Privacy and Security Concerns Surrounding Nothing Chats App Raise Alarms
ICARO Media Group
Less than 24 hours after its launch, the messaging app Nothing Chats has come under fire for serious privacy and security flaws, causing it to be swiftly removed from the Play Store. The app, which positioned itself as a secure platform for sending messages to iMessage users, has been found to log every message in plain text and store unencrypted data including text messages, images, videos, and more.
The revelations about Nothing Chats' lack of security protocols have raised significant concerns about the privacy of its users. The discovery came out of investigations that followed the app's launch, and the company responded by removing the app from the Play Store, citing the need to fix "several bugs."
From the start, Nothing Chats faced skepticism due to its ambitious goal of providing an iMessage workaround for Android users. While alternatives already exist, such as routing messages through personal Macs or remote server farms, the backing of a phone manufacturer like Nothing raised the bar. However, it took only a few hours after the app's launch for security concerns to emerge online, and now, just a day since hitting the Play Store, Nothing Chats seems to be turning into a nightmare.
Nothing advertised its product as a rival to similar apps like Beeper or AirMessage, emphasizing end-to-end encrypted messaging for iMessage users. However, as reported by security researchers, the platform was found to be sending credentials over plain text HTTP rather than the expected HTTPS, undermining its claims of privacy focus. Although Nothing downplayed these findings by highlighting its use of HTTPS encryption keys, further investigations by 9to5Google and Twitter user Wukko revealed the situation to be worse than anticipated.
A scathing article by 9to5Google detailed Nothing Chats' security flaws: the messaging app was logging every message in plain text and storing the data unencrypted in Firebase. This encompassed not only text messages but also images, videos, usernames, phone numbers, and all other content sent through the app. Combined with the fact that the app specifically asks users to send their data to contacts through a vCard, this represents a significant and alarming security breach.
9to5Google's findings revealed that over 600,000 pieces of media, including 2,300 vCards, were publicly available for download from Nothing's insecure Firebase server. Authentication through the app's vulnerable JSON Web Tokens gave anyone access to this data in real time, as demonstrated in a detailed blog post by Texts, another competing service.
9to5Google reportedly informed Nothing of these security flaws. Users on Reddit also reported that they were unable to download the app from the Play Store, suggesting that the company took action to rectify the situation. Nothing eventually confirmed on Twitter that the launch had been "delayed" due to the need to fix "several bugs."
The significant breach in trust caused by the messaging platform's security flaws poses a challenge for Nothing as a smaller brand in the Android ecosystem. Its reliance on tech-savvy users and positive reviews to recommend its hardware will be undermined by such a flawed rollout. Trust in Sunbird, the parent company behind Nothing, has been called into question as users quickly discovered the holes in the app's security. Whether through false claims of encryption or a lack of proper testing, the repercussions for the brand are significant.
In light of these revelations, it is strongly advised to avoid using the Nothing Chats app or Sunbird's services. The privacy and security risks associated with the app make it an unsafe choice for users concerned about protecting their personal data.