Last week was certainly exciting for the prospect of green and blue bubbles finding peace and harmony in the chat realm, though that excitement was a bit premature in Nothing’s case.
Nothing, the company behind the Android-based Nothing Phone, announced Nothing Chats, an app that could send and receive iMessage-style messages through the same servers as Apple users. Then, just as quickly as it launched to particularly enthusiastic fanfare, it was pulled from the Google Play Store over significant privacy and security vulnerabilities.
To make Nothing Chats work, Nothing teamed up with a third-party service called Sunbird to handle logistics. iMessage requires an Apple ID login, so asking for one is typical of any iMessage workaround service. Beeper, a similar app that calls itself a “universal” messenger, does the same thing. Both services enable you to log into a server farm that spoofs your Android device as an Apple one.
Theoretically, this is one way to ensure that messages from outside parties are encrypted. Apple has said it keeps iMessage closed to ensure that chat history stays encrypted.
Unfortunately, Sunbird did not stick to its public promises that its servers “do not store user data.” An X (formerly Twitter) user named Wukko posted evidence that Nothing Chats messages weren’t sealed off once they pinged back to the home base servers. 9to5Google was able to confirm the user’s findings independently:
“We found that once a user authenticates with the JSON Web Tokens (JWT) that are insecure in transit, they can access Nothing Chat’s Firebase database and see messages and files from other users sent in real-time and in plain text.”
Messages sent through Sunbird included contact cards with tons of identifying information, like emails and addresses. Media files sent between folks, including images, were stored internally on Sunbird’s servers.
9to5Google reached out to Nothing to confirm the discovered vulnerability. After that, Nothing pulled Nothing Chats from the Play Store and released the following statement:
“We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.”
The security vulnerabilities may be particular to Sunbird, its service offerings, and how it coded its workaround. But the optics are dire nonetheless. Here is Nothing, a representative of the Android ecosystem, attempting to bridge the gap with Apple users through a catchy value-add. But what they ended up offering screwed over faithful users and gave Apple more validation for why it doesn’t open up iMessage in the first place.
Much of this drama seems like it was merely a stunt concocted by Nothing’s co-founder, Carl Pei, who maybe wanted to look like a hero to the ecosystem for bringing peace between platforms. It ended up making Nothing look bad.
At the very least, Apple has an official way to end this drama soon without requiring some hackneyed workaround. Having RCS compatibility will make life a little easier for Android users who just want to share a damn photo with a family member without having it dialed down in resolution.