Unveiling Security Concerns: Nothing Chats Messaging App Faces Scrutiny

6 min read
Unveiling Security Concerns: Nothing Chats Messaging App Faces Scrutiny


In an ambitious move to bridge the messaging divide between Android and iOS, Nothing launched the highly-anticipated Nothing Chats messaging platform last week. However, what was meant to be a revolutionary step forward has instead stirred a considerable amount of controversy, with users expressing concerns about the security and privacy of the platform.

Beta Removal from Google Play Store:

Nothing has pulled the beta version of Nothing Chats from the Google Play Store, announcing a delay in the official launch to address identified bugs in collaboration with Sunbird. While the company refrained from specifying the nature of the bugs, it is evident that privacy issues have played a pivotal role in this decision.

Transmission of Apple ID Credentials:

One of the primary criticisms directed at Nothing Chats is its method of transmitting Apple ID credentials via HTTP, a less secure protocol compared to HTTPS. Users must log in with their Apple ID to access iMessage services, prompting concerns regarding the vulnerability of this process to potential security breaches.

Lack of End-to-End Encryption:

Despite Nothing's initial claims that the Nothing Chats messaging app would feature end-to-end encryption, recent revelations have brought to light a significant security gap. Security experts and users alike have expressed deep concern over the absence of end-to-end encryption in messages transmitted through the Sunbird system integrated into Nothing Chats.

End-to-end encryption is a fundamental security measure that ensures only the intended recipient can decipher and access the contents of a message. This is achieved by encrypting the message on the sender's device and decrypting it on the recipient's device, effectively preventing intermediaries from intercepting or accessing the message during transmission.

The lack of this critical security feature in Nothing Chats raises questions about the overall privacy and integrity of user communications. End-to-end encryption is often considered the gold standard in securing messaging platforms, providing users with the assurance that their conversations remain confidential and protected from unauthorized access.

In the absence of end-to-end encryption, messages sent through Nothing Chats may be susceptible to interception or surveillance, compromising user privacy. This revelation contradicts the initial narrative presented by Nothing, emphasizing the need for a thorough examination of the security infrastructure of the messaging app.

As users increasingly prioritize secure and private communication, the absence of end-to-end encryption in Nothing Chats stands as a significant setback, prompting both users and industry observers to scrutinize the company's commitment to providing a secure messaging experience. The implications of this security flaw underscore the importance of robust encryption measures in ensuring the confidentiality and trustworthiness of messaging platforms in an era where privacy concerns are at the forefront of user considerations.

Privacy Issues with Sunbird:

Dylan Roussel's revelations about privacy concerns associated with Sunbird, Nothing's collaborative partner in developing Nothing Chats, have triggered heightened scrutiny. Users and security experts alike are expressing apprehension over the handling of sensitive user data within the messaging platform.

The primary concern highlighted by Roussel is the unrestricted access Sunbird allegedly has to all messages sent and received through Nothing Chats. This poses a direct threat to user privacy, as the essence of private messaging is undermined when a third-party entity can access the content of conversations without user consent.

Moreover, the claim that all data, including documents, images, videos, audio, PDFs, and vCards sent through Nothing Chats and Sunbird, is public raises serious questions about the security practices employed by the messaging platform. Users naturally expect their shared content to remain private and inaccessible to unauthorized entities, making the public visibility of this data a glaring breach of trust.

In addition to concerns about Sunbird's access to message content, the data storage and transmission methods employed by Nothing Chats have come under scrutiny. Kishan Bagaria's investigation revealed that all messages and media attachments are sent to Sentry, introducing an additional layer of potential vulnerability. The reliance on Firebase for data transmission and storage, coupled with the revelation that the process is completely unencrypted, further compounds the privacy concerns surrounding user data.

The implications of these privacy concerns are far-reaching. Users may find themselves grappling with the unsettling reality that their supposedly private conversations and shared media could be accessed by external entities, compromising the confidentiality and trustworthiness of the messaging platform. As privacy becomes an increasingly critical aspect of user decision-making, addressing these concerns is imperative for Nothing to regain user trust and confidence in the security of their personal data within the Nothing Chats ecosystem.

Data Storage and Encryption Concerns:

An investigation by Kishan Bagaria and the Texts.com team has uncovered that the Nothing Chats app sends all messages and media attachments to Sentry. Furthermore, it was revealed that all data is transmitted and stored through Firebase, intensifying concerns about the absence of robust encryption protocols to safeguard user information.

Initial Claims vs. New Findings:

Despite Nothing's initial claims regarding end-to-end encryption, recent findings suggest a misalignment between promises and the actual security features implemented in the app. Users are now grappling with the realization that the security infrastructure of Nothing Chats may not be as airtight as originally communicated.

Process and Trust in Third Parties:

A significant point of contention revolves around the sign-in process, requiring users to trust a third party, Sunbird, with sensitive Apple ID data and passwords. Nothing, however, has attempted to assuage these concerns by asserting that, after the initial login, credentials are tokenized in an encrypted database, rendering them inaccessible to Sunbird or any other entity, even if they were to gain access to the physical server.

Security Issues Post-Public Release:

Since the app became publicly available for download, users have stumbled upon additional security issues. Of particular concern is the revelation that the app utilizes HTTP instead of the more secure HTTPS for certain information transmissions, intensifying worries regarding the overall robustness of the security architecture.


While Nothing Chats was introduced as a groundbreaking solution to harmonize messaging experiences across Android and iOS, the current wave of security concerns has compelled Nothing to remove the beta version from the Google Play Store. As users eagerly await updates on the bug-fixing efforts from Nothing and Sunbird, the spotlight remains on addressing these identified issues to ensure a more secure messaging platform in the future.

Follow us on social media

Cyber Unfolded Light Logo
Copyright © 2024 CYUN. All rights reserved.