos, and so on — could be intercepted by anyone.

Nothing Chats page claims that user messages are never stored anywhere

Also, the FAQ page of Nothing Chats claims that messages are never stored anywhere — doesn’t it make you want to cry?

One of the researchers involved in analyzing the vulnerabilities of Nothing Chats/Sunbird created a simple website as proof of an attack’s feasibility, allowing anyone to see that their messages in iMessage for Android could indeed be easily intercepted.

Shortly after the vulnerabilities were made public, Nothing decided to remove their app from the Google Play Store “to fix a few bugs”. However, even if Nothing Chats or Sunbird: iMessage for Android returns to the store, it’s best to avoid them — as well as any similar apps. This story demonstrates vividly that when creating an intermediary service that allows access to iMessage, it’s very easy to make catastrophic mistakes that put users’ data at extreme risk.

What Nothing Chats users should do now

If you’ve used the Nothing Chats app, you should do the following:

  • Log into your Apple ID account from a trusted device, find the page with active sessions (devices you’re logged in to), and delete the session associated with Nothing Chats/Sunbird.
  • Change your Apple ID password. It’s an extremely important account, so it’s advisable to use a very long and random sequence of characters — Kaspersky Password Manager can help you generate a reliable password and store it securely.
  • Uninstall the Nothing Chats app.
  • You can then use a tool created by one of the researchers to remove your information from Sunbird’s Firebase database.
  • If you’ve sent any sensitive information through Nothing Chats, then you should treat it as compromised and take appropriate measures: change passwords, reissue cards, and so on. Kaspersky Premium will help you track possible leaks of your personal data linked to email addresses or phone numbers.