The past week has certainly been exciting when it comes to the prospect of green and blue bubbles finding peace and harmony in the chat realm, even if that excitement was a bit premature in Nothing’s case.
Nothing, the company behind the Android system Nothing phone, announcement Nothing is discussed, an app that could send and receive iMessage-style messages through the same servers as Apple users. Then, as quickly as it was launched, with great fanfare, it was drawn from the Google Play Store for significant privacy and security vulnerabilities.
To make Nothing Chats work, Nothing partnered with a third-party service called Souimanga to manage logistics. iMessage requires an Apple ID login, typical of any iMessage workaround service. Beeper, a similar app who calls himself a “universal” messenger, does the same thing. Both services allow you to connect to a server farm that spoofs your Android device as an Apple device.
Theoretically, this is a way to ensure that messages from third parties are encrypted. Apple said it keeps iMessage closed to ensure chat history remains encrypted.
Unfortunately, Sunbird has not kept its public promises that its servers “do not store user data.” A user from X, formerly Twitter, named Wukko published evidence that Nothing threads were not closed once they were returned to the base servers. 9to5Google was able to independently confirm the user’s findings:
We found that once a user authenticates with JSON Web Tokens (JWT) which are not secure in transit, they can access Nothing Chat’s Firebase database and view messages and files other users sent in real time and in plain text.
Messages sent through Sunbird included contact cards containing tons of identifying information, like emails and addresses. Media files exchanged between people, including images, were stored internally on Sunbird’s servers.
9to5Google contacted Nothing to confirm the discovered vulnerability. After that, nothing more pulled Nothing Cats from the Play Store and released the following statement:
We have removed the Nothing Chats beta from the Play Store and will delay the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do the right thing for our users.
Security vulnerabilities may be specific to Sunbird, its service offerings, and how it coded its workaround. But the outlook is nonetheless dire. Here is Nothing, a representative of the Android ecosystem, attempts to bridge the gap with Apple users through eye-catching added value. But what they ended up coming up with screwed over loyal users and gave Apple more validation as to why it doesn’t open iMessage in the first place.
Much of this drama appears to simply be a stunt concocted by Nothing co-founder Carl Pei, who perhaps wanted to seem like an ecosystem hero to bring peace between platforms. This ended up making Nothing look bad.
At the very least, Apple has an official way end this drama soon without requiring a hackneyed workaround. RCS compatibility will make life a little easier for Android users who just want to share a damn photo with a family member without reducing it in resolution.