{"id":26958,"date":"2023-11-24T06:52:10","date_gmt":"2023-11-24T11:52:10","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/nothing-chats-imessage-for-android-security-disaster\/26958\/"},"modified":"2023-11-24T15:05:48","modified_gmt":"2023-11-24T15:05:48","slug":"nothing-chats-imessage-for-android-security-disaster","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/nothing-chats-imessage-for-android-security-disaster\/26958\/","title":{"rendered":"Nothing worked out with Nothing Chats"},"content":{"rendered":"<p>The <em>Nothing Chats<\/em> app is a messenger created by the developer of the quite popular smartphone <em>Nothing Phone<\/em> \u2014 yet another \u201ciPhone killer\u201d. The main selling point of <em>Nothing Chats<\/em> <span style=\"text-decoration: line-through;\">is<\/span> was the promise of giving Android users the ability to fully communicate using iMessage \u2014 a messaging system previously available only to iPhone owners.<\/p>\n<p>However, <em>Nothing Chats<\/em> was almost immediately found to have a whole host of security and privacy issues. These problems were so serious that less than 24 hours after its release in the Google Play Store, <a href=\"https:\/\/arstechnica.com\/gadgets\/2023\/11\/nothings-imessage-app-was-a-security-catastrophe-taken-down-in-24-hours\/\" target=\"_blank\" rel=\"nofollow noopener\">the application had to be removed<\/a>. Let\u2019s delve into this in more detail.\n<\/p>\n<h2>Nothing Chats, Sunbird, and iMessage for Android<\/h2>\n<p>\nThe <em>Nothing Chats<\/em> messenger was announced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). 
He talked about how the new messenger from <em>Nothing<\/em> was intended to allow owners of a <em>Nothing<\/em> <em>Phone<\/em> (which is Android-based) to communicate with iOS users through iMessage.<\/p>\n<p>By the way, I recommend watching the video by MKBHD, at least to see how the messenger worked.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/ji5HwS3bhlU?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>The video also briefly outlines how the messenger operates from a technical point of view. To begin, users have to provide <em>Nothing Chats<\/em> with the login and password to their Apple ID account (and if they don\u2019t have one yet, they need to create one). After this, to indirectly quote the video, the Apple account is logged in to \u201con some Mac mini somewhere on a server farm\u201d, and this remote computer then serves as a relay, transmitting messages from the user\u2019s smartphone to the iMessage system and vice versa.<\/p>\n<p>To give credit where credit is due, at the end of the sixth minute, the author of the video makes a point of <a href=\"https:\/\/www.youtube.com\/watch?v=ji5HwS3bhlU%23t=5m52s\" target=\"_blank\" rel=\"nofollow noopener\">emphasizing<\/a> that this approach carries some serious risks. 
Indeed, logging in with your Apple ID on some unknown device that doesn\u2019t belong to you, located who knows where, is a <a href=\"https:\/\/www.kaspersky.com\/blog\/stranger-apple-id\/25028\/\" target=\"_blank\" rel=\"noopener nofollow\">very, very bad idea<\/a> for a number of reasons.<\/p>\n<div id=\"attachment_49897\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115637\/nothing-chats-imessage-for-android-security-disaster-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-49897\" class=\"size-full wp-image-49897\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115637\/nothing-chats-imessage-for-android-security-disaster-01.jpg\" alt=\"Nothing Chats messenger teaser\" width=\"1500\" height=\"1000\"><\/a><p id=\"caption-attachment-49897\" class=\"wp-caption-text\">The coveted blue message clouds of iMessage \u2014 the main promise of Nothing Chats<\/p><\/div>\n<p>The <em>Nothing<\/em> company made no secret of the fact that \u201ciMessage for Android\u201d was not their own development. The company partnered with another company, <a href=\"https:\/\/www.washingtonpost.com\/technology\/2023\/11\/14\/imessage-on-android-nothing-sunbird\/\" target=\"_blank\" rel=\"nofollow noopener\">Sunbird<\/a>, so the <em>Nothing Chats<\/em> messenger was a clone of the <em>Sunbird: iMessage for Android<\/em> application, with some cosmetic interface changes. 
