Nothing's iMessage bridge doesn't appear to be encrypted at all

Nothing Chats

Despite the Nothing company co-founder claiming that its chat service that bridges iMessage would be end-to-end encrypted, the source code appears to reveal quite the opposite.

The creators of Nothing Phone (2) announced Nothing Chats on November 14. It's a service allowing Android users to send messages in iPhone-style blue bubbles — assuming that they want to log into a remote server with their Apple ID.

Nothing requires users to have Phone (2) to access Nothing Chats. The iMessage-like technology is from Sunbird, a technology company based in New York, and is integrated into the Nothing messages application.

texts team took a quick look at the tech behind nothing chats and found out it's extremely insecure

it's not even using HTTPS, credentials are sent over plaintext HTTP

backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
— Kishan Bagaria (@KishanBagaria) November 17, 2023

On Friday, the founder of Texts.com tweeted that his team "took a quick look" at the code behind Nothing Chats and found that it's insecure.

"It's not even using HTTPS, credentials are sent over plaintext HTTP," Kishan Bagaria said.

Exposing data with insecure protocols

The primary concern is the absence of HTTPS (Hypertext Transfer Protocol Secure) in the service's communication protocols. HTTPS, a fundamental security standard for modern internet communication, encrypts data between a user's device and the server.

The lack of this encryption means that sensitive information, including login credentials, is sent over the internet using plaintext HTTP. Using that method is insecure as it allows relatively easy interception of data by third parties, especially on unsecured networks.

The investigation revealed that Nothing Chats uses a backend powered by BlueBubbles, a messaging service known for its lack of end-to-end encryption. End-to-end encryption is a critical feature in secure messaging, ensuring that only the communicating users can read the messages.

The absence of this encryption means that messages can potentially be accessed by the service provider or intercepted by external entities, posing a significant privacy threat.

Nothing has yet to respond to the claims.

Secure messaging solutions

According to Nothing, the primary reason behind its messaging app was to entice iPhone users of its earbuds to commit to its smartphone fully. The company determined that messaging barriers deter iPhone users from switching platforms, particularly the stigma associated with being the sole person in a group chat with Android green bubble messages instead of the typical Apple blue ones.

"We were like, how can we do something about this?" said Nothing's Carl Pei. "And started looking at the different teams working on this problem... and we got in touch with the Sunbird team."

Echoing more prominent companies like Google and Samsung, Nothing also mentioned Apple's lack of support for RCS in iMessage. It further claimed that Apple's reluctance to adopt RCS endangers user privacy.

Fortunately, Apple announced on November 16 that it will add the RCS Universal Profile to iMessage, likely with iOS 18 in 2024. Although that profile doesn't include Google's version of end-to-end encryption, Apple is working with the industry body GSMA on a possible inclusion of an industry-wide encryption standard.