The debut of the Nothing Chats beta on the Play Store, intended as an exclusive iMessage alternative for the Nothing Phone (2), has quickly spiralled into controversy.
Within hours of its launch, significant security issues were brought to light, undermining the app’s promise of privacy and end-to-end encryption.
Initially advertised as a competitor to apps like Beeper or AirMessage, Nothing Chats aimed to offer secure messaging for iMessage users.
However, Kishan Bagaria, founder of Texts (a rival service), exposed a critical flaw: the app was transmitting credentials over unsecured HTTP connections, not the expected HTTPS.
This revelation was a startling contradiction to Nothing Chats’ privacy-focused marketing.
The situation worsened with a report from 9to5Google, corroborating findings from Twitter user Wukko.
Their investigation revealed that the Nothing Chats beta was logging messages in plain text via Sentry, a developer troubleshooting tool, and storing this data unencrypted on Firebase.
This breach exposed not only text messages but also images, videos, usernames, and phone numbers.
Alarmingly, over 600,000 media items, including 2,300 vCards, were accessible from Nothing’s Firebase server.
These security lapses were further detailed in an extensive blog post by Texts, demonstrating the app’s vulnerabilities.
Despite Nothing’s attempt to downplay the issue, claiming encryption keys were secure, the evidence pointed to a far more severe privacy infringement.
9to5Google notified Nothing of these flaws, and the Nothing Chats beta subsequently disappeared from the Play Store.
Subsequently, Nothing acknowledged the need to address “several bugs,” opting to delay the app’s launch.
This response seemed to understate the gravity of the discovered security issues.
For Nothing, a smaller player in the Android ecosystem reliant on tech-savvy endorsements, this problematic rollout of the Nothing Chats beta presents a significant challenge.
Trust in the brand is crucial, and these security oversights have likely eroded confidence rapidly.
The Nothing Chats beta, initially pitched as a secure messaging platform, was found transmitting credentials via unsecured HTTP. Additionally, it was logging messages in plain text and storing personal data, including images and videos, on an unencrypted server, making them accessible to unauthorized users.
Following the revelation of these security flaws, Nothing acknowledged the issues and opted to delay the further rollout of the app. They stated the delay was to fix several bugs, although the specifics of these fixes in relation to the exposed vulnerabilities remain unclear.
Reports indicated that over 600,000 pieces of media, including text messages, images, videos, usernames, phone numbers, and 2,300 vCards, were stored unencrypted and were accessible from the app’s server. This breach included a wide array of personal information sent through the app.