By the way, the Sunbird app was announced to the press back in December 2022, but its full launch for a wide audience was constantly postponed.\n<\/p>\n<h2>Nothing Chats and security issues<\/h2>\n<p>\nAfter the announcement, <a href=\"https:\/\/arstechnica.com\/gadgets\/2023\/11\/nothing-phone-says-it-will-hack-into-imessage-bring-blue-bubbles-to-android\/\" target=\"_blank\" rel=\"nofollow noopener\">suspicions immediately arose<\/a> that <em>Nothing<\/em> and Sunbird would face serious privacy and security issues. As mentioned earlier, the idea of logging in with your Apple ID on someone else\u2019s device is highly risky because this account gives full control over a significant amount of user information and over the devices themselves through the Apple feature <em>Find My\u2026<\/em><\/p>\n<p>To reassure users, both Sunbird and <em>Nothing<\/em> asserted on their websites that logins and passwords aren\u2019t stored anywhere, all messages are protected by end-to-end encryption, and everything is absolutely secure.<\/p>\n<div id=\"attachment_49898\" style=\"width: 1898px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115650\/nothing-chats-imessage-for-android-security-disaster-02.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-49898\" class=\"size-full wp-image-49898\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115650\/nothing-chats-imessage-for-android-security-disaster-02.png\" alt=\"Security assurances on the Sunbird website\" width=\"1888\" height=\"720\"><\/a><p id=\"caption-attachment-49898\" class=\"wp-caption-text\">Sunbird\u2019s website confirming the security and privacy of iMessage for Android, as well as the use of end-to-end encryption (spoiler: this isn\u2019t true)<\/p><\/div>\n<p>However, the reality was way off even the most skeptical predictions. 
Once the application became available, it quickly became clear that it totally failed to deliver on its promises regarding end-to-end encryption. Worse still, all messages and files sent or received by the user were <a href=\"https:\/\/texts.blog\/2023\/11\/18\/sunbird-security\/\" target=\"_blank\" rel=\"nofollow noopener\">delivered by <em>Nothing Chats<\/em> in unencrypted form to two services simultaneously<\/a> \u2014 the Google Firebase database and the Sentry error monitoring service, where Sunbird employees could access these messages.<\/p>\n<div id=\"attachment_49899\" style=\"width: 1320px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115707\/nothing-chats-imessage-for-android-security-disaster-03.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-49899\" class=\"size-full wp-image-49899\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115707\/nothing-chats-imessage-for-android-security-disaster-03.png\" alt=\"Security assurances on the Nothing website\" width=\"1310\" height=\"758\"><\/a><p id=\"caption-attachment-49899\" class=\"wp-caption-text\">The FAQ section on the official Nothing Chats page also explicitly mentions end-to-end encryption<\/p><\/div>\n<p>And if that still wasn\u2019t enough, not only Sunbird employees but <a href=\"https:\/\/9to5google.com\/2023\/11\/18\/nothing-chats-sunbird-unencrypted-data-privacy-nightmare\/\" target=\"_blank\" rel=\"nofollow noopener\">anyone interested<\/a> could read the messages. The issue was that the token required for authentication in Firebase was transmitted by the application over an unprotected connection (HTTP) and could, therefore, be intercepted. 
Subsequently, this token provided access to all messages and files of <em>all users<\/em> of the messenger \u2014 as mentioned earlier, all this data was sent to Firebase in plain text.<\/p>\n<p>Once again: despite assurances of using end-to-end encryption, <em>any<\/em> message from <em>any<\/em> user on <em>Nothing Chats<\/em> and <em>all<\/em> files sent by them \u2014 photos, videos, and so on \u2014 could be intercepted by anyone.<\/p>\n<div id=\"attachment_49900\" style=\"width: 1330px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115719\/nothing-chats-imessage-for-android-security-disaster-04.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-49900\" class=\"size-full wp-image-49900\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/11\/24115719\/nothing-chats-imessage-for-android-security-disaster-04.png\" alt=\"Nothing Chats page claims that user messages are never stored anywhere\" width=\"1320\" height=\"984\"><\/a><p id=\"caption-attachment-49900\" class=\"wp-caption-text\">Also, the FAQ page of Nothing Chats claims that messages are never stored anywhere \u2014 doesn\u2019t it make you want to cry?<\/p><\/div>\n<p>One of the researchers involved in analyzing the vulnerabilities of <em>Nothing Chats\/Sunbird<\/em> <a href=\"https:\/\/sunbird-poc.vercel.app\/\" target=\"_blank\" rel=\"nofollow noopener\">created<\/a> a simple website as proof of an attack\u2019s feasibility, allowing anyone to see that their messages in <em>iMessage for Android<\/em> could indeed be easily intercepted.<\/p>\n<p>Shortly after the vulnerabilities were made public, <em>Nothing<\/em> <a href=\"https:\/\/twitter.com\/nothing\/status\/1725902458189119690\" target=\"_blank\" rel=\"nofollow noopener\">decided to remove their app from the Google Play Store<\/a> \u201cto fix a few bugs\u201d. 
