Nothing Chats pulled from Play Store amidst privacy blunder

A close look at the design of the Nothing Phone (2)
(Image credit: Nicholas Sutrich / Android Central)

What you need to know

  • Less than 24 hours after launching its new Chats app, Nothing has pulled the app from the Play Store.
  • This comes following reports that any sent media or messages are unencrypted, counter to the company's claims.
  • Making matters worse, it seems that the data is accessible and stored on a server.

The week started off on a pretty wild foot as Nothing Chats was announced as a way to build "a blue bubble bridge" to bring iMessage to Nothing Phone (2) owners. Then, Apple essentially rendered the app useless as it announced RCS support would be coming to iPhones next year. Now, Nothing might be in a bit of hot water as some disastrous privacy issues were unearthed by several individuals, including Dylan Roussel and 9to5Google.

For some background, Nothing didn't just create a bridge out of thin air, bringing iMessage to Android. Instead, the company partnered with Sunbird, which was announced in 2022 as an app akin to Beeper.

In order to use iMessage, you'll need either a phone number or Apple ID, with the former being the de-facto option for iPhone users. So, in order to take advantage of either Sunbird or Beeper, you'll need to sign in with an Apple ID before being able to use the app. 

What iMessage might look like on a Google Pixel 6a

(Image credit: Nicholas Sutrich / Android Central)

This might not sound like much of an issue, but in order to "bridge the gap," these companies rely on rooms full of either physical Mac computers or macOS servers. The only control that you, the user, have over these is that you can sign into your Apple ID from a browser and remove your account from whatever Mac you are "signed into."

A lot of the appeal of iMessage, at least in the way that Apple explains it, is that your messages are end-to-end encrypted. But, when trying to use something like Sunbird, we're kind of just expected to take the company at its word. On paper, it sounds pretty enticing, especially when you see Sunbird stating it "has its ISO27001 certification" to combat security threats and protect your privacy.

It didn't take long for some damning evidence to surface revealing that Sunbird, and by extension Nothing Chats, aren't as secure as the company claimed. Not only are your messages not end-to-end encrypted, but as Roussel points out, Sunbird actually "has access to every message sent and received through the app."

When pressed on the matter, higher-ups at Nothing and the Sunbird team both denied any potential security concerns. Kishan Bagaria, founder of Texts.com, discovered that "it's not even using HTTPS," and "backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet."

For reference, BlueBubbles is an app that allows you to essentially build your own bridge for iMessage using a Mac that you own or macOS in a Virtual Machine. However, it seems that something else could be afoot if you opt for that route, as the BlueBubbles website states that "all connections are done over HTTPS/WSS and utilizes TLS encryption by default."

That notwithstanding, the larger problem is that Nothing launched its Chats app, seemingly without doing its due diligence. The company recently announced that it surpassed two million devices sold but didn't provide firm figures about how many of those devices were phones. 

Nothing Chats Play Store listing

(Image credit: Android Central)

We aren't exactly sure when the move was made, but at the time of this writing, the Nothing Chats app is no longer available to download from the Play Store. Instead, if you manage to access the Play Store listing, you'll be greeted with a message that says "This item is not available in your country."

For those who already managed to download and install the Nothing Chats app, we highly recommend deleting it immediately from your phone. Additionally, even if you created an Apple ID solely for being able to use iMessage, change the account password. Lastly, you can remove any devices signed in with your Apple ID by following these steps:

1. From your browser, navigate to appleid.apple.com.

2. Click the Sign In button and sign into the Apple ID that you used with Nothing Chats.

How to remove devices from your Apple ID

(Image credit: Android Central)

3. On the left side, click Devices

How to remove devices from your Apple ID

(Image credit: Android Central)

4. Scroll through the list of devices, then locate and click any that you don't own. More than likely, it will be a Mac.

How to remove devices from your Apple ID

(Image credit: Android Central)

5. Click the Remove from account button.

How to remove devices from your Apple ID

(Image credit: Android Central)

6. To confirm, click the Remove button.

How to remove devices from your Apple ID

(Image credit: Android Central)

Then, shortly after the reports surfaced this morning, the official Nothing X account posted the following, confirming that it's working with Sunbird to address "several bugs" in the Nothing Chats beta:

Judging by the post, it seems that Nothing is only "delaying the launch," and not committing to canceling the project altogether. It will be interesting to see how everything plays out in the coming days. But if we were to wager, we'd guess that Nothing Chats is eventually canned entirely, unless Carl Pei has another Ace hidden up his sleeve.

Andrew Myrick
Senior Editor — Smartphones (North America), Chromebooks & Tablets

Andrew Myrick is a Senior Editor at Android Central. He enjoys everything to do with technology, including tablets, smartphones, and everything in between. Perhaps his favorite past-time is collecting different headphones, even if they all end up in the same drawer.

  • Jerry Hildenbrand
    357610
    Reply
  • spARTacus
    I kind of chuckle at the alarm about Nothing/Sunbird having access to all messages sent/received, since that's kind of what Apple has for all iOS/Apple iMessages users (and kind of what Google has for all RCS Messages), no?
    Reply