When Nothing announced last week that it was partnering with Sunbird to release Nothing Chats, a messaging app that would bring the iPhone’s blue bubble experience to Android, the collective world raised an eyebrow. Sunbird has operated under a weird cloak of secrecy for most of the last year since being revealed, and there are always going to be concerns when a service is attempting to use one of Apple’s services without approval, coupled with claims it allows you to do so without worry.
Nothing Chats did indeed launch on November 17 (last Friday) and was then pulled less than 24 hours later because it might be incredibly insecure.
Once folks had the app on their devices, they dove in and found quite the nightmare if you happened to sign in to Nothing Chats with your Apple ID and then started sending messages. While there is encryption at various stages of the process, there is also a decryption step that exposes unencrypted data (your messages), which any semi-knowledgeable hacker could have accessed with ease.
I encourage you to read this writeup from Texts.blog, where they break down exactly why this Nothing Chats app (and Sunbird) is so insecure. They’ve even offered folks some tips on how to back out of the service to try and protect your privacy and Apple account.
Nothing announced that it had removed Nothing Chats from Google Play to work with Sunbird to “fix several bugs.” Yeah, I’m not sure “bugs” is the proper word there. Sunbird has also sent a notice to its users informing them that they are pausing usage of their app.
We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
We apologise for the delay and will do right by our users.
— Nothing (@nothing) November 18, 2023
My guess is that we’ll never see Nothing Chats again. The damage is done here and it’s going to be hard for anyone to trust that this system will ever be secure. As we mentioned last week when they announced it, we don’t recommend giving your Apple ID to anyone that isn’t actually Apple.