Affiliate links on Android Authority may earn us a commission. Learn more.
Nothing Chats pulled from Play Store after investigations find serious security flaws
- Nothing has removed Nothing Chats from the Play Store after multiple investigations found that it’s a complete security mess.
- Sunbird, the platform that powers Nothing Chats, has access to every message sent and received through the app on your device.
- All images, documents, and messages sent through Nothing Chats and Sunbird are also publicly accessible.
Nothing recently made a big deal about its new iMessage-compatible texting platform called Nothing Chats. It even promised that messages sent over the service, which is powered by Sunbird, are end-to-end encrypted and not stored on any servers. However, multiple investigations have now proved that Nothing and Sunbird’s security claims are utterly false. Nothing has also pulled the app from the Play Store and delayed its official launch.
We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.We apologise for the delay and will do right by our users.— Nothing (@nothing) November 18, 2023
It’s interesting how Nothing has deemed the severe security flaws in its apps as mere “bugs.”
According to X user Wukko and 9to5Google’s independent findings, Nothing Chats are not at all encrypted, as all user data from the app can be accessed in plain text. Nothing Chats reportedly sends all messages and media attachments to Sentry, a cloud-based application performance monitoring & error tracking service. Additionally, all app data is sent unencrypted and stored on Firebase, Google’s mobile and web app development platform.
– Sunbird has access to every message sent and received through the app on your device.– All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.– Nothing Chats is not end-to-end encrypted.— Dylan Roussel (@evowizz) November 18, 2023
9to5Google’s Dylan Roussel further discovered that Sunbird, the service that powers Nothing Chats, can access every message sent and received through the app.
The security issues get even murkier since Roussel discovered that anyone can access Sunbird and, by extension, Nothing Chats’ Firebase database. That means all messages and files ever sent by users, as well as their phone numbers, names, and email addresses, can be viewed by anyone.
Roussel said Sunbird stores more than 637,780 media files in Firebase, and the personal information of over 2,300 users is publicly accessible.
Meanwhile, the folks at Texts.com also detailed the security loopholes in Nothing Chats in a blog post. They figured that a short bit of code was all that was needed to automate the process of downloading the app’s user data, including messages and media files.
If you are someone who has used Sunbird or Nothing Chats, researchers at Texts recommend you change your Apple ID password immediately and remove the apps from your phones. It would be best if you also headed to this link to remove your data from Firebase.