Android @lemdro.id ijeff @lemdro.id 7 mo. ago

Nothing Chats, an iMessage app for Android, is a privacy nightmare

9to5google.com Nothing Chats, the Sunbird-based iMessage app, is a privacy nightmare with unencrypted messages and images

The Nothing Chats app, powered by Sunbird, promises encrypted iMessage for Android, but it's literally a privacy nightmare.

22 comments

It's bizarre that Sunbird touted their solution as end-to-end encrypted, when it can't be - iMessage drops to plaintext on the Mac farm.
- Well not sure about Sunbird. Beeper advertises this also but it's not entirely untrue. It's E2EE from the sender to your Beeper server, where it's decrypted, then re-encypted as a Matrix message. But it's all open source so you can see what's going on.
  
  You can get around this vulnerability by hosting your own Beeper server.
  
  While it's a good solution, it is entirely untrue. A message is either End to End Encrypted or it is not. If the message is decrypted at any point between the sender and the intended recipient, it is definitively not End to End Encrypted.
  
  E2EE means it's End-to-End Encrypted. If it's decrypted at any point during transit then it's by definition not E2EE and Beeper shouldn't be making that claim.
  
  Permanently Deleted
  
  It's E2EE from the sender to your Beeper server, where it's decrypted, then re-encypted as a Matrix message.
  
  Then it's not E2E encrypted.
  
  One end is your device, the other end is the other device. It's only E2E encrypted if it is not decrypted until it reaches the other device.
  
  It sounds like Beeper on your own server is as close as practical to E2EE as you can get given the circumstances, but the point of the term end-to-end is that there is no, nor is it possible for there to be, any way for it to be unencrypted “except for this one part”. That is the very definition of something that is not end-to-end encrypted.
  
  How does one host their own beeper server?
  
  Edit: found it
- As someone who works in the tech industry, this is not surprising to me at all. Typically the people who communicate with the media and customers don't know a single thing about tech. They don't know what end to end encryption means. They know just know encryption is involved and they have heard the buzzword, so they repeat it.
E2ee, except when we have to switch protocols. Trust us bro.
Shady service turns out to be insecure and shady. I’m shocked. The real take away from this is if Nothing thought this was a good idea, what other horrible things have they done to their ROM we haven’t found out about yet.
Hmm, tracks. I will continue using nothing from them
Just don't use apple services? Force everyone to use signal or fuck off... Thats what i did.
- You fucked off?
I was sure that something like this would happen, but I'm really impressed by how quickly it happened.

You've viewed 22 comments.