A hot potato: When Nothing unveiled its chat app last week, it seemed to have cracked the wall separating iMessage users from everyone who doesn't own an iPhone. However, a group of security researchers soon made sharp accusations against its security integrity, suggesting the service is too good to be true.
Amid serious privacy concerns, Nothing has removed the beta for its Android-to-iOS chat app from the Google Play Store. The company also delayed the full launch but hasn't specified for how long.
The new service, Nothing Chats, allowed Nothing Phone 2 owners to send texts to iMessage users on Apple devices with advanced features like end-to-end encryption, high-quality media, group chats, and more. Because iMessage is exclusive to Apple devices and doesn't currently support RCS, it converts messages from Android devices to SMS or MMS, which are less secure and lack modern functionality.
I just want to clarify something. Sunbird *lied* to Nothing. They said messages were end-to-end encrypted. They were not. Sunbird knew this because they upload stuff to Firebase.
– Dylan Roussel (@evowizz) November 18, 2023
Nothing should not just "delay the launch." They should cancel the whole project. https://t.co/COjeFwdMm1
Competitors like Google, Meta, and numerous telecom providers have repeatedly criticized the Cupertino Giant's messaging policies, and the rising threat of regulation from Europe may have pushed Apple to change them. The company plans to implement RCS next year as a new fallback.
Meanwhile, a group of security researchers cast doubt on assertions by Nothing and backend provider Sunbird that their intermediary solution maintained end-to-end encryption. A lengthy technical critique alleges that, at certain points, as Sunbird mediates messages between Android and iMessage, content and account information become unencrypted and vulnerable to attack.
Using Nothing Chats requires users to give Sunbird their Apple IDs – which itself is risky – but the researchers published a proof-of-concept claiming hackers could potentially access that data. Furthermore, they state that the information's visibility to Sunbird employees could make it ripe for insider attacks.
Thread time!
– Dylan Roussel (@evowizz) November 18, 2023
Summary:
- Sunbird has access to every message sent and received through the app on your device.
- All of the documents (images, videos, audios, pdfs, vCards...) sent through Nothing Chat AND Sunbird are public.
- Nothing Chats is not end-to-end encrypted.
Nothing and Sunbird pulled the Nothing Chats beta from the Google Play Store soon after the revelations. Nothing attributed the removal and launch delay to bugs, which drew harsh criticism from commenters accusing the company of lying about its security features. The researchers suggest that anyone who has used Nothing Chats should change their Apple password, revoke account access from the app, and uninstall it.
If Nothing and Sunbird don't address the criticisms, owners of the Nothing Phone 2 and other Android devices will likely have to wait until Apple implements RCS into iMessage in 2024. Although the change will improve how messages from Android to Apple devices appear, they won't incorporate all iMessage features.
Google will work alongside Apple to oversee the integration, which should implement read receipts, live typing indicators, and high-resolution media. RCS on iMessage will use encryption from the GSM Association instead of the system Apple uses for messages between the company's devices. Moreover, iMessage will remain exclusive to Apple hardware, and iOS users receiving messages from Android will continue to see green bubbles.
https://www.techspot.com/news/100911-nothing-pulls-android-ios-chat-app-google-play.html
