Nothing Chats, The Sunbird-Based iMessage App Is A Privacy Nightmare

Sunbird has been promising iMessage support on Android for about a year now, but the company has always seemed rather sketchy, 9TO5 Google reported. Now, as Nothing Chats, built on Sunbird, has launched, the privacy nightmare is coming true – not only is the app not end-to-end encrypted as promised, but image files from other users are pretty easy to access in plain text.

The promise of Sunbird, and in turn, Nothing Chats is to deliver iMessage support to Android. This is done by having users log into their Apple ID through the app which routes the login through a Mac server farm. It’s not a unique method, but the big differentiator here is that Sunbird has made a big deal out of claiming that end-to-end encryption is kept in place throughout the process.

Apple Insider reported that Nothing and Sunbird pulled the shockingly insecure iMessage bridge, but only after it was discovered that not only did Sunbird log and retain messages, vCards, and more, but that retained users data could also be downloaded by others.

According to Apple Insider, Nothing Chats was pulled from the Google Play Store on Saturday only a few days after it was introduced. Launched on November 14, suspicions were raised about the app within days, including its seeming lack of encryption, and the sending of login credentials over the internet using plaintext HTTP.

On Saturday, things got worse for the Nothing and Sunbird service, with more revelations over the astounding lack of security safeguards for the app.

Early in the day, Nothing removed the app from the Google Play Store. In a post on X, formerly Twitter, the phone maker somewhat optimistically says it is “delaying the launch until further notice to work with Sunbird to fix several bugs.”

Engadget reported that Nothing has pulled the beta on its new messaging app, Nothing Chats, from the Play Store just a day after release, and says it’s delaying the launch “until further notice.”

According to Engadget, the company touted the Sunbird-based Nothing Chats as the answer to the longstanding “Android vs Apple” texting woes, with support for both RCS and iMessage to bridge the gap. But since it’s announcement, a growing number of critics have voiced concerns over the risks that workarounds like this bring, arguing that Nothing Chats is an inherently less secure message option.

The @nothing account on X posted: “We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.”

Readers added context to @nothing’s post: Contrary to Nothing’s claim about fixing ‘bugs’ in their upcoming app, these issues are serious security & privacy lapses. 

Falsely advertised as end-to-end encrypted, exposes user data in plain text. The app was pulled for major fixes due to unencrypted user images & data.

In my opinion, Nothing should have tested out its app more before shipping its beta version of the app to the Play Store. Instead, it appears to have lied to users about how secure the app was, and now has removed it from the Play Store.