Nothing's iMessage app was a security catastrophe, taken down in 24 hours | Nothing promised end-to-end encryption, then stored texts publicly in plain text.

Orange site: https://news.ycombinator.com/item?id=38361259

It turns out companies that stonewall the media's security questions actually aren't good at security. Last Tuesday, Nothing Chats—a chat app from Android manufacturer "Nothing" and upstart app company Sunbird—brazenly claimed to be able to hack into Apple's iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that had been making empty promises for almost a year and seemed negligent about security. The app launched Friday anyway and was immediately ripped to shreds by the Internet for many security issues. It didn't last 24 hours; Nothing pulled the app from the Play Store Saturday morning. The Sunbird app, which Nothing Chat is just a reskin of, has also been put "on pause."

The initial sales pitch for this app—that it would log you into iMessage on Android if you handed over your Apple username and password—was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as we expected. Here's Nothing's statement:

How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages.

The Text.com investigation uncovered a pile of vulnerabilities. The blog says, "When a message or an attachment is received by a user, they are unencrypted on the server side until the client sends a request acknowledging, and deleting them from the database. This means that an attacker subscribed to the Firebase Realtime DB will always be able to access the messages before or at the moment they are read by the user." Text.com was able to intercept an authentication token sent over unencrypted HTTP and subscribe to changes occurring to the database. This meant live updates of "Messages in, out, account changes, etc" not just from themselves, but other users, too.

Text.com released a proof-of-concept app that could fetch your supposedly end-to-end encrypted messages from Sunbird's servers. Batuhan Içöz, a product engineer for Text.com, also released a tool that will delete some of your data from Sunbird's servers. Içöz recommends that any Sunbird/Nothing Chat users change their Apple password now, revoke Sunbird's session, and "assume your data is already compromised."

9to5Google's Dylan Roussel investigated the app and found that, in addition to all of the public text data, "All of the documents (images, videos, audios, pdfs, vCards...) sent through Nothing Chat AND Sunbird are public." Roussel found 630,000 media files are currently stored by Sunbird, and apparently he could access some. Sunbird's app suggested that users transfer vCards—virtual business cards full of contact data—and Roussel says the personal information of 2,300-plus users is accessible. Roussel calls the whole fiasco "probably the biggest 'privacy nightmare' I've seen by a phone manufacturer in years."

Despite being the cause of this huge catastrophe, Sunbird has been bizarrely quiet during this whole mess. The app's X (formerly Twitter) page still doesn't say anything about the shutdown of Nothing Chats or Sunbird. Maybe that's for the best because some of Sunbird's early responses to the security concerns raised on Friday do not seem like they came from a competent developer. At first, the company defended its use of unencrypted HTTP for some web transactions, telling Text.com's Bagaria that "the HTTP is only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection iteration that will follow via a stand alone communication channel. From the start, Sunbird has been focused on security." The Text.com investigation clarified this was "a load-balanced Express server which does not implement SSL, so requests can be easily intercepted by an attacker." This usage of HTTP allowed Text.com to intercept authentication tokens.

Modern security best practices would say it is never OK to use unencrypted HTTP for any Internet transaction, and many platforms outright block plaintext HTTP transmission by default. Chrome shows a full-page warning when trying to access an HTTP page and requires the user to click through a warning message. Android disables clear text traffic by default and needs a developer to turn on a special flag for the request to go through. Projects like Let's Encrypt have not only made HTTPS usage easy and free, but it's actually easier to encrypt everything because you don't have to deal with all the security roadblocks. These are the basics of 2023 Internet usage, and seeing any developer argue against them is shocking, especially when that developer also wants to be trusted with your Apple account. It would be one thing if this was some kind of horrible mistake, but Sunbird thought this was OK!

Nothing has always seemed like an Android manufacturer that was more hype than substance, but we can now add "negligent" to that list. The company latched on to Sunbird, reskinned its app, created a promo website and YouTube video, and coordinated a media release with popular YouTubers, all without doing the slightest bit of due diligence on Sunbird's apps or its security claims. It's unbelievable that these two companies made it this far—the launch of Nothing Chats required a systemic security failure across two entire companies.

Nothing claims the app will be back once it and Sunbird work to "fix several bugs." When your whole app was built with seemingly no concern for security, I don't see how you can just patch that up in a week or two. If Nothing Chats makes it back to the Play Store, will anyone still trust it enough to enter their credentials?