The Nothing Chats app is a messenger created by the developer of the fairly in style smartphone Nothing Cellphone — one more “iPhone killer”. The principle promoting level of Nothing Chats is was the promise of giving Android customers the flexibility to completely talk utilizing iMessage — a messaging system beforehand accessible solely to iPhone house owners.
Nonetheless, Nothing Chats was virtually instantly discovered to have a complete host of safety and privateness points. These issues had been so severe that lower than 24 hours after its launch within the Google Play Retailer, the appliance needed to be eliminated. Let’s delve into this in additional element.
Nothing Chats, Sunbird, and iMessage for Android
The Nothing Chats messenger was introduced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). He talked about how the brand new messenger from Nothing had plans to permit house owners of a Nothing Cellphone (which is Android-based) to speak with iOS customers by way of iMessage.
By the best way, I like to recommend watching the video by MKBHD, at the very least to see how the messenger labored.
The video additionally briefly outlines how the messenger operates from a technical viewpoint. To start, customers have to offer Nothing Chats with the login and password to their Apple ID account (and in the event that they don’t have one but, they should create one). After this, to not directly quote the video, “on some Mac mini someplace on a server farm”, this Apple account is logged in to, after which this distant pc serves as a relay transmitting messages from the person’s smartphone to the iMessage system, and vice versa.
To offer credit score the place credit score is due, on the finish of the sixth minute, the creator of the video makes a degree of emphasizing that this method carries some severe dangers. Certainly, logging in along with your Apple ID on some unknown gadget that doesn’t belong to you, positioned who is aware of the place, is a very, very unhealthy concept for numerous causes.
The coveted blue message clouds of iMessage — the primary promise of Nothing Chats
The Nothing firm made no secret of the truth that “iMessage for Android” was not their very own growth. The corporate partnered with one other firm, Sunbird, so the Nothing Chats messenger was a clone of the Sunbird: iMessage for Android utility, with some beauty interface adjustments. By the best way, the Sunbird app was introduced to the press again in December 2022, however its full launch for a large viewers was continually postponed.
Nothing Chats and safety points
After the announcement, suspicions instantly arose that Nothing and Sunbird would face severe privateness and safety points. As talked about earlier, the concept of logging in along with your Apple ID on another person’s gadget is extremely dangerous as a result of this account provides full management over a major quantity of person info and over the units themselves by way of the Apple characteristic Discover My…
To reassure customers, each Sunbird and Nothing asserted on their web sites that logins and passwords aren’t saved wherever, all messages are protected by end-to-end encryption, and every thing is totally safe.
Sunbird’s web site confirming the safety and privateness of iMessage for Android, in addition to using end-to-end encryption (spoiler: this isn’t true)
Nonetheless, the truth was method off even essentially the most skeptical predictions. As soon as the appliance grew to become accessible, it shortly grew to become clear that it completely did not ship on its guarantees relating to end-to-end encryption. Worse nonetheless, all messages and recordsdata despatched or acquired by the person had been delivered by Nothing Chats in unencrypted kind to 2 providers concurrently — the Google Firebase database and the Sentry error monitoring service, the place Sunbird staff might entry these messages.
The FAQ part on the official Nothing Chats web page additionally explicitly mentions end-to-end encryption
And if that also wasn’t sufficient, not solely Sunbird staff however anybody might learn the messages. The problem was that the token required for authentication in Firebase was transmitted by the appliance over an unprotected connection (HTTP) and will, due to this fact, be intercepted. Subsequently, this token supplied entry to all messages and recordsdata of all customers of the messenger — as talked about earlier, all this information was despatched to Firebase in plain textual content.
As soon as once more: regardless of assurances of utilizing end-to-end encryption, any message from any person on Nothing Chats and all recordsdata despatched by them — images, movies, and so forth — may very well be intercepted by anybody.
Additionally, the FAQ web page of Nothing Chats claims that messages are by no means saved wherever — doesn’t it make you need to cry?
One of many researchers concerned in analyzing the vulnerabilities of Nothing Chats/Sunbird created a easy web site as proof of an assault’s feasibility, permitting anybody to see that their messages in iMessage for Android might certainly be simply intercepted.
Shortly after the vulnerabilities had been made public, Nothing determined to take away their app from the Google Play Retailer “to repair a number of bugs”. Nonetheless, even when Nothing Chats or Sunbird: iMessage for Android returns to the shop, it’s greatest to keep away from them — in addition to any comparable apps. This story demonstrates vividly that when creating an middleman service that enables entry to iMessage, it’s very simple to make catastrophic errors that put customers’ information at excessive danger.
What Nothing Chats customers ought to do now
Should you’ve used the Nothing Chats app, you need to do the next:
- Log into your Apple ID account from a trusted gadget, discover the web page with energetic classes (units you’re logged in to), and delete the session related to Nothing Chats/Sunbird.
- Change your Apple ID password. It’s an especially necessary account, so it’s advisable to make use of a really lengthy and random sequence of characters — Kaspersky Password Supervisor might help you generate a dependable password and retailer it securely.
- Uninstall the Nothing Chats app.
- You possibly can then use a software created by one of many researchers to take away your info from Sunbird’s Firebase database.
- Should you’ve despatched any delicate info by way of Nothing Chats, then you need to deal with it as compromised and take applicable measures: change passwords, reissue playing cards, and so forth. Kaspersky Premium will show you how to monitor doable leaks of your private information linked to electronic mail addresses or telephone numbers.
