Skip to main content

Nothing’s iMessage for Android app is unbelievably bad

The Nothing Chats splash page in the app.
Andy Boxall / Digital Trends

Earlier this week, Nothing did the unexpected and launched the “Nothing Chats” app for the Nothing Phone 2. The premise? Let anyone with a Nothing Phone 2 send and receive texts via iMessage. Nothing partnered with Sunbird to make Nothing Chats work, with Nothing essentially using Sunbird’s own messaging tech to bring iMessage to Android.

It was a bold idea … but one that was short-lived. That’s because Nothing Chats is already dead (for the time being) due to a shocking number of security vulnerabilities that were discovered almost immediately. And by security vulnerabilities, we don’t mean minor oversights that could have been easy to overlook. We’re talking about major, game-breaking design flaws that massively compromise the personal information of anyone who used Nothing Chats.

The problem with Nothing Chats

Nothing Chats on a Nothing Phone 2 compared with iMessage on an iPhone 15 Pro Max.
iMessage on an iPhone 15 Pro Max (left) and Nothing Chats on a Nothing Phone 2 Andy Boxall / Digital Trends

Nothing Chats launched in beta access on November 17, and within hours of people getting their hands on the app, worrying security concerns started popping up. One of the first reports came from Kishan Bagaria, the founder of Bagaria and their team discovered that messages sent via Nothing Chats weren’t using HTTPS security credentials. Instead, messages were being sent on the much less secure HTTP standard in plain text.

texts team took a quick look at the tech behind nothing chats and found out it's extremely insecure

it's not even using HTTPS, credentials are sent over plaintext HTTP

backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet

— Kishan Bagaria (@KishanBagaria) November 17, 2023

But it wasn’t just Bagaria who discovered these vulnerabilities. Wukko on X (formerly Twitter) also confirmed that anything sent via Nothing Chats — including standard text messages, images, and other media attachments — was done using plain text and clearly visible to anyone who knew where to look.

Furthermore, and even more troubling, Wukko found that all messaging data sent by and stored in Nothing Chats was done unencrypted and via an easily accessible Firebase platform.

nothing chats app (skinned sunbird) is an absolute privacy nightmare that sends/stores ALL data unencrypted on firebase

and for whatever reason it also sends ALL messages and attachments to sentry (again, in plain text)

— wukko (@uwukko) November 18, 2023

These reports were bad enough, but additional reporting from 9to5Google further reiterated just how serious these vulnerabilities really were. Per 9to5’s own findings:

“In our Dylan Roussel’s research, we found that once a user authenticates with the JSON Web Tokens (JWT) that are insecure in transit, they can access Nothing Chat’s Firebase database and see messages and files from other users sent in real-time and in plain text.”

Connecting to iMessage in the Nothing Chats app.
Andy Boxall / Digital Trends

The report goes on to mention how vCards (aka contact cards) were also fully accessible — including people’s names, numbers, email addresses, and other personally identifiable information. And as if that wasn’t enough, 9to5Google also discovered more than 630,000 media files stored in Sunbird’s Firebase server — the company that powers the Nothing Chats app.

In summary, this is what we’re looking at:

  • Nothing Chats is not end-to-end encrypted
  • Messages from Nothing Chats are sent in plain text
  • Media and other attachments are publicly accessible
  • Sunbird does have access to messages and attachments sent from Nothing Chats

In other words, this is all very, very bad. It’s especially worse considering how quick Nothing was to rebuke these initial security concerns, further claiming that messages were end-to-end encrypted when — in reality — they absolutely were not.

Where does Nothing go from here?

The Sunbird information page in Nothing Chats.
Andy Boxall / Digital Trends

On November 18, just one day after launching Nothing Chats, Nothing announced on X that it was officially removing the Nothing Chats app from the Play Store and “delaying the launch until further notice” so the company could “work with Sunbird to fix several bugs.”

Pulling the app and delaying the launch is the right call on Nothing’s end, but it’s impossible to overstate how much damage has likely already been done by this whole debacle.

We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.

We apologise for the delay and will do right by our users.

— Nothing (@nothing) November 18, 2023

At the end of the day, these security issues are Sunbird’s fault. Nothing Chats was built on Sunbird’s backend, and it’s up to Sunbird to address these concerns. However, Nothing still decided to partner with Sunbird to create and launch Nothing Chats, and the fact that the company never discovered these vulnerabilities while creating Nothing Chats is troubling.

