After announcing it earlier this week, Nothing has launched its “Nothing Chats” app that brings Apple iMessage to the Android-based Nothing Phone (2).
Update: The big security concern has now graduated to full privacy nightmare with unencrypted media and messages.
The premise of “Nothing Chats” is pretty simple. The app, which is free to download but exclusively available on Nothing Phone (2), aims to make it possible to use iMessage on the Phone (2) but also merge that with support for your existing RCS and SMS chats.
To accomplish that, you’ll need to do a few things to set up. Firstly, you’ll need to link Google Messages. This is done via a QR code, and the app essentially piggybacks off of the same Google Messages linking you get on the web. It’s not a new method, as the other popular “all your chats in one” app, Beeper, does the same thing.
Beyond that, you’ll need to sign into your Apple ID to use iMessage in “Nothing Chats.”
This is all handled by Sunbird, and it means your Apple ID is signing into a Mac in a remote server farm. In a statement to 9to5Google, Nothing explains that the Apple ID data is “destroyed” after you log in.
Once the Apple ID is provided, whether existing or newly created, it’s then tokenized in an encrypted database and the Apple ID data is destroyed. The token is of no use to bad actors as it does not contain any sensitive information like your Apple ID, and the data you initially provided is automatically deleted, ensuring your Apple ID is secure and at no point vulnerable to bad actors.
Sunbird and Nothing both say that it’s all end-to-end encrypted.
That said, it’s worth noting that Sunbird has a pretty sketchy reputation. The company started talking about bringing iMessage to Android in 2022 and was supposed to launch in Summer 2023, but as of today is still on a waitlist. Prior to its beta launch, as Ars Technica reports, Sunbird hosted a briefing session with members of the media. During this meeting, the company shut down open questions during the meeting and refused to answer any technical questions, which is a major red flag.
Another big red flag, as spotted by Kishan Bagaria on Twitter/X, is that the app sends your Apple ID credentials over HTTP, not the secure HTTPS. 9to5Google can also independently corroborate this.
So, as with any app that promises to bring iMessage to Android, take this one with a grain of salt.
Update: It got worse.
Nothing Chats is now available on the Play Store, again only for the Nothing Phone (2) and only in the US, Canada, UK, and the EU.
Meanwhile, this comes a day after Apple announced that RCS messaging would be coming to the iPhone in 2024.
Update: Nothing issued the following statement to us this afternoon:
While the protocol is HTTP, all data is encrypted and the key used to encrypt that data is provided via HTTPS so Apple credentials or messages sent via that HTTP request are secure and not open to the public. All sensitive user data such as Apple ID credentials and messages are encrypted at all times. The HTTP is only used as part of the one-off initial request from the app notifying the back-end of the upcoming iMessage connection iteration that will follow via a stand alone communication channel.
Regarding the other part of his tweet, years ago when the servers were being built Sunbird’s co-founder named them Blue Bubbles. Sunbird/Chats is not using an instance of anyone else’s technology – the naming is strictly coincidence.
Additionally, I want to add that from the start, that Sunbird has been focused on security and its ISO27001 certification (Certificate Number: IA-2023-09-21-01), an internationally recognized specification for an information security management system, is a reflection of its commitment to user privacy.
Nothing spokesperson
FTC: We use income earning auto affiliate links. More.