The Nothing Chats app, introduced on November 14, was pulled from the Google Play Store on Saturday after Android app developer Dylan Roussel exposed a series of security flaws that led to its removal.
Initially praised for its simplicity, Nothing Chats quickly faced scrutiny for its apparent lack of encryption and the insecure transmission of login credentials over plaintext HTTP. However, the situation escalated when it was discovered that Sunbird, the service behind Nothing Chats, not only logged and retained messages but also allowed the download of retained user data by unauthorized parties.
Amid mounting concerns, Nothing decided to delay the app’s launch indefinitely, emphasizing the collaboration with Sunbird to address critical bugs. Roussel’s findings shed light on the app’s alarming lack of security measures, raising questions about user privacy and data protection.
Among the key revelations, it was exposed that Sunbird had unrestricted access to every message exchanged through the app, leaving user communications vulnerable. Additionally, all shared documents, including images, videos, and vCards, were found to be publicly accessible, posing a significant risk to user privacy.
The absence of end-to-end encryption in Nothing Chats further fueled the security concerns, contradicting the app’s advertised claims. Roussel also found that Sunbird had repurposed an error-monitoring tool, Sentry, not for logging errors but for monitoring and recording user messages.
The storage of over 637,000 media items, including vCards, raised serious data privacy issues. Roussel demonstrated the severity by downloading vCards from the archive, which exposed other users’ phone numbers and contact details. Stored files also kept their original file names, a further risk, since a file name alone can inadvertently disclose confidential or sensitive information.
As the revelations unfolded, Roussel emphasized the urgency of removing the app from the Play Store and notifying all users about the security vulnerabilities. With Sunbird having 72 hours under Europe’s GDPR rules to inform affected users, the situation underscored the critical need for transparent communication and immediate action to safeguard user data.
Commenting on the matter, Roussel pointed out that while Nothing Chats was not directly developed by Nothing, the company should have ensured the app’s security before associating its name with it. The unfolding events marked a significant privacy concern and highlighted the importance of thorough security assessments in the development and deployment of messaging apps.