If you still have the Nothing Chats app on your phone, we strongly advise you to stop using it immediately. That same recommendation applies if you’re using the regular Sunbird app as well. Having iMessage on an Android phone is a fun convenience, but not at the risk of your personal information being so heavily compromised. You’re better off just waiting for Apple to add RCS to the iPhone in 2024.

As for the future of Nothing Chats, it’s difficult to say what will happen next. Nothing says it’s “delaying” the launch, but to fix all of the issues we just talked about here, Sunbird would have to dramatically overhaul its entire backend process. Is Nothing going to want to wait for that to happen, or will it decide to just cut its losses and pull the plug on Nothing Chats for good? At this point, it seems like the latter may be the better choice.

Editors' Recommendations

Joe Maring
Section Editor, Mobile
Joe Maring is the Section Editor for Digital Trends' Mobile team, leading the site's coverage for all things smartphones…
One of our favorite Android phones just got its own iMessage app
Nothing Chats app on a. phone.

Nothing is trying to bridge the great blue/green bubble divide for Android users of iMessage. This is not a personal crusade to shatter walls and open windows, as much as Nothing CEO Carl Pei would want you to believe that. Instead, Nothing is piggybacking on tech created by New York-based startup Sunbird. 
Technically, the Sunbird app can be installed on any Android phone and it features a blue bubble for all iMessage text exchanges involving an Android phone. No more green bubble shame that could get you kicked out of groups for disrupting the harmony or even slim your dating chances. That’s how bad it is! 
Nothing is adopting the Sunbird tech and bundling it as its very own app under the name Nothing Chats. But here’s the fun part. The app only works on the Nothing Phone 2 and not the Nothing Phone 1. And this life-altering boon will only be bestowed upon users in the U.S., Canada, the U.K., or the EU bloc.

The app is currently in the beta phase, which means some iMessage features will be broken or absent. Once the app is downloaded on your Nothing Phone 2, you can create a new account or sign up with your Apple ID to get going with blue bubble texts. 
Just in case you’re concerned, all messages will be end-to-end encrypted, and the app doesn’t collect any personal information, such as the users’ geographic location or the texts exchanged. Right now, Sunbird and Nothing have not detailed the iMessage features and those that are broken. 
We made iMessage for Android...
The Washington Post tried an early version of the Nothing Chats app and notes that the blue bubble system works just fine. Texts between an Android device and an iPhone are neatly arranged in a thread, and multimedia exchange is also allowed at full quality. 
However, message editing is apparently not available, and a double-tap gesture for responding with a quick emoji doesn’t work either. We don’t know when these features will be added. Nothing's Sunbird-based app will expand to other territories soon. 
Sunbird, however, offers a handful of other tricks aside from serving the iMessage blue bubble on Android. It also brings all your other messaging apps, such as WhatsApp and Instagram, in one place. This isn’t an original formula, as Beeper offers the same convenience.

Read more
I love Apple, but it’s totally wrong about iMessage and RCS
An iPhone 15 Pro showing the main iMessage screen.

I’ve been using an iPhone ever since 2008, starting with the original and then every generation since. For several years, the iPhone was only capable of SMS texting, with MMS support arriving with iOS 3 in 2009.

But in 2011, Apple created something new: iMessage. It first arrived on iOS and then went to the Mac in 2012 to replace iChat. iMessage is basically an instant messaging service that is exclusive to all Apple products: iPhone, iPad, Apple Watch, and Mac. You can send text, images and video, documents, rich preview links, stickers, and more between one another. You can also see if a message is delivered, send read receipts (if you want), and everything is encrypted. With iOS 16, you can even edit and unsend messages within a certain time frame.

Read more
The iPhone’s futuristic satellite tech isn’t coming to Android any time soon
The Google Pixel 8's screen.

It could take a while before Android phones allow satellite connectivity to assist users in emergency scenarios, thanks in no part to Qualcomm canceling its ambitious Snapdragon Satellite plans. Apple introduced satellite SOS support last year with the iPhone 14 series, with the intention of helping people when they are out of cellular or broadband coverage range.

The feature allows you to text emergency responders, share locations, and request roadside assistance. But not long after, hope emerged for Android phones. Earlier this year, Qualcomm announced Snapdragon Satellite, with the goal of aping Apple’s initiative for Android phones.

Read more