However, even if <em>Nothing Chats<\/em> or <em>Sunbird: iMessage for Android<\/em> returns to the store, it\u2019s best to avoid them \u2014 as well as any similar apps. This story demonstrates vividly that when creating an intermediary service that allows access to iMessage, it\u2019s very easy to make catastrophic mistakes that put users\u2019 data at extreme risk.\n<\/p>\n<h2>What Nothing Chats users should do now<\/h2>\n<p>\nIf you\u2019ve used the <em>Nothing Chats<\/em> app, you should do the following:\n<\/p>\n<ul>\n<li>Log into your Apple ID account from a trusted device, find the page with active sessions (devices you\u2019re logged in to), and delete the session associated with <em>Nothing Chats\/Sunbird<\/em>.<\/li>\n<li>Change your Apple ID password. It\u2019s an extremely important account, so it\u2019s advisable to use a very long and random sequence of characters \u2014 <a href=\"https:\/\/www.kaspersky.co.uk\/password-manager?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> can help you generate a reliable password and store it securely.<\/li>\n<li>Uninstall the <em>Nothing Chats<\/em> app.<\/li>\n<li>You can then use a tool created by <a href=\"https:\/\/twitter.com\/batuhan\/status\/1725985096463724838\" target=\"_blank\" rel=\"nofollow noopener\">one of the researchers<\/a> to <a href=\"https:\/\/sunbird-poc.vercel.app\/nuke-data.html\" target=\"_blank\" rel=\"nofollow noopener\">remove your information from Sunbird\u2019s Firebase database<\/a>.<\/li>\n<li>If you\u2019ve sent any sensitive information through <em>Nothing Chats<\/em>, then you should treat it as compromised and take appropriate measures: change passwords, reissue cards, and so on. 
<a href=\"https:\/\/www.kaspersky.co.uk\/premium?icid=gb_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> will help you track possible leaks of your personal data linked to email addresses or phone numbers.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-geek\">\n","protected":false},"excerpt":{"rendered":"<p>The Nothing Chats app from Nothing Phone promised to be the iMessage for Android, but in less than 24 hours it was removed from Google Play due to a shocking lack of security.<\/p>\n","protected":false},"author":2726,"featured_media":26960,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1622,2026],"tags":[105,14,1457,3035,2960,2556,586,434,187,43,97],"class_list":{"0":"post-26958","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-threats","9":"tag-android","10":"tag-apple","11":"tag-apple-id","12":"tag-e2e","13":"tag-end-to-end-encryption","14":"tag-imessage","15":"tag-messengers","16":"tag-mobile-devices","17":"tag-passwords","18":"tag-privacy","19":"tag-security-2"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/nothing-chats-imessage-for-android-security-disaster\/26958\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/nothing-chats-imessage-for-android-security-disaster\/26674\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/nothing-chats-imessage-for-android-security-disaster\/22099\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/nothing-chats-imessage-for-android-security-disaster\/11215\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/nothing-chats-imessage-for-android-security-disaster\/29424\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog
\/nothing-chats-imessage-for-android-security-disaster\/26871\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/nothing-chats-imessage-for-android-security-disaster\/29432\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/nothing-chats-imessage-for-android-security-disaster\/28255\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/nothing-chats-imessage-for-android-security-disaster\/36609\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/nothing-chats-imessage-for-android-security-disaster\/11882\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/nothing-chats-imessage-for-android-security-disaster\/49895\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/nothing-chats-imessage-for-android-security-disaster\/21265\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/nothing-chats-imessage-for-android-security-disaster\/22038\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/nothing-chats-imessage-for-android-security-disaster\/30712\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/nothing-chats-imessage-for-android-security-disaster\/35227\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/nothing-chats-imessage-for-android-security-disaster\/27227\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/nothing-chats-imessage-for-android-security-disaster\/32949\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/nothing-chats-imessage-for-android-security-disaster\/32598\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/messengers\/","name":"messengers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable
":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=26958"}],"version-history":[{"count":11,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26958\/revisions"}],"predecessor-version":[{"id":26970,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26958\/revisions\/26970"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/26960"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=26958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=26958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=26958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}