Nothing Chats, the messaging app from Nothing, faced a setback as its beta version was swiftly taken down from the Play Store just a day after its initial release. The company has opted to postpone the app’s official launch, citing the need for further evaluation and improvement before proceeding.
As per a report by Gadgets Now, the decision to take down the app followed users sharing a blog post from Texts.com. The post revealed that messages sent through Sunbird’s system, the foundation of the app, lack end-to-end encryption, making them susceptible to easy compromise.
Reportedly, Texts.com’s reverse engineering team found that Sunbird and Nothing Chats required users to transmit their Apple ID credentials to their servers. The team identified multiple security concerns, such as the transmission of critical credentials over an unencrypted channel (HTTP). Although Sunbird asserts ISO27001 certification, the investigation found that the company’s statements regarding end-to-end encryption were misleading.
While messages directed to Sunbird’s servers were encrypted, the JSON Web Tokens (JWT) were transmitted without encryption to another Sunbird server, exposing them to potential interception, adds the report.
The messages were then decrypted and stored on Sunbird’s servers, leaving them susceptible to unauthorized access. Texts.com managed to intercept JWTs, which gave it access to the Firebase real-time database and user information with just 23 lines of code.
Sunbird clarified that HTTP is exclusively employed for the initial request from the app to the back-end, serving to notify it of the impending iMessage connection.
The app made its beta debut on the Play Store on Tuesday following its announcement earlier this week.
Updated: 20 Nov 2023, 05:57 PM IST