Nothing to see here because Chats was pulled from Play Store

Something sounded fishy about this from the start.

MajorLinux
MajorLinux - Editor-in-chief

Nothing, the smartphone manufacturer started by Carl Pei, has pulled its Nothing Chats app from the Google Play Store.

Background

After announcing and releasing it last week, it was discovered that there were some security flaws in its implementation. The issues were stemming from how it managed iMessage integration into the app.

The app was made in partnership with Sunbird who has a similar app on the Google Play Store. The apps operate by having the user sign into their Apple ID. It is then associated with a Mac Mini in a datacenter. This is what facilitates moving messages between Apple iMessages and anything outside of it.

To be clear, they are not the first company to do this. Beeper has been around for a while and does a similar process. According to Beeper’s FAQ, they are encrypting messages from your client to their server, decrypting it to get the message then sends it via iMessage (FAQ specifically says WhatsApp). In the end, the messages aren’t end-to-end encrypted (E2EE), but it looks like more than what Sunbird does.

Vulnerabilities

Texts.com had began notifying Sunbird of a vulnerability with data being sent over HTTP after being decrypted. Sunbird then responded saying that it is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”

This appears to fly in the face of Sunbird stating that messages were E2EE and that nobody could see messages being sent to and from Sunbird. Remember, Beeper admits that they do NOT have E2EE for iMessages.

And this is where I think the problem actually lies. It is one thing to have data just flying through plain text to get a hacky version iMessage on Android working. It’s another to state that your implementation is secure when it isn’t and then try to hand wave it away.

While I’m not one to say don’t use a service (I have used Beeper for iMessages on Windows several times), I will say to just keep an eye on what’s happening with the service. You never know what’s happening behind the scenes.

Source: The Verge

Share This Article
Editor-in-chief
Follow:
Marcus Summers is a Linux system administrator by trade. He has been working with Linux for nearly 15 years and has become a fan of open source ideals. He self identifies as a socialist and believes that the world's information should be free for all.
1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *