Nothing has pulled the Nothing Chats beta from the Google Play retailer, saying it’s “delaying the launch till additional discover” whereas it fixes “a number of bugs.” The app promised to let Nothing Phone 2 users text with iMessage, however it required permitting Sunbird, who gives the platform, log into customers’ iCloud accounts by itself Mac Mini servers, which… isn’t nice?
The removing got here after customers extensively shared a blog from Texts.com exhibiting that messages despatched with Sunbird’s system aren’t truly end-to-end encrypted — and that it’s not laborious to compromise it. The app launched in beta yesterday after being announced earlier this week.
9to5Google pointed to a thread from site author Dylan Roussel, who discovered that a part of Sunbird’s resolution includes decrypting and transmitting messages utilizing HTTP to a Firebase cloud-syncing server and storing them there in unencrypted plain textual content. Roussel posted that the corporate itself has entry to messages as a result of it logs them as errors utilizing Sentry, a debugging service.
Sunbird claimed yesterday that HTTP is “solely used as a part of the one-off preliminary request from the app notifying back-end of the upcoming iMessage connection.”
That was in response to somebody pointing to Texts.com’s blog inspecting the vulnerability. Texts.com wrote that “an attacker subscribed to the Firebase realtime database will at all times have the ability to entry the messages earlier than or in the meanwhile they’re learn by the person.” The weblog additionally factors out that the corporate may have a look at messages in its Sentry dashboard, straight contradicting the claim from Nothing’s FAQ that no person at Sunbird can entry messages which can be despatched or acquired.
We’ve reached out to Nothing for additional remark, however the firm didn’t reply by press time.