Nothing, the smartphone manufacturer started by Carl Pei, has pulled its Nothing Chats app from the Google Play Store.
After announcing and releasing it last week, it was discovered that there were some security flaws in its implementation. The issues were stemming from how it managed iMessage integration into the app.
The app was made in partnership with Sunbird who has a similar app on the Google Play Store. The apps operate by having the user sign into their Apple ID. It is then associated with a Mac Mini in a datacenter. This is what facilitates moving messages between Apple iMessages and anything outside of it.
To be clear, they are not the first company to do this. Beeper has been around for a while and does a similar process. According to Beeper’s FAQ, they are encrypting messages from your client to their server, decrypting it to get the message then sends it via iMessage (FAQ specifically says WhatsApp). In the end, the messages aren’t end-to-end encrypted (E2EE), but it looks like more than what Sunbird does.
Texts.com had began notifying Sunbird of a vulnerability with data being sent over HTTP after being decrypted. Sunbird then responded saying that it is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”
This appears to fly in the face of Sunbird stating that messages were E2EE and that nobody could see messages being sent to and from Sunbird. Remember, Beeper admits that they do NOT have E2EE for iMessages.
And this is where I think the problem actually lies. It is one thing to have data just flying through plain text to get a hacky version iMessage on Android working. It’s another to state that your implementation is secure when it isn’t and then try to hand wave it away.
While I’m not one to say don’t use a service (I have used Beeper for iMessages on Windows several times), I will say to just keep an eye on what’s happening with the service. You never know what’s happening behind the scenes.
Source: The Verge