Highlights
- Nothing Chats beta, aimed to rival iMessage, faces severe security flaws post-launch.
- The app reportedly transmits credentials over unsecured HTTP and logs messages in plain text.
- Over 600,000 media items, including personal data, were found accessible on an unencrypted server.
- Nothing delays further rollout of the beta version to address these critical privacy issues.
The debut of the Nothing Chats beta on the Play Store, intended as an exclusive iMessage alternative for the Nothing Phone (2), has quickly spiralled into controversy.
Within hours of its launch, significant security issues were brought to light, undermining the app’s promise of privacy and end-to-end encryption.
Initially advertised as a competitor to apps like Beeper or AirMessage, Nothing Chats aimed to offer secure messaging for iMessage users.
However, Kishan Bagaria, founder of Texts (a rival service), exposed a critical flaw: the app was transmitting credentials over unsecured HTTP connections, not the expected HTTPS.
This revelation was a startling contradiction to Nothing Chats’ privacy-focused marketing.
The situation worsened with a report from 9to5Google, corroborating findings from Twitter user Wukko.
Their investigation revealed that the Nothing Chats beta was logging messages in plain text via Sentry, a developer troubleshooting tool, and storing this data unencrypted on Firebase.
This breach exposed not only text messages but also images, videos, usernames, and phone numbers.
Alarmingly, over 600,000 media items, including 2,300 vCards, were accessible from Nothing’s Firebase server.
These security lapses were further detailed in an extensive blog post by Texts, demonstrating the app’s vulnerabilities.
Despite Nothing’s attempt to downplay the issue, claiming encryption keys were secure, the evidence pointed to a far more severe privacy infringement.
9to5Google notified Nothing of these flaws, leading to a noticeable absence of the Nothing Chats beta from the Play Store.
Subsequently, Nothing acknowledged the need to address “several bugs,” opting to delay the app’s launch.
This response seemed to understate the gravity of the discovered security issues.
For Nothing, a smaller player in the Android ecosystem reliant on tech-savvy endorsements, this problematic rollout of the Nothing Chats beta presents a significant challenge.
Trust in the brand is crucial, and these security oversights have likely eroded confidence rapidly.
FAQs
What security issues were found in the Nothing Chats beta?
The Nothing Chats beta, initially pitched as a secure messaging platform, was found transmitting credentials via unsecured HTTP. Additionally, it was logging messages in plain text and storing personal data, including images and videos, on an unencrypted server, making them accessible to unauthorized users.
How did Nothing respond to the security concerns?
Following the revelation of these security flaws, Nothing acknowledged the issues and opted to delay the further rollout of the app. They stated the delay was to fix several bugs, although the specifics of these fixes in relation to the exposed vulnerabilities remain unclear.
What data was compromised in the Nothing Chats beta?
Reports indicated that over 600,000 pieces of media, including text messages, images, videos, usernames, phone numbers, and 2,300 vCards, were stored unencrypted and were accessible from the app’s server. This breach included a wide array of personal information sent through the app.