The app is designed to allow Nothing Phone 2 users to communicate via iMessage. However, this requires users to give Sunbird – the platform provider – access to their iCloud accounts on Sunbird’s Mac Mini servers, a practice that has raised security concerns.
The decision to stop the application came after a Texts.com blog post revealed that messages sent through the Sunbird system were not end-to-end encrypted and could be easily hacked. The app had been released in beta just the day before.
Dylan Russell, the site’s author, discovered that Sunbird’s method involved decrypting messages and transmitting them via HTTP to a server in the Firebase cloud, where they were stored in unencrypted plaintext. Russell also revealed that Sunbird had access to these messages as they were logged as errors using Sentry, a debugging service.
Sunbird defended its practices, noting that HTTP was used only for the initial request from the app to notify the backend of an upcoming iMessage connection. This statement was made in response to the Texts.com blog post, which highlighted a security vulnerability in the app.
According to Texts.com, a malicious user who can subscribe to Firebase’s real-time database can access messages either before or at the same time the user reads them. The related article also notes that Sunbird can see messages on the Sentry dashboard, contrary to Nothing’s claim in its FAQ that no one at the company can access messages sent or received.
So far there has been no comment on the issue or the reason for the removal of Nothing Chats from the Play Store.