[ad_1]
Nothing Chats was supposed to provide a solution to the long-standing texting issues between Android and iPhones, with support for both RCS and iMessageto bridge the gap.However, critics have raised concerns about the security risks associated with such workarounds.
The removal of the app came after users shared a blog post from Texts.com, which showed that messages sent with Sunbird’s system, on which the app is based, are not end-to-end encrypted and can be compromised easily.
Texts.com’s reverse engineering team discovered that Sunbird and Nothing Chats required users to send their Apple ID credentials to their servers. The team found several security issues, including the fact that crucial credentials were being sent over an unencrypted channel (HTTP). Despite Sunbird claiming to have ISO27001 certification, the investigation found that the company was providing misleading information about end-to-end encryption.
Although messages sent to Sunbird’s servers were encrypted, JSON Web Tokens (JWT) were being sent without encryption to another Sunbird server, making them vulnerable to interception.
The messages were decrypted and saved on Sunbird’s servers, which made them vulnerable to unauthorised access. Texts.com was able to intercept JWTs, which gave them access to the Firebase real-time database and user information with only 23 lines of code.
Although Sunbird is the one responsible for the privacy issues, Nothing is being criticised for collaborating with them and downplaying the situation as “bugs.”
Sunbird stated that HTTP is only utilised for the initial request from the app to the back-end, notifying it of the upcoming iMessage connection.
The app was launched in beta on the Play Store on Tuesday after being announced earlier this week.
[ad_2]
Source link
