Nothing Chat catastrophe — more vulnerabilities discovered in iMessage clone

Nothing Phone (2) review.
(Image credit: Future)

The recent launch of Nothing's new messaging app, Nothing Chats, designed to bring a version of Apple’s iMessage to Android, went down like a lead balloon. Just one day after going live on the Google Play Store, Nothing pulled the app over serious security concerns. Now, two more vulnerabilities have purportedly come to light. 

As spotted by Android Authority, Android developer and reverse engineer Dylan Roussel, who previously blew the whistle on security issues with Nothing Chats and the Sunbird platform it's built on, recently shared on X two additional vulnerabilities centered around Nothing's infrastructure. 

The first dates back to September and was discovered in the CMF Watch app, which was reportedly developed in partnership with Nothing and a company called Jingxun. According to Roussel, while the app successfully encrypted both email and password information, the encryption method it used wasn't secure. Anyone with access to the same decryption keys would have all the tools to decrypt the information, which kind of defeats the purpose of encrypting it to begin with. 

Roussel said Nothing/Jingxun has since addressed this vulnerability, but the fix apparently only works for passwords. You could still allegedly decrypt the email address that is used as someone's username. 

As for the second vulnerability, exact details haven't been publicly released, but it purportedly relates to Nothing's internal data. The company was informed of it in August, and the issue remains unpatched.

In a statement to Android Authority, a Nothing spokesperson said the company is currently working to resolve the issues:

"CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users."

The rep added that security reports are now easier to submit on CMF's security vulnerability report page.

Roussel previously blew the lid on how Sunbird, the platform Nothing Chats is built on, works by decrypting and transmitting messages via HTTP to a Firebase cloud-syncing server and storing them in unencrypted plain text. Thus, Sunbird messages are publicly visible via the Firebase real time database, and not encrypted. He also noted that Sunbird also has access to these messages, since they’re logged as errors by debugging service Sentry.

The official Nothing Chats page confirms that the beta app has been pulled from the Play Store, and the company now says it will be "delaying the launch until further notice" pending the fix of “several bugs."

One of the biggest selling points of iMessage is that it offers end-to-end encryption by default. Apple has cited additional security as one of the reasons why it will be adopting the RCS messaging standard next year. In both cases your messages are secure, and inaccessible by third parties — Apple included. Instead, Nothing promised end-to-end encryption, only to then store texts publicly in plaintext. It's quite the fumble — and whether it's one Nothing can recover from remains to be seen.  

More from Tom's Guide

Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide overseeing weekend coverage and writing about the latest in tech, gaming and entertainment. Prior to joining Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk, where she covered breaking tech news — everything from the latest spec rumors and gadget launches to social media policy and cybersecurity threats.  She has also written game reviews and features as a freelance reporter for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and miniature painting.