Nothing has pulled the Nothing Chats beta from the Google Play Store, saying it is “delaying the launch until further notice” while fixing “several bugs.” The app promised to let Nothing Phone 2 users send text messages with iMessage, but that required allowing Sunbird, which provides the platform, to connect to users’ iCloud accounts on its own Mac Mini servers, which… isn’t that great?
The removal came after users widely shared a Texts.com blog showing that messages sent with Sunbird’s system are not actually end-to-end encrypted, and that it is not difficult to compromise them. The app launched in beta yesterday after being announced earlier this week.
9to5Google highlighted a thread by site author Dylan Roussel, who discovered that part of Sunbird’s solution involves decrypting messages and transmitting them over HTTP to a Firebase cloud sync server, where they are stored in unencrypted plain text. Roussel posted that the company itself has access to the messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP is “only used as part of the application’s single initial request informing the backend of the next iMessage connection.”
This was in response to someone sharing the Texts.com blog post examining the vulnerability. Texts.com wrote that “an attacker subscribed to the Firebase real-time database will still be able to access messages before or as they are read by the user.” The blog also points out that the company could be viewing messages from its Sentry dashboard, directly contradicting the Nothing FAQ's claim that no one at Sunbird can access messages sent or received.
We reached out to Nothing for further comment, but the company had not responded by the time of publication.