A few days ago, Nothing Chats dropped and surprised the world. At that time, a lot of people speculated that it would end the fight between Apple and Android users over blue and green bubbles. However, at the same time, there were some people who speculated that this might not be all that secure, and it turns out that people who had their doubts were true.
Nothing Chats is not the most secure app for messaging, but you might need it by next year
At the time of launch, the company claimed that the Nothing chats were end-to-end encrypted and even claimed that the device was private and secure. However, things are not looking good.
Nothing Chats uses Sunbird’s app architecture, which is designed by Nothing. It was supposed to allow the Nothing Phone 2 to have compatibility with the iMessage app. Users can just download the app on their phone and sign into the app using an Apple ID. Doing so gives you a virtual instance of one of Sunbird’s Mac Minis, and when you communicate with an iPhone, it basically thinks that you are communicating with another Apple device.
It has now become public knowledge that Nothing Chats has a lot of flaws and security issues. Kishan Bagaria, founder of Texts.com, had his team look into the app, and it appears that the app is sending all the information over HTTP instead of the more secure HTTPS.
texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecure
it’s not even using HTTPS, credentials are sent over plaintext HTTP
backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023
Going through the Twitter thread, you will see that Nothing Chats is also using the technology developed by BlueBubbles, another rival app that allows similar functionality. Nothing was quick to issue a statement to Nothing Chats, however.
While the protocol is HTTP, all data is encrypted and the key used to encrypt that data is provided via HTTPS so Apple credentials or messages sent via that HTTP request are secure and not open to the public. All sensitive user data such as Apple ID credentials and messages are encrypted at all times. The HTTP is only used as part of the one-off initial request from the app notifying the back-end of the upcoming iMessage connection iteration that will follow via a stand alone communication channel.
Regarding the other part of his tweet, years ago when the servers were being built Sunbird’s co-founder named them Blue Bubbles. Sunbird/Chats is not using an instance of anyone else’s technology – the naming is strictly coincidence.
Additionally, I want to add that from the start, that Sunbird has been focused on security and its ISO27001 certification (Certificate Number: IA-2023-09-21-01), an internationally recognized specification for an information security management system, is a reflection of its commitment to user privacy.
News Source: Kishan Bagaria
