Article 6GHEC Nothing’s iMessage app was a security catastrophe, taken down in 24 hours

Nothing’s iMessage app was a security catastrophe, taken down in 24 hours

by
Ron Amadeo
from Ars Technica - All content on (#6GHEC)
100-800x546.jpg

Enlarge / The Nothing Phone 2 all lit up. (credit: Ron Amadeo)

It turns out companies that stonewall the media's security questions actually aren't good at security. Last Tuesday, Nothing Chats-a chat app from Android manufacturer "Nothing" and upstart app company Sunbird-brazenly claimed to be able to hack into Apple's iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that had been making empty promises for almost a year and seemed negligent about security. The app launched Friday anyway and was immediately ripped to shreds by the Internet for many security issues. It didn't last 24 hours; Nothing pulled the app from the Play Store Saturday morning. The Sunbird app, which Nothing Chat is just a reskin of, has also been put "on pause."

The initial sales pitch for this app-that it would log you into iMessage on Android if you handed over your Apple username and password-was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as we expected. Here's Nothing's statement:

floorp_laUwX5QvqL.png

Nothing Chat's shut down post. (credit: Twitter)

How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentryand in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages.

Read 7 remaining paragraphs | Comments

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments