Nothing launched the Nothing Chats messaging platform last week to dismantle messaging barriers between Android and iOS devices in collaboration with Sunbird. The messaging app allows Nothing Phone 2 users to send and receive texts via iMessage enabling messages to appear as blue bubbles on iMessage. It also supports texting over the RCS protocol to other Android phones, along with SMS and MMS. However, since its announcement, a lot of users have voiced concerns over the security and privacy issues of the service. Now, the Carl Pei-led UK startup has pulled the beta for its new messaging app from the Google Play Store due to privacy concerns.
Nothing has pulled the Nothing Chats beta from Google Play Store saying it is “delaying the launch until further notice to work with Sunbird to fix several bugs”. The company did not specify the bugs or address any privacy issues.
We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
We apologise for the delay and will do right by our users.
— Nothing (@nothing) November 18, 2023
The removal came after users widely criticised the system for transmitting Apple ID credentials via HTTP rather than the more secure HTTPS. Users are required to log in with their Apple ID through the Nothing Chats app to use iMessage services. This routes the login through a Mac located in a remote server farm. Kishan Bagaria, the founder of Texts.com, took to X to call the app “extremely insecure,” claiming that messages sent with Sunbird’s system are not end-to-end encrypted and it relies on a BlueBubbles-powered backend.
texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecure
it’s not even using HTTPS, credentials are sent over plaintext HTTP
backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
Additionally, Dylan Roussel (@evowizz) pointed out that Sunbird has access to every message sent and received through the app on your device. All of the documents (images, videos, audio, PDFs, vCards…) sent through Nothing Chats and Sunbird are public.
Meanwhile, another X user wukko(@uwukko) posted findings that the Nothing Chats app sends all messages and media attachments to Sentry. Further, “all” data is sent and stored through Firebase, and it’s also completely unencrypted.
The Nothing Chats app was built to bring iMessage support to Android. It allowed blue bubble conversations from an Android phone with iMessage users and also supports RCS (Rich communication services) between compatible devices. The app also gets features like end-to-end encryption, group messaging, live typing indications, high-resolution media sharing, read and delivery receipts, and responding with reactions, with more claimed to come in the future.