Nothing Chats might raise security concerns among users: Here's why
What's the story
The "Nothing Chats" app has been unveiled for Nothing's Android-based Phone (2), enabling users to access Apple's iMessage on their devices.
However, Nothing's latest service has come under fire for transmitting Apple ID credentials via HTTP rather than the more secure HTTPS.
Kishan Bagaria, the founder of Texts.com, took to Twitter to call the app "extremely insecure," noting that it relies on a BlueBubbles-powered backend that lacks end-to-end encryption.
Details
How Nothing Chats works
Designed to facilitate iMessage use on the Phone (2) while supporting existing RCS and SMS conversations, "Nothing Chats" requires users to connect to Google Messages through a QR code and log in with their Apple ID.
The app is managed by Sunbird, which means the Apple ID is used to sign in to a Mac located in a remote server farm.
Nothing, however, asserts that the Apple ID information is "destroyed" after login and stored as a token in an encrypted database.
Scenario
Sunbird has a sketchy reputation
Sunbird, the firm responsible for "Nothing Chats," reportedly has a dubious track record. It first mentioned plans to bring iMessage to Android in 2022 but remains on a waitlist to this day.
Earlier this week, Ars Technica reported that Sunbird held a media briefing last year but abruptly refused to answer open questions and declined to address technical inquiries, raising suspicions about its transparency.
Twitter Post
Take a look at Bagaria's post
texts team took a quick look at the tech behind nothing chats and found out it's extremely insecure
it's not even using HTTPS, credentials are sent over plaintext HTTP
backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
Insights
Nothing's response to security concerns
Addressing the security issues, Nothing has released a statement to 9to5Google explaining that although the protocol is HTTP, all data is encrypted, and the encryption key is supplied via HTTPS.
The company added that sensitive user information, including Apple ID credentials and messages, is encrypted at all times.
HTTP is employed only for a single initial request from the app, which informs the backend of an impending iMessage connection iteration, the company said.
Facts
Service now available in select regions
Nothing Chats can now be downloaded from the Google Play Store exclusively on the Nothing Phone (2) in the United States (US), Canada, the United Kingdom (UK), and Europe. Its availability in India is yet to be confirmed by Nothing.
This release follows Apple's announcement that RCS messaging will be available on the iPhone in 2024.
Due to the security concerns raised, users are advised to exercise caution when using "Nothing Chats."